
Comment Fundamental flaw of the CA infrastructure (Score 4, Interesting) 250

This story shows the fundamental flaw of the TLS CA infrastructure: it only certifies that the connection is established with the reported DNS domain name. That is not utterly useless, but not far from it.

The protection against man-in-the-middle attacks is relevant only in a handful of cases. With home Internet access, MitM can more or less only be performed by network operators, who have a lot to lose if they are caught playing these games. It is more of an issue with public access, but still rather minor.

What would be really useful would be CAs that certify the honesty of the sites. “If you see our green padlock, that means this site is reliable. If they scam you, we will refund you.”

I will not hold my breath.

Comment Re:Obligatory Oatmeal (Score 1) 244

Hear, hear!

I am convinced that most people are inherently honest and would gladly pay for what they watch, if given the chance. And I remember a TED talk by Amanda Palmer saying the same thing.

But what do they ask us to pay for? Exclusive rights wars, clumsy proprietary players, limited play periods.

If the studios and distributors had any brains at all, they would acknowledge that limiting the spread of the files is a lost war, they would give easy access to them and a wide variety of payment methods, including an open “I have watched something from you for free (I will not tell you if it was legally or not), I would like to give back” donate form. And they would actually charge for extra features such as earlier access.

I even suspect a lot of pirates would respect that and not compete with the paying extra features.

At this time, as far as I know, only Crunchyroll gets it almost right.

Comment Re:Why do we care? (Score 1) 45

Your analogy is flawed in two ways.

First, “cloud repositories” are not used just to distribute malware. But that is not the most important.

Second, if someone shoots me with a gun, I die, I do not have any choice. If someone hands me malware, I ignore it and move to something else.

Malware is a non-issue. The real issue is the abysmal security of consumer devices and software.

Comment Re:GPL (Score 1) 176

Actually, you are slightly wrong. The three options you suggest apply before you are in a situation of copyright violation: when you are considering distributing your project, you have to do one of these things.

But after the copyright violation, it is too late. If you steal something, get caught and give it back, you still go to prison. The same applies to any kind of wrongdoing: undoing it after getting caught does not avoid the punishment.

The GPL has an explicit provision for violations: (emphasis mine) “Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.”

In other words, if someone violates the terms of the GPL and gets caught, they lose all right to the software, and have to beg the copyright holders to get them back. The copyright holders may be satisfied with simple compliance, but they may require extra good will proofs.

Of course, if the infringer does not want to comply, the only option becomes to sue them. And the judge would not order compliance, only damages.

Comment Re:Why is that possible in the first place? (Score 1) 97

Why is it possible in the first place?

If I were to design a protocol of this kind, one of the first measures I would take, in the protocol itself if relevant and in any implementation, would be to check that peer-provided source addresses match the routing system, making spoofing impossible. I cannot fathom that the people who designed this particular protocol did not do the same from the beginning, and even more so that they did not fix it since then.

Comment Re:He can buy it back ... (Score 1) 111

Hear, hear.

This is exactly wanting to have the cake and eat it. Or even more appropriately, the French version: he wants the butter and to keep the butter money.

As a side note, since trademarks are associated with a particular kind of products, he could sell McAfee sandwiches or open the MacAfee massage salon and be ok.

Comment Re:You are missing the point (Score 2) 219

Indeed. I should have been more explicit in my message: the wad of cash and the brass knuckles were colorful examples, but the real threat comes from peer pressure within the family, even more so because it is most often implicit.

(There is a scene in an Astérix comic book: the village must vote between its current (male) chief and a woman; the Druid explains the secret ballot procedure, the woman candidate proposes a show of hands, and then a show of hands to decide if the actual vote will be by a show of hands; all the women raise their hand for the show of hands, and when the men want to raise theirs for the secret ballot, a dark look from their wives stops them. It loses a lot of its funny if you think about the actual reality of domestic abuse that is being parodied and that usually goes the other way around, but I think it illustrates how important and tricky the secret ballot is.)

Comment You are missing the point (Score 5, Insightful) 219

You are completely missing the point. All the cryptography and the blockchains and the secure protocols in the world cannot detect if someone is standing behind the computer with a wad of cash (vote buying) or brass knuckles (coercion) and checking that you are voting right.

One of the core features of the secret ballot is the voting booth, where the voter is alone to make the final choice, with official oversight.

Of course, the privacy of the voting booth is not perfect, it is weakened by all sorts of features, from absentee voting to tolerating children in the booth with their parent. But it is still the norm for most voters and is way more solid than a situation where the norm would be to vote from home.

Comment Lack of anonymity (Score 5, Interesting) 204

Vote-by-mail, or any system where there is no voting booth with official overseer, lacks anonymity.

Voters need the right of keeping their vote secret, but that is not enough. If voters can show who they voted for, they can be intimidated or otherwise induced into voting for someone in particular. They can of course say who they voted for, but they cannot be allowed to prove it to someone else.

That is what the voting booth is for. With generalized vote-by-mail, we would see much more vote buying and small-scale intimidation such as “vote for my stepbrother if you want to keep your job”.

I am surprised that so few people make that connection when the issue arises.
