Extend it how? Facebook has the densest social graph in the world and they think two strangers can reach each other within 4 hops, mostly. But that's what it'd be if "everyone in the world" (or close to it) was a part of the WoT. This will never happen or even get close. So in practice you probably don't have a great way to extend your WoT in this way unless you happen to be a part of the very small security geek community, and even then, it's probably not easy.

Keys (and certs) contain email addresses.

But do you really think there is a single US CA out there that would say no to a national security letter requiring them to issue a torproject.org certificate if they actually needed it?

NSL's request data. You're probably thinking of a court order. And of course the answer is no, they'd follow the order. But what makes you think a person taking part in the WoT would refuse a court order where a CA would roll over? Jail time sucks the same for both. The idea that CA's are uniquely vulnerable doesn't really make sense, given that the WoT lets you see who trusts who and serve a court order on anyone in the chain.

Stuxnet actually proves another part of why the CA system is utterly broken. Because they just had to break in *somewhere* in order to get a key signed by *any* CA in order to sign their stuff.

I think you are confused. Yes, Windows will load any driver signed by a member of the Windows hardware program. How else do you think it's supposed to work? Once code is loaded into the kernel it can do anything it likes and theres not much technical way to stop it with current-gen kernels, so there's no way to issue a certificate for one kind of driver but not another kind, it would be meaningless. Regardless, even if there was, the decision about how much power a signing key has for Windows is entirely Microsoft's decision, it has nothing to do with CAs.

I suspect you are thinking of the "any CA can sign for any domain name" issue in SSL. It has both weaknesses and strengths. The weakness is if any CA is compromised, they have full power. The strength is there's lots of competition which helps keeps prices down and makes revocation actually a realistic threat, because the customers of a CA that's about to be revoked DigiNotar style can go to any other CA to get fresh certs. You're never in a situation where the CA you want to revoke is the last man standing for some class of names.

Bitcoin is not an authentication mechanism. If you can prove that a CA is signing bogus certificates for intelligence agencies please do so - nobody had been able to show this so far and it would move the debate forward at a critical time.

You're sort of getting close to what the certificate transparency project does.

So can you find a path to the genuine keys through your personal web of trust?

The thing is, you're wrong and your own post shows that.

Firstly, we have no evidence of any CA being compromised by intelligence agencies despite the obvious appeal to them of doing so. This is remarkable. Despite the huge number of Snowden documents so far none of them have even hinted at compromise of the CA infrastructure. What we have seen a lot of discussion of is ways of circumventing it by stealing private keys directly from end users, and doing MITM on non-SSLd connections of which there are plenty.

Nobody can rule out that some CA is in fact minting false certificates for intelligence agencies. But so far nobody has presented any evidence of it.

Your Stuxnet example proves my point and disproves yours. They didn't use a false certificate there - they hacked the end user (a hardware manufacturer) to obtain their private key. Well guess what, you can steal PGP keys in the same way, nothing magical about that.

Most of Bitcoin's problems aren't with the software. Bitcoin's irrevocable money sends to anonymous remote parties are the con man's dream. At last, you can rip people off without ever giving them enough info to find you. That's why Bitcoin is such a scumbag magnet.

You can turn that around and make the same criticism of credit cards, from the sellers perspective. They're also a scumbag magnet. Trying to sell anything with credit cards is a fraud nightmare. Banks routinely approve transactions that are later reversed due to card detail theft, and the seller is just expected to suck it up. I've seen what big sellers have to do to control fraud. And sellers matter: it takes two to tango!

That said, Bitcoin can theoretically do dispute mediated transactions (where they could be reversed later in case of seller fraud). However the user interfaces and workflows for this are immature and so in practice it's not done much today. Perhaps this year we will see that change.

The point of using such a version number is exactly to remind people that Bitcoin is new and experimental. It's quite possible to understand that something is a risky experiment, yet still take it seriously - these two things are not incompatible.

But, hey, if you want to put your money into a currency which is still getting bug fixes, go right ahead. That's your choice.

Banks and governments routinely have to upgrade banknotes and other forms of security on their own money, which you can see as "fixing bugs" in the sense that the ability to counterfeit is a bug. Development never really stops, so a 0.9 vs 1.0 is an entirely arbitrary line in the sand.

Swing has been replaced with JavaFX, which is a very modern and rather slick UI framework. It's got a very nice skin, can be styled with CSS, is rendered via OpenGL or Direct3D with all the attendant features that provides, has a full blown animation and effects framework, a good visual designer (no longer left up to IDE makers), uses native file choosers, and can reliably hit 60 frames per second. Also the API is very clean and so far I found it a joy to work with.

The downside? Of course, Java 8 is huge and bundling it makes your apps have a big download. Boo. JWrapper looks like a good way to make stripped down cross platform native installers though, but I didn't get a chance to try it yet.

Multiple inheritance is a feature nearly no modern language has, but Java 8 does support mixins which are how most languages provide similar functionality (interface method definitions can now have bodies).

Co-operation? I highly, highly doubt that.

I can see only two possibilities for how the NSA could collect every single phone call of an entire country, such that the Washington Post would agree not to publish the name of the country. One is that it's something like North Korea where the infrastructure is really weak and there might conceivably be only a handful of points where all telephone calls pass through. If a covert team on the ground were able to splice those fibres, or hack the telephone equipment remotely, and somehow duplicate the internal traffic onto fibres heading out of the country , I can see they could be intercepted at that point.

The other possibility is that it's a small country that's supposed to be "allied" (Washington does not really have allies), like Belgium, seat of the EU. We know that GCHQ hacked Belgacom pretty badly. Undoubtably the NSA has done the same with other telcos. In this case, the WashPo agrees not to disclose it to avoid causing even more severe diplomatic fallout (though this was apparently not a concern so far). For a small but modern country it's quite feasible to imagine hacked telephone equipment simply sending all phone call data out over the internet or a fibre that's meant to be dark without anyone actually noticing, as phone calls are relatively low bandwidth.

Regardless, this is pretty amazing. Every time I think these fuckers can't get any creepier, they do. First OPTIC NERVE and now this.

These stories always leave me depressed. It's clear nothing is going to happen, the politicians all seem to be creaming themselves over these powers and can't wait to legalise it all ... then they can conveniently go after anyone who is breaking their collection with crypto.

I'd be interested to know your background. Are you Ukrainian? The information I was able to find seems to disagree with you.

There are no "two" of Ukraine, this division is part of Kremlin's false narrative.

Seeing as you brought up language, here's what happened when in 2012 the government passed a law that would allow Russian to be an officially recognised language in parts of the country where it was being used: fist fights broke out in Parliament. Yeah, real unified. They had a major fight over allowing Russian to be used legally by the people who actually speak it just two years ago.

Presently, both languages are officially recognized.

Yes, they are, despite that one of the first acts of the new parliament in Ukraine was to try and revert the 2012 law. The only reason it didn't happen is that the law, which was passed by the majority of parliamentarians, was vetoed by the new Prime Minister.

Russia has done, economically, much better than Ukraine over the past years. Its people are better off and GDP per capita is a lot higher. What's more, no matter which government is in power in Kiev it seems to throw major fits over basic things like whether the Russian language should be officially recognised, despite the clear reality on the ground. Is it any wonder that maybe the people in Crimea don't seem to be too worried about joining Russia? The election may well have been biased or rigged - it's hard to know because the west refused to send any official observers - but we just saw Ukrainians engage in massive street protests in Kiev. I didn't see any such protests happening in Crimea yet.

There's more hints of this in her article. It starts out by complaining about "aggressive communication on pull requests" and how little the men respected her opinion.

In quite some years working in the software business I have occasionally seen men and women genuinely be dicks on code review threads, but I have never once seen an entire group of people be dicks simultaneously. What I have seen, repeatedly, is people who do not have any engineering background bump up against the no nonsense, no bullshit get-it-done-now attitude that is pervasive in the software world. This is especially a problem for people from fuzzy marketing-type backgrounds, which is what this woman has, and especially on code review threads, where reviewers always have a backlog and writing each line-by-line comment as if it were a formal business letter would waste staggering amounts of time.

My experience has been that men love it when a woman turns up and gets real, respectable work done! What men definitely don't love is when they reply to some request saying "That won't work because of X" and this is interpreted as aggressive by the person whose work was not up to scratch (whether it be men or women). If she couldn't get respect on her code review threads and perceived the communication as aggressive, I bet the real story is that nobody was being aggressive but her work simply contained lots of mistakes, and having them pointed out without any cushioning (as is normal) hurt her ego.

Reading this story has not made any difference to my desire to work for github. It has reminded me of other times in my previous job where similar issues cropped up, though not normally so publicly. The genuine fault ALWAYS lay with the complainer.

Is the iTunes Store not to your satisfaction? It's always worked fine for me. I never notice the DRM.