On MacOS, certificates are managed through the Keychain Access application, rather than in the browser itself. Open Keychain - it's in Applications > Utilities. On the left of the window, you'll see either one pane labeled "Category", or two panes, "Keychains" and "Category". If you only see one pane, select View > Show Keychains. Then in the "Keychains" pane select "System Roots". A list of all root certificates will appear on the right. You can click on a column header like "Name" to sort on that column.
Find the certificate you want to remove - CNNIC ROOT is right there - and double-click on it. Details about the certificate will appear. Click the arrow next to "Trust" to open the trust details. Change "When using this certificate" from "Use System Defaults" to "Never Trust".
It's not possible to delete one of the built-in certificates, at least not using the Keychain Access application. (There is a command line utility that can do it, but even then the removal isn't permanent, and the cert may reappear - though it will be marked "Never Trust".)
The publishers of DRM'ed textual material are about to come to a very painful choice point. Up until recently, scanning a book or journal was an annoying manual procedure, and the results were not very clean. The book scanners used by libraries and by other professionals - with such features as automatic page detection so you could scan a pair of pages together, automatic de-skewing so you didn't have to get the book configured exactly right, automatic digital page smoothing to compensate for the curve of the pages - cost tens of thousands of dollars.
Look around a bit and you can find many similar devices at reasonable prices. The only thing that's still quite expensive is automatic page turning - but you can probably live without that. And the prices are only going to drop further, and the software will only get better.
The result of this is that publication in paper form will be likely publishing music on a CD: Soon, huge numbers of people will be able to make a DRM-free "eBook" version with very little time, money, or effort expended - and it'll probably look better than most eBook versions. The files involved are small - you could probably scan every book published in English over a year onto a USB stick.
An obvious response will be to try to stop publishing on paper. But that won't work - an eBook reader's screen is, if anything, easier to scan than a paper book. Just push the next page button. There may be calls to put artificial limits on how fast the page button can be pushed, but given that people skim books to look for material, the reader makers will resist. Maybe readers with LCD screens can be set up to make it hard on the scanners, though I have my doubts. For the e-paper readers - no hope, the screens are just passive displays almost all the time; try to play games like having the letters move around all the bit all the time and the battery will give out quickly.
These publishers are the walking dead. They just don't know it yet.
So ... who's going to take the clip of Rogers's interview, overlay it with big letters saying "LIe!" followed by someone giving all the details of why it's a lie (in the style of political attack ads), and circulate it widely? (I'd do it but I have neither the equipment nor the editing skills to do a good job.)
Nah. The City Council should vote to disallow any spending of City funds to prosecute this lawsuit. Bloomberg could certainly ante up the money, but he probably can't give the money to the city attorneys - he'd have to be the plaintiff, and then he would probably be found not to have standing.
Of course, this assumes the usual arrangement of government legislative and executive functions. New York City's government structures are incredible baroque - plus there's an overlay of rights and responsibilities that you would expect to belong to the City, but that the State legislature has chosen to take control of for various (typically really bad) reasons. So I have no idea whether it would even be possible for the City Council to control how City money is spent.
All that said: Bloomberg has, in general, been a very good mayor. He has a couple of blind spots, which for some reason have become more and more visible as his tenure approaches its end. Leaders all have their limitations. Rudolph Guilliani was a much more problematic figure with many more odd blind spots, but not only was he also a pretty successful mayor, but he was certainly the mayor the city needed after 9/11 - at least *shortly* after 9/11, when everyone looked for leadership and a sense that the world and the City would somehow survive and recover.
Given New York City's size and complexity, an effective mayor who doesn't have some strange sides to him ... probably can't exist.
The real fake reviews are the 5-star reviews. They were planted by the Telco's exactly to start this debate, months later thus distracting attention from the book and the real issue: That we have to continue to have the best Internet in the world, provided by the best companies in the world, because those companies are dedicated to helping the NSA keep us all safe by carefully but completely lawfully preventing that precious Internet - a wonderful American invention - from being used by, you know, terrorists and mother-rapers and father-rapers and all those others on the Group W bench.
You're all a bunch of filthy hippies and Communists and traitors who don't appreciate what this great country of ours - not yours - has done for you. If you don't like it, why don't you just get out and go live in one of those workers' paradises you dream of, like Sweden or Eurasia or something.
-- A True Patriot from Iowa or Idaho or one of those places
If the government can demand your hashed password, they can also demand your *actual* password. While a site doesn't *store* that, it has access to it *every time you log in*. After all, that's exactly what you provide in order to log in!
There are protocols (SRP http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol is the most prominent example) in which having full access to the data on the server doesn't permit you to imitate a client (without additional work to brute-force the actual password), Unfortunately, such protocols aren't trivial to retrofit into existing systems as they require significant computation on the client side, so they haven't seen much traction. Perhaps it's time to consider them.
For an interesting example of how to respond to the new environment, have a look at the Northshire Bookstore (http://www.northshire.com/). Northshire is located in Manchester, Vermont - a fairly small community surrounded by smaller communities, many poor. But Manchester is a tourist hub - there's a ton of skiing in the area, and many resorts that get summer traffic as well. The town is a tourist shopping hub. Many years ago, it was filled with locally owned store; for the last ten years or so, the major chains have taken over with outlets. The outlets are fading a bit; we'll see what replaces them.
Northshire has been there through all the changes. The store expanded a couple of years ago, and is, in total footprint, comparable to a medium-sized B&N. But since it started life in what was probably once a hotel, and added rooms here and there, it doesn't *feel* huge - it feels like a bunch of rooms. And it specializes in providing an experience: Knowledgable, friendly staff; regular talks by authors; special displays by local writers; little notes on the shelves from bookstore employees describing their favorites; etc.
Northshire has had a book printing machine (I don't know who makes it) for a couple of years. They also started selling on-line a while back.
I have no connection with the store, other than as a long-time customer: We vacation nearby a couple of times a year, and as a family tradition always include a visit to Northshire on every trip. The store has been busy every time we've been in there. And we always leave with a large collection of new books. In fact, we used to have Borders near us at home. We realized that we almost never went there: Books we needed "quickly" came from Amazon; books that were the result of browsing came from Northshire. Borders just kind of faded from our lives (though we do miss knowing it's there).
I hope Northshire's external appearance of success don't conceal inner dry rot. It's been a tough couple of years for many of the Manchester vendors, and they haven't had to deal with the technological changes in the book business.
As far as I can see, not a single comment here so far is from a person in a position to judge whether targeting works. That's because "works" is measured by *the customer who bought the ads*, not by *the person receiving them*.
Advertising is a game of statistics. No matter what medium you use, most ads will be completely ignored by the vast majority of people who see them. That's a reality that businesses have had to accept for years - there's even an old joke to the effect that "Half my advertising money is wasted. If only I knew which half!" In fact, if you consider an ignored ad "wasted money", the fraction "wasted" is over 99%. The only way to judge whether advertising is actually effective is to compare profit - income minus expenses, where expenses includes ads - for different amounts of advertising. Not easy to do, but most businesses have concluded that "wasting" money on ads is actually a worthwhile investment.
Because the actual fraction of ads that pay off is so small, it takes only a tiny increase in the absolute number to make a big difference. Suppose you ran an ad that a million people saw, and it brought in 100 customers you wouldn't have otherwise bought your product. (In most situations, that would be an incredibly successful campaign.) Now suppose targeting doubles that to 200 new customers.
Initially, of the million people who saw the ads, 100 thought they were relevant, while 999,900 thought they were not. With targeting, 999,800 thought they were not. So if you ask those who received the ads whether they got relevant ads, you'll reach the conclusion that an absolutely overwhelming percentage did not. Obviously, targeting *doesn't work*.
And yet, doubling the number of customers the ad brings in is an impossibly high improvement. Advertisers would kill to get it. More to the point - they'd pay a great deal of money to whoever could deliver numbers like that. Obviously, targeting *does* work!
One person they spoke to is certain that this will soon change - that within 5 years, there might be limits on what data Target can collect, and there will certainly be limits on what they can sell. I pretty sure that's true.
By the way, it's important to keep in mind that Target - and every other company that does targeted advertising - always emphasizes that the positive value to the customer in delivering ads that describe products they might actually need. But that's of course not why the companies are doing this. The point is to sell more products. In fact, it's pointed out in these articles that the reason Target is so interested in discovering pregnant women and marketing to them is that it's long been known that young families tend to "bond" to certain brands (and likely places to buy them). Get them early and they'll keep coming back. Those early special discounts will be repaid many times over by full-price purchases.
Is there something wrong with this? Probably not, but just as there's a line where "clever" becomes "creepy", there's a line where "attractive" becomes "manipulative". It's never clear where the line is until after you've crossed it.
Many years ago, the group I worked for at a large company moved to a brand new facility. There was a committee that helped in designing various amenities, like the cafeteria. One decision was on the color. A consultant on the matter recommended (I think) yellow, because studies had shown that people bought more food in a yellow cafeteria. OK … but who is going with yellow good for? It's certainly good for the company running the cafeteria; but for everyone else working there, probably not. Whenever you see clever ideas like data mining to find pregnant women … ask yourself: Cui bono? Who benefits?
"We spent millions to put in that new safety system, and it's been totally wasted - we haven't had an accident in two years!"
It's very nice to say that "the free market" eliminated Microsoft IE's near-monopoly on browsers - but it's a misreading of history. No real "free market" existed, either before or after the change.
*Before* the change, Microsoft made a number of monopolistic moves. Windows represented virtually the entire PC market, and was impossible to attack: The deal offered to hardware vendors by Microsoft was "If you want a reasonable price for Windows, you have to agree to pay *per unit shipped*, whether a unit has Windows on it or not." Windows itself had IE6 embedded. You could, if you were technically adept, install another browser - but IE6 had to stay, because various other pieces of Windows (deliberately) relied on it.
*After* the change, Microsoft was under government scrutiny and regulation. They were forced to modify Windows to yank out dependencies on IE. More important, they were forced to offer users a choice of browsers during installation. There was no user demand for any of this, because the majority of users never even knew there was an issue.
If you look at things strictly from the point of government regulation, the market was "free" before the anti-trusts moves, and what Microsoft did was simply sharp-elbowed competition. That's a principled position, if one not shared by most people. You can argue, purely on market theory grounds, that Microsoft's moves were, in the long run, going to leave an opening for competitors to take the market from them. What you *can't* argue is that IE6's decline *proves* that pure market competition would have been sufficient - because it wasn't pure market competition that did the trick.
A meaningless comparison. Key length is one of those obvious things - after all, it's just a number and bigger is clearly better, right? - that leads people astray all the time. The thing to keep in mind is that what matters is not the *number of bits in the key*, it's the number of possible distinct keys. If I told you "I use AES-256 for absolute security, but it's easy for me to remember the key: I only choose keys between 1 and 1000" - well, that's obviously not very secure: You can guess my key in at most 1000 tries!
For a system like AES, every possible 128 (or 192 or 256) bit combination is a valid key. The strength of the system (against a brute force attack!) can be read directly off the number of bits. No conceivable computer will ever be able to attack a 256-bit key, and personally I cannot imagine a situation where a 128-bit key could be brute-forced.
For a system like RSA, only very special combinations of bits correspond to valid keys. An AES key is just a bunch of bits, while an RSA key, as a number, has to be product of exactly two prime numbers in a particular range, with special properties to boot. Even then, there would be too many values to try in a pure brute force fashion- but because of the necessary mathematical properties of an RSA key, no one does that. Instead, they use more efficient techniques that rely on those mathematical properties. A 1024 bit RSA key requires about as much computational effort as an 80-bit AES-like key. That's why the current recommendation is for at least 2048 bits (roughly the equivalent of 112 AES-like bits), though that's considered pushing it a bit. To get to the equivalent of a 128-bit AES key, you need a 3072-bit RSA key; to match AES-256, you need a 15360-bit RSA key! Such keys actually get used today. In 2005, if you combine published estimates, experts were predicting that 1024-bit RSA should be phased out by 2010 (though high-value uses should move faster). OK, so half way through that period, *one* 1024-bit RSA key was broken ... though in fact even that isn't true. (Breaking an RSA key amounts to factoring a large number into its two constituent primes. What the link points to was a successful factorization of a very specially chosen number - 2^1039-1 - for which even better mathematical techniques are known. Even so, it took the equivalent of 100 years of computer time. An indication that it was time to move on from 1024-bit keys? Absolutely. A practical "break" for massive numbers of RSA keys? Not quite.
An alternative to RSA is elliptic curve crypto (ECC), which has the same public-key properties but can use many more possible combinations of bits in a key, so can get by with dramatically shorter keys. In fact, to get the ECC equivalent of n-bit AES, you need 2n-bit ECC.
It's certainly true that courts consider it a virtue to rule as narrowly as possible, and only answer questions actually asked by a particular case. But we also need broader principles to emerge so that people can have reasonable certainty of how new, but not completely novel, cases will be treated. If Levy is correct, we're going to have to see more Hot News cases decided before we really know where we stand.
Each WPA association in shared secret (PSK) mode uses a unique session key, which is computed using the shared secret (the password you enter), the MAC addresses of the two ends of the association, and two random numbers, once generated at each end. So if you enable WPA but with password "password" - or anything else - each individual device will actually use a different encryption key in conversations with the access point.
*If* someone is monitoring at the time the association is set up, they will get all the data needed to compute the actual session key. But if they weren't able to see the establishment of the association, they can't derive the key. So, unlike the case with non-encrypted connections, just being able to converse with the access point doesn't mean you can read all its traffic. In fact, you can only read your own.
Now, this is not a very robust kind of protection. One attack against an existing connection is to interfere with it in any of a variety of ways, forcing it to be re-established - at a time when you are presumably monitoring, Still, it's better than nothing - and it's sufficient to render connections opaque to Firesheep.
A convention some people are following is to give the network a name that tells you what password to use. Of course, you can (depending on the exact circumstances) simply tell people what the password is - or put up a sign with that information.
For all the effort and money, the Times's paywall doesn't even work right. My wife ran into it last weekend. She'd apparently reached her limit of 20 stories. We're actually long-time paper subscribers, so "just had to log in". Except it wouldn't work. She actually called the Times support line. They had us clear cookies, log out, and log back in again. That worked for one or two stories - at which point it kicked in again.
Fortunately, for Safari uses, there's a *built in workaround*: Just click the "Reader" button.
There are so many levels on which the Times just doesn't get it. They pissed off a very long time subscriber, wasted support costs (non-trivial, if you look at general industry costs) for *two* calls, the second of which was just a complaint that it didn't work - and ended up with another person who now knows how to get around their code when she needs to.
The Federal False Claims Act - allowing anyone to file a suit "on behalf of the Federal Government" against a Federal contractor for frauds against the government, and then share in any award - has been on the books since 1863 and has been used and upheld through this day. It was actually broadened in 1986 and 2009. So there's by no means an absolute bar to Congress's ability to allow private citizens to act when the government itself has failed to.
How that will play out in this case - exactly where a court will draw the lines on what Congress can and cannot delegate - I have no clue. But it's certainly not obvious that Congress can't allow anyone to help enforce the Patent Marking restrictions.
Judges are supposed to follow the law as written - whether they like it or not. (There are out's for them in some cases, but usually not.) The decision they rendered here was based on the language Congress handed them: The court relied on the “exceedingly broad language” of § 1030(e)(1) that “’[i]f a device is “an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer.” The court also held that “there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet.”
Congress also wrote the law that, for the most part, takes away a judge's discretion in deciding on the sentence. One can make some arguments for this (it increases predictability, it helps ensure that rich white kids don't get shorter sentences for the same crime as poor black kids); one can make political arguments for it (people feel judges are too lenient and have chosen, through their elected representatives, to be tougher on criminals); and one can make very good arguments *against* it (basically, little in real life is cut and dried and trying to pin things down too much leads to miscarriages of justice). Nevertheless, this is the law we have on the books today.
I'd be the first to agree that it's absurd to enhance a sentence based on "use of a computer" when that "computer" is a cell phone. Hell, I'd even agree that enhanced sentencing for using a computer on the Internet is a bad idea. But I disagree that this is an indictment of the judges involved. It's an indictment of Congress, which passed bad laws.
The first part of fixing a problem is putting the blame in the right place.
Is it legitimate for Apple to do something like this? There's plenty of precedent. Apple views their store as ... like a store. Try going into a Walmart, setting up a booth, and selling books or CD's or whatever. You want to sell at Walmart? You use their system: You deliver stuff wholesale, they get it out to consumers. Start an auction on Ebay, then make side deals with people to sell stuff without Ebay getting its cut, and they'll close your account (and perhaps go after you if for what you owed) if they find out. A real estate agent gets paid even if you find a customer yourself. (I bought my first house based on a newspaper ad. The seller was pissed that he had to pay the broker, who had absolutely nothing to do with the sale, his 3% - but the contract with the broker required it and is quite enforceable.) In a way, Apple is being more open here than Walmart would be: It's as if Walmart said "sure, set up your booth - but you also have to let us sell your books/CD's at the same time."
Is it a good idea for Apple to do this? We'll see. Sony and Amazon and Barnes and Noble are certainly pissed about it, but realistically, if you're an Apple customer, this is unlikely to hurt you - and in fact it probably makes it more convenient for you. (The only way you as a consumer get hurt is if Sony and Amazon and B&N decide to drop their apps entirely. That seems unlikely - Apple didn't make this move until it was offering a market so large that they would find it difficult to walk away. But Amazon in particular is no pushover - they'll certainly bargain hard. We have certainly not heard the last word on how this will actually work.)
If you're going to split Verizon, you have to split AT&T along the same lines - classic DSL vs. U-Verse, with the slowest marketed U-Verse speed being twice the highest classic DLS speed.
But if you start down that path, why not start splitting cable providers into areas where they've built out DOCSIS 3.0 and areas where they haven't?
The fact is that no one (other than the carriers themselves) have data this fine-grained - and it's not even clear that they do. Oh, they know the theoretical speeds of their "last-mile" offering; but that's nowhere near the same thing as actual measured data. Fios, for all the theoretical speed of its fiber, could have crippled connections into and out of wherever all that fiber converges. Or there could be other things limiting them, perhaps even stuff they aren't aware of.
The Netflix data is valuable exactly because it's measured, not a guess. Networks are complex combinations of many different components, and you're kidding yourself if you think you can know the performance of any non-trivial network without measurement.
Sigh. So many remarks, so little understanding. And in this case, understanding is actually quite important.
The attack on Facebook *was* a man-in-the-middle-attack, not just keystroke logging. Like many sites - including stores and even banks - Facebook encrypted the password (and probably the username) that you sent. You'll see sites that do that show a little "why is this secure?" help box to assure you that, no, the page itself doesn't show a lock indicator (because it isn't https) but your credentials are perfectly safe because they are sent "using 128-bit encryption".
But they are not at all safe because you have no idea who you are actually talking to. It could be Facebook/the store/your bank; or it could be someone who mocked up a page that looks like Facebook's/your store's/your bank's, complete with a nice, encrypted username/password mechanism, sending your username/password right to them. The Tunisian attack was a slight variation in that they modified the real page on the fly to inject this attack, rather than making up a fake site - but the end result was the same.
If you're going to put your stuff in a safe-deposit box handed to you by a bank official - make sure you're really at a bank, and that it's a real bank official handing you the box! Relying on a "secure username/password" field on an unauthenticated page is like accepting an offer of a safety deposit box from some guy on the street outside the bank. Sure, the box is solid steel and the lock is high quality - but who else has the key?
If a site you deal with offers "security" by encrypting just the login information - complain to them. You'll almost certainly be unable to get a message to anyone who actually understands the issue - but if you follow up by closing your accounts, eventually they'll get a clue.
Techdirt has not posted any stories submitted by leichter.