664 posts • joined 11 Jul 2011
Re: Let's Encrypt
"What's not to like?"
I use their certs on my HTTPS hosted sites and this meets my needs and those of my guests. However, I'd be more than a bit concerned if something looking just like the domain name of my bank, but differently Unicoded, appeared with a padlock symbol certificated on the basis of someone being able to put an arbitrary file onto the web server for whatever the domain name was. With Unicode characters within domain names, many different text strings showing the URL next to the green padlock symbol can have the same appearance as the legitimate domain name.
Extended Validation is supposed to make this kind of business name impersonation hack more difficult.
Re: The problem is not Linux itself...
"Sorry, you've sent us an MS Excel (.xlsx) file: we don't use those. Please resave the file in the correct OpenDocument (.ods) format, or better still for future ease of use, import it into LibreSheet and use that application instead."
If you accept and run macros within office documents received from random senders outside your organisation, then you deserve to get infected and hacked by whatever's coming to you. If the office documents don't have or need to run macros, they will almost always render fine in LibreOffice.
Re: Your Money Back. Guaranteed,.
It's considered safer for drug buyers and vendors to use the dark web to meet and transact than to meet in person. A vendor has a reputation to lose if the product doesn't arrive or do what's advertised. Then there's the avoidance of turf wars, which without availability of recourse to civil law, tends to involve debt collection and contract enforcement using violence or threats of such. These same considerations applying to illegal drugs will also apply to dark web malware and hacking services marketplaces. The possibility of anonymous payment using Bitcoin makes this all possible - to the extent significant inherent risks, hassles, costs and delays make using this system for criminal payments worthwhile. Money laundering using cash is also much more risky and for similar reasons.
Clearly the purchaser needs to check the reputation of the vendor for reliability of delivery and quality of goods and services as with any online purchase.
"what's in it for me?"
'The issue of IPV6 always seems to come down to "what's in it for me?". '
If you don't care about the feudalisation of the internet and serfdom in respect of having no effective ability to influence or decide who knows what about you, then IPV6 has little to offer you. Efforts such as the Freedombox will come to nothing without the ability to install within networks which allow both client and server connections.
The alternative is continued degradation of the Internet in which most connections are client only, due to address starvation, in which getting anything done requires giving all your data away to cloud providers who mediate all your connections and sell the data they gather in the process to the highest bidder.
The only security relevant code with transparency
This has to be open source and has to be developed in the open, and with reproducible build capabilities * so that anyone interested can verify it or collaborate with any number of interested others to share and discuss the verification of it. Anti-virus on closed platforms has to operate with root and kernel level access due to its very nature. Having a consortium of universities or an audit "partner" able to inspect code based on vendor criteria in the forum offered and managed by the vendor doesn't guarantee that the urgent update you need to defend against a recent and critical threat has been independently verified.
* for why reproducible builds are required see: https://reproducible-builds.org/
How much leccy do miners actually pay for ?
This influences rational behaviour. If my local sysadmins ask us to leave several thousand machines running over the weekend for "essential security updates" it makes you wonder what else they're doing with all that machinery. This goes all the way to people accepting an app which they don't pay for and has a mining trojan, viruses running on botnets and teenagers wasting their parents electricity bill.
Property is theft
This article conflates and confuses 3 entirely separate property rights which have nothing to do with each other, other than the ridiculous grouping term "intellectual property" as if someone could "own" an idea.
The only natural property right is what a bandit, warlord or crook seizes by force and defends by force. That is how it was before the rule of law. In a democratic society law only works by consent of the governed, and if the public interest grants private property rights to be defended at public expense, the public interest requires compensation for the cost of this, both in relation to the cost of exclusion of those fenced out, and in relation to the cost to the public purse of maintaining legal boundaries around private property. If the land registry records your ownership of a plot of land with a dwelling on this, then you get to pay taxes to your local authority and that's how it should be.
Those claiming otherwise demand from us that those dispossessed subsidise the public cost of private property.
Copyright discussion has traditionally been one sided, due to the inability of politicians to oppose this uncompensated land grab by the man who buys ink by the barrel load and get elected.
Patents are good in the unusual and classic case of an inventive idea that no-one else would have been at all likely to have come up with. But most patents granted nowadays are nothing of the sort and are artificial monopolies maintained at the public expense, raising the price of any mildly innovative product for all of us. Patent offices make their money from patent applications and for applicants to continue to apply for these in large numbers a proportion of bad patents have to be granted making most patents bad. We've given the patent offices a license to print money, and given such a right who wouldn't run their printing press at full speed ?
The only one of these 3 areas of law which works in the public interest concerns trade marks. If John Smith has built a reputation at considerable effort and expense making and selling "John Smith Widgets" (TM), it's entirely reasonably that someone else shouldn't be able to adopt his name and pass off their inferior widgets as if they were his. This should and does not generally prevent another John Smith applying his name to a different trade.
Re: Encryption is complicated enough already
Interestingly enough I supervised a student project last year investigating post-quantum cryptography algorithms. It's basically about arithmetic. I'm not a mathematician myself, but the student already had a maths degree so was qualified to look at and compare current proposed post-quantum schemes. My main problem was understanding what she wrote well enough to give a fair mark for her paper. This promises to solve a big problem if quantum computing ever becomes a reality and we don't want to have to patch this issue very hastily as that's likely to leave very many implementation holes we'd rather not create in the first place. So it's a timely area of maths research.
For non-mathematicians, public key cryptography all hinges around a set of numbers on which arithmetic can be performed to make other numbers from them. let's call these numbers by their RSA convention, M,C,E and D . (RSA uses 2 numbers: E and N both as the public key but I'll just call this number E here for simplicity).
The algorithm needs to find a way to transform a randomly generated number: M ( M is for message, but it's actually used to encrypt the real message. It's a random 256 or 128 bit number used as an AES symmetric session key. We use symmetric algorithms for the heavy lifting, and public key algorithms to help protect the symmetric keys ).
We make M into an encrypted number: C, (for cyphertext)
so using a public key: E, we can say:
C = encrypt(M,E)
such that the private key: D can be used to convert C back into M.
M = decrypt(C,D)
If the public and private keys E and D are generated from the same input as a related pair, and knowledge of C and E by an eavesdropper can't be used to obtain M or D and having a large working quantum computer is no help, then the properties of RSA will hold in a post-quantum crypto scheme with the above arithmetic properties.
It's also useful if the scheme works in the opposite direction, so encrypting a hash H of a message into S using private key D can be reversed using the public key E to regenerate the hash, this scheme can be used for message signing and signature verification as well as message encrypting.
S = sign(H,D)
H = verify_signature(S,E)
So we've got 4 functions, each of which takes 2 parameters as input and generates a single output. How we use the inputs and outputs outside of these functions stays the same, it's what's inside the encrypt, decrypt, sign and verify_signature functions which concerns these different post quantum algorithms.
trusting trust and someone else's randomness not being as good as yours
Hence the larger and more complex the apparatus, the less likely it is you've been fully able to verify it doesn't contain any unwelcome secrets or hidden backdoors making the output observable, predictable or being capable of manipulation by unwelcome parties. A simple electronic circuit you've built yourself involving a pair of zener diodes as a noise source followed by some analogue amplification and digital gates to ensure you get an even bias between 1s and 0s might be as good as it gets in this particular space. If you have to buy hardware made by someone else, paying for it cash in person makes it less likely to be replaced within the delivery chain. IBM used to advise mainframe managers to use dice for system passwords, but we need more entropy for long term and session secrets nowadays. It's possible the hardware RNG vendor may be fully security audited, but what about the delivery chain ?
Re: Almost nobody even has beep installed.
" ... only 1.88% of users have beep installed. Only 0.31% use it regularly "
That's a very good example of the reason you shouldn't apt-get dist-upgrade forever (or your package management distribution upgrade of choice equivalent). This process leaves obsolete packages installed which you probably no longer want and which seem destined to come back and bite you when you least expect it. Doing a full and clean install occasionally, apart from maintaining knowledge of how to configure stuff you've become dependent upon, will keep a system in a more sane condition.
Beware faked rationales
They've been trying to push GM frankenfoods on us for years based on the easily refutable lie that the world will starve if we don't all surrender and eat it. Note that this yeast strain will presumably be licensed so breweries will either be prevented from growing their own yeast in the traditional manner, or will have to pay a regular monthly license fee in order to do so. The parts of Herefordshire and Kent where they grow hops look environmentally rich and diverse to me.
Of course the employees of the evil corporation which wants to foist this on breweries and drinkers can be encouraged to say it tastes good. I guess they would, wouldn't they.
computer misuse offences should be tried where the hacker was at the time.
It may be appropriate to drag people thousands of miles away in relation to terrorism offences or murders carried out where they're to be extradited to. But justice is not served by doing this for alleged crimes where the individual alleged to have carried out these crimes has no other connection with the place where they were alleged to have occurred. The UK courts should first of all decide whether the accuser has enough evidence to prosecute the case locally, refuse extradition if not, and whether they're making up the claimed damages based on the cost of making secure systems which should have been made secure before the alleged offence occurred. The treaty we have with the US seems to be very one sided and needs to be torn up and renegotiated.
@AC: "Why not fix the platform ?"
It can't be fixed, because the customers of the platform pay for user data and there is no other product.
Much of the leccy used is likely to be stolen.
Various articles are referencing use of vast botnets, malware, adware or mobile apps to mine cryptocurrency. The externalised cost is your CPU running hotter, and your mobile battery being exhausted sooner. Then there's what the BOFHs do with them and your employers electric bill when they ask you to leave your workplace computers on all weekend for 'software updates'.
Any crytocurrency mining operation which gets someone else to pay the electric bill will outcompete those who have to pay the market rate. How to burn the planet sooner rather than later.
Give a guy a license to print money
And he'd run the printers at full speed wouldn't he ? That's what a patent granting office has, in the sense each patent is a monopoly and collects application fees, more of which are likely to be paid the more likely it is for a patent application to be granted.
Low quality patents are a cost for everyone else. You run a small business, which a large business says treads on an obvious patent ? You can't afford the few million in legal fees to have it questioned ? Your business now has to pay tribute, or goes bust or can only afford to continue if taken over. If you pay for a product or service which requires patent licenses it's going to cost you more and we all pay more for such products and services.
@teknopaul: Current recommendation
I'd start with Postfix if you've never managed a MTA before. Simple doesn't seem to be a possibility in this space, but Postfix is relatively easy to setup if you just want to receive and relay for local mailboxes and handle transactional email from local webapps. If your human users want IMAP/POP3 you probably want Dovecot also.
@Mike Pellatt - Re: There are alternatives...
I do conditional post-processing on headers using Postfix as my MTA using entirely separate programs executed using the /etc/aliases mechanism. If I wanted to do selective processing pre queuing, I'd probably use the Postfix Milter interface for this. Better in my view to modularise what you need to do into different programs, but the usual stuff lots of other sites want including CLAM-AV and DKIM seems reasonably straightforward (compared to Sendmail) to integrate.
Re: Yes, it's hard, but...
I suspect early use cases might include where a provider of a vertical application which needs a higher level of security than otherwise available sufficiently to make it worth installing dedicated client applications - e.g. a bank or other financial trading platform which makes you use their own browser or plugin. But if an application provider can achieve that, I'm unsure that much better security is obtainable by using DNSSEC than would be provided by the application using a restricted CA list.
So if the benefits of DNSSEC will only occur when enough people use it we're down to a chicken and egg problem. There must be some benefit for a registrar which offers support in the sense more technical site operators who care about security will migrate to them from their competitors.
Difficult to imagine
under what circumstances assuring the security and integrity of this kind of approach is easier than Bob verifying the binding between Alice's identity and her asymmetric public key. Until then it's interesting research, but esoteric and impractical.
Open source hardware needed ?
Personally I think patching existing systems is likely to have to involve using software to increase timing entropy resulting in the blocking of these side channels where the software access control context calls for it. So processes already running sandboxed from each other or owned by different users shouldn't be able to read each other's memory and will run slower as a consequence.
This is just a patch. If the deeper problem exposed is that proprietary hardware can't be trusted anymore due to it's combination of obscurity and complexity, then open source hardware might offer a solution for users and applications where security really matters enough, initially to be willing to pay more for hardware offering the same raw performance, until scale economics enable this approach to compete against established hardware designs. The RISC-V open source hardware project seems to be making useful progress .
Re: DNS is insecure - muggle key mismanagement
It's a question of whether it's better for a muggle to learn to be more like a wizard by risking key management mistakes or to risk getting screwed by an incompetent or untrustworthy registrar which holds the keys for them. I guess if the muggle who wants looking after has the sense to pay for the less cheap registrar who relies on income from customers to not want to screw them over, that's their choice.
DNS is insecure
What's needed is for the reputable registrars to provide customers with more useful help in setting up DNSSEC in ways such that the customer retains the zone signing private key and this never exists on the DNS servers which serve the public key and signed records. The DNSSEC standard also probably needs a signed assertion available to the effect that unsigned subdomains of a zone do not exist, but if it currently has this capability I'm unaware of it.
"I am amazed at the decision, I think this is the first time in history that a UK judgement has prevented extradition to the US, but I might be wrong."
You are wrong. Garry McKinnon's case had various similarities to this one. https://en.wikipedia.org/wiki/Gary_McKinnon#Extradition_proceedings
@AC: re Extraordinary rendition
"He will need to suspect anyone coming within a foot of him in the street of having a rag with chloroform and a car parked around the corner to take him to a "private" Cessna parked at a nearby airport. Everywhere worldwide. UK included."
Depends on whether the US want us to tear up the treaty that allows lawful extradition. If they commit crimes of assault and kidnap on UK soil because they lose an extradition case in the UK courts, this would make any future UK extradition legal cases and the treaty that requires these moot, regardless of whether these concern a silly hacker or a genuine terrorist.
Re: You do know that Moore’s law says nothing about speed?
"Design changes can fix most of the weaknesses that allow Spectre and Meltdown, but it will take them a while to filter through to live systems."
It's always been reasonable for processes running with the same userid to share information from an access control point of view - you can always have more userids or introduce the appropriate mandatory access controls. If you want to create better boundaries between processes to restrict information sharing, operating systems already have plenty of discretionary and mandatory access controls which are supposed to give software designers the ability to achieve this. It is appropriate to close off these side channel vulnerabilities where processes are already running in different security contexts. It probably isn't appropriate to hit performance where the software design already runs things within the same security context and available access controls which could be used aren't being used.
We expect hypervisors and sandboxed applications to be contained against side channel information leaks, so the performance hit of containment needs to be accepted as part of the processor and operating system access control design.
Problematic business model
Geocities was bought in 1999 for $3.57B and switched off 10 years later. Providing the server and service with no revenue stream apart from paltry advertising, however temporarily popular, could only have been sold for that price if someone making the decision imagined it could become a monopoly capable of being monetized at some point.
Creating a production as opposed to demonstration/research app using such a service is likely to be high risk unless you can know in advance what it's going to cost your users and how they will pay for it. If it becomes a must-have monopoly, your heavy users will be price gouged or have to stop using what they've come to depend upon. If they imagine it will cost nothing it's unsustainable by definition and will eventually be switched off when the investor gives up funding the black hole.
If the NSA want to do illegal surveillance within the US of US citizens, I thought that's what they paid GCHQ to do for them legally.
Just as well it doesn't work all the time
In the early days of computer viruses when we used to find new ones every other month while providing a PC helpdesk and support service, I used to send samples encrypted against the public key provided by our then anti-virus vendor to said vendor so they could update their products and we could detect and remove them with less work on our part. Obviously I didn't want the malware I was sending our anti-virus vendor to infect anything else within the transmission channel so PGP encryption was a must.
Re: Bank Vault locks - cardboard doors
"The problem is that those who hold the high value secrets might know this but their bosses have a timeline of the next prime ministers questions."
This is probably why those in the know seem unlikely to want to include politicians within their inner circle.
Bank Vault locks - cardboard doors
Perhaps the cryptographic equivalent of bank vault locks can be got through by the tiny elite likely to be in the know, but why would anyone bother most of the time ?
Those who hold such high value secrets (i.e. knowledge of algorithm weaknesses) where these exist will want to use them very infrequently and against only the highest value targets for fear of disclosure through honeypot techniques and well tuned intrusion detection systems. It's all basic spy craft - those with high value sources protect these as much as they can which means most who could usefully know are denied access, information gained from these sources has to be very carefully guarded and sanitised prior to declassification and use, and the more use that is made will increase the probability that this kind of source gets disclosed sooner rather than later.
Everything else will involve getting through the cardboard doors - the very many and various implementation weaknesses against which very few systems are likely to be properly protected. So I don't think I'll be rolling my own crypto or combining multiple forms of it or engaging in other obscurity exercises likely to fail when I'm not yet doing the thousand other things I'd have to do (including knowing all my chip technologies and binary device drivers and system software) to avoid the cardboard doors.
The targets I have to defend just aren't valuable enough for me to worry about algorithms no-one has yet discovered unsafe despite large prizes for effective attacks being on offer for those who try to discover these backdoors.
What's wrong with https://22.214.171.124/
I don't think CA's trusted by any browser currently issue certificates per IP address. I'd also guess it would be insecure for them to do so unless they only issued these for addresses known to be static for the future lifetime of the certificate anyway, and I guess also that the PTR reverse mapping pointed back to a domain which also participates in the same ownership establishment protocol. Could possibly be done in the IN-ADDR.ARPA domain using DNSSEC.
@Androgynous Cupboard - Re: Pot calls Kettle black
"That we should hold Wikipedia to a lower standard because many of the pages are wrong?"
Not at all. Wikipedia consistently achieves a very high standard in relation to the articles most people read, just as the Linux kernel achieves a much higher standard than proprietary alternatives in connection with the code paths most people use. There are still plenty of zero day vulnerability bugs in Linux device drivers hardly anyone ever uses or checks the source code of. If I find an error in Wikipedia I correct it, and if I find a bug in Linux I report it to the appropriate maintainer.
Pot calls Kettle black
I have no reason to doubt that the Register tries very hard to get facts right as well, and generally believes its sources until corrected when it checks, fesses and corrects, just as Wikipedia does. But I very much doubt The Register has the funding to take the same amount of time to correct articles which are of more than passing interest and which are read by more than a few people over many years. Sure Wikipedia also has many pages likely to be wrong, but how many people are interested in correcting these compared to the articles which get 99.9% of Wikipedia's page hits ?
The second law of thermodynamics when applied to the WWW would humble any editor who both understands and cares, but debugged open source knowledge is a difficult beast to compete against for those for whom their published output is a profit centre.
Been there done that
My automated python suduko solver does this using a combination of simple techniques and clone, guess and exclude in about 400 lines of source code. Haven't found a suduko it can't solve. Will link the source code if anyone's interested enough.
Re: Isn't it about time...
"national CAs were only authorized to sign certificates for their own national TLD" . That's called DNSSEC. See also RFC7671, otherwise known as DNS Authentication of Named Entities (DANE).
User friendly encryption ?
If the user of a product is aware that they have to do something in order to encrypt or decrypt then their security process isn't user friendly, because a secure process is secure by default. Crypto keys for typical users should be created and stored automatically, e.g. when they register a domain or account, and ideally stored where they're very unlikely to be meddled with by their user, and can't be meddled with by anyone else. Those able to access private keys in the first place need to know what they're doing with them, or these aren't secure.
Depends what ransomware victims are obliged to buy
BTC/BCH is now less dependent on blind faith and is now managed by the number of marks infected by ransomware and the proportion of these who decide to buy in, in order to decrypt their data. Another group who have to buy in are arms and illicit substance vendors who want to reduce their risks of becoming collateral damage victims in the violent gang warfare which traditionally has controlled their turf in the absence of recourse to civil law to resolve contractual disputes. So which one of these currencies survives, or whether both survive, will be determined by survival of the fittest ransomware and darknet marketplaces, and how long it takes regulators to disbelieve these systems have legitimate uses before closing down the BTC/BCC for conventional exchanges as accessories to money laundering.
Is this model trusting 3rd parties not to be evil ??
Wow, but I'm not convinced this article has more than scratched the surface of the real security issue, likewise "fixing" it using HTTPS only fixes the 4th party exploit described.
It's not difficult to understand why a security scanner needs admin access to a system. This context presumably prevents normal sandboxing, as you would get for 3rd party scripts linked through a webpage - though I block such scripts generally. But even if the 3rd party content were provided using HTTPS is it really considered sane for such content to have the same admin access to the PC as the scanner it funds ? It sounds to me like the 3rd parties are probably not just getting access to _show_ you their content. An investigation into whether they are in fact or are capable of _accessing_ likely to be more valuable content on the machine being scanned seems called for.
Personal data seems likely to be more valuable than the right to display content during a scan or web page view, and it's why I'm refusing so many mobile apps inappropriate rights to access this on my mobile platforms which they don't need in order to deliver the functionality offered.
continuing demand for bitcoin
As managed by the number of marks who get infected by ransomware, a proportion of whom will choose to pay the ransom and so have to buy in. Bitcoin is a managed currency, where 3 factors: mining, anonymisation and demand management are all likely to be in the hands of those controlling the biggest botnets for various technical and cost reasons. So this impending fork probably won't change the game much, though might leave cybercriminals 2 different payment options. Governments blocking the $conventional for Bitcoin exchanges as money laundering accessories would do that, by making it impossible for marks to pay ransoms, making Bitcoins worthless overnight.
Re: I think the point is that..
"You can use PGP signatures, but how do you know you have the right PGP key to validate it with?"
If you have been using Debian or Ubuntu for any length of time, packaged software downloads are signed using developer keys, some of which have signed the Tails gpg keys. So you can install the debian-keyring package, which is signed by these distribution repositories and this gets the same verification as other Debian or Ubuntu packages installed using apt-get . This means that for the NSA to have compromised the Tails instance as downloaded through a MITM or whatever, and for you not to be able to detect this if you're very careful and check signatures, they would also have had to compromise signed parts of the Ubuntu or Debian infrastructure. It seems to me much more easy for the NSA to have compromised the Tails distribution itself. To find that kind of hole you would have to check the Tails source code and compile it yourself, assuming you're both paranoid enough to want to do that, while sufficiently technically capable to compile it yourself on a platform which you do actually trust. Instructions on checking this chain of trust here:
"People who pay more than than an average yearly income for a bottle of rotten grain DESERVE to get cheated!!!"
It's the emperor's clothing - the oldest scam in the book. And the psychology is all to do with the presentation. Once the mark who is parting with the cash has been sufficiently flattered, their vanity will override their sense of taste anyway. And frankly I don't see anyone parting with that much cash for a blend of organic substances and residues preserved in spirits aged beyond where it can still have very much flavour wanting to waste a drop by putting it into a reagent testing machine anyway. Yes it's true - all beverages will lose their flavour if aged beyond what's best for them, which in the case of fine whisky can be up to 20 years.
Re: So what about the battery
They can use kevlar bags in hold to contain luggage explosions up to a certain size. And then use fire suppressants which they wouldn't be allowed to use in the cabin.
Change the distro ?
Given the modularity of different Linux desktop flavours and different Linux distros, this particular choice no longer needs to be conflated. I thought the underlying package management systems had pretty much fixed that problem years ago. You choose a distribution for its package management style and the package repositories and their management nowadays - not the desktop flavour.
Re: Property is theft
@Doctor Syntax: If I make or grow something by my own efforts you should be entitled to it for free because somehow I've stolen it from you?"
No form of property is absolute. It always confers _limited_ legal monopoly rights and can come with reciprocal social obligations. This is because the law which enforces legitimate property rights is a balance of public interest exercised at cost to the public through the expense of the taxpayer funded legislature and court systems. There used to be only one informed side to this discussion concerning copyright: i.e. your side, because that's the only side the man who bought ink by the barrel considered fit to print. That's no longer the case.
There is a wider public interest in the creation of new intellectual property. But no-one is incentivised to create original new work based on speculation of what they might earn 20 or more years after it's published. Those so engaged have better incentive if they are not going to be contested by every stale idea or meme from the past which someone else may have thought of generations before and which new creative work can't avoid accidentally infringing upon, or legitimate reference to. The public benefits from new copyright being established to the extent outdated copyright enters the public domain, but not when copyright durations are extended beyond their original legitimate purpose by one sided terms of discussion and political lobbying.
If you ever purchase a plot of land, you'll find your rights are also limited. You probably won't be allowed to turn a domestic dwelling into an industrial unit by planning restrictions. You'll have to pay taxes to the local authority. You won't be able to stop aircraft overflying, or miners from undermining. Your house and land ownership is defended by the public purse, to the extent it's in the public interest that you enjoy your ownership for the purpose for which the wider public intended, through planning and other environmental regulations and the local taxation due.
Property is theft
One person's property always fences everyone else out of what's been enclosed. It doesn't happen without taxpayer funded cost of the legal protection to whoever is granted this exclusive right. it's all of us who pay the taxes to enforce property rights, but not all of us who benefit from the exclusive rights granted to private individuals and corporations.
Sometimes there's a good case for it, and sometimes the reverse. Sometimes what spun as benefitting most people will change compared to what's happened before - change is to be expected here. The Bible probably wouldn't exist had the early copyists had a concept of IP as a moral issue, because to survive the burnings of Bibles and the feeding to the lions of those who would copy it in opposition to the state morality at that time, considerable resources had to be invested, given the primitive procedure of copying then with the effort this took. On the other side of the argument you'll find that agricultural productivity increased greatly through the late 18th and early 19th century as a direct consequence of the land enclosures and Parliamentary acts which enabled the conversion of land held in common into private smallholdings which could later be concentrated into the hands of the richest. But it came at a terrible price for those forced off the land into near slavery in the industrial mills.
Copyright in something close to its current form probably can't be avoided in some sense, but it almost certainly lasts longer than is needed to incentivise the work it protects. It lasts too long, due to the previously successful lobbying efforts of those who would extend it to last for ever minus a day and the improbability of politicians arguing against the private interests of whoever bought ink by the barrel. If copyright lasted a shorter period, perhaps similar to the 20 year lifetime of patents, it would construct fewer barriers to the creation of newer cultural work which has to reference older works by reusing these in some minor ways.
Squirrelmail has been around for years, and trouble free in my case, and this vulnerability doesn't affect me as I use SMTP/IMAP as the front/back ends for it. As with others, I try to keep personal and family communications away from corporate data mining and branding. I've heard of Roundcube, but as I've been successful with Squirrelmail/Postfix/Mailman and others, which have been relatively straightforward to setup , configure and maintain compared to Sendmail which I used in the past. So I've had no reason to try Roundcube as Squirrelmail just works. Can you provide one ? It's Dovecote and trying to get proper email clients working sensibly on all sorts of tablet/phone platforms that have me tearing my hair out, so maintaining webmail for this kind of application (other than on proper desktops which have proper email clients) makes more sense as I only need to do it once for many client platforms.
trust decisions need verification
This is probably mostly about human decisions here being assisted by machine ones, though the fully machine decisions also matter, e.g. what is the probability this email came from a spammer, or what is the probability this prospective customer will pay ?
Verification of what to believe first and foremost depends upon who said something. If it's said by someone you've never heard of, do cryptographically verifiable assurances exist from trustworthy assurers that the person who said this is generally honest ? E.G. Has the Guardian's/BBC's/Telegraph's/(choose your media poison) known key signed that this person is on their staff ? Or is this person a friend of a friend known to have good judgement about choice of friends ?
If assertions of fact e.g. in Wikipedia have verifiable chains of trust to more than one strong trust source, these assertions are likely to be considered as more reliable than assertions with only 1 chain to a weaker source. Trusting a key holder to be a good verifier of one variable which matters, (e.g. identity or veracity or honesty ) doesn't automatically make it a good verifier of other variables.
Building this key infrastructure is something the social networks which already know about who knows whom or who reads what will have a natural advantage. And it's an inherently Metcalfe Law monopoly position liable to be exploited in ways which probably aren't in all of our best interests - if we think a little about what the banks have done to everyone else historically. Privacy requires we are able to speak with different digital personae in different contexts each of which may have its own reputation as perceived and verified by others.
An IPV6 address that's really hard to remember.
How many IPV4 addresses (or phone numbers for that matter) do you remember ? That's what DNS was invented for - so you don't have to remember IP addresses.
Re: I'm Ok with IPV4 for now
"Why would I need IPV6? What will it bring me?"
The ability to address and talk to the half of the planet which doesn't yet have Internet at all in any form ? So I was happy with my short 1960ies style telephone number - what did adding extra digits give me ?
That's the most obvious benefit. Not having to talk through proprietary cloud servers due to loss of end to end connectivity with Carrier Grade NAT at both ends between which a connection could usefully be made is the next compromise best avoided, and not having to pay a price to rent an IPV4 address in a market shortage so you can run your own cloud server is a further compromise best avoided, otherwise required to save a limited addressing scheme gone smelly due to being way past its use by date.