Moxie Marlinspike gave a fantastic talk on this subject in 2010, even down to the government-mandated tracking device vs mobile phone: https://www.youtube.com/watch?v=eG0KrT6pBPk
Here's a set of default templates I wrote. I respect the reasoning for not providing them, but implementing 15 templates to get started out of the box is a bit onerous.
https://github.com/yourcelf/django-registration-defaults
Emphatically: yes. Those who collect stats on them find that they contribute a substantial portion of shares.[1] People rant against them often, probably because they wish they weren't effective, and they might not personally click them. But others do.
Wouldn't a solution be for the server to set its session cookie for every subdomain, as HTTP-only? For example, set "_gh_sess" for every requesting domain, whether www.github.com, github.com, something.github.com; and ".github.com" as well. If you hit them all, you prevent js from shadowing them.
Github only sets their cookie for "github.com". What I'm suggesting is that they set multiple http-only cookies: one for "github.com", one for ".github.com", another for every subdomain you access -- "pages.github.com", etc. If there's already an http-only _gh_sess cookie for every subdomain I can put scripts on, I won't be able to shadow it with my own _gh_sess cookie.
Got it, thanks. More detail at [1] mentioned by gingerline above: "the secure flag does not prevent a cookie from being overwritten. In fact, a HTTP site can overwrite a cookie with a secure flag, as long as the domain names are related appropriately. The secure flag provides confidentiality protection but not integrity protection."
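The cookie-overwriting behaviour discussed above, modelled in Python as an added example (not code from the thread or from GitHub): a minimal cookie jar applying the RFC 6265 domain-match, the rule that script cannot replace an HttpOnly cookie, and the later `__Host-` name prefix, which makes browsers refuse any cookie set with a Domain attribute. Hosts and values are constructed, and `Jar`, `Cookie` and `shadowing_demo` are names I chose.

```python
# Toy model of the browser cookie-jar rules behind cookie shadowing
# (RFC 6265 section 5.3 plus the __Host- prefix of RFC 6265bis). Added
# example, not from the thread; request matching ignores Path and every
# host and value below is constructed for illustration.
from dataclasses import dataclass
@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # "github.com" or ".github.com"
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False
    http_only: bool = False

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".")
    return host == d or host.endswith("." + d)

class Jar:
    def __init__(self):
        self.cookies = []
    def set(self, c: Cookie, from_http: bool) -> bool:  # False = rejected
        # __Host- requires Secure, Path=/ and no Domain attribute, so a
        # subdomain cannot plant one that is sent to the parent host.
        if c.name.startswith("__Host-") and not (
                c.secure and c.path == "/" and c.host_only):
            return False
        for old in self.cookies:
            if (old.name, old.domain, old.path) == (c.name, c.domain, c.path):
                if old.http_only and not from_http:  # script may not replace
                    return False                      # an HttpOnly cookie
                self.cookies.remove(old)
                break
        self.cookies.append(c)
        return True

    def for_request(self, host: str) -> list:  # cookies sent to host, jar order
        return [c for c in self.cookies if (host == c.domain if c.host_only
                                            else domain_match(host, c.domain))]

def shadowing_demo() -> dict:
    jar = Jar()  # server sets _gh_sess; a pages.github.com script tosses one
    jar.set(Cookie("_gh_sess", "real", "github.com", True, http_only=True), True)
    tossed = jar.set(Cookie("_gh_sess", "shadow", ".github.com", False), False)
    jar.set(Cookie("__Host-_gh_sess", "real", "github.com", True, "/", True, True), True)
    blocked = not jar.set(Cookie("__Host-_gh_sess", "shadow", ".github.com", False, "/", True), False)
    return {"tossed": tossed, "blocked": blocked,
            "sent": [(c.name, c.value) for c in jar.for_request("github.com")]}
```

`sent` shows github.com receiving two `_gh_sess` cookies it cannot tell apart, while the prefixed name is never shadowed; `blocked` is True even though the shadow cookie was marked Secure.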
This idea goes back further than you might think. The "Stereoscopic Workspace", from the Architecture Machine group at MIT in 1983, was a prototype of this idea, surprisingly close to this implementation 30 years later.
Indeed. A good way to increase diversity in hiring is to set a rule: your hiring process isn't done until you've received a minimum number of applications from various demographics that are underrepresented.
You still pick the best applicant from all submissions, but it forces you to make sure that news of your position spreads into more than just the usual communities.
See http://freedomdefined.org/Definition for a view (not RMS's) which extends the spirit of the Free Software definition to "Cultural Works", including art, music, etc.
Creative Commons has adopted the language of "Free Culture Approved" for licenses which meet this definition. Not all CC licenses do (in particular, non-commercial or no derivatives clauses are incompatible).
I think it's similar to http://isitchristmas.com/ . It's a simple answer that's always the same, to drive the point home: you are always the one responsible for your uptime, no matter whether you choose dedicated hosting, the cloud, your own closet, etc. You can't outsource responsibility.
Lamson seems to be a solid framework, but after trying to use it for a project I dropped it. Two assumptions it makes didn't work for me.
First, it takes over port 25 as your default SMTP server. This is great in that it saves you from dealing with the messy world of aliases etc, but not great on a shared host that does other things with mail as well.
Second, the FSM routing, while convenient, was ultimately limiting. Lamson routes mail based on the state of the sender (for example, 'subscribed', 'new', etc). But this state storage is abstracted away -- so if you wanted to change an address's state outside of the email flow (for example via a web app) or append additional data to the state, you have to re-implement the model logic for the FSM. I wonder if this is the reason why librelist, Zed's mailing list server implemented in lamson, has no web interface for subscription or list creation.
Lamson doesn't help you with parsing email any more than Python's standard library does (which is pretty decent, if a little verbose), so if you can handle setting up routing/aliases of mail to your application and storing state yourself, it might not add much.