Even if Bob is masquerading as Sally, if the connection to the secure resource isn't persistent, then Frank still can't access it without Sally's secure password.
a) Not password, but security related (say, restricting downloads). You have Bob on the 1st floor who pretty much just writes out paperwork. However, Bob's computer gets a virus. This virus emails itself to the department in the form of an infected document or whatever, which gets opened by Jim in accounting. Now Jim's computer sends all the client-info to some public webserver where it's picked up by crackers from Russia.
Ok, even allowing you the situation where an email virus is run, that shouldn't give it access to sensitive client info, because sensitive client info should _not_ be accessible in the clear on Jim's computer. At the worst the Russian crackers should get a list of the client's names and contacts, but not account data. The account data should _not_ exist in the clear in a non-volatile form on Jim's computer. If the virus is doing screen captures or something, then the info may be available to it, I'll give you that, since Jim (being in accounting) may have to see the account details at some point.
b) We'll use Bob as an example again, except this time, Sally from HR has gone on Maternity leave. There's nobody to replace her right away, so Bob gets somewhat of a promotion. Sally gives Bob access to her network share via her username/password, so that he can access documents there. Sally's password is fairly secure, however Bob's is still "fido." Frank from the other department decides to sniff around because he thinks he's getting stiffed on pay. He logs into Bob's computer and downloads an Excel sheet with the employee pay scales from Sally's share that's still connected on Bob's computer...
Okay, first off Bob does _not_ get Sally's user name and password. Bob uses his own user name and new _secure_ password to access the network share. Bob should _not_ be masquerading as Sally. The connection to a secured resource should _not_ be persistent. Even if Frank guesses Bob's insecure workstation password, he does not have Bob's new secure password to the network share, and the network share is not connected, so Frank has no access.
Now, I don't agree with IT Departments that insist you have a 15-character alphanumeric password with at least 2 other characters, but having a decently secure password that's not easily dictionaried or guessed is not that hard.
I agree. Ironically, where I once worked they had a password policy that placed a _maximum_ number of characters, and disallowed characters like $, @, !, etc. It also disallowed using the same character twice in a row, so things like P@ssW0rd would not be allowed, because of the "ss". The end result was people using insecure passwords that are hard to remember.
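An added example, not from this thread or any of its commenters, that quantifies the policy described in the comment above: a cap on length, a ban on special characters, and a rule against the same character twice in a row. The exact maximum length and the full banned set are not given in the comment, so the length limits (8 for the restricted policy, 8 to 16 for the comparison policy) and the use of Python's `string.punctuation` as the banned set are assumptions. The code counts how many conformant passwords exist under each policy and expresses that as bits of entropy, and it also reports why the comment's `P@ssW0rd` would be rejected.

```python
import math
import string

# Constructed character classes (assumption: a US keyboard; the comment names
# $, @ and ! as banned but does not list the full set, so string.punctuation
# stands in for "characters like $, @, !, etc.").
ALNUM = string.ascii_letters + string.digits   # 62 symbols
SPECIALS = string.punctuation                  # 32 symbols
FULL = ALNUM + SPECIALS                        # 94 symbols


def count_strings(alphabet_size: int, length: int, no_adjacent_repeat: bool) -> int:
    """Number of strings of exactly `length` symbols over `alphabet_size` symbols.

    With the no-adjacent-repeat rule the first position has `alphabet_size`
    choices and every later position has one fewer (it may not equal its
    predecessor), so the count is a * (a - 1) ** (n - 1).
    """
    if length <= 0 or alphabet_size <= 0:
        return 0
    if no_adjacent_repeat:
        return alphabet_size * (alphabet_size - 1) ** (length - 1)
    return alphabet_size ** length


def keyspace(alphabet_size: int, min_len: int, max_len: int, no_adjacent_repeat: bool) -> int:
    """Total number of policy-conformant passwords with min_len <= length <= max_len."""
    return sum(count_strings(alphabet_size, n, no_adjacent_repeat)
               for n in range(min_len, max_len + 1))


def entropy_bits(keyspace_size: int) -> float:
    """Bits of entropy if a password were chosen uniformly from the keyspace."""
    return math.log2(keyspace_size)


def policy_violations(password: str, max_len: int, allowed: str, no_adjacent_repeat: bool) -> list:
    """Reasons the described policy would reject `password` (empty list = accepted)."""
    reasons = []
    if len(password) > max_len:
        reasons.append("exceeds maximum length")
    if any(c not in allowed for c in password):
        reasons.append("contains a disallowed character")
    if no_adjacent_repeat and any(a == b for a, b in zip(password, password[1:])):
        reasons.append("repeats a character twice in a row")
    return reasons


def compare_policies(restricted_max_len: int = 8, sane_min_len: int = 8, sane_max_len: int = 16) -> dict:
    """Entropy of the comment's policy (alphanumerics only, capped length, no
    doubled characters) versus a plain minimum-length policy over the full
    printable set. The length limits are assumptions; the comment gives no numbers."""
    restricted = keyspace(len(ALNUM), 1, restricted_max_len, True)
    sane = keyspace(len(FULL), sane_min_len, sane_max_len, False)
    return {
        "restricted_bits": round(entropy_bits(restricted), 1),
        "sane_bits": round(entropy_bits(sane), 1),
    }


if __name__ == "__main__":
    print(policy_violations("P@ssW0rd", 8, ALNUM, True))
    print(compare_policies())
```

The comparison shows the direction the comment describes: every one of the three rules removes candidate passwords from the set a user may choose from, and none of them removes the easy-to-guess ones preferentially, so the policy shrinks the keyspace while leaving dictionary words fully allowed.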
And which are the 5%?
The ones who can change other people's passwords.
And how do you work out which roles those are? Bonus points for describing how to integrate a data access privilege level for every user when they are first hired, when they change role, or every time the information they access changes.
The security protection should be put on the resources being accessed, not the user accessing them. Keep things with different security needs separate. When someone's role changes and they need access to that resource, then they have to conform to the security requirements of that resource. If that means using a different password than their desktop log-in, that's fine.
Oh look, it's ten thousand times easier and more secure to train everyone to do the right thing in the first place.
Easier, yes. More secure, no. You can't successfully train everybody at the same level, without lowering the level to the point of not providing adequate security when it really is needed.
The first few releases of Linux sucked too. However, just like Linux, once people start using it for their own purposes, their improvements will make their way back for others to use.
OpenMoko right now is mediocre. OpenMoko in 5 years, after several companies sell products based on it and dozens of hackers make those devices do new and novel things, will rock.
In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").
That is exactly why most people don't like IT security. The true answer is that their password _can_ be the name of their dog, for 95% of users, because they won't have access to sensitive information by default. To access that sensitive info, they should have to jump through security hoops, use secure passwords, etc., but not to unlock their workstation after refilling their coffee.
There's an old saying, that I can't remember exactly, that says if you use the same protection to safeguard your bread, as you do your money, then your money will be as insecure as your bread used to be. The reason is that nobody is going to run the vault combination every time they want a slice of bread, so the end result will be that the vault stays open, making your money insecure.
And yet I got modded insightful for being redundant, and you got nothing while being informative.
You gotta love Slashdot.
That was one of the links in the summary....
In the what?
They'd never get more than 1 vote, assuming it was initialized to zero. ;-)
0 % 3 == 0, correct? If it were initialized to zero, it would stay at zero. Unless in C# 0==true.
Obligatory XKCD reference: http://xkcd.com/463/
Well, not so long ago I too was a Windows power user. Then I read some stuff on the Linux file system, package managers etc. Now you can pry Ubuntu from my cold dead fingers.
The difference is that you were a "Windows" power user, and not a Windows "Power User". The former is a power user who happens to use Windows, the latter is a Windows user who happens to use Windows.
Or since it costs the government x dollars to protect the country in aggregate, the cost should be x/population for each person.
Only if the value of the country in aggregate can be calculated as y*population, for some constant y. I think we can agree that not everybody in the country has the same value to the aggregate as everybody else.
No I'm not, but that's an implementation error, not a design error.
Does someone who pays $100,000 dollars in taxes get 100 times the benefit of someone who pays $1000 in taxes?
Theoretically, yes.
If a private company were providing the same benefit, then each person would have to pay equally for the value of the benefit. Government systems are the only ones that charge you more if you have the ability to pay it, rather than charging you according to how much you value their product.
Consider insurance, where cost of insurance is proportional to the value of what is being insured. Someone with a $1,000,000 house shouldn't pay the same insurance as someone with a $100,000 house. Since government's role is to safeguard your person and property, then the cost to you should be proportional to the value of your person and property.
Is their life worth half of mine?
Financially? yes.
Do they get half the benefit from the schools that educate their children, or the roads used to bring the groceries we eat?
In theory, yes. In practice, it's probably slightly more than half, as there is an upper bound to the benefit you can receive from those examples.
Besides, by this reasoning they are getting exactly half the benefit I get. This argues for a flat tax rate.
Yes, it does.
How do you define productivity? If it's working hard, then you're right. If it's providing something of value that people will pay for, then you're not.
Unskilled labor is something of value that people pay for. Almost everything offered by unskilled labor adds value.
Is there a logical reason for taxes to be per-unit (of income), instead of per person?
In that case, people would be your unit, so the more people you have, the more total taxes you pay.
The government services they finance are not per-unit; I don't get twice as much DEA enforcement, or USCIS (= INS) prevention of competition for my job from Mexicans, as somebody who makes half my income.
You don't get twice as much service, but you do get twice the benefit. Should someone pay the same amount to protect their $25,000 as you do to protect your $50,000?
But unless the market is really messed up more productive people can negotiate higher salaries.
People with a less available skill set can negotiate higher salaries. Some very productive people work as unskilled labor. Your productivity may increase demand slightly, but a shortage of supply is a sure way to earn more.
They can also change jobs to higher paying ones a lot more easily than people without a track record of productiveness.
In what industry do you work?
A flat tax rate would tax the rich more than the poor (same percent of a higher income is more). Our system with a higher tax rate definitely taxes the rich more than the poor.
Well no, it would tax them the same, because taxes are a per-unit thing. The fact that rich people have more units doesn't mean they're taxed more (on a flat-tax system, our current progressive one actually does tax them more).
At what point does it stop being obvious that you need to take even more money from rich people and even less from poor people? When your tax rates get so high you're starting to cause your most productive workers to leave the country?
There is no necessary correlation between a person's income and their productivity.
We can already turn base metals into gold, but the cost of doing so is more than the gold is worth, and the gold will kill you.
Not nuclear. At least, not from our sun.
The thing is, despite all the flaws in Adobe's flash player, it is generally fast and things load really quickly. Java on the other hand though more open and better, takes forever to get things loaded and navigation in Java has always seemed to be laggy.
The loading speed of the Java plugin is being addressed with the upcoming update 10, which actually contains many improvements. The navigation issues are usually a result of a badly written UI, which unfortunately is all too easy to do with AWT and Swing.
The new JavaFX takes much of the complexity out of writing a well behaved UI. It will also have better multimedia playback for video content like what YouTube uses Flash for.
I don't disagree that flash is bad for the web, but in order to convince developers not to use it, there needs to be a valid alternative.
Sun is hoping that Java/JavaFX will be just that alternative.
They could read the 6000 page OOXML specification. It would take just as long, and would probably prove a good point in the process.
I can see Linus and Theo drafting legislation that would cure all disease, end hunger and create world peace, but then being unable to pass it because they can't agree on what license to release it under.
We need new blood in political office... people who are a little more 'in' with technology, etc.
Great, then we'll just have them wasting time filibustering measures to declare Vi better than Emacs, or KDE better than Gnome.
Way to use logic on Slashdot and ruin my +5 Funny.
Good point, Windows should identify the offending driver, read its manufacturer info, then shame the creator on the BSoD.
"A fatal exception has occurred because CheapHardware's Crappy802.11g device driver was written by mildly retarded gibbons."