Look, you're obviously childish and hostile, and probably trolling, but I'll answer a couple things anyway.
Yeah, I proved you wrong so I must be childish, hostile and probably trolling. Absolutely.
None of my questions were difficult to answer: they were specific, pointed questions to justify your "prediction". But all of them were skirted. And I never said OOXML was the same as h264. But a free, fully-legal h264 implementation is as impossible as a free OOXML implementation, for partially different reasons. Hence the analogy.
Wake me up when you gather citation for your prediction. Or, maybe you find an argument which does not need the stupid prediction.
When predicting the future, one can always say, "nuh uh!" I could say, "The world probably won't explode in the next 10 seconds," and you could say, "It might! Where's your evidence!"
1. You didn't say "probably". After being caught making idiotic statements, you now want to give such an impression.
2. I have already shown you how the same happened with MP3 after luring everyone with a false sense of security, just like yours. They even went after the behemoth, if there is one in this industry, Microsoft; before which all tremble.
3. You are counting on corporation(s) forever not to do something that in some cases might maximize profit for themselves.
4. From the looks of it, you must have supported the OOXML "standard" too.
In other words, the above quoted statement is an awful analogy of the situation. Not that I expected any better, so my keyboard is saved from the coffee in my mouth.
However, we don't know for sure that there even are any decent patent-free video codecs
Hence, thankfully, you are not on the board to decide on the standard. (Those who actually are might have sold themselves, but that is a different story.) Why not figure it out first, talk to patent owners (if any), get contracts signed which make sure internet freedom is not compromised? We have done without HTML5 for billions of years; it is not like anyone is holding his breath for a solution to this problem. But once a standard is arrived at, it must be a good one, lest all standards in the world suffer (the more) for it.
Firefox, Chromium, Konqueror will not even be able to write "standards compliant" in their descriptions. Internet Explorer will be able to. I look at it as a pretty major threat to internet freedom, given the respect IE shows to standards.
They *want* it to be widespread so that they can get a cut of every bluray sale and every iTunes movie rental.
AND every Firefox download. AND every Ubuntu download. AND every mom-n-pop computer assembler who installs (no more) Free Software on his customers' machines out of box. AND the new Free internet access software, that no-one has even imagined yet and will never imagine if such "standards" abound in the industry. So, you are right that they want it to be widespread. But you are wrong that internet freedom will not be the less for it.
Are you serious? What, are you 5 years old? Grow up.
You made a stupid claim (about the future, to boot). You have absolutely no basis in reality to predict it. I caught you at it. And it is I that am 5 years old? Awesome.
I am not saying that it is "an absolute crime", whatever you mean by it. People have been asked to pay billions of dollars to MP3 patent holders. After it became the "only audio format in the world". The software I want to use in a standard-compliant way is not developed by people who can pay billions of dollars to follow this standard (e.g. mozilla, most linux distributions, free small-time browsers/internet access software, mom-and-pop computer system assemblers). I do not want standard compliance to cost anything other than good coding. This wish of mine was in general satisfied in the software/internet world. It ensures the freedom that the internet has come to embody. You falsely advocate (by giving unsubstantiated predictions, no less) that this not happen anymore, that simply "standard" compliance could cost money.
If the h264 patent holders, to make it part of a standard, sign some deal to not go after software/hardware manufacturers for this, I might not find problems with it. But you, who have zero authority, sense and qualification to make any statement about it, are "assuring" this? Do you realize how idiotic it is?
Regardless, what we were really talking about is Flash. Flash doesn't actually diminish use of h264 anyway. It just serves as a media player which plays the same h264 files.
This means you can become an official crystal-ball gazer and spew forth cock-and-bull stories about the future, and I am supposed to accept them?
I didn't give any opinions, I just asked for citations for your unsubstantiated claims. You tried to substantiate them with your own worthless opinions about the matter, which I rejected by telling you their worth.
Now for that mythical "good sense" of yours. Consumers need not get sued directly to get affected. Numerous software and consumer electronics manufacturers got sued for MP3. This included corporations of humongous size, which could throw money like water to win the lawsuit. This means Free software cannot do much with MP3 if they want to be absolutely legal. Something similar is possible with h.264. You give no proof that it won't happen. Your repeated claims that it won't happen do not count as proof.
But anyway, you don't even have proof that h.264 patent owners would not go after consumers directly (not at all for indirectly). So better not make statements about which you know nothing if you do not wish to reveal to the world your idiocy.
In another sense, it's not patent infringement so long as the patent holder isn't going to ask you to stop.
Do you want to imply that h.264 patent owners will not "ask you to stop"? That is a considerable statement, and a pretty convincing citation is needed to back it up. Unless you are a fanboy of some of the h.264 patent holders, of course.
Even if they might not have been very litigious with h.264 so far, making it part of "standards" would give them tremendous temptation to start doing so now. Somewhat similar to mp3: the general public became aware of its patent encumbered-ness only after it was "the only audio format".
See the sentence above the sentence right above this one.
You evil h4x0r!!! You tried to trap me into an infinite loop? My security software detected it and foiled your misguided attempt to bind me into an infinite loop reading your depraved post. Obviously, security software is not as bad as you make it sound.
(And you thought halting problem was insoluble in good time).
Nothing against your argument, but in this case, the AppStore policy is the DRM. I guess the GP meant it this way too. So, content providers here are the Software(App) providers (yet not excluding the real content providers like book/music/video etc). The line between content and software is blurring, especially on the ipad.
Just widen your definition of DRM a bit, and you will see that DRM is very much the issue here too.
The reason why some "content" providers might prefer the walled garden (arguably it is DRM) is that you can't pirate applications* => more revenue. Simple & secure design draws people towards it and creates larger market for content providers => more revenue. Design is simple because there are fewer options. Secure because there are fewer options, and trouble-making apps can be revoked after the fact. RDF also plays its role.
*You can pirate applications if you jail-break, but there are definite disadvantages of jail-breaking. The few who do jail-break don't change what I mentioned above.
Your statement about the ipad being bigger is spot on. I don't see how it comes under "portable" devices at all. Most netbooks can be put in a large pocket / very small hand & shoulder bag / ladies purse / man purse. The Ipad can only occupy a small subset of the aforementioned abodes. I don't see the hysteria about thickness. Less than an inch, and the other dimensions become very important.
WAAAH!! you are a moron, you wouldn't recognize the GPL if it danced naked in front of you. You are not fit to lick the boots of a respectable open source missile professional.
You have to supply the code only if the enemy/unfortunate neighbour asks for it. You could also levy a reasonable charge for the cost of media.
It might be an incorrect conspiracy theory, but your refutation of it is absolutely idiotic. You have already assumed that the theory is false before proceeding to refute it.
It's not like there's a shortage of malware going around, you know? Why'd we engineer threats when there are real ones aplenty? I could see your argument if the amount of hard hitting malware was less than half a doze
What proof do you have that the "real ones aplenty" are not created by anti-virus companies? Or rent-a-coder from Ukraine paid by anti-virus companies out of their "R&D" costs?
Why spend that money if it's already been spent by someone else?
The whitelist can't help. The only workable solution depends on a default deny environment.
Then how do you define whitelist? I thought, as I guess the GP poster did too, that a whitelist is a default deny environment. Whitelisting is just a way to override the default deny.
Or do you want a "default" deny, which cannot be overridden?
the article says that only 5% of Facebook users have bothered to hide their friends list
Not that I use Facebook much, but I did try to hide as much as possible. But when I logged in to Facebook a month or so later, Facebook "helpfully" showed me a page, ostensibly to give me "higher control" of my privacy settings. This page had all the privacy settings marked the equivalent of "publicly visible", and if I wanted to hide them again, I would have to painstakingly do this for each of the settings (a 2 step process for about 8 items). I couldn't see any obvious way to "mark all private", or even to keep the status quo. But a simple "OK" would mark all the items as publicly visible. I went ahead and did that painstaking process to ensure my privacy, but it has been 2 months, and I haven't logged back in.
I had quoted the question right above the statement that the question is not being answered. Quoting it again, hope you can at least read bold.
Where do I legally download XP SP3 with all the updates, if my laptop came with XP SP1, or if I bought XP SP1 around 8 years ago?
2. Both options have one more step than the Linux alternative popularly available.
Actually they're the same as the Linux alternatives - Linux still needs to be updated after install.
Come on. Do I have to teach you counting now? In case you are under 5 years of age, it might make sense, so here you go:
Linux:
Step 1: Install fully updated distribution / latest distribution release
Step 2: update and reboot once.
Windows:
Step 1: (Re)Install the version you have, XP SP1 in this case
Step 2: Download & Install XP SP3
Step 3: update and reboot once (could be more than once too, at least for XP SP2 it was multiple reboots a few months before release of SP3)
However, the point is that the "extra step" is utterly irrelevant to anyone except a pedantic Slashdot nerd.
Arguably, at least 2 pedantic Slashdot nerds: you and me. If it is irrelevant to you, why are you counting (and wrongly at that) the steps?
To me, it doesn't matter much. But the fact remains that one takes 3 steps and the other takes 2.
Why is this relevant?
Because "oh noes, lookit all those reboots ! Windoze sux LOL !" is basically the whole line of argument being put forth.
Sounds interesting. A question: Isn't "committing" supposed to tell everyone about a change? How does that work without network connection?
A person A commits a file. The commit is successful. Now, if another user B checks out the file, B is supposed to get the changes made by A. This is what I have come to understand a commit to be. Is it wrong? Or does git do some magic there?
Where do I legally download XP SP3 with all the updates, if my laptop came with XP SP1, or if I bought XP SP1 around 8 years ago?
You download SP3 from Microsoft, then either apply it straight after installing (1 reboot), or slipstream it before installing (no reboots).
1. Doesn't answer the question. 2. Both options have one more step than the Linux alternative popularly available.
This constant harping on about reboots as if they're the end of the world just highlights how out of touch the group of people here is. Most people *shut down* their computer at least a few times a week, if not daily.
Why is this relevant? 1. Who is "harping on about reboots"? I just stated what is true. 2. Who said they're "the end of the world"? 3. Who said most people don't "*shut down* their computer"?
I've compared it to a fruit vendor. When buying apples, everyone selects the best apples for himself and leaves the not-so-good apples behind. After a day of such selling, only bad apples remain which cannot be used next day because it would increase the proportion of not-so-good apples, and customers would flee. This is common practice. There are 2 options for the apple vendor:
1. WAAAH, NOT FAIR!!!, you should take both good and bad apples. If you only take the good apples, my business model is broken and I go into losses. 2. He can simply consider the possibility of people choosing good apples into his business model.
But that could mean 2 opposite things, right? 1. They could be using drastic Ad filters, so they are not even bothered about having Slashdot remove the ads for them. 2. They actually don't mind seeing a bit of sane ads.
1 are people that are useless for advertisers. 2 are people who are useful. Since they are measured by the same yardstick (does not accept the offer to remove ads), how is this information useful to advertisers?
1. Read up on metrics here. Most of your fallacies and misrepresentations of my arguments are due to ignorance of this subject. Wikipedia is here admittedly not very detailed, but it's a start.
2. Chief fallacy at present: Your arguments, examples and calculations miss the effect of corporate policy on blocking/delaying IP/account/region on detecting an attempt to crack. "Cracking Management", if you will.
No, that isn't correct. If the password is frequently changing, then strictly speaking there isn't a maximum
I had to quote my own post earlier to remind you the context where the number 240 came from. This does not mean you cannot go and read my earlier post to get the full context. So I have to quote myself once more, with more context this time:
Once upon a time, there was a sysadmin A. He didn't change his password for 20 years. Maximum number of password crack attempts per unit time (Max attempt flux): (keyspace/20years).
See? During this period, he did not change the password because you recommended not to. So, there IS a maximum. So your statement(quoting again below as you keep losing track) is wrong:
No, that isn't correct. If the password is frequently changing, then strictly speaking there isn't a maximum
Frankly, this is getting tiresome. Hope you understand my feelings. I am not reading any further into this post of yours, because I get the scary feeling that the rest of your post is based on the wrong premises that I just mentioned above. Correct me if this feeling is wrong.
Didn't I just demonstrate that the maximum increase in safety from changing your password frequently is a factor 2?
If you think you can measure "safety" like that, you have a lot of studying to do to be able to credibly argue anything on this subject. I do not feel up to explaining it in a slashdot post, as it will go somewhat into metrics and philosophy of science; I'll just leave this subject there.
Quote from my post:
Maximum number of password crack attempts per unit time (Max attempt flux)
Hope you can at least read bold. For the maximum number of password crack attempts, one would have to exhaust the keyspace. The number 240 comes from there. What you are talking about is the average. Anything I can do to make you understand the difference between maximum and average?
And all this assumes that the attacker is systematic and remembers which passwords he's already tried. If I was going to try a brute force attack, I wouldn't even bother with that, I'd just select trial passwords randomly from the dictionary
There is one less cracker for sysadmins to worry about, then. Thank FSM that you exist. Hope your progeny fill the cracker world.
Big fat hairy deal.
A few posts ago, there was no difference at all. Since you were too uneducated to understand the difference, I had to explain it twice; and then it became a big fat hairy deal. Awesome.
Actually I was wrong before when I suggested that the average would be unchanged
Yeah, my main point was that. So I am almost done. I see a lot of such comments from geeks about "idiotic" policies of banks etc. to get passwords of their customers changed. I just wanted to debunk them.
So you can see that as password is changed more frequently, the number of attempts changes from (keyspace/2) for no password changes, to (keyspace) if the password is changed frequently
You are using "number of attempts" as a metric for the difficulty level of password cracking. Since by this metric the difficulty for the cracker is only twice as much, you say the difficulty is only twice as much. But this is not the only metric for measuring the difficulty. Another metric too makes practical sense:
Once upon a time, there was a sysadmin A. He didn't change his password for 20 years. Maximum number of password crack attempts per unit time (Max attempt flux): (keyspace/20years).
There was another contemporary sysadmin B. He changed his password every month. Maximum number of password crack attempts per unit time (Max attempt flux): (keyspace/1month).
Max attempt flux is 240 times as high for sysadmin B as for sysadmin A. Using this metric, one could say periodically changing the password is 240 times more secure. But even then, one would be wrong, because that is just a(nother) metric. In essence, security cannot be measured, though one can come up with metrics that approximate it.
Now, you ask, why "attempt flux" as a metric? This has practical uses. Using this attempt flux, network policies can be arrived at which take drastic measures when the observed attempt flux reaches a significant fraction of the max attempt flux. Too restrictive network policies, and the system is a pain to work with: think red tape for sysadmins to get their passwords reset, accounts unblocked, IPs unblocked etc. Too permissive, and one doesn't even know that his network is being systematically "worked" upon.
For the above policy, max attempt flux can be used as an input. Though average attempt flux can also be used, depending upon the paranoia rampant in the system. As you say, this (average attempt flux) would be twice as high for the sysadmin that changes his password as for the one who doesn't.
Additionally, by continually changing the password, one prevents long-running situations where someone has acquired the password (by cracking, maybe got lucky, key-logger, maybe tortured an employee, maybe used an ex-employee, a lot depends on company policies) and doesn't want to lock out other administrators but just silently carry on his activities and systematically delete his traces.
Also, there was another sysadmin C: who never changed the password. Asymptotically, he will be cracked.
At any rate, it is best not to propagate the myth that changing passwords doesn't help at all. To buy the (maybe little) extra amount of security, a sysadmin can use a random password generator every (1/2/3 months, or whatever) and memorize it, and it will not kill him but rather justify his salary.
Erm, except you're assuming that this 'an attacker', which is a little silly.
I didn't make any such assumption (did I give such an impression? I didn't mean to). I was only replying to the parent post, which made a general statement about non-necessity of changing a password ever.
In my last post, I quoted your statement which demonstrated that you falsely think "Effectiveness of a dictionary attack" is the same as "probability of the attacker guessing it each attempt". This post of yours confirms that you still think so after my explanation, so obviously I need to give detailed explanation. Thankfully the examples you give also amply demonstrate your fallacy.
Note that I am assuming a somewhat intelligent attacker, and not an absolutely naive one.
A probability of 1/10 per attack means that on average it will take 5 attempts for the attacker to guess my password
Absolutely wrong premises. Probability is not 1/10 per attack. It is 1/10 for the first attack, 1/9 for the second, 1/8 for the third and so on. If he chooses sequential pattern, and goes from 0-9: After the 1st failed attack, the attacker "knows" that 0 is not the password.
Now, he can try the same password again, but he will do so only if there are significant chances of your changing the password between his 2 attempts. Typically this is false, and your argument makes it impossible because you suggest never changing the password. So my above paragraph is mostly true, and absolutely true in your case.
Changing my password has no effect on the time taken to crack it.
It most certainly does have an effect. There are 2 options for the attacker:
1. From the start of his attack to its end, he can assume that the password does not change. In this case, there are chances that he has already tried a password and then you have changed it. So it is possible that he has exhausted the set of possible passwords, and yet not cracked the password successfully.
2. He can assume the password can change any time. This makes him retry the same passwords over and over again. Not sure what heuristic will serve him best here, but it is certain that this one takes more time, effort and energy of the attacker. He will make such an assumption only if he has seen sysadmins change passwords frequently in his cracking "career". Sysadmins/sysadmin advisors like you will make life easy for crackers.
Specifically, there are chances that a password changer sysadmin will change his password to something an attacker has already tried. And by the time the attacker retries this new password, it has become an old password.
If you are not convinced of this, try it with some dice
By now, I hope you have understood that this example/analogy is wrong. There is no restriction on dice to not show the same number twice. But there can only be one password at a time. That you gave this example again shows your fallacy: "each attack is independent of previous attacks". Hope I have debunked it in the above section.
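The quantities argued over in the two posts above (the "keyspace/2 vs keyspace" average, the sweep that exhausts the keyspace without a hit once the password rotates, the random-with-replacement attacker, and the 240x "max attempt flux" ratio) can be computed exactly. The model below is an added illustration written for this page, not code from any poster; the keyspace size N, the `rotate_every` parameter, the fixed candidate order and all function names are its own assumptions.

```python
"""Constructed model of the brute-force argument in the thread: a keyspace of N
candidate passwords; an attacker who either sweeps the keyspace once in a fixed
order (remembering what was tried) or guesses uniformly with replacement; and a
defender who never rotates the password or re-draws it uniformly every
`rotate_every` attempts. Results are exact Fractions; the Monte Carlo at the
bottom only sanity-checks the closed form."""
from fractions import Fraction
import random


def sequential_sweep(keyspace: int, rotate_every: int = 0):
    """Attacker tries each of the N candidates exactly once, in a fixed order.

    rotate_every == 0 means the password never changes during the sweep.
    Returns (p_fail, expected_attempts): p_fail is the probability the sweep
    exhausts the keyspace without a hit (the "already tried it, then the
    password changed to it" case); expected_attempts counts a failed sweep as
    N attempts, since the attacker stops when candidates run out.
    Within one rotation epoch the candidates are distinct, so at most one can
    equal the current password: the epoch hits with probability len(epoch)/N,
    and successive epochs use independent fresh passwords.
    """
    n = keyspace
    k = n if rotate_every == 0 else rotate_every
    reach = Fraction(1)          # P(no hit before this epoch)
    expected = Fraction(0)
    start = 0
    while start < n:
        length = min(k, n - start)
        for t in range(start + 1, start + length + 1):
            expected += t * reach / n        # P(hit exactly at attempt t) = reach/N
        reach *= 1 - Fraction(length, n)     # every attempt of this epoch missed
        start += length
    p_fail = reach
    expected += n * p_fail
    return p_fail, expected


def random_guessing(keyspace: int, attempts: int):
    """Attacker draws every guess uniformly with replacement (the "I'd just
    select trial passwords randomly" attacker). Rotation cannot matter here:
    each attempt independently hits with probability 1/N, so attempts until a
    hit are geometric with mean N. Returns (P(no hit in `attempts`), mean)."""
    p_fail = (1 - Fraction(1, keyspace)) ** attempts
    return p_fail, Fraction(keyspace)


def flux_ratio(slow_period, fast_period) -> Fraction:
    """Max attempt flux as defined in the thread is keyspace / rotation period.
    The ratio between an admin rotating every `fast_period` and one rotating
    every `slow_period` (same units) cancels the keyspace: slow / fast."""
    return Fraction(slow_period) / Fraction(fast_period)


def monte_carlo_sweep(keyspace: int, rotate_every: int, trials: int,
                      seed: int = 1) -> float:
    """Simulate the sequential sweep (constructed PRNG seed) and return the
    observed fraction of sweeps that exhaust the keyspace without a hit."""
    rng = random.Random(seed)
    fails = 0
    for _ in range(trials):
        password = rng.randrange(keyspace)
        hit = False
        for candidate in range(keyspace):          # fixed order 0, 1, 2, ...
            if rotate_every and candidate and candidate % rotate_every == 0:
                password = rng.randrange(keyspace)  # defender rotates
            if candidate == password:
                hit = True
                break
        if not hit:
            fails += 1
    return fails / trials


if __name__ == "__main__":
    n = 10
    for k in (0, 5, 1):
        p_fail, exp = sequential_sweep(n, k)
        label = "never rotated" if k == 0 else f"rotated every {k} attempts"
        print(f"sequential sweep, {label}: P(exhausted, no hit)={float(p_fail):.3f} "
              f"E[attempts]={float(exp):.2f} (MC: {monte_carlo_sweep(n, k, 20000):.3f})")
    p_fail, exp = random_guessing(n, n)
    print(f"random guessing, {n} attempts: P(no hit)={float(p_fail):.3f} "
          f"E[attempts]={float(exp)}")
    print("max attempt flux, monthly vs 20-yearly rotation:", flux_ratio(240, 1))
```

With N = 10, never rotating gives the (N+1)/2 = 5.5 average and a guaranteed hit; rotating every attempt leaves a (9/10)^10 chance that the whole sweep misses, exactly the same as the random guesser's chance of missing in 10 tries.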
Not sure how to break it to you but here goes: your opinion is not even worth shit. As I said before, citation needed.
Similarly to above, citation needed.
GP:
iPAD
You:
IPod
But I'm not a blind moron like yourself
the article says that only 5% of Facebook users have bothered to hide their friends list
Not that I use Facebook much, but I did try to hide as much as possible. But when I logged in to Facebook a month or so later, Facebook "helpfully" showed me a page, ostensibly to give me "higher control" of my privacy settings. This page had all the privacy settings marked the equivalent of "publicly visible", and if I wanted to hide them again, I would have to painstakingly do this for each of the settings (a 2-step process for about 8 items). I couldn't see any obvious way to "mark all private", or even to keep the status quo. But a simple "OK" would mark all the items as publicly visible. I went ahead and did that painstaking process to ensure my privacy, but it has been 2 months, and I haven't logged back in.
I had quoted the question right above the statement that the question is not being answered. Quoting it again, hope you can at least read bold.
Where do I legally download XP SP3 with all the updates, if my laptop came with XP SP1, or if I bought XP SP1 around 8 years ago?
2. Both options have one more step than the Linux alternative popularly available.
Actually they're the same as the Linux alternatives - Linux still needs to be updated after install.
Come on. Do I have to teach you counting now? In case you are under 5 years of age, it might make sense, so here you go:
Linux:
Step 1: Install fully updated distribution / latest distribution release
Step 2: update and reboot once.
Windows:
Step 1: (Re)Install the version you have, XP SP1 in this case
Step 2: Download & Install XP SP3
Step 3: update and reboot once (could be more than once too, at least for XP SP2 it was multiple reboots a few months before release of SP3)
However, the point is that the "extra step" is utterly irrelevant to anyone except a pedantic Slashdot nerd.
Arguably, at least 2 pedantic Slashdot nerds: you and me. If it is irrelevant to you, why are you counting the steps (and wrongly at that)?
To me, it doesn't matter much. But the fact remains that one takes 3 steps and the other takes 2.
Why is this relevant?
Because "oh noes, lookit all those reboots ! Windoze sux LOL !" is basically the whole line of argument being put forth.
By whom (other than your strawman, of course)?
Sounds interesting. A question: Isn't "committing" supposed to tell everyone about a change? How does that work without network connection?
A person A commits a file. The commit is successful. Now, if another user B checks out the file, B is supposed to get the changes made by A. This is what I have come to understand commit is. Is it wrong? Or does git do some magic there?
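An added example, not part of the thread, that drives a real `git` binary from Python to show where the commit actually lands: `git commit` only writes to A's local clone, the shared repository and clone B learn about it only after `git push`, and B sees the file only after `git fetch`/`git checkout`. Everything is created in a temporary directory, so no network connection is involved; the repository names, branch name and file contents are this example's own.

```python
"""Added example (not from the thread): uses subprocess to run git and show that
`git commit` records a change only in the local clone. A second clone sees the
commit only after the first clone publishes it with `git push` and the second
clone runs `git fetch`. All repositories live in a temporary directory."""
import os
import subprocess
import tempfile

# Identity via environment so no global git config is needed (example values).
IDENTITY = {
    "GIT_AUTHOR_NAME": "A", "GIT_AUTHOR_EMAIL": "a@example.invalid",
    "GIT_COMMITTER_NAME": "A", "GIT_COMMITTER_EMAIL": "a@example.invalid",
}


def git(*args, cwd):
    """Run one git command in `cwd`, raise on failure, return stripped stdout."""
    proc = subprocess.run(["git", *args], cwd=cwd, env={**os.environ, **IDENTITY},
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def known(repo, name):
    """True if `name` (a ref or a full commit hash) resolves to a commit object
    that actually exists in `repo`; `cat-file -e` exits non-zero otherwise."""
    proc = subprocess.run(["git", "cat-file", "-e", name + "^{commit}"],
                          cwd=repo, capture_output=True, text=True)
    return proc.returncode == 0


def commit_visibility():
    """Returns, before and after the push, whether the shared repository and
    clone B can see the commit that A made locally."""
    with tempfile.TemporaryDirectory() as work:
        central = os.path.join(work, "central.git")  # stands in for the server
        a = os.path.join(work, "A")
        b = os.path.join(work, "B")
        git("init", "--quiet", "--bare", central, cwd=work)
        git("clone", "--quiet", central, a, cwd=work)
        git("clone", "--quiet", central, b, cwd=work)
        for repo in (a, b):  # pin the unborn branch name regardless of git defaults
            git("symbolic-ref", "HEAD", "refs/heads/main", cwd=repo)

        # A commits locally: nothing leaves A's clone at this point.
        with open(os.path.join(a, "notes.txt"), "w") as fh:
            fh.write("change by A\n")
        git("add", "notes.txt", cwd=a)
        git("commit", "--quiet", "-m", "Add notes", cwd=a)
        commit = git("rev-parse", "HEAD", cwd=a)

        git("fetch", "--quiet", "origin", cwd=b)  # B asks the server: still nothing
        before = {
            "central_has_main": known(central, "refs/heads/main"),
            "b_sees_commit": known(b, commit),
        }

        # Only push publishes the commit; only fetch/checkout brings it into B.
        git("push", "--quiet", "origin", "main", cwd=a)
        git("fetch", "--quiet", "origin", cwd=b)
        git("checkout", "--quiet", "main", cwd=b)
        with open(os.path.join(b, "notes.txt")) as fh:
            b_file = fh.read()
        after = {
            "central_has_main": known(central, "refs/heads/main"),
            "b_sees_commit": known(b, commit),
            "b_file": b_file,
        }
        return {"before_push": before, "after_push_and_fetch": after}


if __name__ == "__main__":
    print(commit_visibility())
```

Run it and the `before_push` entries are both false while `after_push_and_fetch` entries are true: the "tell everyone" step the question asks about is `push`, not `commit`, which is why committing works with the network cable unplugged.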
Where do I legally download XP SP3 with all the updates, if my laptop came with XP SP1, or if I bought XP SP1 around 8 years ago?
You download SP3 from Microsoft, then either apply it straight after installing (1 reboot), or slipstream it before installing (no reboots).
1. Doesn't answer the question.
2. Both options have one more step than the Linux alternative popularly available.
This constant harping on about reboots as if they're the end of the world just highlights how out of touch the group of people here is. Most people *shut down* their computer at least a few times a week, if not daily.
Why is this relevant?
1. Who is "harping on about reboots"? I just stated what is true.
2. Who said they're "the end of the world"?
3. Who said most people don't "*shut down* their computer"?
Evil bit FTW. Yo man, you found the solution at last.
I've compared it to a fruit vendor. When buying apples, everyone selects the best apples for himself and leaves the not-so-good apples behind. After a day of such selling, only bad apples remain which cannot be used next day because it would increase the proportion of not-so-good apples, and customers would flee. This is common practice. There are 2 options for the apple vendor:
1. WAAAH, NOT FAIR!!!, you should take both good and bad apples. If you only take the good apples, my business model is broken and I go into losses.
2. He can simply consider the possibility of people choosing good apples into his business model.
But that could mean 2 opposite things, right?
1. They could be using drastic Ad filters, so they are not even bothered about having Slashdot remove the ads for them.
2. They actually don't mind seeing a bit of sane ads.
1 are people that are useless for advertisers. 2 are people who are useful. Since they are measured by the same yardstick (does not accept the offer to remove ads), how is this information useful to advertisers?
1. Read up on metrics here. Most of your fallacies and misrepresentations of my arguments are due to ignorance of this subject. Wikipedia is here admittedly not very detailed, but it's a start.
2. Chief fallacy at present: Your arguments, examples and calculations miss the effect of corporate policy on blocking/delaying IP/account/region on detecting an attempt to crack. "Cracking Management", if you will.
No, that isn't correct. If the password is frequently changing, then strictly speaking there isn't a maximum
I had to quote my own post earlier to remind you the context where the number 240 came from. This does not mean you cannot go and read my earlier post to get the full context. So I have to quote myself once more, with more context this time:
Once upon a time, there was a sysadmin A. He didn't change his password for 20 years. Maximum number of password crack attempts per unit time (max attempt flux): keyspace / 20 years.
See? During this period, he did not change the password because you recommended not to. So, there IS a maximum. So your statement(quoting again below as you keep losing track) is wrong:
No, that isn't correct. If the password is frequently changing, then strictly speaking there isn't a maximum
Frankly, this is getting tiresome. Hope you understand my feelings. I am not reading any further of this post of yours because I get the scary feeling that rest of your post is based on the wrong premises that I just mentioned above. Correct me if this feeling is wrong.
Didn't I just demonstrate that the maximum increase in safety from changing your password frequently is a factor 2?
If you think you can measure "safety" like that, you have a lot of studying to do to be able to credibly argue anything on this subject. I do not feel up to explaining it in a slashdot post, as it will go somewhat into metrics and philosophy of science; I'll just leave this subject there.
Quote from my post:
Maximum number of password crack attempts per unit time (Max attempt flux)
Hope you can at least read bold. For maximum number of password crack attempts, one would have to exhaust the keyspace. The number 240 comes from there. What you are talking about, is average. Anything I can do to make you understand the difference between maximum and average?
And all this assumes that the attacker is systematic and remembers which passwords he's already tried. If I was going to try a brute force attack, I wouldn't even bother with that, I'd just select trial passwords randomly from the dictionary
There is one less cracker for sysadmins to worry about, then. Thank FSM that you exist. Hope your progeny fill the cracker world.
Big fat hairy deal.
A few posts ago, there was no difference at all. Since you were too uneducated to understand the difference, so that I had to explain it twice, it became a big fat hairy deal. Awesome.
Actually I was wrong before when I suggested that the average would be unchanged
Yeah, my main point was that. So I am almost done. I see a lot of such comments from geeks about "idiotic" policies of banks etc. to get passwords of their customers changed. I just wanted to debunk them.
So you can see that as password is changed more frequently, the number of attempts changes from (keyspace/2) for no password changes, to (keyspace) if the password is changed frequently
You are using "number of attempts" as a metric for the difficulty level of password cracking. Since by this metric the difficulty for the cracker is only twice as much, you say the difficulty is only twice as much. But this is not the only metric for measuring the difficulty. Another metric too makes practical sense:
Once upon a time, there was a sysadmin A. He didn't change his password for 20 years. Maximum number of password crack attempts per unit time (max attempt flux): keyspace / 20 years.
There was another contemporary sysadmin B. He changed his password every month. Maximum number of password crack attempts per unit time (max attempt flux): keyspace / 1 month.
Max attempt flux is 240 times higher for sysadmin B than for sysadmin A. Using this metric, one could say periodically changing the password is 240 times more secure. But even then, one would be wrong because that is just a(nother) metric. In essence, security cannot be measured, though one can come up with metrics that approximate it.
Now, you ask, why "attempt flux" as a metric? This has practical uses. Using this attempt flux, network policies can be arrived at which take drastic measures when observed attempt flux reaches a significant fraction of max attempt flux. Too restrictive network policies, and the system is a pain to work with: think red-tape for sysadmins to get their passwords reset, accounts unblocked, IP's unblocked etc. Too permissive, and one doesn't even know that his network is being systematically "worked" upon.
For the above policy, max attempt flux can be used as an input. Though, average attempt flux can also be used, depends upon the paranoia rampant in the system. As you say, this (average attempt flux) would be twice for the sysadmin that changes his password than the one who doesn't.
Additionally, by continually changing the password, one prevents long-running situations where someone has acquired the password (by cracking, maybe got lucky, key-logger, maybe tortured an employee, maybe used an ex-employee; a lot depends on company policies) and doesn't want to lock out other administrators but just silently carry on his activities and systematically delete his traces.
Also, there was another sysadmin C: who never changed the password. Asymptotically, he will be cracked.
At any rate, it is best not to propagate the myth that changing passwords doesn't help at all. To buy the (maybe little) extra amount of security, a sysadmin can use a random password generator every (1/2/3 months, or whatever) and memorize it, and it will not kill him but rather justify his salary.
You are absolutely right. Except
Erm, except you're assuming that this 'an attacker', which is a little silly.
I didn't make any such assumption (did I give such an impression? I didn't mean to). I was only replying to the parent post, which made a general statement about non-necessity of changing a password ever.
In my last post, I quoted your statement which demonstrated that you falsely think "Effectiveness of a dictionary attack" is the same as "probability of the attacker guessing it each attempt". This post of yours confirms that you still think so after my explanation, so obviously I need to give detailed explanation. Thankfully the examples you give also amply demonstrate your fallacy.
Note that I am assuming a somewhat intelligent attacker, and not an absolutely naive one.
A probability of 1/10 per attack means that on average it will take 5 attempts for the attacker to guess my password
Absolutely wrong premises. Probability is not 1/10 per attack. It is 1/10 for the first attack, 1/9 for the second, 1/8 for the third and so on. If he chooses sequential pattern, and goes from 0-9: After the 1st failed attack, the attacker "knows" that 0 is not the password.
Now, he can try the same password again, but he will do so only if there are significant chances of your changing the password between his 2 attempts. Typically this is false, and your argument makes it impossible because you suggest never changing the password. So my above paragraph is mostly true, and absolutely true in your case.
Changing my password has no effect on the time taken to crack it.
It most certainly does have an effect. There are 2 options for the attacker:
1. From the start of his attack to its end, he can assume that password does not change. In this case, there are chances that he has already tried a password and then you have changed it. So it is possible that he has exhausted the set of possible passwords, and yet not cracked the password successfully.
2. He can assume the password can change any time. This makes him retry the same passwords over and over again. Not sure what heuristic will serve him best here, but it is certain that this one takes more time, effort and energy of the attacker. He will make such an assumption only if he has seen sysadmins to change passwords frequently in his cracking "career". Sysadmins/sysadmin advisors like you will make life easy for crackers.
Specifically, there are chances that a password changer sysadmin will change his password to something an attacker has already tried. And by the time the attacker retries this new password, it has become an old password.
If you are not convinced of this, try it with some dice
By now, I hope you have understood that this example/analogy is wrong. There is no restriction on dice to not show the same number twice. But there can only be one password at a time. That you gave this example again shows your fallacy: "each attack is independent of previous attacks". Hope I have debunked it in the above section.
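An added example, not part of the thread and not either poster's own work, that puts numbers to the brute-force argument running through these posts: the "max attempt flux" metric (keyspace over password lifetime, hence the factor of 240 between a 20-year and a 1-month lifetime), the 1/10, 1/9, 1/8 ... conditional hit probabilities of a non-repeating attacker, and what a password change does to that attacker. The defender model rotates the password to a fresh uniformly random value every `period` attacker attempts (so a monthly change at attempt flux f is period = f times one month), which lets the two attacker strategies from the post be compared: a single sweep that assumes the password is fixed, and a sweep that restarts after exhausting the keyspace. Keyspace size, trial counts and all function names are this example's own choices.

```python
"""Added example (not part of the thread): a small model of the brute-force
argument above. The attacker sweeps a keyspace of N candidates in random order
without repetition; the defender either keeps one password (period == 0) or
replaces it with a fresh uniformly random one every `period` attacker attempts.
Keyspace size, trial counts and names are this example's own choices."""
import random
from fractions import Fraction
from statistics import mean


def max_attempt_flux(keyspace: int, lifetime: float) -> float:
    """The post's metric: attempt rate needed to exhaust the keyspace within
    one password lifetime, keyspace / lifetime (lifetime in any fixed unit)."""
    return keyspace / lifetime


def conditional_hit_probabilities(keyspace: int) -> list:
    """Success probability of attempt i against a fixed password, given that
    the i-1 earlier non-repeating attempts all failed: 1/N, 1/(N-1), ..., 1."""
    return [Fraction(1, keyspace - i) for i in range(keyspace)]


def one_sweep(keyspace: int, period: int, rng: random.Random):
    """Attacker option 1: one pass over the keyspace, assuming the password
    never changes. Returns the attempt number on success, or None if the whole
    keyspace was tried without ever matching the password current at the time."""
    secret = rng.randrange(keyspace)
    order = list(range(keyspace))
    rng.shuffle(order)
    for attempt, guess in enumerate(order, start=1):
        if guess == secret:
            return attempt
        if period and attempt % period == 0:
            secret = rng.randrange(keyspace)  # defender rotates the password
    return None


def attempts_until_success(keyspace: int, period: int, rng: random.Random) -> int:
    """Attacker option 2: after an unsuccessful sweep, reshuffle and keep going,
    since a guess already tried may have become the password in the meantime."""
    total = 0
    while True:
        hit = one_sweep(keyspace, period, rng)
        if hit is not None:
            return total + hit
        total += keyspace


def expected_attempts(keyspace: int, period: int) -> float:
    """Closed form for the restarting attacker when period divides keyspace
    (period == 0: never changed). The guesses within a block of `period`
    attempts are distinct and the password is fresh at the block start, so each
    block hits with probability period/N independently, giving
    E = N - (period - 1)/2: from (N+1)/2 with no change up to N when the
    password changes after every attempt (the factor of 2 debated above)."""
    p = period or keyspace
    return keyspace - (p - 1) / 2


def simulate(keyspace: int = 500, period: int = 0, trials: int = 1500, seed: int = 1) -> dict:
    """Monte Carlo estimate of the restarting attacker's mean attempts and of
    how often a single non-repeating sweep ends without success."""
    assert period == 0 or keyspace % period == 0, "closed form needs period | keyspace"
    rng = random.Random(seed)
    samples = [attempts_until_success(keyspace, period, rng) for _ in range(trials)]
    failed = sum(one_sweep(keyspace, period, rng) is None for _ in range(trials))
    return {"mean_attempts": mean(samples), "sweep_failure_rate": failed / trials}


if __name__ == "__main__":
    # Sysadmin A: 20 years = 240 months per password; sysadmin B: one month.
    print("flux ratio B/A:", max_attempt_flux(2**40, 1) / max_attempt_flux(2**40, 240))
    print([str(p) for p in conditional_hit_probabilities(10)])
    for period in (0, 50, 1):
        print(period, expected_attempts(500, period), simulate(period=period))
```

Two things fall out of running it. For the restarting attacker the mean cost moves only from (N+1)/2 to N, the factor of 2 one side of the argument insists on. For the attacker who assumes a fixed password, a single sweep against a password that changes every attempt fails roughly (1 - 1/N)^N, about 37%, of the time even though every candidate was tried, which is the "exhausted the keyspace without success" case the other side describes.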