Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name.
That's why I don't waste time using long passwords on them.
Which is more likely - someone brute forcing an 8 character password via the bank's online login page, or getting access via other means?
Remember, banks have to allow their stupid/forgetful/careless customers convenient ways to regain access to their accounts. So there's a limit to how secure things can be.
Don't waste time creating long passwords (e.g. 20 characters long) for online services. Just make sure you don't use the same password for everything, and don't use stupid passwords. Easy to guess = stupid. Brute forceable in 100 billion tries = not stupid.
Why? From what I see - the attackers are way more likely to crack the sites via other ways (SQL injection, social engineering) than crack my passwords. Just look at the plentiful evidence.
If the hackers try to make say 100 billion tries in 1 day they're more likely to DoS the service first, someone/something will notice the 1 million hits per second.
So it's stupid to waste your life typing in >20 character passwords only to find the hackers pwned the site via other means (or via the CTO's easily guessed password ;) ).
Yes once they pwn the site they can download and brute force the passwords. But if that password isn't the same for anything that you really care about, it doesn't matter, a successful bruteforce only gets them what they already have.
Long passphrases can make sense for stuff that you have near complete control over, e.g. PGP/GPG signing, disk crypto. Or you are confident that the weakest link will still be comparable to the strength of a long passphrase.
BTW, changing passwords regularly is also overrated for similar reasons.
No, I don't really see much benefit from that.
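A worked version of the online-versus-offline arithmetic in the comment above, as an added example (it is not part of the original post). The guess rates are assumptions chosen to illustrate the argument: the "1 million hits per second" figure comes from the comment, the other three (a throttled login page, GPU cracking of a fast unsalted hash, a bcrypt-class slow hash) are typical orders of magnitude, not measurements. The model is a plain exhaustive search over an alphabet; real attackers start with dictionaries, so a password that is in a wordlist is "stupid" regardless of what this prints.

```python
"""Cost model for the online-vs-offline guessing argument above.

Added example; not part of the original comment.  Guess rates are
illustrative assumptions, not measurements.
"""

from typing import Dict

# Alphabet sizes for the candidate passwords.
LOWER = 26        # a-z
ALNUM = 62        # a-z, A-Z, 0-9
PRINTABLE = 95    # printable ASCII

# Guess rates in guesses per second (assumed for illustration).
RATES: Dict[str, float] = {
    "online, noisy (the comment's 1M hits/s)": 1e6,
    "online, throttled login page":            10.0,
    "offline, fast unsalted hash on GPUs":     1e10,
    "offline, slow hash (bcrypt-class)":       1e4,
}

SECONDS_PER_YEAR = 365.25 * 86400

# The comment's rule of thumb: crackable within 1e11 tries == "stupid".
STUPID_THRESHOLD = 1e11


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must cover (worst case; on average
    the attacker succeeds after about half of them)."""
    return alphabet ** length


def is_stupid(length: int, alphabet: int) -> bool:
    """Apply the comment's threshold to a password of this shape."""
    return keyspace(length, alphabet) <= STUPID_THRESHOLD


def seconds_to_exhaust(length: int, alphabet: int, rate: float) -> float:
    """Wall-clock seconds to try every candidate at `rate` guesses/s."""
    return keyspace(length, alphabet) / rate


def human(seconds: float) -> str:
    """Round a duration to the most readable unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def report(length: int, alphabet: int) -> Dict[str, float]:
    """Seconds to exhaust the keyspace under every assumed attack rate."""
    return {name: seconds_to_exhaust(length, alphabet, r)
            for name, r in RATES.items()}


if __name__ == "__main__":
    for length, alphabet, label in [(6, LOWER, "6 lowercase"),
                                    (8, ALNUM, "8 alphanumeric"),
                                    (20, PRINTABLE, "20 printable")]:
        verdict = "stupid" if is_stupid(length, alphabet) else "not stupid"
        print(f"{label}: keyspace {keyspace(length, alphabet):.3g} ({verdict})")
        for name, secs in report(length, alphabet).items():
            print(f"    {name:45s} {human(secs)}")
```

Running it shows the asymmetry the comment leans on: 8 alphanumeric characters take years to exhaust through the login page even at the absurd 1M hits/s, but about six hours offline once the hash table has leaked and was stored with a fast hash. That is exactly why the "don't reuse it anywhere you care about" rule matters more than the extra 12 characters.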
I propose that a referendum is mandatory before a country starts any "offensive military action" (genuine defence is different).
If the referendum does not pass (say 66% of _total_ eligible_ voters must vote for war), all the political leaders that proposed the military action are put on death-row, and at a convenient time another referendum is held.
If that second "redemption" referendum does not pass, those political leaders are executed.
If it later turns out the military action was actually a very good idea, the executed political leaders get "purple heart" awards, everyone makes nice remarks about them and a few tears are shed.
If it later turns out that a "defensive war" was not actually defence, or enough people believe the leaders tricked them into the war, there is another referendum and the leaders are put on death row, etc etc.
With my proposal our leaders can still lead soldiers into battle in this modern day and age. And they are far more believable when they claim the war is necessary and worth the lives and cost (and worth killing masses on the other side too) - because they put their own lives on the line first.
The other benefit is the side being attacked can with a clearer conscience wipe out your country by whatever means necessary - civilians and all. Hey most of you voted for the war right? So you're no longer mere civilians dragged into an unwanted war by your leaders.
This seems much fairer and better to me.
The right to travel unmolested by car should, indeed, be a civil right.
Driving licenses exist because most people want to travel unmolested by a car ;). And so it is a privilege.
You can still travel unmolested by car without a driving license, as long as someone else does the driving.
FWIW it's still a very easy privilege to get. If you want to kill somebody, you do it with a car: https://www.youtube.com/watch?v=2ex6dHzcgOE
From what I gather the driver was "given a 12 month sentence suspended for two years, 200 hours community service, ordered to pay £500 compensation and banned from driving for three years."
BUT do it sober or else: http://www.dailymail.co.uk/news/article-1314227/Drink-driving-nurse-sentenced-8-years-killing-grandmother.html
Enterprise security works great for students, employees, and so on but isn't very helpful when you are talking guests,
The problem is the WiFi standards are broken/braindead (even after so many years). You can't easily provide secured WiFi channels to guest users.
They could have copied "https" where the clients can be anonymous and still have secured channels. They could have worked with Microsoft, Apple, dlink etc to set up a standard where the WiFi clients will try "WPA2 Enterprise" and log on as "anonymous" with password = "anonymous" (prompting/warning the user before that if the AP's fingerprint is new/different).
In practice the university/hotel/restaurant/cafe is less likely to sniff your traffic maliciously than some other guest.
Some idiot is going to say everyone should be using IPSEC, but that'll just prove he/she is an idiot. The last I checked, anonymous users can't make successful IPSEC connections to slashdot or thousands other more popular sites out there. Or more importantly - to their DNS server.
As for WiFi is just "wired equivalent", wired LAN ports can be set up to have port security or even per port vlans (many hotels do that), but you can't really do that with WiFi (you can pretend to but it doesn't work without good crypto).
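The "warn if the AP's fingerprint is new/different" part of the proposal above is the same trust-on-first-use scheme SSH clients use for host keys. Below is an added example of that client-side check, written here to illustrate the idea; it is not part of the original comment, of any WiFi standard, or of any supplicant. With anonymous/anonymous credentials the only thing that authenticates the network is the certificate presented in the EAP handshake (normally by the RADIUS server behind the AP), so the client pins its fingerprint per SSID. The certificate bytes are constructed stand-ins; a real client would take the DER certificate out of the EAP exchange.

```python
"""Trust-on-first-use (TOFU) pinning for the anonymous-WPA2-Enterprise idea.

Added example, not part of the original comment.  Certificate bytes are
constructed placeholders for the DER certificate seen in the EAP handshake.
"""

import hashlib
import json
from enum import Enum
from pathlib import Path
from typing import Dict, Optional


class Decision(Enum):
    NEW = "new"          # never seen this network: prompt the user
    OK = "ok"            # matches the pinned fingerprint: connect silently
    CHANGED = "changed"  # pin mismatch: warn loudly, refuse by default


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the value tools print as the
    certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Pins keyed by the network name the user sees (SSID).  An evil twin
    that clones the SSID must also present the pinned certificate, which
    it cannot do without the matching private key."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def evaluate(self, ssid: str, cert_der: bytes) -> Decision:
        seen = self.pins.get(ssid)
        if seen is None:
            return Decision.NEW
        return Decision.OK if seen == fingerprint(cert_der) else Decision.CHANGED

    def pin(self, ssid: str, cert_der: bytes) -> None:
        """Only after the user accepted a NEW network (or explicitly
        re-accepted a CHANGED one)."""
        self.pins[ssid] = fingerprint(cert_der)
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))


def connect(store: PinStore, ssid: str, cert_der: bytes,
            user_accepts_new: bool) -> Decision:
    """Client policy: silent on OK, prompt on NEW, refuse on CHANGED.
    A CHANGED result is never pinned automatically."""
    decision = store.evaluate(ssid, cert_der)
    if decision is Decision.NEW and user_accepts_new:
        store.pin(ssid, cert_der)
    return decision


if __name__ == "__main__":
    # Constructed stand-ins for two DER certificates.
    campus_cert = b"-- constructed DER: CN=radius.campus.example --"
    rogue_cert = b"-- constructed DER: CN=radius.campus.example (evil twin) --"
    store = PinStore()
    print(connect(store, "campus-guest", campus_cert, user_accepts_new=True))  # NEW, now pinned
    print(connect(store, "campus-guest", campus_cert, user_accepts_new=True))  # OK
    print(connect(store, "campus-guest", rogue_cert, user_accepts_new=True))   # CHANGED
```

The first visit is the one unavoidable window, exactly as with an SSH host key; after that a rogue AP on the same SSID produces CHANGED rather than a silent downgrade to an open network, which is the property the comment is asking the standards bodies for.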
Despite Hyper-V performing better[1] than VMware Server (VMware Server is free) in some benchmarks, I'd still prefer VMware till Hyper-V improves its virtualization so that it works with Linux better WITHOUT having to install their probably still crappy (but not crap enough to reject) virtualization drivers.
Microsoft should also fix/improve the "remote management" bit for Hyper-V too.
Currently you practically have to use an unsupported tool ( http://archive.msdn.microsoft.com/HVRemote ) to try to get remote management working, and it still doesn't always work.
The alternative to that tool is consulting a 5 part series on some blog: http://blogs.technet.com/b/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx
With VMware remote management is practically already installed as part of installing VMware. No real big issue.
Sure you probably don't get the "Windows Domain" credentials stuff with VMware, but I don't have great confidence of successfully doing anything sophisticated in that area and still have hyper-v remote management work. Supposedly you "add this user to a group and give that group the permissions" and well it still didn't work, I still had to add specific user permissions. Maybe it takes time before it starts working (AD policy propagates), but if that's the case, I don't have time for that, nor time to waste on it _when_ it stops working for whatever reason.
So for these and other reasons if there are no other requirements (e.g. political reasons), it'll be VMware and I'd just let the hardware take care of the 10% performance difference (Windows Server Enterprise licenses cost money too, so go Linux and spend more on hardware). If you're using virtual machines and that 10% is make or break you're doing it wrong anyway.
I wonder if there would be Chinese badge farmers.
They might be a bit handicapped for any "Tiananmen" related campaigns...
More like it'll be able to leak more than 4GB of memory.
BTW yes I know geostationary satellites are 40000km away and the theoretical round trip ping latency via pure satellite links is thus 280ms * 2 . But in practice it sure seems worse than that ;).
No. Speed of light is only about 300 million metres per second (299 792 458) or 300000 km/sec.
http://www.google.com/search?q=speed+of+light
So round trip time is 44.6 minutes
http://www.google.com/search?&q=401+million+km++*+2+%2F+speed+of+light
In comparison the Sun is about 8 light minutes away.
The speed of light is so slow that even latency is an issue for intercontinental undersea links, and worse for the satellite links (which can have latency in the order of seconds).
But you're proposing planet scale copying! Copying is illegal!
The Corporations unwritten constitutional right to profits must be protected!
Yeah, if the corporations are privatizing the profits but socializing their losses, you might as well have the Government take them over.
At least the Gov would have to _pretend_ to follow the constitution and stuff like the FOIA.
The Corporations don't.
I wouldn't be surprised if the oil lasts a lot longer in Scottish hands ;).
But it's not that stable yet. If you use it to tunnel browser proxy connections, from time to time you'll notice it crashing.
Whereas I don't recall the openssh client crashing on me.
It doesn't bother me that much, the hackers would be better off targeting web browsers.
The one thing I've learned is, people who argue our Founding Fathers didn't understand or completely missed something when they created the US Constitution, are either completely ignorant of the subject at hand or have an agenda which is contrary to the best interest of the American people.
How do you explain the amendments then?
http://www.usconstitution.net/const.html#Amends
They came AFTER the constitution was created. So the Founding Fathers sure missed those.
And the amendments are often the bits that the US citizens hold dearest.
See: http://en.wikipedia.org/wiki/Monopoly_on_violence
Seriously. Visit a slum in India sometimes - but make sure to duck at the right time.
Really? I've been told by various people who have been to India that what many do is stop walking, lift their garments up a bit, maybe squat/spread the legs a bit, then shit (and it appears to be true: http://therearenosunglasses.wordpress.com/2009/03/05/india-failing-to-control-open-defecation-blunts-nation%E2%80%99s-growth/ ). FWIW many walls also have messages[1] on them telling people not to pee on them...
As for plastic bags, some places in the world are so poor that plastic bags would be too scarce or too useful to be used for throwing shit.
On a related note, there's an organization in India that builds public toilets (amongst other things): http://en.wikipedia.org/wiki/Sulabh_International
[1] Sometimes even paintings of Indian gods in the hope of better deterrence: http://articles.timesofindia.indiatimes.com/2009-09-17/varanasi/28111767_1_ghats-rana-mahal-urinating
See also: http://blogs.wsj.com/indiarealtime/2010/06/11/peeing-in-pune-urinating-in-udaipur/
Aww give Steve a break. He's likely to be one of those with congenital absence of conscience. Or a malformed/defective one.
That's why he gets to park at those bays.
Jesus could have been more efficient if he spent his time raising rich people from the dead for cash and selling loaves and fishes. Then he could have paid for dozens of people to die on crosses and stuff.
1) I don't think efficiency or more people dying on crosses is what he was aiming for.
2) There were probably dozens of people who died on crosses. Jesus is the one whose name at least a billion people know of.
Why does that matter? Don't tell me you're one of those waiting for it to turn 1.0 to use it.
You want to see whether something is OK to use you look at the source code, if that's not available or practical, you look at the track record, release notes, past/unfixed vulnerabilities, and "word of mouth". And you see how often you can get it to crash[1].
You certainly don't use the version number.
[1] Putty does crash, esp if you use the tunnelling stuff a lot.
If it's anything like the fans I see, the blades end up dust coated but not dust choked. Dust beyond a certain level gets flung/blown away.
Whereas conventional heatsinks can end up dust choked.
Do you know your file system's allocation strategy?
Just because you don't use "half" the space doesn't mean they won't clobber each other.
AFAIK if you're unlucky enough to be using NTFS your files could end up at all sorts of places.
Then they ask you for your other truecrypt password. And it might start to feel like one of "those" countries.
AFAIK the problem with truecrypt's plausible deniability is you can't really use BOTH the hidden and outer volumes. You can only use one.
So if you've mounted stuff with atime or use NTFS without NtfsDisableLastAccessUpdate set, it's very likely they can figure out you have a hidden volume when:
1) There's evidence that you've been using the drive a fair bit.
2) the files you "revealed" were all more than X years old and untouched since.
A better way for plausible deniability would be for a distro/OS to have crypto built-in AND at least one encrypted volume created by default.
e.g. https://bugs.launchpad.net/ubuntu/+bug/148440
That way you could plausibly claim you have no idea what the passphrase is (or even what this "encrypted volume" and "passphrase" stuff is :) ), because most of the users don't... Or at least can successfully pretend to not know ;).
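The two-part tell described above (the drive has clearly been used, yet everything "revealed" in the outer volume is years old and untouched) is easy to turn into a script. The following is an added example written to illustrate that check; it is not part of the original comment and not TrueCrypt code. The file records are constructed; a real run would stat() the files on the mounted outer volume, and the "volume last used" timestamp would come from host-side evidence (mount logs, container or device timestamps), which is simply assumed as an input here.

```python
"""Staleness check for a TrueCrypt-style outer volume.

Added example, not part of the original comment or of TrueCrypt.  File
records below are constructed; `volume_last_used` is assumed to come from
host-side evidence of the container being mounted.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: datetime   # last content change
    atime: datetime   # last read; only meaningful if the mount records atime


def last_touched(f: FileRecord) -> datetime:
    return max(f.mtime, f.atime)


def decoy_indicators(files: Iterable[FileRecord],
                     volume_last_used: datetime,
                     stale_after: timedelta = timedelta(days=2 * 365)
                     ) -> Tuple[bool, List[str]]:
    """Return (looks_like_decoy, reasons).

    looks_like_decoy is True when the volume was used more than
    `stale_after` later than any visible file was written or read: the
    owner has been working somewhere, and it was not in these files.
    """
    files = list(files)
    reasons: List[str] = []
    if not files:
        return False, ["outer volume is empty; nothing to compare"]

    newest = max(last_touched(f) for f in files)
    gap = volume_last_used - newest
    stale = gap > stale_after
    if stale:
        reasons.append(f"volume used {volume_last_used:%Y-%m-%d} but newest visible "
                       f"file activity is {newest:%Y-%m-%d} ({gap.days} days earlier)")
    # When every atime equals its mtime the access times add nothing
    # (what a noatime-style mount leaves behind); mtime alone still works.
    if all(f.atime == f.mtime for f in files):
        reasons.append("access times add nothing beyond mtime; relying on mtime only")
    return stale, reasons


def sample_outer_volume() -> List[FileRecord]:
    """Constructed decoy contents: a few files last touched in 2006."""
    old = datetime(2006, 3, 1, tzinfo=timezone.utc)
    return [
        FileRecord("/mnt/outer/tax-2005.pdf", old, old + timedelta(days=10)),
        FileRecord("/mnt/outer/holiday.jpg", old, old),
    ]


if __name__ == "__main__":
    used = datetime(2010, 9, 15, tzinfo=timezone.utc)   # assumed host-side evidence
    verdict, why = decoy_indicators(sample_outer_volume(), used)
    print("looks like a decoy:", verdict)
    for line in why:
        print("  -", line)
```

The check is deliberately conservative: one genuinely recent file in the outer volume is enough to clear it, which is also the practical defence the comment hints at: actually use the outer volume, not just the hidden one.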
If it's really OSS, she can fork the entire code, and tell him to fuck off.
A valid cheque for a million dollars is also some ink on a piece of paper.
Heck nowadays a billion dollars is a bunch of electrons in some computer or some magnetic stuff on spinning disks.