Slashdot Mirror


User: hawguy

hawguy's activity in the archive.

Stories
0
Comments
5,882
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,882

  1. Re:I thought the problem was security? on Obama Admin Wants Hackers Charged As Mobsters · · Score: 1

    Lame argument. The victim is already punished by the criminal act. There is nothing wrong with "throwing the book" at a "hacker". You haven't proven that the criminal act is less culpable. You only tried to blame the victim for the criminal's action.

    Let me put it another way, if the victim was more vigilant with his/her cyber security the hacker would either find another target or work harder to counter the security measures. The victim may change, but the criminal stays the same. The point being that regardless of the victim's actions the hacker is still the criminal and should be punished.

    Preventive measures are always a good thing. The lack of preventive measures do not justify the crime.

    The problem is that the victim is often not punished enough by the criminal act.

    Making harsher penalties for hackers won't do anything to stop hacking. Sure, maybe some casual kid in his basement may think twice (but probably not), but unless companies take strong measures to protect their data, it will continue to be stolen.

    II faced the same thing at my last job - I couldn't get funding or permission to take any security measures beyond what we were legally bound to by PCI and SOX. We held a surprising amount of personal data for our customers, and there is more we could have done to protect it, but a data breach would merely be embarrassing to the company and not hold any real financial or criminal penalties. but it would have released data that consumers consider to be private and personal. (without naming the company, they consolidate data from multiple sources and resell it to other companies, primarily for use in marketing)

    Unless companies are held liable for their data, it will continue to be stolen - often by people or organizations outside the reach of US law.

  2. I thought the problem was security? on Obama Admin Wants Hackers Charged As Mobsters · · Score: 4, Insightful

    Rather than the maximum sentences for cyber crimes have failed to keep pace with the severity of the threats, it seems that in many cases the problem is that hacked party's network security has failed to keep pace with the value of the data.

    If a thief breaks a company's car window (where there's a sign that says "Credit card numbers stored here!") and steals a printout with a million credit card numbers, everyone will say the company was stupid for leaving the printout sitting on the car seat.

    Yet when a hacker exploits a well known (and easily eliminated) SQL injection vulnerability to do the same thing, suddenly the hacker is escalated to "organized crime" level?

  3. Regenerative braking? on Tapping Subway Trains For Energy · · Score: 2

    How is this different from traditional regenerative braking (they even mention regenerative braking in the article) that's already in wide use by electrified transit providers? I don't see how feeding energy into local flywheels is any different than feeding it back into the grid? Surely a grid that's capable of delivering megawatts of power for to start a train is capable of absorbing (fewer) megawatts of power for braking?

    Is the 30 seconds @ 3 - 4MW figure mentioned in the article accurate? That's a 6000 amp draw for a 600V system, sounds like a lot of current over a relatively small conductor -- the conductors that I've seen appear to be around a 4/0 gauge, which is only rated for around 250A. Granted, for only 30 seconds it could exceed this rating, but 6000A?

  4. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    Obligatory things are obligatory.

    The only problem with that is explaining it to non-geeks. If I tell users to use four unique words as passwords, they'll use short passwords like:

    iasathe (i-as-a-the)

    Then when I say they need to use longer words, they'll use common phrases and sentences:

    "darksideofthemoon"
    "foreverandaday"
    "ihatepasswords"

    So then an attacker just needs to compile a list of common password phrases, *and* can use grammar analysis to greatly reduce the password space that they have to search.

    I ran the xkcd comic past a few of our users, and they didn't get the "random word" part.

    But I did convince our sysadmin that there's no need to make hard to remember and hard to type admin passwords using simple substitions because the hackers all know those substitutions so they don't buy much additional security.

     

  5. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    But for phishing/social engineering the expiration time is not very relevant, because unlike brute force, there is no trying passwords.

    I don't expire passwords every 90 days because that's how long it takes to brute force them, I expire them every 90 days because if a password is compromised by any means, I don't want it to be usable forever.

    The person tricked to give the password out will always give the current password, no matter whether it was set one hour ago or one year ago, and especially independent from what it was when the phishing/social engineering attack started.

    And if a password is brute forced, it will be the current password - it doesn't matter how the password is compromised, it will be valid at that point in time. Few brute force attacks take 90 days - most take minutes or hours because they are looking for simple passwords (like "Password1234", or "h0rse1!" (which are both "complex" but trivial to brute force)

    Nor will the password expiry time make the phishing/social engineering attack any harder (indeed, it could make it easier, because it could be used for phishing attacks specifically aimed at password expiration, like "your password is about to expire, click here to change it"). So the only effect of a 90 day password expiry is that an attacker has on average 45 days to exploit a phished/social-engineered password -- that's still plenty of time to use it.

    That's pretty much the point of the expiration - so a compromised password isn't good forever. Yes, a lot of damage can be done in 45 days, but a lot more damage can be done in 450 days.

    Another argument for password expirations in a corporate environment is so when people share passwords (as they invariably do in an office "Hey Sally, This is Jack, I don't have access to the TPS report but Bob needs it, can I borrow your password to print it?), after Jack leaves the company he doesn't retain permanent access to Sally's login account since he knows her password.

    Of course, using something like an RSA token takes care of all of these issues - your password expires within a few minutes.

  6. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    Here is my prediction:
    Instead of password the common place would be a biometrics sensor where people would put their fingers and get "scanned". And an average IT guy would be responsible for sitting in a help desk and answering phone calls:
    "Hello thank you for calling Acme Help Desk... Yes so you can't get in? Can you go wash your hands? I know you say that your hands are clean but try it... No do not use your moisturizing cream after washing... "

    That place is already here -- many laptops include built-in fingerprint scanners as an option, and standalone USB scanners are readily available. But I wouldn't completely replace a password with a fingerprint scanner since most scanners can be easily spoofed with a fingerprint captured in silly putty.

    We've been using an employee punch-clock system with fingerprint scanners for about 2 years now - the scanners work pretty well, few problems with people unable to scan in. Each employee has at least 2 fingers enrolled in the system.

  7. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    Long, complex passwords help prevent brute-force attacks. Expiration times guarantees that an attacker has only 90 days to hack and use a password before it becomes useless.

    But then, wouldn't a better rule be that the expiration period is longer if your password is longer and more complex? After all, it takes much more time to crack such a password. And giving longer expiration times to longer, more complex passwords would also mean an incentive for people to actually use such passwords, instead of using the minimum length/complexity they can get away with.

    Long, complex passwords help prevent brute-force attacks. Expiration times guarantees that an attacker has only 90 days to hack and use a password before it becomes useless.

    But then, wouldn't a better rule be that the expiration period is longer if your password is longer and more complex? After all, it takes much more time to crack such a password. And giving longer expiration times to longer, more complex passwords would also mean an incentive for people to actually use such passwords, instead of using the minimum length/complexity they can get away with.

    If brute force were the only way that a password could be compromised, that might make sense (even if it would be hard to manage - how do you map password length to expiration time?) but I suspect that more passwords are compromised by phishing and social engineering than brute force. But that doesn't mean that you can ignore brute force by allowing 6 character non-complex passwords -- network security is made up of many layers.

  8. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    Long, complex passwords help prevent brute-force attacks.

    Of course, but none of these machines are facing the internet. You need to be either in an office or use VPN, and connecting from a device with an authorized MAC address to connect. What security is added by making passwords expire all the time? I can memorize a complex password, or a couple of them, but a couple of them that have to be changed all the time (and require half a dozen tries before you've got one that is accepted) is so annoying that almost every one of those 20,000 employees say: screw this, it's post-it time.

    Many companies have services exposed to the outside world that use credentials from the inside servers - things like Outlook Web Access (OWA), intranets, employee timeclock systems, HR benefits information, etc. MAC address authentication is barely better than no authentication at all, so it doesn't count - it keeps an employee from bringing in a computer from home, but requires only a tiny amount of work from a hacker to bypass it.

    Not that it matters, anyone in the company can get a virus that tries to brute force attack your password against the Active Directory servers directly.

    Or maybe a user uses the same password for the corporate network and online banking and the bank got hacked.

    Or the user falls victim to a phishing scam.

    Even if you exercise the utmost care and don't (knowingly) have your password hacked, the password expirations are for those users that *do* get their password hacked - it prevents the password from being usable forever.

  9. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    an you explain how such password rules enhance security? A serious question, I'm trying to learn something here.
    At work we also have the two factor authentication: a pin card reader that generates a key, and a password.

    Long, complex passwords help prevent brute-force attacks. Expiration times guarantees that an attacker has only 90 days to hack and use a password before it becomes useless.

    Password lockouts after too many failures slow down brute force attacks, but don't stop them. With no complexity requirements, many people will choose a common word, and maybe append a number to the end when they have to make up a "new" password. If you take the top 2400 common English words and want to brute force them, if a site has a password lockout after 10 wrong guesses that resets in an hour, you can guess 240 passwords/day or the entire dictionary after 10 days. (multiple by 10 if you want to try adding a digit to the end).

    But, if the attacker has a list of user names at a company (usually not too hard to come by, all you need is a printed phone list and you can guess the usernames), they can guess passwords much faster. If a company has 1000 users, then they can guess passwords 1000 times faster since they get to test each password across all 1000 users before going on to the next one so they get 1000 chances of getting a match for each guess. It still takes the same amount of time to go through the entire dictionary, but they have a much greater chance of guessing right.

    A longer password also helps protect against Rainbow Table attacks if the hacker can get to unsalted password hashes.

  10. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    I'm more than a little tired of newbies who think the attacks are coming from the outside in the form of script kiddies and port scans. The attacks are coming from the INSIDE, by fully authorized users who face little if any opposition. The absolute HIGHEST RISK is the disgruntled worker who fears being outsourced and keeps a nifty supply of sensitive material on a USB drive. Ironically, the IT workers who build these "secure enterprise networks" are among the biggest security threats.

    If you have access to sensitive information - accounting data, credit card numbers, etc on my company's network, you don't have access to a USB drive or any removable media. You also can't use any web email services - your PC can hit a few whitelisted websites, but nothing else. You won't be able to send any non-scanable attachments in an email (i.e. encrypted .zip file), and we do scan outbound emails for things like credit card numbers. If you try hard enough, you can send something out via email (or printer or screenshot by iPhone, etc), but you can't deny knowing that it's against policy. Since these restrictions can get in the way of doing work, some users have two PC's, one with access to sensitive data, some without.

    "Unless your kids are hosting their own email server, your household budget *does* include an email administrator, you're just paying it to your ISP (or through trading off some privacy and pageviews to an ad-supported email provider)"

    Have you ever heard of Gmail with a POP3 client? Sheesh.

    And you think that when you use POP that Google is not mining your email for marketing information? You don't have to view any ads at all to be valuable to Google.

    "This may come as some surprise to you, but maintaining an enterprise network of 500 desktops is different then a single desktop - a college student can spend 2 hours of his own time recovering from a virus infection, doing that across 500 desktops with 2 helpdesk staff would take over 2 months."

    This may come as a surprise to you, but my 2 kids and 498 of their colleagues have the same number of computers as your "enterprise network of 500 desktops". They accomplish more of what they set out to do than the average corporate employee -- with a lot less BS

    Do your 2 kids and 498 of their colleagues have the documentation to back up their HIPAA compliance? How often do they complete a PCI penetration test? Have they passed a SOX IT audit? As I said before, IT's job is not just to make sure that you can use your computer, but also to make sure that your computer meets all of the regulatory requirements of the business.

    They accomplish more of what they set out to do than the average corporate employee -- with a lot less BS. Although your hypothetical 500 infected desktops might take a helpdesk a few man-months to re-image, would't it be cheaper to buy MacBooks and fire the helpdesk?

    First, OSX is not immune to viruses and operating system corruption, the need to reimage computers doesn't go away because it's OSX.

    Second, application support is not any easier with OSX. About 30% of our users are on OSX, but most of them run a Windows instance in Parallels because there are some applications (including some cloud hosted SaaS applications) that require Windows (and/or MSIE). So now, instead of just supporting an OSX desktop, IT ends up supporting a virtual Windows desktop as well. But even without Parallels and the need to support a whole second desktop environment, Mac users still have issues with applications, file access/permissions, hardware issues and all of the other typical problems that Windows users have.

  11. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 2

    You say that is if IT asked for SOX, HIPAA, PCI, etc along with all of the script-kiddies (and professional hacker networks) that are actively looking for vulnerabilities. IT engineers a network that meets compliance regulations because they *have* to, not because they thought it might be a fun thing to do. After a few SaaS providers are hacked, it will be interesting to see what kind of responsibility the customer has for the hack even if they made sure that the provider had all of the right certifications.

    No network, no hacking the network. You're a solution in search for a problem.

    What? A SaaS provider doesn't mean no network, I still have all of the desktop network security concerns on my network, but now the SaaS provider's network is a target too so I have to rely on them to provide adequate network security.

    Unless your kids are hosting their own email server, your household budget *does* include an email administrator, you're just paying it to your ISP (or through trading off some privacy and pageviews to an ad-supported email provider)

    Given the fact that you're already doing that, why the hell go and find an extra admin, added to the payroll? Let the cloud companies take care of it and just call your ISP if your internet connection is down, because... you know... That's what they're for. Do you also have a phone operator, just in case you're getting phone phreaked? Lol..

    My business ISPs don't include email for free, my ISPs include data only. I'm sure I could pay more for email, but I'd have to pay a lot more for hosted Exchange, and my users won't let me get rid of Exchange. I've priced it out and it's still cheaper to run exchange in-house given that we have to have Windows admins on staff to run other systems.

    I do have a phone operator, who manages the corporate phone system and call center telecommunications - a day of downtime of the call center can cost us more revenue than an entire year of salary for the telecom manager.

  12. Re:Flawed premise on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 1

    I have to disagree with you. If you run solutions such as WAN acceleartion, you will solve the issue of latency.
    Please google: "amazon ec2 riverbed"

    I think you're confusing bandwidth requirements with latency - WAN acceleration can reduce bandwidth requirements (which can helps with latency since it takes less time to send 256B of data than to send 1KB of data), but you can never eliminate the latency of the wire. If it takes 200ms to send a packet back and forth, no amount of compression or other WAN optimization will get rid of that latency when you're trying to retrieve data from the remote server.

  13. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 2

    I used to think the same, but in my office with around 200 people, most quite active PC users, with our new wireless setup most people have stopped connecting up the laptop to cable when they move back and forth between their desk (if they have a permanent one) and meetings/workshops, and just use wireless. Even when doing videoconferencing. It has become more than good enough. Only time I notice the difference is when moving very large files (GBs) over the network. There are many thinks you can do setting up a good wireless network to give a high density of users good effective bandwith.

    For a competing datapoint, I'm in an office with 500 people and 50 discrete Wifi zones (ok, not all in the office areas, maybe 30 of them cover the offices) and the only time people use Wifi is when they are in a conference room, and even then they complain about speed "How come it takes soooo looong to open up this 50MB powerpoint presentation? It only takes a few seconds at my desk!". Everyone gets a 1Gbit connection at their desk. The most they are going to see on Wifi is 22mbit, and most real world speeds are much lower than that. We'd like to roll out dual-band wireless N, but only about 20% of our endpoints support it, so perhaps next year when it gets better penetration we'll be able to justify the rollout.

  14. Re:Wireless = less network engineers? on Ask Slashdot: What Will IT Look Like In 10 Years? · · Score: 2

    The average corporate IT department has ALREADY degraded to the level of TSA; more interested in "compliance" than business success. At some point, the pendulum has to swing back the other way -- cutting the costs imposed by all of these policies and self-important police. By that time, I think we will have a "bring your own" mentality towards desktop hardware, just as mechanics are expected to supply their own tools. Instead of buying servers (or even cloud-based virtual servers), corporate IT will buy complete applications whose server-side infrastructure is vendor-supplied. Mandatory stupidity and shortsighted cost control have pretty much killed off the ability to handle IT any other way.

    You say that is if IT asked for SOX, HIPAA, PCI, etc along with all of the script-kiddies (and professional hacker networks) that are actively looking for vulnerabilities. IT engineers a network that meets compliance regulations because they *have* to, not because they thought it might be a fun thing to do. After a few SaaS providers are hacked, it will be interesting to see what kind of responsibility the customer has for the hack even if they made sure that the provider had all of the right certifications.

    If the company doesn't care that its customer list is emailed to a russian hacking network, they should just tell their IT department that network security is not needed. Security is inconvenient, and sometimes gets in the way of doing real work. Each layer of security you add on to the network adds complexity and a potential source of failure (sure, in a perfect world, your HA pair of network filter proxies would never go down since they have built-in redundancy, but when the vendor supplies a bad update file that slows them both to a crawl, then everyone is unhappy).

    I once had an executive demand to be exempt from our password policy (which was quite reasonable - 8 characters, complex, 90 day expiration) because it was too hard to remember a new password every 90 days. I put together some written justifications for the password policy, pointing out that if he wanted to maintain access to the data that he has now, we'd be in violation of several regulatory mandates (which I would have to report in our next annual audit report), and asked him and my boss to both sign the paperwork to show that they were taking on all of the risk. Neither signed, and the exec somehow figured out how to remember his passwords (which I suspect meant writing it down, which is no longer a problem since we're now using 2 factor authentication)

    So basically, I'm saying that if you don't like the way IT runs your network, just absolve them of any responsibility for opening it up and doing it your way, and I'm sure they'd be happy to comply.

    If your kid's facebook page is hacked, no one cares except them. If your hospital lets your health records leak out, they can face large fines, and if it was a egregious violation, individuals can face personal fines and criminal charges.

    The future model of IT is what home users and especially college students are doing right now. My KIDS have less computer downtime than the average corporate IT worker, and our household budget does NOT include an e-mail administrator or desktop support.

    Unless your kids are hosting their own email server, your household budget *does* include an email administrator, you're just paying it to your ISP (or through trading off some privacy and pageviews to an ad-supported email provider)

    This may come as some surprise to you, but maintaining an enterprise network of 500 desktops is different then a single desktop - a college student can spend 2 hours of his own time recovering from a virus infection, doing that across 500 desktops with 2 helpdesk staff would take over 2 months. (which is why IT makes you keep your files and windows profile on the fileserver, so instead of spending 2 hours trying to clean up an infection, they can spend 5 minutes starting a reimage of your compute

  15. Re:No thanks. on Linux Journal Goes — Surprise! — Digital · · Score: 3, Informative

    I'm very disappointed because it was my bathtub reading material. The bottom corners can sometimes get soggy, but it's still good. Can't say the same about a digital device. I'm not into the iPad hype anyways.

    Get a Kindle(*), put it in a 1 Quart ziplock baggy. Problem solved.

    I've done this in the bathtub, hot tub, and pool with no ill effects to my kindle. Which is more than I can say about some books and magazines I've accidentally dropped in the tub.

    * I'm sure other e-book readers would also work, but my Kindle fits perfectly in a cheap baggy, and the next-page prev-page buttons are easy to press while in the baggy -- probably not the case if it were a touchscreen device (like the Nook Color)

  16. Re:Might make it worse? on Chinese Researchers Propose Asteroid Deflection Mission · · Score: 1

    I'm not talking about the human consequences, I'm talking about the natural consequences with no human intervention required.

    For instance, if anyone had actually pressed the proverbial nuke button, nuclear winter would probably have done in the capitalists and communists alike. In this case, the amount of ash and dust spewed into the atmosphere would probably take out a large portion of the crop-growing capacity, causing massive famine at best. Another way of putting it: They won't be saying "Oh, oops, sorry, our mission failed", because (a) they won't be capable of talking to anyone, and (b) there's nobody left for them to talk to. When you're talking doomsday scenarios, it often doesn't matter who's to blame or who "won".

    Oh, I don't think this particular asteroid would be that catastrophic - current estimates put it in the 200 megaton range -- the largest nuke test was 50 megatons, so this is "only" 4 times larger.

    Granted, it would cause huge death and destruction over many hundreds of square miles wherever it hits, but I wouldn't think it would cause world-wide crop failure and famine.

  17. Re:Might make it worse? on Chinese Researchers Propose Asteroid Deflection Mission · · Score: 1

    Then they're probably dead too. It's the same as the problem of blowing up the USSR with nukes: Even if you succeed, you have nasty consequences to deal with afterwords.

    But how do you prove it was intentional? They'll say "Oh oops, looks like our mission failed, we failed to impact with enough force to divert the asteroid from the earth. sorry." They'll even include an international team of scientists on the team to design and implement the project, to help deflect (pun intended) blame for the "accident".

  18. Might make it worse? on Chinese Researchers Propose Asteroid Deflection Mission · · Score: 1

    Since we still don't even know that it will hit that keyhole (the last stat I saw was 1:250,000 chance), what are the chances that instead of a direct hit, we'll just make a glancing blow that ultimately nudges it through the keyhole?

    This mission seems to make more sense if there's a 100% chance it will hit the keyhole, because then there's no way to make it worse, but I'd like to see some statistics on the chances of making the situation worse (or on completely missing it and doing nothing at all)

    At the very least, we should plan on *two* missions... one farther away, and then if it turns out we haven't pushed it out of the way, send a modified spaceshuttle full of Texas Oil workers to drill a hole and plant a nuclear bomb in its core. Then they could make a movie about it.

  19. Re:A shame on HP Spinning Off WebOS and Exiting Hardware Business · · Score: 1

    I really liked my Palm Pre. I would have replaced it if HP had released a comparible replacement, but the Pre 3 still isn't out and I had to get an android phone. My new phone has more apps, a better browser and better hardware, but I still think WebOS's multitasking paradigm was better.

    I was really looking forward to the Pre3, I was thinking about moving from my Droid-1 to the Pre3 when it comes out, but I guess now I'll have to hold onto the Droid a little longer and see what comes out of the Google-Motorola deal.

  20. Re:Everyone gets same deal as Nokia? on Microsoft Exec Responds To the Google-Motorola Deal · · Score: 2

    What is your point? Nokia is their most valuable partner. That doesn't mean that Microsoft isn't supporting all of the hardware makers. Since partnering with Nokia they have also added ZTE, Fujitsu, and others. Clearly Nokia is their #1 partner, but Microsoft doesn't own them and Microsoft is not promoting Nokia as "the" WP7 to get. The internet is promoting Nokia as the WP7 phone to get, but so far Microsoft hasn't even show off a Nokia phone while has demoed new phones from Samsung, Fujitsu, etc...

    My point is that on the one hand, MS is claiming that they are the only vendor-neutral mobile phone software maker, but on the other hand, they are throwing billions of dollars at "their most valuable partner".

    That hardly sounds vendor neutral unless they do the same for every partner. Google has no reason to give special treatment to their new motorola division at the expense of their other hardware partners - they profit from getting more Android handsets out in the market, they aren't going to make a bundle of money from hardware sales.

  21. Everyone gets same deal as Nokia? on Microsoft Exec Responds To the Google-Motorola Deal · · Score: 5, Insightful

    So when Microsoft says this:

    Windows Phone is now the only platform that does so with equal opportunity for all partners.'

    Does that mean that everyone gets billions of dollars from MS?

    http://thenextweb.com/microsoft/2011/04/21/nokia-and-microsoft-deal-official-definitive-agreement-signed/

    As a result of the deal, Nokia will pay Microsoft royalties for the Windows Phone platform, starting only when the Finnish company launches its first Windows Phone devices. Microsoft has also agreed to make payments to Nokia “measured in the billions of dollars” for services but also intellectual property royalties.

    Or are we supposed to believe that MS would have paid for Nokia's IP even if Nokia hadn't switched to Windows Phone?

  22. Re:This guy is just blowing smoke. on Cop Seeks Wiretapping Charges For Woman Who Videotaped Beating · · Score: 2, Funny

    The idiom is "Moot point", not mute point.

    If you're going to correct someone, you should at least be right about it.

    It's a "Moo point". It's like a cow's opinion, you know, it just doesn't matter. It's "moo".

    http://www.imdb.com/title/tt0583431/quotes?qt=qt0254874

  23. Re:Computer researchers are too much like computer on WPA/WPA2 Cracking With CPUs, GPUs, and the Cloud · · Score: 2

    I think you're missing the point of the XKCD comic... There are around 3000 commonly used words in English (xkcd assumed 11 bits per word, or 2048 words). A 6 year old child has a vocabulary of between 2500 and 5000 words.

    If user uses a 5 word password there are 3000^5 = 2.4E17 different combinations

    In your 12 character, mixed case (52) + numeric (10) + symbols (20 common symbols?) password there are 83 possible symbols, so that's 1E25 combinations.

    So technically, your "random" password may be 500,000 times safer, but even 2.4E17 combinations will take thousands of years to brute force at a million guesses/second. Not many people have secrets worth that much effort, and for those that do, they can use a 6 word passphrase so even at a billion guesses/second it would take thousands of years to brute force it.

    Few people can reliably remember a random string, especially when they need a different password for different accounts, and have to change it every 30 - 90 days, so they'll end up writing it down or storing it in some password keeper that's subject to attack.

    However, most people can remember: "seesawseashoresally" or "liontigercougarnotdog" much more easily than a random string, and they'll end up with a very secure password than the usual method of doing s1mpl3 sub5t1tut10ns. And many people (like me) can type a 20 character phrase faster than a 12 character random string.

  24. Re:electric bikes! on What's the Carbon Footprint of Bicycling? · · Score: 1

    human-powered biking burns more fossil fuels than e-biking, due to the fossil fuels used in fertilizing, processing and transporting food (even for vegetarians).

    Let that last one sink in. Burning coal to power an electric bike is more environmentally friendly than eating a vegetarian diet and pedalling!

    You're assuming that a human powered cyclist eats significantly more than a electric powered cyclist -- I don't eat any more food when I bike, if anything, I eat less since my weekend meals tend to be bigger than my weekday meals (when I commute to work). And if I didn't bike, I'd be burning off calories by running or at the gym.

  25. Re:My habit on What's the Carbon Footprint of Bicycling? · · Score: 1

    Bikes also damage roads far less than cars do. A heavy bicycle weighs around 30 pounds

    Slightly misleading, as it doesn't take into account the 170-pound rider on the bicycle. But I've read that the damage done to a road by a vehicle is somewhere between the third and fourth power of the weight per axle.

    Not really misleading since that 170 pound rider is going to be on the road whether he's on his 30 pound bicycle or in his 3000 pound car.