The fact that Visual C++ won't compile that code means that (1) Visual C++ implements a language that is not exactly C++
I don't understand. If the behavior is undefined, doesn't that mean that it's up to the compiler to decide what to do in those cases? That doesn't mean that VC++ implements a language that is not exactly C++, it means that it chose to throw an error when this particular undefined behavior occurs. A compiler which doesn't throw that error is still deciding how to handle behavior undefined by the standard.
hmm...hadn't considered the tethering point of view. Touche, good sir!
You know, since this very article is about Verizon selling a MiFi with an iPad, I'm pretty surprised that anyone overlooked that use-case.
Also, Monty must always open the other door. If he gets to choose when to open the other door, all bets are off.
I generally think that this should go without saying, as it's part of the problem domain. But every once in a while someone will try to claim that since I didn't expressly say that he opens the door for each contestant (and he didn't always, on the show) then you can't assume that he always does.
The 100 doors explanation solidifies that in people's minds, when they still feel a little uncomfortable with the explanation you gave.
But I've actually gone to the trouble of proving the point with a deck of cards. I ask them to pick the ace of spades, then I go through the deck looking for that card. I set 50 cards aside and say, "Either the card you're holding is the ace of spades, or the card I'm holding is the ace of spades. Want to trade?" If they still don't think it matters, I repeat the experiment and keep track of how many times they would have won if they'd switched. It has never taken more than 3 tries to get them to understand.
He said it was easy to explain. He didn't say he was proving it.
There are also probably a lot of people who decided to buy a new TV and got a 3D one so that they wouldn't be wanting to replace it 3 years down the road.
It's really a toss-up as to whether this saves you any money, since in 3 years, the prices should have plummeted, but lots of people do this kind of thing.
but a lot of Facebook apps require Flash, which doesn't work on iPod touch or iPad.
If you need to log in to Facebook and use a flash app, you might want to consider seeking help.
It's not about privacy--it's about keeping the people behind the account as the account owner so that aggregated information about that person/account remains accurate.
Some anonymous criminal now owns your throwaway account. Now what will they do with it? Expand the account to all the free options that Yahoo offers? Send Pharma spam? Use it as storage for the worst imaginable porn? Store prerelease videos and albums? Use it as the base address for Myspace, Facebook and Twitter accounts to resell likes, fans, tweets and references? You don't know. What you do know is that if the lawyers or prosecutors track it down the trail ends at your house.
Well, no, the trail ends at an IP address in e.g. Russia, from which the account was last accessed and the password changed. I know that we like to think of the cops as being technical idiots, but the people who work on cybercrime cases really aren't, and they won't suspect the originator of the account in cases like this.
Hell, I don't live in a swing state, so every two years, I wonder why I bother going out to vote. I always do, though.
Everyone wants to blame 'dumb' people and 'dumb' voters, but in this case, by these standards, roughly 98% of voters are idiots. How were the voters in this case supposed to have precognition of the foolish choices that would be made by those that they put into power? By their ridiculously banal campaign advertisements? Impossible.
Everyone wants to say Bush was an idiot, or Obama is an idiot, or Clinton is an idiot.
The best predictor of future actions is past actions. Keeping that in mind, I have a couple of things to point out:
- If this school board gets reelected, you can reasonably consider the voters who did so to be dumb.
- People who groused about Clinton or Bush and then voted for him again are dumb, however...
- We basically don't elect people to the office of the President; instead, we elect parties. You probably have a decent idea of the kinds of things that a presidential candidate will do when you vote for him, even if you don't have past experience to draw from. You know Republicans are going to cut taxes for the rich. You know that neocons are going to inflate and spend. You know that Democrats are going to tax (the rich) and spend.
What irks me the most is when politicians make bald-faced lies during their campaigns, but I think that's a rant for a different time.
Funny that this comes up. There's a joke I heard once about a doctor asking for help with his computer, and the IT guy asking for free health advice, and the differences in responses.
That happened to me recently, in the doctor's office. They'd just migrated to a new system and were having issues. The PA knew I was in IT and asked if I knew how to fix it. I said that I could probably fix it fairly easily, and asked what they would pay (or if they would comp my visit.) At first, apparently, she thought I was kidding. When she found out that I wasn't, she got indignant. When I asked why her time and expertise were more valuable than mine, she said "It's just a computer." Yeah. It's just a computer until it stops working and you don't know how to fix it, just like every other industry*.
That was when I decided not to go back to that office. Unfortunately, I expect that there would be similar expectations just about anywhere you go.
It's probably just as well that I didn't try to fix it, though. As someone notes below, once you give someone help like that, it's your problem for the rest of your life. Also, I wouldn't want to be blamed for any HIPAA-related issues.
* Actually, in the medical industry, it's even worse. You legally can't get lots of medication without a doctor's script, so even if you know what you need, you can't "fix it yourself." Because of regulations.
Most specialized industries are the same way.
Why does your mechanic charge so much for an hour's (or less) work? Well, it's because they have expertise. You aren't paying for the hour of work, you're paying for the years of learning how to troubleshoot and do the job correctly. You're helping recoup the investment, whether that investment was time, money, or a combination of both.
Protip: "Why are you nosy?" isn't a good reply to that.
There was a brief period of history when people who used computers basically knew how they worked. If a person had a computer, they knew a damn bit about it. It was probably very much a hobby to that person.
That period is over, due to innovations in ease-of-use and cheap electronics. Based upon my anecdotal evidence, computer literacy is falling. They're becoming even more like black boxes that people don't know anything about. Do most people know what a browser is? Or that there are other things out there on the Internet besides the blue E icon?
This sounds pretty interesting. What are your other methods?
For most things, a decent, random password isn't that bad. You can combine a password manager program, like KeePass, with a file sync solution, like Dropbox, and gain several security benefits without sacrificing much (if anything).
I'm very, very nervous about storing my password file on Dropbox. If a weakness is found in the encryption implementation that protects the file, you'd have to consider all of those passwords compromised (in my opinion.)
I don't know of a better synchronization solution, though. Certainly nothing that's as braindead easy as storing your encrypted password file in the cloud.
certificates are only really useful if you've done some form of vetting to confirm that I am who I said I am,
Irrelevant for a comparison to passwords. Passwords provide no more identity than PKI. The fact that with PKI, there are common methods of chaining trust means that it would be easier to establish identity with PKI, assuming you trust the chain...
Why go through the expense, complexity, and risks posed by all keys on a single USB drive when there are perfectly useful password-based solutions already available that don't involve me trusting parties I don't know?
which I guess you don't :)
Yeah, me too. I got that bank account when I was a kid and didn't really know better. If they were still acting that way, I'd ditch them for a better bank.
36^8 is long enough for brute-forcing to be infeasible over the network in most cases, so you're mostly worried about attacks where the attacker has a password hash already. There's a narrow intersection where an attacker can have the hash and not already have all the access they need for the box/account. It certainly exists, and it's something to concern yourself with, but I don't sweat it too much when a site restricts me to 8 characters (even exactly 8 characters.) I think it's a silly, arbitrary restriction, and I suspect that it usually means that their app is poorly coded/secured, though. I mean, if they're storing a hash, the hash will be fixed length no matter the input. If they're storing the password (one of the only reasons I can see them limiting the length of it)....I don't really know what to say.
Reusing your e-mail password is a big fail all around. It's probably something you don't want getting everywhere, and because so many sites use the e-mail address as the username, you're basically giving everyone access to all of those sites.
I have been meaning to develop a password scheme along these lines:
- Each e-mail account I have must use a different, unique password.
- All e-commerce sites which do not have "cloud" data (e.g. Amazon, Nook, iTunes) and which don't store credit card information for easy purchasing use the same password.*
- Each e-commerce site which has either cloud data or which stores credit cards for ease of purchasing (one-click) must use a different, unique password.
- Shell accounts use SSH keys to log in, however they still need unique passwords if I have sudo on the box.**
I haven't decided on what to do with social networking sites and forums. My gut is that they don't need unique passwords, however I wouldn't want my account to be used for spamming. I think using a weak scheme for uniqueness might work, such as prepending the site name to a common password. This would be a middle-ground--automated harvesting would fail, but I'd still have a very easy to remember password for the sites. If someone is targeting me, I have more problems than whether or not my Slashdot account is hacked.
Of course, any site using OpenID can just be linked to my Google account.
* Basically, places where I have something semitangible to lose (the books, movies, music associated with the account) if the account is compromised.
** Though there are other ways to deal with authentication once you are on the box, such as OPIE, which doesn't require giving them a password.
I'm hoping that Google will eventually allow two-factor authentication (using a smart phone as your "something you have") for everyone. They already allow it for Premiere, Education, and Government customers.
Since Google is an OpenID provider that more and more sites are starting to trust, that would be a very good way of getting the security I want out of OpenID. Unfortunately, Google's OpenID URL is really crappy (it's https://www.google.com/accounts/o8/id )
I even had a site, I'm pretty sure it was a bank, that required the password be exactly 8 characters, and only alphanumeric.
Not really. 36^8 is a couple of orders of magnitude larger than 36^7 + 36^6 + 36^5 + 36^4 + 36^3 + 36^2 + 36 (and most sites would probably enforce a minimum password requirement anyway.)
That's far better than what my bank used to do, which was a PIN of 4-6 numbers, and no way for me to audit failed logins. They have (thankfully) addressed both issues, as well as implemented the common (lame) "two-factor" authentication which consists solely of two things that I know.
I've seen something like this before. The idea is that the concatenation of the site name and the master password is hashed to create a password which is unique to that site. You don't have to have your computer--you can do this from anywhere that you can install pwdhash, as long as you remember your master password.
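A worked illustration of the hashed site-name idea in this comment, contrasted with the "prepend the site name to a common password" middle ground a few posts up; this is an added example, not code from the thread and not PwdHash's actual algorithm. The site names and master password are made up, and the HMAC-SHA256 derivation with rejection sampling onto the site's allowed alphabet is my own assumed construction.

```python
"""Per-site password derivation: prefix scheme vs. hashed scheme.

Added example (hypothetical code, not PwdHash's algorithm). It shows why
hashing site+master is safer than prefixing the site name, and how one
master can still satisfy a site's policy such as "exactly 8 alphanumeric".
"""
import hashlib
import hmac
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols, for strict sites
ALNUM_SYMBOLS = ALNUM + "!?&#"                # 66 symbols, when specials are allowed


def prefix_scheme(site: str, master: str) -> str:
    """The weak 'middle ground' from the thread: site name + common password.

    Any one leaked site password reveals the master in clear text, so the
    'uniqueness' only defeats naive automated reuse, not a human attacker.
    """
    return site + master


def _byte_stream(master: str, site: str):
    """Yield derived bytes for (master, site), one HMAC-SHA256 block at a time.

    A counter is appended so the stream can be extended past 32 bytes when a
    long password or many rejected bytes are needed.
    """
    counter = 0
    while True:
        msg = site.encode() + b"\x00" + counter.to_bytes(4, "big")
        yield from hmac.new(master.encode(), msg, hashlib.sha256).digest()
        counter += 1


def hashed_scheme(site: str, master: str, length: int = 16,
                  alphabet: str = ALNUM_SYMBOLS) -> str:
    """Derive a site-specific password of exactly `length` symbols from `alphabet`.

    A leaked per-site password reveals neither the master nor other sites'
    passwords: recovering them means inverting or brute-forcing the HMAC.
    """
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet non-empty")
    # Rejection sampling: only accept bytes below the largest multiple of
    # len(alphabet), so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(alphabet))
    out = []
    for b in _byte_stream(master, site):
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


def fits_policy(password: str, length: int, alphabet: str) -> bool:
    """Check a derived password against a site's length/charset policy."""
    return len(password) == length and all(c in alphabet for c in password)


if __name__ == "__main__":
    master = "correcthorse"  # constructed sample master password
    for site in ("slashdot.org", "arstechnica.com"):
        print(site, "prefix:", prefix_scheme(site, master))
        print(site, "hashed:", hashed_scheme(site, master))
    # The 'exactly 8 alphanumeric' bank from the thread, served by the same master.
    bank = hashed_scheme("bank.example", master, length=8, alphabet=ALNUM)
    print("bank.example hashed:", bank, "fits policy:", fits_policy(bank, 8, ALNUM))
```

Running the module prints the two schemes side by side; the prefix output visibly contains the master while the hashed output does not.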
Don't forget to steal their keyfob.
Copy and paste (both of you?)
Came here to say this. The article talks about how stupid these practices are, but there are reasonable reasons for doing most of them.
Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)
I reuse passwords because it's simply not possible for me to remember more than about 20 password/username/site tuples. I have a password "scheme" that I use to make memorable passwords, but I have to deal with sites which:
- Have restrictions on the username that means I can't use my normal one
- Already have my usual username taken
- Have restrictions on the characters/length of the password
etc.
So I have a few throwaway passwords that I don't care about, and I use those most places where I don't care if the account gets compromised. Why do I care if someone gets access to my deepdiscountdvd account?
Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
Password complexity is complex. What's better, a 6 character password with special characters or a 13 word phrase? Using a special symbol is not a panacea of password security.
12 percent have shared a password in a text message (vs. 4 percent overall)
It depends upon how important that password is, but in general, I'm not worried about people sniffing my SMS messages. If I'm going to share a password with someone, I generally consider that password to be useless anyway.
Passwords are forgotten occasionally, often or always by over half of consumers (51 percent).
No kidding? I thought it would be higher. I guess the main reason it's not higher is because people re-use passwords.
I use "access to my e-mail address" as my credential for a lot of sites, when I can't be bothered to remember the password or store it in my keepass database (which, itself, has about 50 passwords in it.)
86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers
Ever, or sometimes? I mean, some sites don't even use SSL for authentication (*coughcough*)
14 percent never change their banking password.
If you use a good password, and you assume that the bank itself hasn't been compromised, why change it?
Overall, the article seems fairly useless.