You forgot to mention 600 hp, a 0-60 time of 3.5 seconds and a top speed of 208 mph. A vehicle with abilities so far outside the envelope of normal driving means that you have to exercise a lot of additional control in order to keep the car under control. It means you have to be a better than average driver in order to drive in an average style.
The way Google evaluates talent is pretty bad, and it's not an interesting company to work at unless all you're interested in is a stable income with lots of perks.
Stable income, lots of perks... yep that's terrible:-)
Actually, you forgot my favorite feature of working for Google: A complete lack of idiots. Everyone I work with -- right down to the facilities staff, amazingly enough -- is bright, focused, engaged and rational. In three years, working with hundreds of others (Google is highly collaborative), I found a single counterexample, and he's now gone.
They heavily suffer from NIH syndrome and are convinced that the technology they created (and they created software for pretty much anything) is the best in the world, even when it's painfully outdated.
NIH syndrome... maybe a little, but less than it might appear. It's absolutely true that pretty much all of the Google infrastructure is home-grown. Partly that's NIH, but I think mostly it's because there's fairly little software out there that can function at Google's scale. And even where there are now publicly-available tools that can do the job, they didn't exist when Google created its stuff, and it doesn't make sense to switch.
Frankly, Google does have some pretty amazing tools, and I'm no wet-behind-the-ears pup who never saw what was in the world before joining Google, either; I had over 20 years as a professional software engineer when I started working for them. I went in expecting to roll my eyes regularly at all of the homegrown code that they could have just bought -- but frankly I don't see it much.
I do see a fair number of places that an industrial RDBMS like Oracle or DB/2, could be used and that would be faster for transactional applications than bigtable et al, and more reliable and easier to manage than massively-sharded MySQL (Google uses a lot of massively-sharded MySQL). But I can also see that using a COTS RDBMS would reduce agility and might be hard to integrate into the rest of the infrastructure -- and might run into scalability problems. Google's own stuff runs into scalability limitations, but at least we can fix it.
Outside of that... for dev tools Google uses pretty much the standard open source suite. For massive-scale process management, there just isn't anything out there to compete with borg, or the rest of Google's cluster management suite. I interviewed with a company that builds somewhat similar software, and so did some research on that space... and there's just nothing remotely like borg. Dremel, Borgmon/Monarch, Critique... same story.
For version control, Google uses Perforce, a commercial product, and about the only thing out there that could handle a multi-terabyte codebase which receives thousands of commits per day -- how many code repositories measure their performance in commits per second? However, I understand that Google has had to customize it extensively.
So, on NIH... not so much. Google engineers rarely look outside the company for stuff, but it's because they rarely need to, and if they do need something that none of the available tools can handle, there is rarely anything outside that could work.
To get hired, you have to use the Google way of doing things to solve problems.
Not sure what you're talking about there. To get hired you have to solve some pretty standard types of CS problems.
Assume 0-10 words are required for this, reducing 2^n to n^10 (same word can be chosen twice in the same password, of course). Then all permutations of those 10 words are required, so multiply it by factorial 10.
Oh, one correction: You already accounted for all the permutations in the initial selection n^10 (assuming n is the number of words in the dictionary). Multiplying by 10! results in over-counting. n^10 is the entropy... and if n=2^11, you've got a 110 bits of entropy which is an incredibly strong passphrase.
Far from that. 2^n is assuming there is a possibility all the words are used.
No.
With a 2048-word dictionary, you get 11 bits of entropy per randomly-selected word (because 2048 = 2^11). A four-word example like the one Munroe suggested therefore has 44 bits of entropy -- with four words n = 44.
For 2048 word dictionary, with average word size 5, 2^n means a password of length 0 to 10240 (over ten thousand) characters
Ah, I see, you think we're trying to achieve n = 2048? Not at all. The point is to achieve a reasonable level of entropy in a memorable way. If you want a password space of 2^44 with randomly-selected lowercase letters you have to use a 10-letter password, but a sequence of 10 randomly-selected letters is pretty hard to remember. Even if you use an alphanumeric character set, with upper and lower case, and throw in another 10 symbols for a character set of size 72, you'd still need 8 characters.
The beauty of the XKCD approach is that you can much more easily remember four random words -- or four images, especially if you can invent some relationship between them -- than 8 random characters.
I don't know if doing so should be illegal per se, just that doing so should hurt Google's bottom line, in such a way that they proactively try to prevent it.
I don't think it should be illegal at all, personally, but courts have ruled repeatedly that linking can and often does constitute contributory infringement, going back to the original 2600 ruling. Bottom line nothing, Google is legally obligated to comply and the courts could get really nasty with them if they just refused.
(Disclaimer: I am a Google employee, but that has nothing to do with this post. I've been fascinated with online copyright law for decades, and you can find many examples of me saying exactly the same things long before I started writing code for Google.)
Umm, she does have ADD (combined type), but that's trivial to manage, and is managed. As for coping skills, after years in treatment, including full-time residential treatment (after multiple serious suicide attempts), she has excellent coping skills when she chooses to use them. Keep in mind you're talking about someone who has not just a few but essentially all of the classic BPD symptoms, and in a fairly extreme form. Much of my life for the last several years has been focused on keeping her alive. She's been diagnosed by many different practitioners independently, and the only hesitation was that nearly all of them refused to issue an actual diagnosis of BPD until she became an adult. Until then it was always "extensive traits associated with BPD", or words to that effect. And while I don't recall if Dexedrine has ever been in the mix of medications, she has been on Wellbutrin. It helps some.
You're the one who has been reducing it to one cause.
You're arguing that anonymity is an essential component of creativity, and that even if we keep all the rest, tossing that one bit will dramatically reduce creativity. Or perhaps you're arguing that removing any single element will dramatically reduce creativity; it's not clear whether you're saying there is one single point of failure or multiple single points of failure, but you're definitely arguing that anonymity is a single point of failure -- lose that and you've lost creativity. That's a very big assertion.
In fact, not only do I see countless counterexamples, but I'm not sure I see any examples that you can point to and say "See, if that person hadn't had privacy (s)he wouldn't have been able to create." Examples where access to information is a clear pre-requisite not only abound, I think it's reasonable to say that no one creates anything except by building on what they've learned from others. Similarly, it's easy to look at any creative work that consumes a significant amount of time and it's clear that it could not have been created had the creator had to spend 18 back-breaking hours per day laboring in a field. Those make sense as pre-requisites. Privacy? Not so much.
I'm not saying you're wrong, just that any truth in your claim is far from obvious, and I don't find your assertions convincing.
If we were to count letters, the "correct horse battery staple" password would have ~117 bits of entropy (26^25 = ~2^117). But it doesn't, it has 44 bits. This is because it's a sequence of four words selected from a dictionary of 2048 entries. 2048^4 = (2^11)^4 = 2^44.
Assuming a good iterated password hashing function like, say, scrypt, 44 bits is pretty decent, and proof against anyone who isn't willing to throw tens of thousands of dollars at cracking that one password.
FWIW, I don't actually use XKCD-style passwords, not because of security deficiencies but because I have to use my passwords far too often to want to type anything that long. I shoot for 50 bits of entropy, but with shorter passwords. My passwords are generally 8 characters long, unless the character set specified by the system is too restricted to achieve 50 bits, in which case I add characters until I achieve the desired level. 50 bits is arguably excessive, but only if you assume that systems implement proper password hashing, with iterated hash functions and salt. I know from experience that you can't assume that, so I add a few more bits to be sure.
I don't pick Amazon because I "save" 7.25% in sales tax.
Of course not, because you don't save it. Like any good citizen you dutifully report it on your annual state income tax form, and pay the applicable sales tax then.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.
The point that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator) words, you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.
The pie chart often does apply that long, because early in their career, they signed a contract for N albums, all of which the record company will own.
Those contracts are routinely broken. It's not hard for a well-heeled band's attorneys to get them out of such a contract, particularly since the labels almost never comply fully with their side of the deal.
The problem is that when one is WHITE, one is expected to exist and compete as an atom, an individual absolute with no assistance from any entity outside oneself. Meanwhile, the NON-WHITE is permitted to exist and compete in whatever form said non-white may have. There are ETHNIC CREDIT UNIONS but no WHITE CREDIT UNIONS. there are ETHNIC COMMUNITY CENTERS but no WHITE COMMUNITY CENTERS. Therefore, unless you have your life ahead of you paid in full via inheritance and/or windfall, you remain JUST AS "OTHER" as before you attempted to renounce WHITE PRIVILEGE.
Sometimes the truth is racist but it does not undo the fact that it is the best representation of reality. You remain just as "other" to them despite the fact that you renounced viewing them as "other".
Heh. No, it was several years ago, perhaps 10. The project I was working on actually failed. I was a contractor from IBM Global Services and while we were working pretty effectively we were also being aggressively undermined by a group of UMG employees who insisted they could do it. They won the political battle. I was pretty skeptical that they could deliver though, so my guess is that after forcing us out they tried and failed, leading to the need for your project.
By all means feel free to correct anything I've misstated, BTW. It has been a while for me and I could have misremembered some things.
I think that's more a result of the fact that we consider them "other". Different color, language, culture, religion... they're strange and therefore not us, and therefore we have little empathy for them as people and our ideological interest in their government following the form we'd like and doing what we want is stronger. At least we're no longer willing to simply massacre them out of hand, though.
On the other hand, to my moral sensibilities "starve millions with sanctions" is an odd phrase; do we really equate refusing to trade with someone with forcibly depriving them of sustenance? After all, we're not taking anything from them, we're just refusing to give something to them, something we have no obligation to provide. And it's not like the countries aren't capable of feeding their people, it's just that their corrupt governments and institutions don't care to bother. So do we really have a moral obligation to trade with them?
I have to think about whether you're oversensitive, or I'm deficient.
That's another good point. I don't think you can attribute a difference in creative output to one cause. And among all of the possible causes, I think the opportunity to hide what you're doing from your neighbors has to rank near the bottom.
So we're entitled to a higher standard of living? Why? Forget the "them" and "us". We're all people, and we all deserve the same opportunity to make what we can of ourselves.
I think it's common throughout all of science; we certainly keep seeing more and more evidence of it. And yet overall we still do manage to make forward progress. I'm not saying that makes it okay, not at all. Just that the net effect is still positive, just not nearly as good as it should be.
We've all seen the pie chart showing just what a tiny fraction of the pie the artist receives for a sold recording owned by a record company.
Maiden owns all their recordings, and always has. And even if they hadn't near the beginning of their career, they certainly would own all of the later stuff now. The pie chart doesn't apply to successful artists after the first 5-10 years of their career. They no longer really need the labels.
Perfection is the enemy of good. Just because there are problems -- which are endemic throughout most all science -- doesn't mean that everything is worthless.
Phones and portable cameras. There are hundreds of millions of phones and portable cameras without a "recording" light. You did just propose putting such a light on phones and portable cameras, did you not?
Sure. But I thought you were arguing that Glass was the really big problem, because it's worn rather than carried. If that's the case, put a light on it... and while you're at it put a light on everything else going forward. You'll still have the ability to tell that a phone lying on the table isn't recording you, whether it has a light or not. But with future, light-equipped, devices, you'll be able to tell even when the device is being held up.
And nearly all camcorders and many if not essentially all cameras with video-taking features already do have recording lights.
You forgot to mention 600 hp, a 0-60 time of 3.5 seconds and a top speed of 208 mph. A vehicle with abilities so far outside the envelope of normal driving means that you have to exercise a lot of additional control in order to keep the car under control. It means you have to be a better than average driver in order to drive in an average style.
The way Google evaluates talent is pretty bad, and it's not an interesting company to work at unless all you're interested in is a stable income with lots of perks.
Stable income, lots of perks... yep that's terrible :-)
Actually, you forgot my favorite feature of working for Google: A complete lack of idiots. Everyone I work with -- right down to the facilities staff, amazingly enough -- is bright, focused, engaged and rational. In three years, working with hundreds of others (Google is highly collaborative), I found a single counterexample, and he's now gone.
They heavily suffer from NIH syndrome and are convinced that the technology they created (and they created software for pretty much anything) is the best in the world, even when it's painfully outdated.
NIH syndrome... maybe a little, but less than it might appear. It's absolutely true that pretty much all of the Google infrastructure is home-grown. Partly that's NIH, but I think mostly it's because there's fairly little software out there that can function at Google's scale. And even where there are now publicly-available tools that can do the job, they didn't exist when Google created its stuff, and it doesn't make sense to switch.
Frankly, Google does have some pretty amazing tools, and I'm no wet-behind-the-ears pup who never saw what was in the world before joining Google, either; I had over 20 years as a professional software engineer when I started working for them. I went in expecting to roll my eyes regularly at all of the homegrown code that they could have just bought -- but frankly I don't see it much.
I do see a fair number of places that an industrial RDBMS like Oracle or DB/2, could be used and that would be faster for transactional applications than bigtable et al, and more reliable and easier to manage than massively-sharded MySQL (Google uses a lot of massively-sharded MySQL). But I can also see that using a COTS RDBMS would reduce agility and might be hard to integrate into the rest of the infrastructure -- and might run into scalability problems. Google's own stuff runs into scalability limitations, but at least we can fix it.
Outside of that... for dev tools Google uses pretty much the standard open source suite. For massive-scale process management, there just isn't anything out there to compete with borg, or the rest of Google's cluster management suite. I interviewed with a company that builds somewhat similar software, and so did some research on that space... and there's just nothing remotely like borg. Dremel, Borgmon/Monarch, Critique... same story.
For version control, Google uses Perforce, a commercial product, and about the only thing out there that could handle a multi-terabyte codebase which receives thousands of commits per day -- how many code repositories measure their performance in commits per second? However, I understand that Google has had to customize it extensively.
So, on NIH... not so much. Google engineers rarely look outside the company for stuff, but it's because they rarely need to, and if they do need something that none of the available tools can handle, there is rarely anything outside that could work.
To get hired, you have to use the Google way of doing things to solve problems.
Not sure what you're talking about there. To get hired you have to solve some pretty standard types of CS problems.
Assume 0-10 words are required for this, reducing 2^n to n^10 (same word can be chosen twice in the same password, of course). Then all permutations of those 10 words are required, so multiply it by factorial 10.
Oh, one correction: You already accounted for all the permutations in the initial selection n^10 (assuming n is the number of words in the dictionary). Multiplying by 10! results in over-counting. n^10 is the entropy... and if n=2^11, you've got a 110 bits of entropy which is an incredibly strong passphrase.
Far from that. 2^n is assuming there is a possibility all the words are used.
No.
With a 2048-word dictionary, you get 11 bits of entropy per randomly-selected word (because 2048 = 2^11). A four-word example like the one Munroe suggested therefore has 44 bits of entropy -- with four words n = 44.
For 2048 word dictionary, with average word size 5, 2^n means a password of length 0 to 10240 (over ten thousand) characters
Ah, I see, you think we're trying to achieve n = 2048? Not at all. The point is to achieve a reasonable level of entropy in a memorable way. If you want a password space of 2^44 with randomly-selected lowercase letters you have to use a 10-letter password, but a sequence of 10 randomly-selected letters is pretty hard to remember. Even if you use an alphanumeric character set, with upper and lower case, and throw in another 10 symbols for a character set of size 72, you'd still need 8 characters.
The beauty of the XKCD approach is that you can much more easily remember four random words -- or four images, especially if you can invent some relationship between them -- than 8 random characters.
I don't know if doing so should be illegal per se, just that doing so should hurt Google's bottom line, in such a way that they proactively try to prevent it.
I don't think it should be illegal at all, personally, but courts have ruled repeatedly that linking can and often does constitute contributory infringement, going back to the original 2600 ruling. Bottom line nothing, Google is legally obligated to comply and the courts could get really nasty with them if they just refused.
(Disclaimer: I am a Google employee, but that has nothing to do with this post. I've been fascinated with online copyright law for decades, and you can find many examples of me saying exactly the same things long before I started writing code for Google.)
Umm, she does have ADD (combined type), but that's trivial to manage, and is managed. As for coping skills, after years in treatment, including full-time residential treatment (after multiple serious suicide attempts), she has excellent coping skills when she chooses to use them. Keep in mind you're talking about someone who has not just a few but essentially all of the classic BPD symptoms, and in a fairly extreme form. Much of my life for the last several years has been focused on keeping her alive. She's been diagnosed by many different practitioners independently, and the only hesitation was that nearly all of them refused to issue an actual diagnosis of BPD until she became an adult. Until then it was always "extensive traits associated with BPD", or words to that effect. And while I don't recall if Dexedrine has ever been in the mix of medications, she has been on Wellbutrin. It helps some.
What's the basis of your expertise?
You're the one who has been reducing it to one cause.
You're arguing that anonymity is an essential component of creativity, and that even if we keep all the rest, tossing that one bit will dramatically reduce creativity. Or perhaps you're arguing that removing any single element will dramatically reduce creativity; it's not clear whether you're saying there is one single point of failure or multiple single points of failure, but you're definitely arguing that anonymity is a single point of failure -- lose that and you've lost creativity. That's a very big assertion.
In fact, not only do I see countless counterexamples, but I'm not sure I see any examples that you can point to and say "See, if that person hadn't had privacy (s)he wouldn't have been able to create." Examples where access to information is a clear pre-requisite not only abound, I think it's reasonable to say that no one creates anything except by building on what they've learned from others. Similarly, it's easy to look at any creative work that consumes a significant amount of time and it's clear that it could not have been created had the creator had to spend 18 back-breaking hours per day laboring in a field. Those make sense as pre-requisites. Privacy? Not so much.
I'm not saying you're wrong, just that any truth in your claim is far from obvious, and I don't find your assertions convincing.
You didn't do the math :-)
If we were to count letters, the "correct horse battery staple" password would have ~117 bits of entropy (26^25 = ~2^117). But it doesn't, it has 44 bits. This is because it's a sequence of four words selected from a dictionary of 2048 entries. 2048^4 = (2^11)^4 = 2^44.
Assuming a good iterated password hashing function like, say, scrypt, 44 bits is pretty decent, and proof against anyone who isn't willing to throw tens of thousands of dollars at cracking that one password.
FWIW, I don't actually use XKCD-style passwords, not because of security deficiencies but because I have to use my passwords far too often to want to type anything that long. I shoot for 50 bits of entropy, but with shorter passwords. My passwords are generally 8 characters long, unless the character set specified by the system is too restricted to achieve 50 bits, in which case I add characters until I achieve the desired level. 50 bits is arguably excessive, but only if you assume that systems implement proper password hashing, with iterated hash functions and salt. I know from experience that you can't assume that, so I add a few more bits to be sure.
I don't pick Amazon because I "save" 7.25% in sales tax.
Of course not, because you don't save it. Like any good citizen you dutifully report it on your annual state income tax form, and pay the applicable sales tax then.
Would it keep a government agency from brute-forcing on a super computer?
Depends how many words you use. Use enough to get to, say, 80 bits of entropy, and assuming a decent (slow) hashing algorithm, yes it would.
+1
The system is fine up to that point. For high security passwords, you really need a unique password per site.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.
The point that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator) words, you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.
The pie chart often does apply that long, because early in their career, they signed a contract for N albums, all of which the record company will own.
Those contracts are routinely broken. It's not hard for a well-heeled band's attorneys to get them out of such a contract, particularly since the labels almost never comply fully with their side of the deal.
The problem is that when one is WHITE, one is expected to exist and compete as an atom, an individual absolute with no assistance from any entity outside oneself. Meanwhile, the NON-WHITE is permitted to exist and compete in whatever form said non-white may have. There are ETHNIC CREDIT UNIONS but no WHITE CREDIT UNIONS. there are ETHNIC COMMUNITY CENTERS but no WHITE COMMUNITY CENTERS. Therefore, unless you have your life ahead of you paid in full via inheritance and/or windfall, you remain JUST AS "OTHER" as before you attempted to renounce WHITE PRIVILEGE.
Sometimes the truth is racist but it does not undo the fact that it is the best representation of reality. You remain just as "other" to them despite the fact that you renounced viewing them as "other".
Good fences make good neighbors.
I'm glad I don't live in your head.
I got typhoid fever when I was in Mexico, does that count?
Heh. No, it was several years ago, perhaps 10. The project I was working on actually failed. I was a contractor from IBM Global Services and while we were working pretty effectively we were also being aggressively undermined by a group of UMG employees who insisted they could do it. They won the political battle. I was pretty skeptical that they could deliver though, so my guess is that after forcing us out they tried and failed, leading to the need for your project.
By all means feel free to correct anything I've misstated, BTW. It has been a while for me and I could have misremembered some things.
You may overstate the case a bit, but I do strongly agree that public is public. We need to draw that line.
I think that's more a result of the fact that we consider them "other". Different color, language, culture, religion... they're strange and therefore not us, and therefore we have little empathy for them as people and our ideological interest in their government following the form we'd like and doing what we want is stronger. At least we're no longer willing to simply massacre them out of hand, though.
On the other hand, to my moral sensibilities "starve millions with sanctions" is an odd phrase; do we really equate refusing to trade with someone with forcibly depriving them of sustenance? After all, we're not taking anything from them, we're just refusing to give something to them, something we have no obligation to provide. And it's not like the countries aren't capable of feeding their people, it's just that their corrupt governments and institutions don't care to bother. So do we really have a moral obligation to trade with them?
I have to think about whether you're oversensitive, or I'm deficient.
That's another good point. I don't think you can attribute a difference in creative output to one cause. And among all of the possible causes, I think the opportunity to hide what you're doing from your neighbors has to rank near the bottom.
So we're entitled to a higher standard of living? Why? Forget the "them" and "us". We're all people, and we all deserve the same opportunity to make what we can of ourselves.
I think it's common throughout all of science; we certainly keep seeing more and more evidence of it. And yet overall we still do manage to make forward progress. I'm not saying that makes it okay, not at all. Just that the net effect is still positive, just not nearly as good as it should be.
We've all seen the pie chart showing just what a tiny fraction of the pie the artist receives for a sold recording owned by a record company.
Maiden owns all their recordings, and always has. And even if they hadn't near the beginning of their career, they certainly would own all of the later stuff now. The pie chart doesn't apply to successful artists after the first 5-10 years of their career. They no longer really need the labels.
Furthermore, if your Glass screen is off and you're going to keep it off so I know you're not recording, why don't you just take it off when asked
It also provides audio.
Perfection is the enemy of good. Just because there are problems -- which are endemic throughout most all science -- doesn't mean that everything is worthless.
Phones and portable cameras. There are hundreds of millions of phones and portable cameras without a "recording" light. You did just propose putting such a light on phones and portable cameras, did you not?
Sure. But I thought you were arguing that Glass was the really big problem, because it's worn rather than carried. If that's the case, put a light on it... and while you're at it put a light on everything else going forward. You'll still have the ability to tell that a phone lying on the table isn't recording you, whether it has a light or not. But with future, light-equipped, devices, you'll be able to tell even when the device is being held up.
And nearly all camcorders and many if not essentially all cameras with video-taking features already do have recording lights.