The Linux kernel uses goto statements. About 95000 times..
In the absence of exceptions, goto is a great tool for simplifying and clarifying error handling.
In a language with exceptions, goto is much less useful. I won't say it's never useful, but if I'm ever tempted to use goto for anything other than jumping to an error handling block, I know I need to take a step back and rethink the structure of the code, because there's almost certainly a better way.
as there used to be a lot of broken IPv6 setups in the wild.
Well there are a lot of broken broadband setups too, with hideous line noise and lag, but I don't see Google withholding access from those people.
The point isn't to withhold access, it's to make sure that when people with broken IPv6 setups try to use Google services, those services actually work as well as everything else on the web.
All web browsers and most other Internet apps these days will try IPv6 first if DNS reports an AAAA name. If IPv6 doesn't actually work, though, you'll get nothing at all until the connection times out and the browser falls back to trying the IPv4 address. This makes for a really bad user experience, especially for Google web search, which prides itself on being extremely fast.
Going global with IPv6 on June 6 (assuming that's the plan), is a pretty gutsy move, because it could well make Google's services less accessible and useful to people than competing services. The problem with be the fault of ISPs, routers, etc., but to the average end user it'll just be "Google is slow and Bing is fast".
Heck, Hurricane Electric assigned me a/64 IPv6 subnet (2^64 addresses available)
Hehe. In IPv6-land a/64 isn't a subnet, it's a host. You can use it as a subnet if you want to, but that's not how it's designed. HE will allocate you a few actual subnets if you want --/48s (2^80 addresses available).
Duh. Sorry, thinko./80 is a host, you're right that/64 is a subnet. It's the smallest IPv6 subnet. But HE will allocate you a/48 (I think up to five of them? Been a while since I looked), so you can have 2^16/64s.
Heck, Hurricane Electric assigned me a/64 IPv6 subnet (2^64 addresses available)
Hehe. In IPv6-land a/64 isn't a subnet, it's a host. You can use it as a subnet if you want to, but that's not how it's designed. HE will allocate you a few actual subnets if you want --/48s (2^80 addresses available).
One of our morning talk show hosts -- who's about as conservative as they come -- devoted most of his program to SOPA and PIPA this morming. As a result, a lot of people who'd never heard of it are now very annoyed and are expressing their displeasure toward their Congress Critters.:)
Heh. Heh, heh.
I'm actually feeling pretty encouraged this morning. It has been a while since I felt that way.
I noticed that one of my two Senators' web sites is down this morning. The site of the one who has been publicly opposing PIPA (Mark Udall) is chugging along just fine, but I think the other one (Michael Bennett) has gotten hammered.:-)
Problem is they all bask in this zero effort activism and then will ignore it when SOPA has a name change and is passed attached to the "its bad to smash puppies and kittens with a club" Act of 2012
They will simply change it's name and slide it quieter next time because the public will stop paying attention in about 5 days.
Google isn't going to stop paying attention to it, and neither are the other big sites protesting it today. If need be, the PIPA/SOPA opponents can just repeat this as long as the legislators want, and it'll get easier to explain to people every time "Oh, Congress is just trying to do that SOPA thing again, trying to slide it past us under a different name."
And by "free" I both free as in freedom and free as in beer.
90% of all of the material taught in K-12 and probably 50% of all of the material taught in an non-technology focused undergraduate degree hasn't changed in decades, and a non-trivial chunk of it hasn't changed in centuries. Granted that teaching methodology has improved some, but there's simply no logical reason why we as a society have allowed textbook publishers to bleed us for countless billions the way we have.
It's crazy at the university level and batshit insane at the level of public schools. The average US state spends close to $10M annually buying textbooks for public schools, at prices averaging around $50 per book. What they ought to do is take a chunk of that each year and commission the writing of a half-dozen open source textbooks. A little collaboration and planning between the states and in less than five years the entire K-12 curriculum could be reproduced in a freely available form. Want to put it on tablets and computers? Fine. Or contract a publisher to print paper copies for the cost of materials and labor. Or, heck, when I was in high school almost 30 years ago, we could print and bind high-quality hardcover books in the school's graphic arts shop. It's gotta be even easier now.
The same could easily be done at the university level, especially for generals. I've seen a dozen different Calculus texts and you know what? They're all basically equivalent. Profs will tell you that this author or that author presents the material in a slightly better way, and they're not wrong, but there's also no evidence that it really makes much difference in how well the students learn the material.
For that matter, with open source textbooks, profs could adjust what they don't like themselves and share it with like-minded peers. Github for textbooks! Fork and modify and if others like your patches they can pull them.
There is a volunteer open textbooks movement, but with a little organized focus, attention and money it could easily become the standard way of packaging and distributing educational materials.
Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes.
Especially when the "unrefined" processes were mind-bogglingly stupid and betrayed such utter incompetence.
There's no way the RSA token master keys should have been stored in anything other than a FIPS 140-2 level 4 (or 3, but that would be mildly lame) host security module, with tight logical and physical access controls.
you put out queries to your peers, who ask their peers, and so on, performing thousands or even millions of queries between peers in order to retrieve the torrent file
It's not that bad. The Bittorrent DHT guarantees a maximum of log n queries to find any file, where n is the number of nodes in the DHT. If you assume one billion nodes, then it'll still take no more than 40 queries. Of course those queries may be going anywhere in the world, so some of them may be high latency. Also when you start a node up from scratch there's an additional delay, because your node must first join the DHT, which takes up to log n queries plus some time to transfer the data your node is supposed to provide from its "neighbors" (who may be anywhere in the world).
DHT is one of those ideas that seems like it should be workable, barely, in the lab... but turns out to work shockingly well in real life. Kinda like the Internet, actually.
Usually after the prototype the modern inventor will need to raise money to set up factories and production lines to make working devices. (Possibly outsourced, but they'll still want money up front.) This is the purpose of venture capital, IPOs, and the like.
Sure. That's all part of selling working devices. I didn't want to go into all of the complexities there.
You do realize that Rossi has working devices that have been inspected by dozens of scientists, right?
"Scientists", huh?
Talk to me when he's gotten his patents filed (which is a much safer way to protect your ideas than "ingenious" countermeasures against disassembly), and when he's getting factories set up.
in what universe does a nearly thousand fold increase count as "a small amount"?
The universe where $2.10 per hour buys an Amazon EC2 instance capable of computing nearly four billion hashes per second. A thousand-fold increase only matters if the base problem, before the increase, takes non-trivial time.
Also, if a thousand-fold increase is enough to be worth doing, you can get it much more easily just by adding two characters to your password. 88^2 = 7744.
The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!
If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!
The goal is to prevent brute-foce hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.
Unless the attacker guesses that you're padding your passwords. In that case, even if the attacker doesn't know what your padding character is, or exactly how many times you're repeating it, the brute-force complexity only increases by a small amount.
Biometrics are a form of identification , not authentication.
It should always be used in conjunction with authentication, not to replace authentication.
It's still very usefull , because it saves time : you don't have to fill in your login id : the systems knows who you claim to be, and just requires your password to confirm it.
So it can replace the userid , but never the password.
Biometrics can be used for authentication as well, but only in scenarios where it's possible to ensure that the person authenticating themselves is not using any sort of prosthesis, and where the security of the data acquisition path, the verification engine and the template store can all be assured. In those scenarios, biometrics provide very strong authentication. But that basically requires that all of the infrastructure, including the scanner, be in a physically-secured facility, and that the scanning process be watched closely by trained security personnel.
For most authentication contexts, biometrics don't provide authentication.
There are exceptions, but in general IBM's patents are pretty high-quality. There's a good internal vetting process that is followed before any patent application is filed, and obviousness is the primary focus of the evaluation committee -- and the committee is staffed with both engineers and attorneys. Obviously it's not perfect because some crap does get through, but not much. Many of IBM's patents are of very high quality, around things like fundamental advances in processor design, magnetic storage, etc.
Disclaimer: I used to work for IBM. I don't any more because it became a crappy place to work, and there's much I dislike about the company, but I do respect their patent practices.
I guess it's the visible low rolls that really raise questions. If the party is searching for secret doors and no one rolls above a 5, the players are likely to decide they should search some more because they know that the odds are good that if there was something to find, they missed it. Or do you just disallow that?
Rules light games rely on GM fiat to determine outcomes, despite attempts to be fair, players will eventually build their own perception of whether they think your rulings are 'fair'
Very true, and even more so if your players are teens. Younger players tend to be less interested in the story and more interested in how cool their character is, so when things go badly for them they get upset... but you can't just give them a cakewalk either, because then they get bored. Give them encounters of the right level of difficulty and stick to the rules and the dice and everyone will have a good time.
The current campaigns I play, we do all dice rolls in the open, including GM rolls.
How do you do search and spot checks, etc.? I'm talking about rolls where there's no chance of success because there's nothing there to find, but the players shouldn't know that. If you roll in the open, and they see they got a 20, they know there just isn't anything there (or it's so hard to find they have no chance).
I didn't mean to imply that my list of corporate influence was in any way exhaustive.
As for your comment about free speech zones and economic summits... sure they're used for those. But they're used for virtually every Presidential appearance, which is a lot more.
My point was that almost every example Weaselmancer sited after blaming corporate lobbying -- including all of the most egregious breaches of civil rights -- cannot be blamed on corporate lobbying. So while corporate influence is a problem, it's clearly not the only problem... and if you rank the scariest actions it's far from the biggest problem.
My fear is that too many well-meaning people are aiming their anger at the wrong target, and that is actually contributing to the ability of the government to continue stripping us of our rights.
in Massachusetts, possession of a handgun without a permit, concealed or not, will land you in jail. So this is not good advice for riding the T at all.
But a class A license does allow concealed carry. AFAICT, there is no law making it illegal to carry on subways or buses. However, "no weapons" signs do have the force of law in Massachussetts, so if the T is posted it may be illegal.
The Linux kernel uses goto statements. About 95000 times..
In the absence of exceptions, goto is a great tool for simplifying and clarifying error handling.
In a language with exceptions, goto is much less useful. I won't say it's never useful, but if I'm ever tempted to use goto for anything other than jumping to an error handling block, I know I need to take a step back and rethink the structure of the code, because there's almost certainly a better way.
/128 is a host...
Only if you want to break stateless autoconfig and a lot of other assumptions.
Thanks for the correction. Perhaps that's why Google now considers it (somewhat) safe to turn on IPv6 globally.
Indeed. Udall must be prepping his website for the bill's eventual passing, and is showing the world what a PIPA-compliant website looks like.
s/Udall/Bennett, but yes.
as there used to be a lot of broken IPv6 setups in the wild.
Well there are a lot of broken broadband setups too, with hideous line noise and lag, but I don't see Google withholding access from those people.
The point isn't to withhold access, it's to make sure that when people with broken IPv6 setups try to use Google services, those services actually work as well as everything else on the web.
All web browsers and most other Internet apps these days will try IPv6 first if DNS reports an AAAA name. If IPv6 doesn't actually work, though, you'll get nothing at all until the connection times out and the browser falls back to trying the IPv4 address. This makes for a really bad user experience, especially for Google web search, which prides itself on being extremely fast.
Going global with IPv6 on June 6 (assuming that's the plan), is a pretty gutsy move, because it could well make Google's services less accessible and useful to people than competing services. The problem with be the fault of ISPs, routers, etc., but to the average end user it'll just be "Google is slow and Bing is fast".
Heck, Hurricane Electric assigned me a /64 IPv6 subnet (2^64 addresses available)
Hehe. In IPv6-land a /64 isn't a subnet, it's a host. You can use it as a subnet if you want to, but that's not how it's designed. HE will allocate you a few actual subnets if you want -- /48s (2^80 addresses available).
Duh. Sorry, thinko. /80 is a host, you're right that /64 is a subnet. It's the smallest IPv6 subnet. But HE will allocate you a /48 (I think up to five of them? Been a while since I looked), so you can have 2^16 /64s.
Heck, Hurricane Electric assigned me a /64 IPv6 subnet (2^64 addresses available)
Hehe. In IPv6-land a /64 isn't a subnet, it's a host. You can use it as a subnet if you want to, but that's not how it's designed. HE will allocate you a few actual subnets if you want -- /48s (2^80 addresses available).
Total: 17,891,328
Ah, but how many ports do you have for disambiguating connections? And at what point does the dynamic routing table just become unmanageable?
NAT is a nasty, ugly hack that only mildly breaks in tiny home network cases, but fails badly when you try to scale it.
One of our morning talk show hosts -- who's about as conservative as they come -- devoted most of his program to SOPA and PIPA this morming. As a result, a lot of people who'd never heard of it are now very annoyed and are expressing their displeasure toward their Congress Critters. :)
Heh. Heh, heh.
I'm actually feeling pretty encouraged this morning. It has been a while since I felt that way.
I noticed that one of my two Senators' web sites is down this morning. The site of the one who has been publicly opposing PIPA (Mark Udall) is chugging along just fine, but I think the other one (Michael Bennett) has gotten hammered. :-)
Problem is they all bask in this zero effort activism and then will ignore it when SOPA has a name change and is passed attached to the "its bad to smash puppies and kittens with a club" Act of 2012
They will simply change it's name and slide it quieter next time because the public will stop paying attention in about 5 days.
Google isn't going to stop paying attention to it, and neither are the other big sites protesting it today. If need be, the PIPA/SOPA opponents can just repeat this as long as the legislators want, and it'll get easier to explain to people every time "Oh, Congress is just trying to do that SOPA thing again, trying to slide it past us under a different name."
And by "free" I both free as in freedom and free as in beer.
90% of all of the material taught in K-12 and probably 50% of all of the material taught in an non-technology focused undergraduate degree hasn't changed in decades, and a non-trivial chunk of it hasn't changed in centuries. Granted that teaching methodology has improved some, but there's simply no logical reason why we as a society have allowed textbook publishers to bleed us for countless billions the way we have.
It's crazy at the university level and batshit insane at the level of public schools. The average US state spends close to $10M annually buying textbooks for public schools, at prices averaging around $50 per book. What they ought to do is take a chunk of that each year and commission the writing of a half-dozen open source textbooks. A little collaboration and planning between the states and in less than five years the entire K-12 curriculum could be reproduced in a freely available form. Want to put it on tablets and computers? Fine. Or contract a publisher to print paper copies for the cost of materials and labor. Or, heck, when I was in high school almost 30 years ago, we could print and bind high-quality hardcover books in the school's graphic arts shop. It's gotta be even easier now.
The same could easily be done at the university level, especially for generals. I've seen a dozen different Calculus texts and you know what? They're all basically equivalent. Profs will tell you that this author or that author presents the material in a slightly better way, and they're not wrong, but there's also no evidence that it really makes much difference in how well the students learn the material.
For that matter, with open source textbooks, profs could adjust what they don't like themselves and share it with like-minded peers. Github for textbooks! Fork and modify and if others like your patches they can pull them.
There is a volunteer open textbooks movement, but with a little organized focus, attention and money it could easily become the standard way of packaging and distributing educational materials.
Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes.
Especially when the "unrefined" processes were mind-bogglingly stupid and betrayed such utter incompetence.
There's no way the RSA token master keys should have been stored in anything other than a FIPS 140-2 level 4 (or 3, but that would be mildly lame) host security module, with tight logical and physical access controls.
you put out queries to your peers, who ask their peers, and so on, performing thousands or even millions of queries between peers in order to retrieve the torrent file
It's not that bad. The Bittorrent DHT guarantees a maximum of log n queries to find any file, where n is the number of nodes in the DHT. If you assume one billion nodes, then it'll still take no more than 40 queries. Of course those queries may be going anywhere in the world, so some of them may be high latency. Also when you start a node up from scratch there's an additional delay, because your node must first join the DHT, which takes up to log n queries plus some time to transfer the data your node is supposed to provide from its "neighbors" (who may be anywhere in the world).
DHT is one of those ideas that seems like it should be workable, barely, in the lab... but turns out to work shockingly well in real life. Kinda like the Internet, actually.
Usually after the prototype the modern inventor will need to raise money to set up factories and production lines to make working devices. (Possibly outsourced, but they'll still want money up front.) This is the purpose of venture capital, IPOs, and the like.
Sure. That's all part of selling working devices. I didn't want to go into all of the complexities there.
You do realize that Rossi has working devices that have been inspected by dozens of scientists, right?
"Scientists", huh?
Talk to me when he's gotten his patents filed (which is a much safer way to protect your ideas than "ingenious" countermeasures against disassembly), and when he's getting factories set up.
That's what real inventors do.
What a snake oil salesman does:
What a real inventor does:
Give me one counterexample, one case where an inventor acted like the first list and yet really had something significant.
(I wish slashdot would stop screwing up the display of bulleted and numbered lists.)
in what universe does a nearly thousand fold increase count as "a small amount"?
The universe where $2.10 per hour buys an Amazon EC2 instance capable of computing nearly four billion hashes per second. A thousand-fold increase only matters if the base problem, before the increase, takes non-trivial time.
Also, if a thousand-fold increase is enough to be worth doing, you can get it much more easily just by adding two characters to your password. 88^2 = 7744.
From the link:
The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!
If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!
The goal is to prevent brute-foce hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.
Unless the attacker guesses that you're padding your passwords. In that case, even if the attacker doesn't know what your padding character is, or exactly how many times you're repeating it, the brute-force complexity only increases by a small amount.
Biometrics are a form of identification , not authentication. It should always be used in conjunction with authentication, not to replace authentication.
It's still very usefull , because it saves time : you don't have to fill in your login id : the systems knows who you claim to be, and just requires your password to confirm it.
So it can replace the userid , but never the password.
Biometrics can be used for authentication as well, but only in scenarios where it's possible to ensure that the person authenticating themselves is not using any sort of prosthesis, and where the security of the data acquisition path, the verification engine and the template store can all be assured. In those scenarios, biometrics provide very strong authentication. But that basically requires that all of the infrastructure, including the scanner, be in a physically-secured facility, and that the scanning process be watched closely by trained security personnel.
For most authentication contexts, biometrics don't provide authentication.
There are exceptions, but in general IBM's patents are pretty high-quality. There's a good internal vetting process that is followed before any patent application is filed, and obviousness is the primary focus of the evaluation committee -- and the committee is staffed with both engineers and attorneys. Obviously it's not perfect because some crap does get through, but not much. Many of IBM's patents are of very high quality, around things like fundamental advances in processor design, magnetic storage, etc.
Disclaimer: I used to work for IBM. I don't any more because it became a crappy place to work, and there's much I dislike about the company, but I do respect their patent practices.
I guess it's the visible low rolls that really raise questions. If the party is searching for secret doors and no one rolls above a 5, the players are likely to decide they should search some more because they know that the odds are good that if there was something to find, they missed it. Or do you just disallow that?
Rules light games rely on GM fiat to determine outcomes, despite attempts to be fair, players will eventually build their own perception of whether they think your rulings are 'fair'
Very true, and even more so if your players are teens. Younger players tend to be less interested in the story and more interested in how cool their character is, so when things go badly for them they get upset... but you can't just give them a cakewalk either, because then they get bored. Give them encounters of the right level of difficulty and stick to the rules and the dice and everyone will have a good time.
The current campaigns I play, we do all dice rolls in the open, including GM rolls.
How do you do search and spot checks, etc.? I'm talking about rolls where there's no chance of success because there's nothing there to find, but the players shouldn't know that. If you roll in the open, and they see they got a 20, they know there just isn't anything there (or it's so hard to find they have no chance).
https://github.com/divegeek/uscode
I didn't mean to imply that my list of corporate influence was in any way exhaustive.
As for your comment about free speech zones and economic summits... sure they're used for those. But they're used for virtually every Presidential appearance, which is a lot more.
My point was that almost every example Weaselmancer sited after blaming corporate lobbying -- including all of the most egregious breaches of civil rights -- cannot be blamed on corporate lobbying. So while corporate influence is a problem, it's clearly not the only problem... and if you rank the scariest actions it's far from the biggest problem.
My fear is that too many well-meaning people are aiming their anger at the wrong target, and that is actually contributing to the ability of the government to continue stripping us of our rights.
in Massachusetts, possession of a handgun without a permit, concealed or not, will land you in jail. So this is not good advice for riding the T at all.
But a class A license does allow concealed carry. AFAICT, there is no law making it illegal to carry on subways or buses. However, "no weapons" signs do have the force of law in Massachussetts, so if the T is posted it may be illegal.