If a few more people were interested in actually presenting facts, there might not be controversy in the first place.
Honestly I've been very reluctant to accept AGW. There are plenty of people of people I respect who are sure that it is exaggerated or completely false. I hear them recount their points over and over and each article or soundbite in favor of their perspective gets discussed with enthusiasm.
I've done my own research and found that most people who write in favor of AGW do so without actually checking the science. They tend to be an abusive and dismissive group. That doesn't actually persuade me that AGW is bogus, I'm willing to accept that truth can be supported by assholes, but it does make it hard to find information. It is a lot easier to find deniers using facts and referencing studies. Again, that doesn't convince me since plenty of whackjobs think they have reliable sources.
I've heard the Mars talking point plenty of times and recall some doubt after looking it up myself, but it would have been nice to see a link to information rather than abuse.
Would you take a mop out of the closet and scrub a floor at the office if you noticed it dirty?
Yes. If it needed done.
Do what needs done. Use your time wisely. If you manage both of those things, then you're doing more than most people.
On my first day, my boss, who is past retirement age and still keeps up with current technology, stopped to pick up trash from the floor. I noticed. It impressed the hell out of me and the lesson stuck. Here is a guy at the top of a company who still takes time to do what he can in any capacity to make sure that what needs done gets done, no matter how menial. Today he set up a workstation, not because it needed his personal time but because he likes to know how things are being done. He has staff that he depends on to manage setting up the workstations (and servers and manage contracts and interact with vendors and develop in house applications.) Still, he wants to learn how our images are working, what we build them with and what we have to set up on individual machines. He carries tremendous responsibility in the company and makes decisions that account for a large portion of the company budget. His mistakes cost us tremendous amounts of money and time and his good decisions save us tremendous time and money. This same guy takes time to fix a printer when he is at hand and it needs someone with only the most rudimentary mechanical skill. I've seen him study the bios on a PC when he has staff that he could assign to become experts. He makes it obvious that no task is too small or too menial to do if it needs doing.
We have different IT philosophies in some significant areas and he drives me absolutely crazy sometimes. Still, I respect somebody that does what needs done. Everybody respects the guy that does what needs done when it needs done. The majority of his time is spent managing, researching and reporting, but he makes time to learn new things and spends time on tasks he could assign somebody to assign somebody to do because he cares to know what is going on and why.
xTrashcat:
What is the average age of your workplace? We range from 18 to late 60s, average is probably 45.
How easily do your coworkers accept and absorb new technology? I'd guess maybe 5% jump on learning new tech, 70% learn it with mild reluctance and 25% actively hate having to deal with it.
Are most IT environments like this, where people refuse to learn anything about new technology they don't like, or did I just get stuck with a batch of stubborn case-screws? I've worked in five IT environments. Every instance had some people who hated new tech and a rare few who embraced learning about it.
Your group doesn't sound special, it just sounds like the mentality is one of entrenchment against dealing with unnecessary new skills. It probably stems from a lack of reward in the past, but such views can be slowly won over with patience.
Do what needs doing. Learn about the new BIOS settings if that's what is called for. When you're of age to be "that old guy in IT" you can be like my boss, the guy who does what needs to be done.
Your explanation was good, but it didn't use a car metaphor so it kinda confused me. Now I feel obligated to offer one:
I accept the premise that practically everyone needs transport sometimes
The luxury sedan part of the Everyone Transported act sounds good
The heated seats provision sounds good
The GPS for all is great
All car payments come with free gas is good
I do NOT LIKE that my car payment tripled
Humm...
I'm against the act, but not because of the mandate/tax. I'm not against the provisions. The idea that health insurance and health care could use some legislative improvement is acceptable to me. I am against the idea that the only way to solve the problems is to force an entire nation to use one idea instead of letting 50 governments try solutions.
"I predict future happiness for Americans, if they can prevent the government from wasting the labors of the people under the pretense of taking care of them."
- Thomas Jefferson
"My reading of history convinces me that most bad government results from too much government."
- Thomas Jefferson
"Government is not reason, it is not eloquence - it is force. Like fire, it is a dangerous servant and fearful master."
- George Washington
Maybe the default should be what most people seem to prefer, or perhaps the one that causes the least customer loss. You know, instead of turning the default to the setting that gets you banned in schools?
Maybe you should split off potentially offensive content to a different sub-domain so it can be easily blocked by people want to block it and ignored by people who don't care.... like Bing does.
Ha! Ha.... no wait, that makes more sense than I expected.
Why do we need an OS that is installed? I've used Ubuntu, CentOS, Slax and other live CDs and been impressed with how well they do what I want. With Novell Suse Studio I could build my own Customized OS which isn't ever installed on the computer. I already store all my important data on a pair of external USB drives, but I'd rather have my main hard drive handle the job. If I didn't have to worry about installing the OS, I could boot every time to the same system until I wanted an update and just burn a new CD or update the usb stick I boot from.
I heard a Staples guy talk about how he was doing exactly that sort of thing and it bugs me. I've never been able to get an OS on a stick to meet my demands, but I should be able to. In the future, I'd love to see computers sold with "and here is your OS stick, it comes with Window 9, Ubuntu, PC-BSD and Mac Alleycat but you can update those or come back and get an updated version anytime you like for $99."
I thought of that flaw and as an experienced programmer, I would have prompted the user to re-enter and then verify again the entered password. I didn't add that to my comment because it was already suffering from "too long, didn't read" syndrome.
Your solution of expiring the password immediately could be bad, very bad. Instead of having a few callers per day complaining about the problem, you would instantly have hundreds and maybe thousands of additional callers.
That is a simplification though, If you were my boss and said "no, I don't like it, I want them to have to enter a new password" then I would have done it differently. I would have built in a graduated delay so that on day 1, all usernames beginning with the letter 'A' were prompted for a new password, with 'B' on day 2 and so on. If I felt like a month of higher call volume would exceed the metrics of the call center, I would have switched it to 'A[A-M]' and so on.
Your concern is valid, but you are showing exactly the limited foresight that young and inexpensive programmers are dangerous for. Granted, had I been willing to add a few more words to my explanation, you might not have made that error, but a wise programmer wouldn't have made it in the first place.
Don't think that my criticism of your solution is a critique of your intelligence however. I consider myself to be an intelligent person and ten years ago, I would have made the same mistake.
As someone with a rather embarassingly similar system to support, I can sympathize with your concern. We railed against the limitations of the software vendor when we switched to it, but their attempts to fix it caused new issues. At first we had a system that truncated the longer passwords our users had on the old system, and then later when they tried to expand the length of input, those users with longer passwords they'd been transparently using were suddenly getting told their password was incorrect because the stored truncated version didn't match the longer version they were typing in.
As an example the password "iLikeLongPassword$ican'tT3ll@Lie" was stored internally as "iLikeLongP" and happily accepted, but the new password "iLikeLongP@sswordsButChangeWhenIrritated" was treated as a duplicate. When they implemented a fix, it started comparing "iLikeLongP" to "iLikeLongPassword$" and gave an authentication error. To prevent the overlap, they limited new password entries to ten (example only, not necessarily reality) and users were rightfully indignant thinking (incorrectly) their older password had been more secure.
Rather than have the system recognize truncated versions of the same password and prompt the user that the system had been updated and their longer password was now stored, they rolled back the "fix" to the older more limited system.
What they should have done was update the system to read the full password entered by the end user, and submit that to the authentication system, and if it failed, submit the truncated password to the authentication system. If the truncated version matched, it should have then alerted the user that it was now storing the fully complex password and then updated the stored version.
Why? is what you asked though. The short answer is that it probably relies on backend systems that were historically much more limited and weren't designed with modern security issues in mind. In some cases the password storage was designed to be able to be decrypted, in others the database was designed with a specific length for that entry. "Why don't they fix it" is the obvious followup question, but the answer is long so I won't repeat it here for the sake of brevity.
When will some bright CS geek invent a real solution to this problem.
Answer: they have and do, and even when they get around all the pre-existing patents (either by licensing or finding yet another idea) the sell and implementation are difficult hurdles to overcome. First the example you give is one very close to another I've seen sold by a company and I'm sure is patented. That makes it either expensive or out of the question right up front. Then there are other issues to keep it from being implemented.
Often the writers of the software that is in the backend of the system are long since gone from the companies that depend on them. Rather than hire expensive work done to correct the problem, companies choose instead to attempt to bend the front end of the system to meet the requirements of the back end. While that at least is possible in most cases, that requires a programmer that is willing and competent to put the work into such a system and, again, those programmers tend to be the experienced and expensive ones.
Take unix systems that used to only allow for six or eight characters. It would be possible to rewrite the login prompt to take the input of up to 500 characters, salt it against itself and then using the result, determine which pair of a hundred tables of random characters the original would be xor'd against and then hashed to where the resulting hash of the process uses a full ascii set with a limited resulting length matching the maximum original limited length to then submit that as a final password to the underlying authentication. The concept isn't horribly complex and the results would be good, but you have to find somebody that you can get to rewrite the login prompt, somebody else with expertise to validate the procedure and potentially in the future, someone to modify it if demands change or add it to new systems that are authenticating on top of it. On top of that, you have to be able to present a credible defense to outside auditing companies if the data you're protecting is in any way valuable. Alternatively you could hire somebody to update the existing backend validation system and handle the transition process with minimal impact. Either choice is feasible, but both are expensive and in many cases give you a custom system that is no longer supported by default from the upstream software provider.
Don't underestimate the requirement to satisfy auditors either. Auditors are rightly suspicious of home grown security systems. The auditor probably understands "the standard Microsoft requirement for a minimum length of ten characters with no less than three non-alphanumeric characters that doesn't duplicate any of the last eight passwords and updated every ninety days." The auditor probably doesn't understand "A scored input system requiring a minimum complexity of 30 bits processed using salts and algrothims to determine xor tables, then processed with a modified sha2 for an eight character ascii value drawn from the full ascii set, then reprocessed as a standard submission."
Take Windows as an example. There are a variety of alternative authentication systems you can add on for example, but if you do then you can't hire a random windows admin and have them administer the system without additional training. Even if you do, then you have to prepare yourself to maintain the system and have a sufficiently documented system to present to auditors each time they review your system. It is far simpler and cheaper to use the standard "every 90 days, and this type of requirement" policy everybody is already familiar with.
People are scared by a nuclear disaster, so you shut down nuclear. Then people are frustrated by shortages, and you meanwhile start pushing news about "new nuclear technology and preventing people from making the mistakes they made in the past." Sure, companies are doing without air-con but consumers will start experiencing a world without Internet, lights and television. In two years, I expect the population will support the "new wave of safe nuclear" that eliminates the shortages. I'm sure that much attention will be paid to the increased role of alternative energy in a supporting role as nuclear quietly reassumes more electrical production than it did prior to the disaster.
In ten years, expect Japan to be proud of their ability to manage clean energy resources in parallel with safe "new" nuclear generation.
In ten years, you and I will will both be a little older and hopefully a little wiser. You suggest that Japan will become a bastion of "clean" energy, and I suggest that they'll pay it lip service while relying more than ever on nuclear as their primary "clean" energy. I wonder which of us will look back and think we were naive. I've rarely found myself too pessimistic in retrospect, but often found I wasn't pessimistic enough.
Personally I think I agree with you, but would like to refine and discuss a counter point. I believe that federal government money should not be involved in the creation or propping up of business and industry. I think the point is that it creates a climate where the government takes action on behalf of the people in the attempt to gain power (votes) at the expense of the freedom of the voters. (i.e. Our government supports green energy sounds better than our government lets oil companies profit. Votes are garnered because people don't realize it means the same thing as we take your money and spend it our way because we are smarter than you.)
Federal government is different from state government though in that state government more closely reflects the will of the governed and promotes the competition of ideas. This is where there is a reasonable counter argument that should be considered.
If a state such as California believes that government control of power is a benefit to the citizens, they can establish a monopoly and price controls. They might believe that it is in the best interest of the citizens of CA to have a move to centralized electrical generation because centralized production of electricity can achieve efficiencies and enforceable environmental standards that couldn't be achieved in the free market. They can subsidize and promote such a move by taxing gasoline and diesel purchases and using some of the additional revenue to give tax incentives or even partial funding to the electric monopoly. By making these choices, they are controlling the decisions available to their citizens for a goal of benefiting the citizens.
Oregon may feel that a less controlled electric market has a greater potential to provide service reliably and that their citizens benefit more from having lower fuel prices than from the potential of a controlled energy market. Oregon then may decide to offer no additional tax breaks to either potential industry in the hope that what the consumer chooses will be the most cost effective and generally beneficial option.
This is where it gets interesting. If CA has high gasoline and deisel prices, but lower cost electricity, then they may benefit from increased demand for electric cars and find citizens are benefiting from a cleaner environment and cheaper electricity. OR may find that their environment is more polluted and their electricity costs more to the consumer. Alternatively however, CA may find that the structure and prices for electricity are insufficient to match demand and there is insufficient revenue to prevent brown and blackouts state wide. OR may find that their consumers have more income available due to the lower costs of energy and have a more vibrant economy as the money that isn't spent on energy is applied to other products.
By having two states with differing policy and application, the rest of the nation benefits in making their own policy decisions. What works or fails for CA and OR can be reapplied in all the states that have the same goals resulting in a majority benefit. It isn't as great as a government that always makes the best decisions, but few people would suggest that our federal governmetn always makes the best decisions.
I didn't examine the examples I gave, they're hypothetical only. Please don't worry about the state particulars, I'm happy to admit that CA and OR energy policy is likely not exactly, possibly not even close, to what I described. I'm focusing on the concepts, not real world examples. Feel free to offer real world examples however, if they address the concepts.
There are plenty of examples in science that may not have 100% acceptance but which still have a common consensus. Even science that provokes rabid denials from a small group like: evolution, the moon landings or the 9/11 attacks have a common consensus. With everything I've mentioned so far, you'd be hard pressed to find many well respected scientists who vary from the consensus. There is a difference between these types of consensus and AGW.
I think the comparison most enlightening is the theory of dark matter. Most experts in the field agree with the dark matter theory, but there are a significant number of well respected scientists in the field who don't agree with the theory and support alternative theories. This is pretty much exactly the case that I found when I researched the science behind AGW. There are solid theories and data to support the idea, but there are solid arguments made by respected science against it.
The huge difference between dark matter theories and AGW is the kind of discussion that happens if you happen to disagree with one of them. Personally, I previously preferred quantum gravity theory. I could say so and people might disagree with me or point out the flaws in the theory or point out the evidence for dark matter, but nobody called me a denialist. Nobody suggested that doubting the preferred theory was unreasonable. People were interested and even passionate about it, but they argued the facts rather than suggesting that scientists were being dishonest or that it was some massive conspiracy. Nobody said "You've bought into the propaganda machine hook, line and sinker." When new evidence (the Bullet Cluster) was presented, I changed my mind. I still like the elegance of TeVeS, but I'm now more inclined to believe the dark matter and energy theories. Waiting for new evidence wasn't irrational but heaven forbid you take that stance on AGW because you get hit by both sides as if you were an enemy.
AGW is a reasonable theory with substantial data to support it. It is supported by credible scientists. To say that all the data supports it or that any expert in the field who disagrees with it is disingenuous or uneducated is unfair, inaccurate and bluntly unreasonable. The fact is that both proponents and opponents of the theory tend toward emotional rather than logical discourse. That is why I find the issue so frustrating. It IS different because people attach almost a religious significance to it, unlike pretty much any other young scientific theory. (I know you're thinking 'evolution!' but evolution isn't what I'd call a new theory regardless of how much religious significance people attach to it.)
This is exactly the issue I have with AWG. It seems to degenerate into a shouting match instead of a discussion of facts. I find that if I do enough reading, I can understand most science topics, cancer research and quantum physics included. I decided that I really wanted to understand what was going on with global warming, at least reasonably well and spent a long time reading to understand. What I discovered is that most of the people that are cited as being authorities on internet forums aren't considered reliable by established scientists, and there are opposing viewpoints from scientists that are credible.
I won't say it is a trick and I don't think any credible scientist is saying it is all a hoax, but there are a wealth of opinions on what the data means and reasonable theories on how significant AGW is. I'd absolutely agree that AGW exists and any actual scientist will concede that humans must have some sort of impact on climate, but the degree of impact is only the first issue that is not agreed on. The second is the vectors of impact. Certainly CO2 is a factor, but how does that compare to the impact of the cattle industry or agriculture? Again, there are varied opinions. Finally, if you pick one or two opinions from those two issues which support the concern that AGW is a significant danger to our society, there is still the issue of reaction. Perhaps the best use of resources isn't to try to limit fossil fuel consumption, but to instead invest in fusion, or promote traditional nuclear fission reactors. Maybe the best reaction is to massively seed algae.
If there was a consensus on the data, it escaped my ability for research (about a year ago, I'm probably due to repeat it again soon.) If we can get a consensus on the data, and a reliable theory, then I hope we'll see rational discussion about responses... but I'm afraid I'm not optimistic.
Likely no matter what results are found and no matter what arguments are put forth, somebody will say something to me like: "You've bought into the propaganda machine hook, line and sinker."
Really? I tunnel through a VPN on 443 (SSL) and our firewall/filter blocks that stuff too.
The GPO block is harder to get around, you have to be able to boot from your own media (thumb or CD is handy) and our stations BIOS are locked down with a password, but of course, if you open the case and boot your own drive as primary, then you're golden.
Warning: Some cases have alarms on them that they've been opened, most don't. Test with a neighbor's first.
The way I understand it, it isn't possible to tell SSL from VPN traffic without setting up MITM, which is not foolproof, trivial or necessarily legal.
Oh, and yesterday I discovered the desktop sharing software Mikogo, which doesn't require installation and apparently uses an encrypted connection over 443. It isn't blocked by the system by default either. (Mikogo says they "work with" your existing proxies and firewalls. "Work despite" might have been a more accurate phrasing.)
Disclaimer: I am the admin, I don't have to work around the restrictions, but I use the VPN as a way of testing from external IPs. I know what is possible and why in part because I have to worry about people getting past it.
Exactly. I've been looking for somebody to say this.
I see a lot of concern posted about running a server on the hospital network that will cause the auditors to flip out. There may be a very simple potential alternate solution: Don't run it on their network. Take it home and put it on DynDNS and you're looking at an extra $30 annually. Do it well and you could offset the costs with a donation page.
Better yet, find a small tech company and have them host it for you. See if you can trade off server resources for free hosting or get it from Cousin Larry's crazy friend hosting. Then you're independently purchasing a service for convenience from a third party which should put it right out of the auditor's interest.
"What? Oh, I subscribe to a scheduling application, it's really rather handy and they specialize in just the kind of scheduling we do. It's sort of like Google Calendar (not sure why that wouldn't have worked better actually) but it does what we want."
You're exposing our trade secrets! When did you work at our company and didn't we make you sign a NDA? Oh wait, you said "government" where we do that with other branches of our company.
Slashdot Mirror
Thanks man.
If a few more people were interested in actually presenting facts, there might not be controversy in the first place.
Honestly I've been very reluctant to accept AGW. There are plenty of people of people I respect who are sure that it is exaggerated or completely false. I hear them recount their points over and over and each article or soundbite in favor of their perspective gets discussed with enthusiasm.
I've done my own research and found that most people who write in favor of AGW do so without actually checking the science. They tend to be an abusive and dismissive group. That doesn't actually persuade me that AGW is bogus, I'm willing to accept that truth can be supported by assholes, but it does make it hard to find information. It is a lot easier to find deniers using facts and referencing studies. Again, that doesn't convince me since plenty of whackjobs think they have reliable sources.
I've heard the Mars talking point plenty of times and recall some doubt after looking it up myself, but it would have been nice to see a link to information rather than abuse.
Yes. If it needed done.
Do what needs done. Use your time wisely. If you manage both of those things, then you're doing more than most people.
On my first day, my boss, who is past retirement age and still keeps up with current technology, stopped to pick up trash from the floor. I noticed. It impressed the hell out of me and the lesson stuck. Here is a guy at the top of a company who still takes time to do what he can in any capacity to make sure that what needs done gets done, no matter how menial. Today he set up a workstation, not because it needed his personal time but because he likes to know how things are being done. He has staff that he depends on to manage setting up the workstations (and servers and manage contracts and interact with vendors and develop in house applications.) Still, he wants to learn how our images are working, what we build them with and what we have to set up on individual machines. He carries tremendous responsibility in the company and makes decisions that account for a large portion of the company budget. His mistakes cost us tremendous amounts of money and time and his good decisions save us tremendous time and money. This same guy takes time to fix a printer when he is at hand and it needs someone with only the most rudimentary mechanical skill. I've seen him study the bios on a PC when he has staff that he could assign to become experts. He makes it obvious that no task is too small or too menial to do if it needs doing.
We have different IT philosophies in some significant areas and he drives me absolutely crazy sometimes. Still, I respect somebody that does what needs done. Everybody respects the guy that does what needs done when it needs done. The majority of his time is spent managing, researching and reporting, but he makes time to learn new things and spends time on tasks he could assign somebody to assign somebody to do because he cares to know what is going on and why.
xTrashcat:
We range from 18 to late 60s, average is probably 45.
I'd guess maybe 5% jump on learning new tech, 70% learn it with mild reluctance and 25% actively hate having to deal with it.
I've worked in five IT environments. Every instance had some people who hated new tech and a rare few who embraced learning about it.
Your group doesn't sound special, it just sounds like the mentality is one of entrenchment against dealing with unnecessary new skills. It probably stems from a lack of reward in the past, but such views can be slowly won over with patience.
Do what needs doing. Learn about the new BIOS settings if that's what is called for. When you're of age to be "that old guy in IT" you can be like my boss, the guy who does what needs to be done.
Your explanation was good, but it didn't use a car metaphor so it kinda confused me. Now I feel obligated to offer one:
Humm...
I'm against the act, but not because of the mandate/tax. I'm not against the provisions. The idea that health insurance and health care could use some legislative improvement is acceptable to me. I am against the idea that the only way to solve the problems is to force an entire nation to use one idea instead of letting 50 governments try solutions.
"I predict future happiness for Americans, if they can prevent the government from wasting the labors of the people under the pretense of taking care of them."
- Thomas Jefferson
"My reading of history convinces me that most bad government results from too much government."
- Thomas Jefferson
"Government is not reason, it is not eloquence - it is force. Like fire, it is a dangerous servant and fearful master."
- George Washington
Really? Like Bing? (explicit.bing.net).
Where is it illegal to not block it?
Maybe the default should be what most people seem to prefer, or perhaps the one that causes the least customer loss. You know, instead of turning the default to the setting that gets you banned in schools?
Maybe you should split off potentially offensive content to a different sub-domain so it can be easily blocked by people want to block it and ignored by people who don't care.... like Bing does.
Ha! Ha. ... no wait, that makes more sense than I expected.
Why do we need an OS that is installed? I've used Ubuntu, CentOS, Slax and other live CDs and been impressed with how well they do what I want. With Novell Suse Studio I could build my own Customized OS which isn't ever installed on the computer. I already store all my important data on a pair of external USB drives, but I'd rather have my main hard drive handle the job. If I didn't have to worry about installing the OS, I could boot every time to the same system until I wanted an update and just burn a new CD or update the usb stick I boot from.
I heard a Staples guy talk about how he was doing exactly that sort of thing and it bugs me. I've never been able to get an OS on a stick to meet my demands, but I should be able to. In the future, I'd love to see computers sold with "and here is your OS stick, it comes with Window 9, Ubuntu, PC-BSD and Mac Alleycat but you can update those or come back and get an updated version anytime you like for $99."
I thought of that flaw and as an experienced programmer, I would have prompted the user to re-enter and then verify again the entered password. I didn't add that to my comment because it was already suffering from "too long, didn't read" syndrome.
Your solution of expiring the password immediately could be bad, very bad. Instead of having a few callers per day complaining about the problem, you would instantly have hundreds and maybe thousands of additional callers.
That is a simplification though, If you were my boss and said "no, I don't like it, I want them to have to enter a new password" then I would have done it differently. I would have built in a graduated delay so that on day 1, all usernames beginning with the letter 'A' were prompted for a new password, with 'B' on day 2 and so on. If I felt like a month of higher call volume would exceed the metrics of the call center, I would have switched it to 'A[A-M]' and so on.
Your concern is valid, but you are showing exactly the limited foresight that young and inexpensive programmers are dangerous for. Granted, had I been willing to add a few more words to my explanation, you might not have made that error, but a wise programmer wouldn't have made it in the first place.
Don't think that my criticism of your solution is a critique of your intelligence however. I consider myself to be an intelligent person and ten years ago, I would have made the same mistake.
As someone with a rather embarassingly similar system to support, I can sympathize with your concern. We railed against the limitations of the software vendor when we switched to it, but their attempts to fix it caused new issues. At first we had a system that truncated the longer passwords our users had on the old system, and then later when they tried to expand the length of input, those users with longer passwords they'd been transparently using were suddenly getting told their password was incorrect because the stored truncated version didn't match the longer version they were typing in.
As an example the password "iLikeLongPassword$ican'tT3ll@Lie" was stored internally as "iLikeLongP" and happily accepted, but the new password "iLikeLongP@sswordsButChangeWhenIrritated" was treated as a duplicate. When they implemented a fix, it started comparing "iLikeLongP" to "iLikeLongPassword$" and gave an authentication error. To prevent the overlap, they limited new password entries to ten (example only, not necessarily reality) and users were rightfully indignant thinking (incorrectly) their older password had been more secure.
Rather than have the system recognize truncated versions of the same password and prompt the user that the system had been updated and their longer password was now stored, they rolled back the "fix" to the older more limited system.
What they should have done was update the system to read the full password entered by the end user, and submit that to the authentication system, and if it failed, submit the truncated password to the authentication system. If the truncated version matched, it should have then alerted the user that it was now storing the fully complex password and then updated the stored version.
Why? is what you asked though. The short answer is that it probably relies on backend systems that were historically much more limited and weren't designed with modern security issues in mind. In some cases the password storage was designed to be able to be decrypted, in others the database was designed with a specific length for that entry. "Why don't they fix it" is the obvious followup question, but the answer is long so I won't repeat it here for the sake of brevity.
Answer: they have and do, and even when they get around all the pre-existing patents (either by licensing or finding yet another idea) the sell and implementation are difficult hurdles to overcome. First the example you give is one very close to another I've seen sold by a company and I'm sure is patented. That makes it either expensive or out of the question right up front. Then there are other issues to keep it from being implemented.
Often the writers of the software that is in the backend of the system are long since gone from the companies that depend on them. Rather than hire expensive work done to correct the problem, companies choose instead to attempt to bend the front end of the system to meet the requirements of the back end. While that at least is possible in most cases, that requires a programmer that is willing and competent to put the work into such a system and, again, those programmers tend to be the experienced and expensive ones.
Take unix systems that used to only allow for six or eight characters. It would be possible to rewrite the login prompt to take the input of up to 500 characters, salt it against itself and then using the result, determine which pair of a hundred tables of random characters the original would be xor'd against and then hashed to where the resulting hash of the process uses a full ascii set with a limited resulting length matching the maximum original limited length to then submit that as a final password to the underlying authentication. The concept isn't horribly complex and the results would be good, but you have to find somebody that you can get to rewrite the login prompt, somebody else with expertise to validate the procedure and potentially in the future, someone to modify it if demands change or add it to new systems that are authenticating on top of it. On top of that, you have to be able to present a credible defense to outside auditing companies if the data you're protecting is in any way valuable. Alternatively you could hire somebody to update the existing backend validation system and handle the transition process with minimal impact. Either choice is feasible, but both are expensive and in many cases give you a custom system that is no longer supported by default from the upstream software provider.
Don't underestimate the requirement to satisfy auditors either. Auditors are rightly suspicious of home grown security systems. The auditor probably understands "the standard Microsoft requirement for a minimum length of ten characters with no less than three non-alphanumeric characters that doesn't duplicate any of the last eight passwords and updated every ninety days." The auditor probably doesn't understand "A scored input system requiring a minimum complexity of 30 bits processed using salts and algrothims to determine xor tables, then processed with a modified sha2 for an eight character ascii value drawn from the full ascii set, then reprocessed as a standard submission."
Take Windows as an example. There are a variety of alternative authentication systems you can add on for example, but if you do then you can't hire a random windows admin and have them administer the system without additional training. Even if you do, then you have to prepare yourself to maintain the system and have a sufficiently documented system to present to auditors each time they review your system. It is far simpler and cheaper to use the standard "every 90 days, and this type of requirement" policy everybody is already familiar with.
People are scared by a nuclear disaster, so you shut down nuclear. Then people are frustrated by shortages, and you meanwhile start pushing news about "new nuclear technology and preventing people from making the mistakes they made in the past." Sure, companies are doing without air-con but consumers will start experiencing a world without Internet, lights and television. In two years, I expect the population will support the "new wave of safe nuclear" that eliminates the shortages. I'm sure that much attention will be paid to the increased role of alternative energy in a supporting role as nuclear quietly reassumes more electrical production than it did prior to the disaster.
In ten years, expect Japan to be proud of their ability to manage clean energy resources in parallel with safe "new" nuclear generation.
In ten years, you and I will will both be a little older and hopefully a little wiser. You suggest that Japan will become a bastion of "clean" energy, and I suggest that they'll pay it lip service while relying more than ever on nuclear as their primary "clean" energy. I wonder which of us will look back and think we were naive. I've rarely found myself too pessimistic in retrospect, but often found I wasn't pessimistic enough.
Personally I think I agree with you, but would like to refine and discuss a counter point. I believe that federal government money should not be involved in the creation or propping up of business and industry. I think the point is that it creates a climate where the government takes action on behalf of the people in the attempt to gain power (votes) at the expense of the freedom of the voters. (i.e. Our government supports green energy sounds better than our government lets oil companies profit. Votes are garnered because people don't realize it means the same thing as we take your money and spend it our way because we are smarter than you.)
Federal government is different from state government though in that state government more closely reflects the will of the governed and promotes the competition of ideas. This is where there is a reasonable counter argument that should be considered.
If a state such as California believes that government control of power is a benefit to the citizens, they can establish a monopoly and price controls. They might believe that it is in the best interest of the citizens of CA to have a move to centralized electrical generation because centralized production of electricity can achieve efficiencies and enforceable environmental standards that couldn't be achieved in the free market. They can subsidize and promote such a move by taxing gasoline and diesel purchases and using some of the additional revenue to give tax incentives or even partial funding to the electric monopoly. By making these choices, they are controlling the decisions available to their citizens for a goal of benefiting the citizens.
Oregon may feel that a less controlled electric market has a greater potential to provide service reliably and that their citizens benefit more from having lower fuel prices than from the potential of a controlled energy market. Oregon then may decide to offer no additional tax breaks to either potential industry in the hope that what the consumer chooses will be the most cost effective and generally beneficial option.
This is where it gets interesting. If CA has high gasoline and deisel prices, but lower cost electricity, then they may benefit from increased demand for electric cars and find citizens are benefiting from a cleaner environment and cheaper electricity. OR may find that their environment is more polluted and their electricity costs more to the consumer. Alternatively however, CA may find that the structure and prices for electricity are insufficient to match demand and there is insufficient revenue to prevent brown and blackouts state wide. OR may find that their consumers have more income available due to the lower costs of energy and have a more vibrant economy as the money that isn't spent on energy is applied to other products.
By having two states with differing policy and application, the rest of the nation benefits in making their own policy decisions. What works or fails for CA and OR can be reapplied in all the states that have the same goals resulting in a majority benefit. It isn't as great as a government that always makes the best decisions, but few people would suggest that our federal governmetn always makes the best decisions.
I didn't examine the examples I gave, they're hypothetical only. Please don't worry about the state particulars, I'm happy to admit that CA and OR energy policy is likely not exactly, possibly not even close, to what I described. I'm focusing on the concepts, not real world examples. Feel free to offer real world examples however, if they address the concepts.
There are plenty of examples in science that may not have 100% acceptance but which still have a common consensus. Even science that provokes rabid denials from a small group like: evolution, the moon landings or the 9/11 attacks have a common consensus. With everything I've mentioned so far, you'd be hard pressed to find many well respected scientists who vary from the consensus. There is a difference between these types of consensus and AGW.
I think the comparison most enlightening is the theory of dark matter. Most experts in the field agree with the dark matter theory, but there are a significant number of well respected scientists in the field who don't agree with the theory and support alternative theories. This is pretty much exactly the case that I found when I researched the science behind AGW. There are solid theories and data to support the idea, but there are solid arguments made by respected science against it.
The huge difference between dark matter theories and AGW is the kind of discussion that happens if you happen to disagree with one of them. Personally, I previously preferred quantum gravity theory. I could say so and people might disagree with me or point out the flaws in the theory or point out the evidence for dark matter, but nobody called me a denialist. Nobody suggested that doubting the preferred theory was unreasonable. People were interested and even passionate about it, but they argued the facts rather than suggesting that scientists were being dishonest or that it was some massive conspiracy. Nobody said "You've bought into the propaganda machine hook, line and sinker." When new evidence (the Bullet Cluster) was presented, I changed my mind. I still like the elegance of TeVeS, but I'm now more inclined to believe the dark matter and energy theories. Waiting for new evidence wasn't irrational but heaven forbid you take that stance on AGW because you get hit by both sides as if you were an enemy.
AGW is a reasonable theory with substantial data to support it. It is supported by credible scientists. To say that all the data supports it or that any expert in the field who disagrees with it is disingenuous or uneducated is unfair, inaccurate and bluntly unreasonable. The fact is that both proponents and opponents of the theory tend toward emotional rather than logical discourse. That is why I find the issue so frustrating. It IS different because people attach almost a religious significance to it, unlike pretty much any other young scientific theory. (I know you're thinking 'evolution!' but evolution isn't what I'd call a new theory regardless of how much religious significance people attach to it.)
This is exactly the issue I have with AWG. It seems to degenerate into a shouting match instead of a discussion of facts. I find that if I do enough reading, I can understand most science topics, cancer research and quantum physics included. I decided that I really wanted to understand what was going on with global warming, at least reasonably well and spent a long time reading to understand. What I discovered is that most of the people that are cited as being authorities on internet forums aren't considered reliable by established scientists, and there are opposing viewpoints from scientists that are credible.
I won't say it is a trick and I don't think any credible scientist is saying it is all a hoax, but there are a wealth of opinions on what the data means and reasonable theories on how significant AGW is. I'd absolutely agree that AGW exists and any actual scientist will concede that humans must have some sort of impact on climate, but the degree of impact is only the first issue that is not agreed on. The second is the vectors of impact. Certainly CO2 is a factor, but how does that compare to the impact of the cattle industry or agriculture? Again, there are varied opinions. Finally, if you pick one or two opinions from those two issues which support the concern that AGW is a significant danger to our society, there is still the issue of reaction. Perhaps the best use of resources isn't to try to limit fossil fuel consumption, but to instead invest in fusion, or promote traditional nuclear fission reactors. Maybe the best reaction is to massively seed algae.
If there was a consensus on the data, it escaped my ability for research (about a year ago, I'm probably due to repeat it again soon.) If we can get a consensus on the data, and a reliable theory, then I hope we'll see rational discussion about responses... but I'm afraid I'm not optimistic.
Likely no matter what results are found and no matter what arguments are put forth, somebody will say something to me like: "You've bought into the propaganda machine hook, line and sinker."
Really? I tunnel through a VPN on 443 (SSL) and our firewall/filter blocks that stuff too.
The GPO block is harder to get around, you have to be able to boot from your own media (thumb or CD is handy) and our stations BIOS are locked down with a password, but of course, if you open the case and boot your own drive as primary, then you're golden.
Warning: Some cases have alarms on them that they've been opened, most don't. Test with a neighbor's first.
The way I understand it, it isn't possible to tell SSL from VPN traffic without setting up MITM, which is not foolproof, trivial or necessarily legal.
Oh, and yesterday I discovered the desktop sharing software Mikogo, which doesn't require installation and apparently uses an encrypted connection over 443. It isn't blocked by the system by default either. (Mikogo says they "work with" your existing proxies and firewalls. "Work despite" might have been a more accurate phrasing.)
Disclaimer: I am the admin, I don't have to work around the restrictions, but I use the VPN as a way of testing from external IPs. I know what is possible and why in part because I have to worry about people getting past it.
Exactly. I've been looking for somebody to say this.
I see a lot of concern posted about running a server on the hospital network that will cause the auditors to flip out. There may be a very simple potential alternate solution: Don't run it on their network. Take it home and put it on DynDNS and you're looking at an extra $30 annually. Do it well and you could offset the costs with a donation page.
Better yet, find a small tech company and have them host it for you. See if you can trade off server resources for free hosting or get it from Cousin Larry's crazy friend hosting. Then you're independently purchasing a service for convenience from a third party which should put it right out of the auditor's interest.
"What? Oh, I subscribe to a scheduling application, it's really rather handy and they specialize in just the kind of scheduling we do. It's sort of like Google Calendar (not sure why that wouldn't have worked better actually) but it does what we want."
You're exposing our trade secrets! When did you work at our company and didn't we make you sign a NDA? Oh wait, you said "government" where we do that with other branches of our company.