Just to add for clarity: of course salting is very important and highly useful, but it's only applicable when your generator has the strength of SHA-2. If you're "only" capable of doing MD5 in your head then salting has demonstrable weaknesses.
I understand your position, but I think it has flaws in general applicability.
From a more structured approach: we ask where to draw the randomness (=strength) for your password from. If your generator (boxcar+ID -> f-a2#s:d__x1y) is extremely strong, "boxcar" simply salts the projection and you can keep the ID part very short. Is having such a complex mental generator preferable to rote memorisation of pseudorandom strings? I guess it might as well be, as the ID part can be as few as 2 characters.
But that's conditional on the strength of the generator, so when recommending a password scheme to your kids and grandmother, how confident are you that they'll not mess up? Case in point: ID=sitename as proposed in the thread branch below, so you get simply boxcarfacebook.com as login password. I fear with many users "boxcar" would be false security when applied to all their passwords.
This used to be my main password scheme, but I've gradually shifted it out for the other one over the years. Instead of relying on generating pseudoentropy through a memorised algorithm, it's preferrable to have a randomised and unconnected (but easily memorisable) seed in the first place! In general, drawing additonal entropy from a highly biased source (fixed string like "boxcar") makes me uneasy (as it should everyone with a CS background).
You're either not understanding what I'm saying or need to try applying the Charity Principle more.
Um. Yeah. It kind of is. If I made a *local* html script and run it on my local machine. I'm fairly certain it's not sending passwords out cleartext over the internet. You can make it so that it just copies a result to the clipboard, etc.
Your local HTML script (a HTML file with JavaScript?) generally can't decide whether to send information to an arbitrary server encrypted or not. For example with a login web page, either the server offers TLS/SSL (the URL starts with https) to your browser, in which case you send your login credentials encrypted, or it doesn't, in which case you can't choose to send them encrypted. What you do locally is of no consequence.
As for the NSA argument, well that's several steps up from people looking at your screen in a crowded room or train. And it necessiates getting rid of the display as soon as possible. And again, throwing clear text passwords onto your drive (like you did in your bash example) is a very bad idea, I hope everyone can agree with that? That's why it's a terrible example.
Its a standalone everything. There is no grease money. I don't try to inject my password into pages.
Hehe, not "grease money", you give off the impression as if you don't care about reading carefully what your discussion partners have to say;) For example, I'm assuming your script can help you remember a password to log into, say, your airline customer account you created two years ago in order to change some bookings. If it could inject it automatically into the field (say through the context menu as a Firefox or Chromium extension) from the clipboard, that'd be a nice bonus, no?
I'm aware that you can write a password vault in bash script:) But the ggp doesn't show this and instead proposes a highly questionable example as a "quick and simple" solution, which - my point - it's not.
Besides, I don't like the "space before command" because it doesn't default to omitting history entries on zsh (you can set it up of course). And due to being a tiny visual clue... it's almost as inelegant as shooting down the session. The best way to solve this problem is to not even pose the question: don't set up your workflow in a way where you have to work around entering sensitive information on screen while often sitting in different places.
In a world where dictionary attacks weren't as common as they are, you'd be right. That one particular xkcd always bothered me. Algorithmically, "correcthorsebatterystaple" is as secure as any other 4-token password like "hanx". Note that "hand" would be a 1-token password and only marginally more secure than only "h" (due to a larger dictionary size, but since its order 1, we're talking about a constant factor).
So typing out the sentence only makes a difference in security if it can't be effectively tokenised to a canonical version, or if the feasible brute force attack lies above the only-first-letter version but below the typed-out version due to dictionary size difference (tokenisation cost). This is not the case with current (and near future) machines for the grandparent's examples. It does however always make a difference having to type several dozen characters...
I made a javascript that does it locally (no sending my passwords cleartext over the internet).
It's usually not your choice whether or not to send the password in clear text over the internet, but I strongly recommend simply not using services that don't offer encryption. But that has nothing to do with my previous comment... again: I don't want my password to be visible on screen (neither the "salt" one, nor the resulting hashed password). And if it gets saved anywhere on disk in clear text (like it does with your bash one-liner), even worse! You shouldn't present such a bad example as a viable method only to mention in a follow-up comment that you have something actually usable. I assume your JavaScript (which presumably is geared to web logins?) shows a "password" dialog (the input characters starred) and then enters the result into the password entry field on your current web page? Is it Greasemonkey script or a plugin?
If SSH to my home computer is compromised a password to Slashdot is the least I have to worry about. SSH is also protected with Google Authenticator so I have to have my phone with me to log in with 2-factor.
Good, but I'm not sure why you bring that up. The topic is how to teach people to remember passwords to arbitrary (website among others) logins efficiently.
LastPass, SeaHorse and all the other vaults are good options with only few drawbacks (for example that you have to have the software with you). A solid mental scheme as I presented further above is another option.
Hmm, I strongly dislike the idea of sitting in a public place and typing my "salt password" visibly into a prompt (especially if it litters the bash history), and then also getting the resulting login password in clear text.
I guess you're not proposing to remember those pseudorandom login passwords, because that's a pain for dozens of accounts (and you could then simply use any input or even sites like http://www.passwordgenerator.e...)
I've been using this scheme (base word + something connected to what the service does, usually in leetspeak) for about 15 years now to help me remember passwords for obscure/rarely used accounts. The most important insight is: use it ONLY for unimportant/throwaway stuff and PLEASE stop recommending it as a general method to people. I have more than three dozen accounts and passwords. At some point one of those WILL be breached, probably without you ever being aware of it, and without any blame on your side. It happens even to the likes of Amazon. And then what? Anybody who takes more than 5 seconds to look at your password, or even a malicious system maintainer who grabs passwords at login, will be in a position where your passwords are just 3-4 token variations (and we're all are aware how quickly you can break 4 character passwords even by hand). Sure, it's not very vulnerable to automation (unless somebody decides that enough people are using this and couples it to pattern matching with the service and identified base words as input, and a brute forcer), but once a human mind sets you as a target, your online world is SOL.
IMO the best password scheme is still 8+ tokens (letters like 'a', words like "house", numbers like 123) that have absolutely NO CONNECTION to the service that offers the account or to publicly available information about you. A good pattern (among many others) is to draw from an unrelated memorable sentence at the time you are creating the account. For example if you joined Slashdot last month while listening to the news, you may have thought "Hopefully the Russian annexation of Crimea doesn't start a war" and take the first letter of every word: "HtRaoCdsaw". Or for a shorter sentence ("Let's not have a war again") every second word: "notaagain", but note that these are only 3 tokens, i.e. as bad as a 3 character password, so you have to spice it up through punctuation and leetspeak, according to a personal scheme of yours. But the important part is that when someone discovers and understands your scheme by looking at a leaked password, they will still have no chance of cracking your other accounts because the base sentence is unrelated. And since you picked something memorable, the mnemonic hook will help you remember it for years.
Hmm, so let me go ad absurdum here for a moment...
You witness someone falling into a big water tank, the rim is just out of arms reach and it becomes obvious that person can't swim. Nobody else is around, so you're expected to walk over and give him a hand, no big deal. But you refuse, claiming that it's too much of an effort to pull up a grown person and you'd probably experience some strain pain, and might get wet... all such things that put stress/pain on your body. So you don't do it, the person drowns, you claim innocence before the law because of the sovereignty of your own body.
Regardless of the "asshole-level" of your actions, in my country (Switzerland) you'd go to jail for Failure to Rescue, which I and obviously my fellow citizens think is correct. So where do you draw the line between this example and yours?
Please elaborate a bit more on your first sentence. I don't live there, so I have to rely on Wikipedia etc., but the population of Crimea is around 2 million, out of which 58% (1.16m) are Russians and 12% (0.24m) are Tatars, with 24% Ukraininans. If 100% of Sevastopol (population of 380'000) were Russian, that still leaves 780'000 Russians vs 240'000 Tatars for the rest of Crimea. I'd say if anything, Crimea on the whole is ethnically Russian.
Maybe you're referring to the historical development. But I don't see how 3 centuries of Tatar rule take precedence over 4 centuries of Bulgarian rule, 2 centuries of Kievan Rus' rule (both slavic) and all the others (Greeks, Goths, Huns,....) before the Tatars arrived in the 15th century. And for the Russian rule since the 18th century, afaict the whole pretext for the subjugation was that the Crimea was slavic lands.
Your example in the first paragraph isn't really applicable: imagine if the majority of Iraq's population were Americans... completely different context.
Also, keep in mind that the USA had several opportunities to resolve the WMD inspection problem (like allowing the EU to chose the inspectors) but they always chose the escalating "my way or the highway" option. IMO it's pretty hard to argue that the primary reason for the Iraq invasion was not oil and financial imperialism. Just look at who controls all of Iraq's oil exports right now.
Not sure how that works. If somebody just fixes a handful of characters, they aren't eligible for copyright in either the Apache or Linux code... so that sort of drive-by patchers aren't relevant for the discussion.
But if I "drive-by contribute" nontrivial code to someone with Apache commit access, that code is still under my copyright and the committer is not allowed to push it under the CLA unless I agree to the CLA as well (or resign my copyright to the committer). Which brings us back to square one.
Got a raging one for Steam? Steam is hardly original, except maybe on Windows.
No real App Store? Are you aware that you can buy proprietary software, music, etc. in the Software Center on Ubuntu, Mint and Suse right now? Sure, it's not universal across all distros, but Fedora and Debian reject proprietary offerings on principle (and still have tens of thousands of non-proprietary programs in their sofware managers) and the rest are irrelevant in terms of market share, so Steam for Linux follows the same distribution curve.
Steam has friend lists and achievement notifications, but that's not exactly needed for an application store... while both APT and RPM are technically vastly superior (Steam doesn't even support delta updates, version hold-ups, downgrades or concurrent dependency resolution) and have been around quite a bit longer.
However, I'm pretty confident it'll find a niche because of the built-in social networking, where it has to compete with Desura. But it doesn't "standardise Linux for developers" except in the packaging (which is somewhat around 1% of a porting effort), doesn't offer "stable binary APIs" (that'd be drivers, kernel and middleware/engines) and can't hope to improve on the present library version management.
That said, yeah, it's nice to have one more option! Sorry if I've damped your enthusiasm, no offense meant, but your comment struck me as starry-eyed;)
I've served as field transmission soldier and command staffer in our military for 10 months... reasonable is not exactly a fitting adjective. There's no enemy (except for jokingly mentioning Lichtenstein etc.) we could hold up against, and our main defensive strategy (still basically the Reduit/Bison plan) is just WTF-ish: fully abandon the ~20 biggest cities, most of the population, all industry, nearly all agriculture and hole up in the alps waging guerilla warfare.
We're a country of 8 million and had a military strength of ~0.8 million 30 years ago (keep in mind it's a militia system, that's basically 800k Ueli's [=Joe Public] with a rifle). After the reductions are completed, we'll have roughly 80k militia by 2020. If you want to use the word "reasonable", the continuation of this trend would be a good subject to apply it on.
The military expenses remain mainly penis enlargements for traditionalists, but as has been the case since even long before the French invasion, we absolutely have to rely on allies with actually large/modern militaries (probably northern/western Europe) to bail us out should pretty much any nontrivial invader decide to give it a go.
Diplomacy is our best defensive weapon and has been sufficient for the last two centuries (also: money). Plus there's not even a remote threat on the horizon except for "The Terrorists", though tanks and artillery have not exactly proven effective against those.
Since it would be patently stupid for the Syrian regime to deploy chemical weapons given the current situation, and we can agree that Assad is somewhat intelligent (regardless of him being an asshole), wouldn't Occam's Razor dictate that the CIA had clandestine agents deploy the weapons against the Syrians in order to facilitate a strike? They have the intelligence, agents, capability and most of all motivation. It's against some foreign population, which has been shown they don't really care about. At a very convenient point in time for the USA.
The CIA or Mossad are the most likely candidate, so that would actually be the simplest explanation, no?
The big difference between corporations and government is accountability.
Corporations nowadays are semi-directly accountable to a comparatively small group of stakeholders, and they are basically designed to be sociopaths. All I can do is vote-with-my-wallet, the feasibility/effectiveness of which is highly dependent on circumstances and usually just an after-the-fact measure. Governments in a democratic society are designed to be fully accountable to the public, e.g. you and me. There is absolutely no problem in letting such an entity become really big, as long as it can do nothing else but represent and serve the people. Corruption is always a problem, so anti-corruption efforts should be a major goal.
Now in the particular case of the USA: I don't think you can honestly claim that this government democratically represents the interests of the population of the USA. Fix that, don't just treat the symptoms by aiming for a smaller yet still corrupt government, while at the same time (inevitably by the efforts of current libertarians) giving more power to corporations who are guaranteed to behave like sociopaths.
Limiting organisations to 100 members is interesting, but they would form coalitions of 100 members (each a 100-member organisation) and meta-coalitions and so forth (even if it's just inofficial). Not far from divisions and subsidiaries today. Instead, I think accountability is more worthwhile (e.g. employee-owned corps)... or its little cousin, transparency (e.g. all board meetings should be broadcasted to each employee or even the public).
If by "developing its capabilities" you mean "analysing, understanding and applying NASA knowledge from the last 5 decades" to which they have full access then yes, they did that at some point and are still doing it. However, I'd be very surprised if their own research added even close to 1% to the heap. Just look at the outright silly disparity in amount, scale and scope of experiments, the size of the funding and R&D staff, etc. between the two.
They are basically a private extension of NASA with a significantly less risk averse decision making process, but also much less accountability. Not that I have anything against that, I think SpaceX is awesome, but I also do think that Tyson is mostly right.
I swear that if you took random sunsets from Google Maps and turned them into artistic-looking drawings/paintings they'd pass the "Turing test" with flying colors without any human being directly involved in the capture or composition.
Who tells the machine to take a sunset? Who enables it to choose? The artist. This robot and any software picking & repainting google images is exactly as intelligent as the painters brush, just a bit more complex, and has no more self-initiative or creativity than a piece of wood. Taking a picture with an expensive DSLR doesn't make the camera the artist, and mounting it on a self-driving car that randomly takes snapshots still gives all the credit to the person that built this. And photographing the Mona Lisa with a lens that introduces imperfections (that's what is done here) is of questionable artistic value whether done by a human with a camera or a human with a robot..
Don't get me wrong, I'm often annoyed by those interpret-the-world-into-three-strokes types (likewise, literature teachers who "know" that the author meant to convey this or that theory), but pushing more of the manual work into the tool (brush or camera or robot) doesn't make it an artist. For comparison, a machine will never own a copyright under our current concept of the idea, only the user/initiator/owner/... of the machine will, no matter how automated it is.
In summary, both the guy spraying paint from his ass and the one building and programming a highly complex robot to paint pictures produce art, but it's not the robot or the rectal muscles who take the responsibility and are called artists.
Who cares about a post-apocalypse tribal society on a pre-modern tech stage trying to restore mankinds' knowledge? Give them 10k more years and they'll manage to do it with femtocell lasers just fine. Or 50k years, it really doesn't matter, it simply shrinks compared to the idea that some cataclysm just wiped out all books accessible in the world, all professional knowledge, reading skills, parents-teaching-offspring, dozens of other information carrying media types (respectively it's usage knowledge) that would be around anyway etc. which could allow them to get up and running more quickly... but somehow left a few humans alive.
This storage type is not meant for a post-apocalypse tribal society restoring mankinds' knowledge. But some of us would be happy if the now often unreadable magnetic records from 70 years ago would have been stored on something more durable.
We have no problem paying for what we use. But we dont want to pay for the things we dont use. Like the wars, the spying, the surveillance. And the things that we do use, we want provided in a competitive market-place where abusive unresponsive or otherwise problematic suppliers cannot simply continue to bill us as much as they wish and use it for whatever they want!
I'll hijack this here, because that's an important point. One of the strongest correlators of crime is the (inverse) quality of public education [0]. Paying a small share for the education of your neighbours kids, even if you don't have any on your own, means paying for things you don't use. Yet the reduced stealing, robbing and killing 10 years down the road will benefit you personally. If everyone has a choice, many will not pay. If you don't pay, either you expect others to and are leeching off of them, or nobody does and you don't have whatever benefits come from highly scaled solidarity/collectivism. You're losing something valuable.
IMO education and health care clearly fall under this category (and I claim most people who lived in a country with universal public health care would agree), along with the obvious infrastructural stuff. The spying, offensive wars, etc. definitely don't. As mentioned, the modern state can be used for both good and bad, and instead of removing all of it (which leaves you in a worse situation, even though Libertarians call it paradise), why not fix it by returning your government to its intended role as a servant to the people? That's the point of democracy, and the symptoms you are fighting are results non-democratic seizure of power by special interests. You can say that there will always be corruption, or that the powers that be will not allow change, but the first can be mitigated in various ways, and if the second holds, your fight would be futile to begin with.
[0] Before anyone brings it up (aka inb4 guns), as a simple example for why gun control doesn't matter that much: check Honduras (high gun proliferation) and Jamaica (very strict gun laws), versus Switzerland (high gun proliferation) and the UK (very strict gun laws). The first two have high crime rates (and below average public education) while the second two rank lowly in world crime statistics (and have what is considered high quality public education). The main effect of gun policy is the percentage of gun related deaths and the location of crimes.
And in the system I advocate, you could say that, while in the system you defend, you cannot. Or you can, but it wont fly, of course. Find a way to refuse (difficult in europe, where the money is nearly always taxed before you get it) and you will eventually see why we say the power of the state grows out of the barrel of the gun.
If it's completely optional, in the (for the lack of a better expression) "heat of the opportunity" 500 of the 1000 will refuse because they really need the money for something specific right now, and they already helped some guy last month, and, and.... Another 300 will refuse out of greed, another 150 will point out that they have a choice, and this doesn't match their ideology or they don't feel compelled enough morally. So my share grows twenty-fold, can't give that much because I also divert a share of my income to maintaining our roads, electricity infrastructure, military, etc. And for some it snowballs into reducing their willingness to pledge help because it leaves them with too little disposable income. You go hungry. Solidarity requires broad coverage to work. Voluntary charities don't cut it, at least there is no example of sufficient equivalency out there, e.g. funding a national education infrastructure or healthcare program. Also, the overhead of your proposal leads to higher bureaucracy if it is to handle a similar volume of money assignment.
But why should I try to refuse paying taxes? Excuse the crass example: try to enslave people, which might be good for your personal profit if you could keep it that way (and "some" people would do so if it were optional)... you'll still get stopped at gunpoint, presumably by the government. I think both enforcing taxes and personal freedom is justified ethically and in terms of the net benefits, and accordingly required/guaranteed by law.
One paradox you face is that while a relatively wealthy nation with a culture that values work and production can maintain a welfare state and pay for it with taxes without destroying your productivity overnight, you still sap the very qualities that make this possible in the longer term. Which is to say, over time doing this makes you a less wealthy nation with a culture that places less value on productive work.
I require proof of that. Clearly you can't give it for now, but I'd like to point out that this is a problem of blame attribution: you see the cracks (which are always there in some form or another) and attribute them to a certain ideology you're compelled to oppose. I'm guilty of this too, it's human nature, but still not a good argument when reasoning about the merits of a system. As for your proposed alternative, I see how Libertarian state could work in theory, but not under the requirement that it matches a metric like the GNH (yes, I'm actually serious about that) of current states. As mentioned, IMO absolutely not worth aiming for.
With regards to the "USA protecting the world", I wouldn't say the out-of-bounds spending on your military-industrial complex is benefitial to Europe's safety. Apart from that, Europe is easily second, so there's only one entity in the world we'd have to watch out for...;)
On Sweden: they have utterly failed in their immigration/integration policy. You can blame it on the conservatives if you like, but claiming to see the writing on the wall for their whole system is far fetched. See blame attribution above. And you'd have to elaborate on the Swedish educational system being libertarian in nature, because most Americans so far have called its current form socialist (or communist, you get my point).
Not enough. I had a very bad year, broke my leg and been out of work for months. Got me an the missus and 7 kids. A small portion aint gonna do it buddy. Now where's our food?
I'm still only going to give you a small portion of my income. 0.1% should suffice. And my 1000 friends here will too, so you'll be fully funded instantly - such is the power of collectivism. And once you don't need it anymore you'll work with net gain by yourself again, because we're living in a capitalistic economy. And society won't have a valuable contributor starved, plus one of your 7 might be the next Einstein, so it'd be a shame if he/she missed out on a complete high quality education because it wasn't free or very cheap.
Surprisingly I hear from some US citizens that this wouldn't work, which doesn't make sense since most of Europe is proof that it does.
I know that you don't want to forbid the farmer from helping (PoC), but the case for forcing him to help (within reasonable bounds obviously, though that's another debate) is far stronger IMO. I don't understand where you see the indications that this is the path to failure, and such reasoning seems irrational to me. Why should it lead to breakdown and not prosperity, as shown by societies that apply on a large scale (some of) what we already practise within a family. Likewise, Marx' claims that all capitalism inevitably leads to breakdown and then communism still lack any indication of proof, and he made a highly elaborate case.
Let me ask you in return: how would a society as proposed (how I understood it) by the Libertarians not devolve into right-of-strength anarcho-capitalism? I don't see such a place as desirable to live in.
I agree that world hunger is technically a distribution problem, caused by a political problem. So how to fix this and similar issues? Obviously "fix" the entity responsible for politics, i.e. the government, only that our ideas of "fixing" are highly divergent. I've made a proposal here. The key idea is to make the government fully accountable to the people, not remove most of it. In this regard, I couldn't have written mrthoughtful's comment below better myself. What you call "the modern state" in your reply is a highly useful concept, similar to money or mass media (all of which can be used for bad).
His definitions are not faulty, they just don't match yours. The farmer can and should be forced to give a small portion of his sellable produce to fulfill someone elses right not go hungry.
I assume you live in the USA, a country that is currently way closer to your ideals than his. He's stated to be living in Germany, which is organised in a manner closer to the philosophy he describes. You seem to hate the way your society is organised, he seems quite happy.
The liberty to do what you want with 100% of your work without any obligations to society is... well, it's a goal some may choose to pursue, but why should we put it above things that are more important in the real world?
Disclaimer: as a western European with a center-right political attitude, I don't agree with all of what he said in his original comment, but the first paragraph and the fact that taxation is a Good Thing (TM) is pretty much common sense.
The US badly needs something like the Swiss referendum and initiative, where the population can overturn pretty much any government decision, although the executive ones are harder to get at because it goes indirectly. I think that'd shut up the "sole arbiter" complaints (disclosure: I'm Swiss). And if you then also increase transparency and accountability of the government agencies, the whole Libertarian Party starts to look as silly as it would if we had one over here.
Give me a dumb framebuffer _with_ network transparency and I'll happily shut up. If they finalise the design and only tack on networking afterwards, it'll be probably less efficient than it could have been.
I for one want them to prioritise it during the earlies phases. They are telling me (indirectly) that they probably won't do it at all and leave it to someone else. That's fine, but also means Wayland is designed to not be used by me and people like me. And when distros start pushing it as default, there will be a big ruckus... I'd rather them to be sensible and support network transparency at least as well as X11 does, and that it "just works" the first time I have a Wayland server in front of me, for all applications that don't have Wayland releases (and obviously the new ones too).
Slashdot Mirror
Just to add for clarity: of course salting is very important and highly useful, but it's only applicable when your generator has the strength of SHA-2. If you're "only" capable of doing MD5 in your head then salting has demonstrable weaknesses.
I understand your position, but I think it has flaws in general applicability.
From a more structured approach: we ask where to draw the randomness (=strength) for your password from. If your generator (boxcar+ID -> f-a2#s:d__x1y) is extremely strong, "boxcar" simply salts the projection and you can keep the ID part very short.
Is having such a complex mental generator preferable to rote memorisation of pseudorandom strings? I guess it might as well be, as the ID part can be as few as 2 characters.
But that's conditional on the strength of the generator, so when recommending a password scheme to your kids and grandmother, how confident are you that they'll not mess up? Case in point: ID=sitename as proposed in the thread branch below, so you get simply boxcarfacebook.com as login password.
I fear with many users "boxcar" would be false security when applied to all their passwords.
This used to be my main password scheme, but I've gradually shifted it out for the other one over the years.
Instead of relying on generating pseudoentropy through a memorised algorithm, it's preferrable to have a randomised and unconnected (but easily memorisable) seed in the first place!
In general, drawing additonal entropy from a highly biased source (fixed string like "boxcar") makes me uneasy (as it should everyone with a CS background).
You're either not understanding what I'm saying or need to try applying the Charity Principle more.
Um. Yeah. It kind of is. If I made a *local* html script and run it on my local machine. I'm fairly certain it's not sending passwords out cleartext over the internet. You can make it so that it just copies a result to the clipboard, etc.
Your local HTML script (a HTML file with JavaScript?) generally can't decide whether to send information to an arbitrary server encrypted or not. For example with a login web page, either the server offers TLS/SSL (the URL starts with https) to your browser, in which case you send your login credentials encrypted, or it doesn't, in which case you can't choose to send them encrypted. What you do locally is of no consequence.
As for the NSA argument, well that's several steps up from people looking at your screen in a crowded room or train. And it necessiates getting rid of the display as soon as possible. And again, throwing clear text passwords onto your drive (like you did in your bash example) is a very bad idea, I hope everyone can agree with that?
That's why it's a terrible example.
Its a standalone everything. There is no grease money. I don't try to inject my password into pages.
Hehe, not "grease money", you give off the impression as if you don't care about reading carefully what your discussion partners have to say ;)
For example, I'm assuming your script can help you remember a password to log into, say, your airline customer account you created two years ago in order to change some bookings. If it could inject it automatically into the field (say through the context menu as a Firefox or Chromium extension) from the clipboard, that'd be a nice bonus, no?
I'm aware that you can write a password vault in bash script :)
But the ggp doesn't show this and instead proposes a highly questionable example as a "quick and simple" solution, which - my point - it's not.
Besides, I don't like the "space before command" because it doesn't default to omitting history entries on zsh (you can set it up of course). And due to being a tiny visual clue... it's almost as inelegant as shooting down the session. The best way to solve this problem is to not even pose the question: don't set up your workflow in a way where you have to work around entering sensitive information on screen while often sitting in different places.
In a world where dictionary attacks weren't as common as they are, you'd be right.
That one particular xkcd always bothered me. Algorithmically, "correcthorsebatterystaple" is as secure as any other 4-token password like "hanx".
Note that "hand" would be a 1-token password and only marginally more secure than only "h" (due to a larger dictionary size, but since its order 1, we're talking about a constant factor).
So typing out the sentence only makes a difference in security if it can't be effectively tokenised to a canonical version, or if the feasible brute force attack lies above the only-first-letter version but below the typed-out version due to dictionary size difference (tokenisation cost). This is not the case with current (and near future) machines for the grandparent's examples.
It does however always make a difference having to type several dozen characters...
I made a javascript that does it locally (no sending my passwords cleartext over the internet).
It's usually not your choice whether or not to send the password in clear text over the internet, but I strongly recommend simply not using services that don't offer encryption.
But that has nothing to do with my previous comment... again: I don't want my password to be visible on screen (neither the "salt" one, nor the resulting hashed password). And if it gets saved anywhere on disk in clear text (like it does with your bash one-liner), even worse! You shouldn't present such a bad example as a viable method only to mention in a follow-up comment that you have something actually usable.
I assume your JavaScript (which presumably is geared to web logins?) shows a "password" dialog (the input characters starred) and then enters the result into the password entry field on your current web page? Is it Greasemonkey script or a plugin?
If SSH to my home computer is compromised a password to Slashdot is the least I have to worry about. SSH is also protected with Google Authenticator so I have to have my phone with me to log in with 2-factor.
Good, but I'm not sure why you bring that up. The topic is how to teach people to remember passwords to arbitrary (website among others) logins efficiently.
LastPass, SeaHorse and all the other vaults are good options with only few drawbacks (for example that you have to have the software with you). A solid mental scheme as I presented further above is another option.
Hmm, I strongly dislike the idea of sitting in a public place and typing my "salt password" visibly into a prompt (especially if it litters the bash history), and then also getting the resulting login password in clear text.
I guess you're not proposing to remember those pseudorandom login passwords, because that's a pain for dozens of accounts (and you could then simply use any input or even sites like http://www.passwordgenerator.e...)
I've been using this scheme (base word + something connected to what the service does, usually in leetspeak) for about 15 years now to help me remember passwords for obscure/rarely used accounts.
The most important insight is: use it ONLY for unimportant/throwaway stuff and PLEASE stop recommending it as a general method to people.
I have more than three dozen accounts and passwords. At some point one of those WILL be breached, probably without you ever being aware of it, and without any blame on your side. It happens even to the likes of Amazon. And then what? Anybody who takes more than 5 seconds to look at your password, or even a malicious system maintainer who grabs passwords at login, will be in a position where your passwords are just 3-4 token variations (and we're all are aware how quickly you can break 4 character passwords even by hand).
Sure, it's not very vulnerable to automation (unless somebody decides that enough people are using this and couples it to pattern matching with the service and identified base words as input, and a brute forcer), but once a human mind sets you as a target, your online world is SOL.
IMO the best password scheme is still 8+ tokens (letters like 'a', words like "house", numbers like 123) that have absolutely NO CONNECTION to the service that offers the account or to publicly available information about you.
A good pattern (among many others) is to draw from an unrelated memorable sentence at the time you are creating the account. For example if you joined Slashdot last month while listening to the news, you may have thought "Hopefully the Russian annexation of Crimea doesn't start a war" and take the first letter of every word: "HtRaoCdsaw".
Or for a shorter sentence ("Let's not have a war again") every second word: "notaagain", but note that these are only 3 tokens, i.e. as bad as a 3 character password, so you have to spice it up through punctuation and leetspeak, according to a personal scheme of yours. But the important part is that when someone discovers and understands your scheme by looking at a leaked password, they will still have no chance of cracking your other accounts because the base sentence is unrelated. And since you picked something memorable, the mnemonic hook will help you remember it for years.
Hmm, so let me go ad absurdum here for a moment...
You witness someone falling into a big water tank, the rim is just out of arms reach and it becomes obvious that person can't swim. Nobody else is around, so you're expected to walk over and give him a hand, no big deal. But you refuse, claiming that it's too much of an effort to pull up a grown person and you'd probably experience some strain pain, and might get wet... all such things that put stress/pain on your body. So you don't do it, the person drowns, you claim innocence before the law because of the sovereignty of your own body.
Regardless of the "asshole-level" of your actions, in my country (Switzerland) you'd go to jail for Failure to Rescue, which I and obviously my fellow citizens think is correct. So where do you draw the line between this example and yours?
Please elaborate a bit more on your first sentence. I don't live there, so I have to rely on Wikipedia etc., but the population of Crimea is around 2 million, out of which 58% (1.16m) are Russians and 12% (0.24m) are Tatars, with 24% Ukraininans.
If 100% of Sevastopol (population of 380'000) were Russian, that still leaves 780'000 Russians vs 240'000 Tatars for the rest of Crimea. I'd say if anything, Crimea on the whole is ethnically Russian.
Maybe you're referring to the historical development. But I don't see how 3 centuries of Tatar rule take precedence over 4 centuries of Bulgarian rule, 2 centuries of Kievan Rus' rule (both slavic) and all the others (Greeks, Goths, Huns, ....) before the Tatars arrived in the 15th century. And for the Russian rule since the 18th century, afaict the whole pretext for the subjugation was that the Crimea was slavic lands.
Your example in the first paragraph isn't really applicable: imagine if the majority of Iraq's population were Americans... completely different context.
Also, keep in mind that the USA had several opportunities to resolve the WMD inspection problem (like allowing the EU to chose the inspectors) but they always chose the escalating "my way or the highway" option. IMO it's pretty hard to argue that the primary reason for the Iraq invasion was not oil and financial imperialism. Just look at who controls all of Iraq's oil exports right now.
Not sure how that works.
If somebody just fixes a handful of characters, they aren't eligible for copyright in either the Apache or Linux code... so that sort of drive-by patchers aren't relevant for the discussion.
But if I "drive-by contribute" nontrivial code to someone with Apache commit access, that code is still under my copyright and the committer is not allowed to push it under the CLA unless I agree to the CLA as well (or resign my copyright to the committer). Which brings us back to square one.
Unless I'm completely missing something. Please enlighten me.
Got a raging one for Steam? Steam is hardly original, except maybe on Windows.
No real App Store? Are you aware that you can buy proprietary software, music, etc. in the Software Center on Ubuntu, Mint and Suse right now? Sure, it's not universal across all distros, but Fedora and Debian reject proprietary offerings on principle (and still have tens of thousands of non-proprietary programs in their sofware managers) and the rest are irrelevant in terms of market share, so Steam for Linux follows the same distribution curve.
Steam has friend lists and achievement notifications, but that's not exactly needed for an application store... while both APT and RPM are technically vastly superior (Steam doesn't even support delta updates, version hold-ups, downgrades or concurrent dependency resolution) and have been around quite a bit longer.
However, I'm pretty confident it'll find a niche because of the built-in social networking, where it has to compete with Desura. But it doesn't "standardise Linux for developers" except in the packaging (which is somewhat around 1% of a porting effort), doesn't offer "stable binary APIs" (that'd be drivers, kernel and middleware/engines) and can't hope to improve on the present library version management.
That said, yeah, it's nice to have one more option! ;)
Sorry if I've damped your enthusiasm, no offense meant, but your comment struck me as starry-eyed
I've served as field transmission soldier and command staffer in our military for 10 months... reasonable is not exactly a fitting adjective. There's no enemy (except for jokingly mentioning Lichtenstein etc.) we could hold up against, and our main defensive strategy (still basically the Reduit/Bison plan) is just WTF-ish: fully abandon the ~20 biggest cities, most of the population, all industry, nearly all agriculture and hole up in the alps waging guerilla warfare.
We're a country of 8 million and had a military strength of ~0.8 million 30 years ago (keep in mind it's a militia system, that's basically 800k Ueli's [=Joe Public] with a rifle). After the reductions are completed, we'll have roughly 80k militia by 2020. If you want to use the word "reasonable", the continuation of this trend would be a good subject to apply it on.
The military expenses remain mainly penis enlargements for traditionalists, but as has been the case since even long before the French invasion, we absolutely have to rely on allies with actually large/modern militaries (probably northern/western Europe) to bail us out should pretty much any nontrivial invader decide to give it a go.
Diplomacy is our best defensive weapon and has been sufficient for the last two centuries (also: money). Plus there's not even a remote threat on the horizon except for "The Terrorists", though tanks and artillery have not exactly proven effective against those.
Since it would be patently stupid for the Syrian regime to deploy chemical weapons given the current situation, and we can agree that Assad is somewhat intelligent (regardless of him being an asshole), wouldn't Occam's Razor dictate that the CIA had clandestine agents deploy the weapons against the Syrians in order to facilitate a strike?
They have the intelligence, agents, capability and most of all motivation. It's against some foreign population, which has been shown they don't really care about. At a very convenient point in time for the USA.
The CIA or Mossad are the most likely candidate, so that would actually be the simplest explanation, no?
</DevilsAdvocate>
The big difference between corporations and government is accountability.
Corporations nowadays are semi-directly accountable to a comparatively small group of stakeholders, and they are basically designed to be sociopaths. All I can do is vote-with-my-wallet, the feasibility/effectiveness of which is highly dependent on circumstances and usually just an after-the-fact measure.
Governments in a democratic society are designed to be fully accountable to the public, e.g. you and me. There is absolutely no problem in letting such an entity become really big, as long as it can do nothing else but represent and serve the people. Corruption is always a problem, so anti-corruption efforts should be a major goal.
Now in the particular case of the USA: I don't think you can honestly claim that this government democratically represents the interests of the population of the USA. Fix that, don't just treat the symptoms by aiming for a smaller yet still corrupt government, while at the same time (inevitably by the efforts of current libertarians) giving more power to corporations who are guaranteed to behave like sociopaths.
Limiting organisations to 100 members is interesting, but they would form coalitions of 100 members (each a 100-member organisation) and meta-coalitions and so forth (even if it's just inofficial). Not far from divisions and subsidiaries today.
Instead, I think accountability is more worthwhile (e.g. employee-owned corps)... or its little cousin, transparency (e.g. all board meetings should be broadcasted to each employee or even the public).
If by "developing its capabilities" you mean "analysing, understanding and applying NASA knowledge from the last 5 decades" to which they have full access then yes, they did that at some point and are still doing it. However, I'd be very surprised if their own research added even close to 1% to the heap. Just look at the outright silly disparity in amount, scale and scope of experiments, the size of the funding and R&D staff, etc. between the two.
They are basically a private extension of NASA with a significantly less risk averse decision making process, but also much less accountability. Not that I have anything against that, I think SpaceX is awesome, but I also do think that Tyson is mostly right.
I swear that if you took random sunsets from Google Maps and turned them into artistic-looking drawings/paintings they'd pass the "Turing test" with flying colors without any human being directly involved in the capture or composition.
Who tells the machine to take a sunset? Who enables it to choose? The artist.
This robot and any software picking & repainting google images is exactly as intelligent as the painters brush, just a bit more complex, and has no more self-initiative or creativity than a piece of wood.
Taking a picture with an expensive DSLR doesn't make the camera the artist, and mounting it on a self-driving car that randomly takes snapshots still gives all the credit to the person that built this.
And photographing the Mona Lisa with a lens that introduces imperfections (that's what is done here) is of questionable artistic value whether done by a human with a camera or a human with a robot..
Don't get me wrong, I'm often annoyed by those interpret-the-world-into-three-strokes types (likewise, literature teachers who "know" that the author meant to convey this or that theory), but pushing more of the manual work into the tool (brush or camera or robot) doesn't make it an artist. For comparison, a machine will never own a copyright under our current concept of the idea, only the user/initiator/owner/... of the machine will, no matter how automated it is.
In summary, both the guy spraying paint from his ass and the one building and programming a highly complex robot to paint pictures produce art, but it's not the robot or the rectal muscles who take the responsibility and are called artists.
Who cares about a post-apocalypse tribal society on a pre-modern tech stage trying to restore mankinds' knowledge?
Give them 10k more years and they'll manage to do it with femtocell lasers just fine. Or 50k years, it really doesn't matter, it simply shrinks compared to the idea that some cataclysm just wiped out all books accessible in the world, all professional knowledge, reading skills, parents-teaching-offspring, dozens of other information carrying media types (respectively it's usage knowledge) that would be around anyway etc. which could allow them to get up and running more quickly... but somehow left a few humans alive.
This storage type is not meant for a post-apocalypse tribal society restoring mankinds' knowledge. But some of us would be happy if the now often unreadable magnetic records from 70 years ago would have been stored on something more durable.
We have no problem paying for what we use. But we dont want to pay for the things we dont use. Like the wars, the spying, the surveillance. And the things that we do use, we want provided in a competitive market-place where abusive unresponsive or otherwise problematic suppliers cannot simply continue to bill us as much as they wish and use it for whatever they want!
I'll hijack this here, because that's an important point. One of the strongest correlators of crime is the (inverse) quality of public education [0]. Paying a small share for the education of your neighbours kids, even if you don't have any on your own, means paying for things you don't use. Yet the reduced stealing, robbing and killing 10 years down the road will benefit you personally.
If everyone has a choice, many will not pay. If you don't pay, either you expect others to and are leeching off of them, or nobody does and you don't have whatever benefits come from highly scaled solidarity/collectivism. You're losing something valuable.
IMO education and health care clearly fall under this category (and I claim most people who lived in a country with universal public health care would agree), along with the obvious infrastructural stuff. The spying, offensive wars, etc. definitely don't. As mentioned, the modern state can be used for both good and bad, and instead of removing all of it (which leaves you in a worse situation, even though Libertarians call it paradise), why not fix it by returning your government to its intended role as a servant to the people? That's the point of democracy, and the symptoms you are fighting are results non-democratic seizure of power by special interests.
You can say that there will always be corruption, or that the powers that be will not allow change, but the first can be mitigated in various ways, and if the second holds, your fight would be futile to begin with.
[0] Before anyone brings it up (aka inb4 guns), as a simple example for why gun control doesn't matter that much: check Honduras (high gun proliferation) and Jamaica (very strict gun laws), versus Switzerland (high gun proliferation) and the UK (very strict gun laws). The first two have high crime rates (and below average public education) while the second two rank lowly in world crime statistics (and have what is considered high quality public education). The main effect of gun policy is the percentage of gun related deaths and the location of crimes.
And in the system I advocate, you could say that, while in the system you defend, you cannot. Or you can, but it wont fly, of course. Find a way to refuse (difficult in europe, where the money is nearly always taxed before you get it) and you will eventually see why we say the power of the state grows out of the barrel of the gun.
If it's completely optional, in the (for the lack of a better expression) "heat of the opportunity" 500 of the 1000 will refuse because they really need the money for something specific right now, and they already helped some guy last month, and, and ....
Another 300 will refuse out of greed, another 150 will point out that they have a choice, and this doesn't match their ideology or they don't feel compelled enough morally.
So my share grows twenty-fold, can't give that much because I also divert a share of my income to maintaining our roads, electricity infrastructure, military, etc. And for some it snowballs into reducing their willingness to pledge help because it leaves them with too little disposable income. You go hungry.
Solidarity requires broad coverage to work. Voluntary charities don't cut it, at least there is no example of sufficient equivalency out there, e.g. funding a national education infrastructure or healthcare program. Also, the overhead of your proposal leads to higher bureaucracy if it is to handle a similar volume of money assignment.
But why should I try to refuse paying taxes? Excuse the crass example: try to enslave people, which might be good for your personal profit if you could keep it that way (and "some" people would do so if it were optional)... you'll still get stopped at gunpoint, presumably by the government.
I think both enforcing taxes and personal freedom is justified ethically and in terms of the net benefits, and accordingly required/guaranteed by law.
One paradox you face is that while a relatively wealthy nation with a culture that values work and production can maintain a welfare state and pay for it with taxes without destroying your productivity overnight, you still sap the very qualities that make this possible in the longer term. Which is to say, over time doing this makes you a less wealthy nation with a culture that places less value on productive work.
I require proof of that. Clearly you can't give it for now, but I'd like to point out that this is a problem of blame attribution: you see the cracks (which are always there in some form or another) and attribute them to a certain ideology you're compelled to oppose. I'm guilty of this too, it's human nature, but still not a good argument when reasoning about the merits of a system.
As for your proposed alternative, I see how Libertarian state could work in theory, but not under the requirement that it matches a metric like the GNH (yes, I'm actually serious about that) of current states. As mentioned, IMO absolutely not worth aiming for.
With regards to the "USA protecting the world", I wouldn't say the out-of-bounds spending on your military-industrial complex is benefitial to Europe's safety. Apart from that, Europe is easily second, so there's only one entity in the world we'd have to watch out for ... ;)
On Sweden: they have utterly failed in their immigration/integration policy. You can blame it on the conservatives if you like, but claiming to see the writing on the wall for their whole system is far fetched. See blame attribution above. And you'd have to elaborate on the Swedish educational system being libertarian in nature, because most Americans so far have called its current form socialist (or communist, you get my point).
Not enough. I had a very bad year, broke my leg and been out of work for months. Got me an the missus and 7 kids. A small portion aint gonna do it buddy. Now where's our food?
I'm still only going to give you a small portion of my income. 0.1% should suffice. And my 1000 friends here will too, so you'll be fully funded instantly - such is the power of collectivism. And once you don't need it anymore you'll work with net gain by yourself again, because we're living in a capitalistic economy. And society won't have a valuable contributor starved, plus one of your 7 might be the next Einstein, so it'd be a shame if he/she missed out on a complete high quality education because it wasn't free or very cheap.
Surprisingly I hear from some US citizens that this wouldn't work, which doesn't make sense since most of Europe is proof that it does.
I know that you don't want to forbid the farmer from helping (PoC), but the case for forcing him to help (within reasonable bounds obviously, though that's another debate) is far stronger IMO.
I don't understand where you see the indications that this is the path to failure, and such reasoning seems irrational to me.
Why should it lead to breakdown and not prosperity, as shown by societies that apply on a large scale (some of) what we already practise within a family.
Likewise, Marx' claims that all capitalism inevitably leads to breakdown and then communism still lack any indication of proof, and he made a highly elaborate case.
Let me ask you in return: how would a society as proposed (how I understood it) by the Libertarians not devolve into right-of-strength anarcho-capitalism? I don't see such a place as desirable to live in.
I agree that world hunger is technically a distribution problem, caused by a political problem. So how to fix this and similar issues? Obviously "fix" the entity responsible for politics, i.e. the government, only that our ideas of "fixing" are highly divergent. I've made a proposal here.
The key idea is to make the government fully accountable to the people, not remove most of it. In this regard, I couldn't have written mrthoughtful's comment below better myself. What you call "the modern state" in your reply is a highly useful concept, similar to money or mass media (all of which can be used for bad).
His definitions are not faulty, they just don't match yours. The farmer can and should be forced to give a small portion of his sellable produce to fulfill someone elses right not go hungry.
I assume you live in the USA, a country that is currently way closer to your ideals than his. He's stated to be living in Germany, which is organised in a manner closer to the philosophy he describes. You seem to hate the way your society is organised, he seems quite happy.
The liberty to do what you want with 100% of your work without any obligations to society is... well, it's a goal some may choose to pursue, but why should we put it above things that are more important in the real world?
Disclaimer: as a western European with a center-right political attitude, I don't agree with all of what he said in his original comment, but the first paragraph and the fact that taxation is a Good Thing (TM) is pretty much common sense.
The US badly needs something like the Swiss referendum and initiative, where the population can overturn pretty much any government decision, although the executive ones are harder to get at because it goes indirectly.
I think that'd shut up the "sole arbiter" complaints (disclosure: I'm Swiss). And if you then also increase transparency and accountability of the government agencies, the whole Libertarian Party starts to look as silly as it would if we had one over here.
Give me a dumb framebuffer _with_ network transparency and I'll happily shut up. If they finalise the design and only tack on networking afterwards, it'll be probably less efficient than it could have been.
I for one want them to prioritise it during the earlies phases. They are telling me (indirectly) that they probably won't do it at all and leave it to someone else. That's fine, but also means Wayland is designed to not be used by me and people like me. And when distros start pushing it as default, there will be a big ruckus... I'd rather them to be sensible and support network transparency at least as well as X11 does, and that it "just works" the first time I have a Wayland server in front of me, for all applications that don't have Wayland releases (and obviously the new ones too).