Slashdot Mirror


User: arnie_apesacrappin

arnie_apesacrappin's activity in the archive.

Stories: 0
Comments: 173

Comments · 173

  1. Re:They don't need a lab... on Superflu Being Brewed in the Lab · · Score: 1
    AND we all had the flu shot this year - I'm reluctant to think we all got shot up with a bad batch, since we each got our shots from different doctors, about a month apart.

    From what I've heard (speaking with people that read the CDC flu reports) the strains in the flu shot this past year were not those that spread widely. Basically, when the A and B strains were picked last year, the prediction wasn't that good.

  2. Re:Piggly-Wiggly? on BudNet Tracks Your Suds · · Score: 5, Interesting

    It's a southern thing. There were at one time Piggly-Wiggly knock-offs called Hoggly-Woggly. It's the same store as Kroger, Publix, Winn-Dixie or Meijer (but without clothes and other non-food goods). It just has a goofy name.

  3. Re:Geek guitar songs on Indian Techies Answer About 'Onshore Insourcing' · · Score: 1
    Being a geek and a quitarist

    Hopefully before anyone else points this out, I meant guitarist

  4. Geek guitar songs on Indian Techies Answer About 'Onshore Insourcing' · · Score: 1
    From the responses:

    The ones who play guitar know pretty much the same songs

    What songs do geeks that play guitar all know? Being a geek and a quitarist, I'm wondering if I'm missing out on songs I should know how to play. A short list of the songs I play would include:

    • Stairway to heaven
    • Dust in the wind
    • Brown-eyed girl
    • Ain't Talkin' 'bout love
    • Runnin' with the devil
    • Welcome home (sanitarium)
    • Sweet child o' mine
    • Love song
    • Enter sandman
    • Smells like teen spirit
    • Plush
    • Outshined

    of course, there are several others but those are some of my favorites. Any other geek-centric songs?

  5. Re:No Simpsons Topic? on The Simpsons Movie · · Score: 4, Funny

    I don't see what you mean. Embiggens is a perfectly cromulent word.

  6. Re:Of course rentals were going to kill these... on Disney's Disposable DVDs Deemed Duds · · Score: 1
    Let's see. I can rent a disc for $X, or I can watch a disc once for $X+C. HMMM....

    If C = -X then it sounds like a good idea . . .

  7. Re:Common Sense on Real Security? · · Score: 2, Interesting
    My first instinct, when I first read the password policy above, was to wonder whether such a restrictive policy would actually make it easier for an attacker to brute force because it shouldn't be all that difficult for an attacker to build a password cracker that simply skipped all of the enforced restrictions and only tried valid passwords. My question, for someone more educated in statistics or security than I, is this: would filtering for these password restrictions really result in a significantly smaller average search time before a match is found?

    I actually had a discussion about this when the global security counsel of a larGE company (I won't name it here ;-) I formerly worked for announced the new password policy. The policy stated that passwords were to be a minimum of 7 characters containing at least 1 lowercase letter, 1 uppercase letter and 1 number or special character.

    If you recall the days of the Lanman password hash, the hash was broken into two 8 byte fields. For passwords less than 8 characters, the second 8 bytes were always the same. Here is where the policy causes problems. According to the policy, the minimum length is 7 characters, so if we know the password is less than eight characters from the hash, we know it is exactly 7 characters.

    So now consider the imaginary case that we have a hash for a password that's less than 8 characters. The password policy tells us that we won't need to attempt any passwords 1 to 6 characters in length. It also removes any seven character passwords that don't meet the criteria above.

    Please forgive any math mistakes; these are only meant to be rough estimates. Using the character space of 26 lowercase, 26 uppercase and 42 numbers and special characters the entire password space is: 94^7 + 94^6 + 94^5 + 94^4 + 94^3 + 94^2 + 94^1 + 1 which is roughly 6.55 * 10^13. Removing the 1 to 6 character passwords reduces the space by a little more than 1 percent.

    Once you remove combinations not allowed by the policy (all lowercase, all uppercase, all numbers and special characters, lowercase plus uppercase, lowercase plus numbers and special characters, uppercase plus numbers and special characters) you take away roughly 1.47 * 10^13 possibilities, leaving about 76.5 percent of the original password space. If the policy implements positional requirements (i.e. must start with a lowercase letter) the space will reduce even further.

    On the other hand, the space is still pretty big. Keep in mind that l0phtcrack style dictionary attacks cover more than just standard OED words. If an intruder had access to the password hashes on an NT system of mine, I would be more worried about a modified dictionary attack (even with the policy you mentioned) than the password space that the intruder had to search.
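
The search-space reasoning in comment 7, worked exactly, as an added example that is not part of the original comment. It uses the class sizes stated there (26 lowercase, 26 uppercase, 42 digits and specials) and counts policy-compliant passwords by inclusion-exclusion; the function names are illustrative.

```python
from itertools import combinations

# Class sizes as given in the comment (94 printable characters in total).
CLASSES = {"lower": 26, "upper": 26, "digit_or_special": 42}


def compliant_count(length, classes=CLASSES):
    """Strings of exactly `length` chars with at least one char from every class.

    Inclusion-exclusion: for every subset of classes assumed to be entirely
    absent, count the strings over the remaining alphabet, alternating sign.
    """
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            alphabet = sum(n for name, n in classes.items() if name not in missing)
            total += (-1) ** k * alphabet ** length
    return total


def unrestricted_count(max_length, classes=CLASSES):
    """All strings of 0..max_length characters: 94^7 + 94^6 + ... + 94 + 1."""
    size = sum(classes.values())
    return sum(size ** i for i in range(max_length + 1))


def policy_summary(length=7):
    """Share of the search space left once the policy is known to apply."""
    full = unrestricted_count(length)             # no policy, up to `length` chars
    exact = sum(CLASSES.values()) ** length       # exactly `length` chars
    allowed = compliant_count(length)             # exactly `length`, all classes present
    return {
        "full_space": full,
        "exact_length_space": exact,
        "compliant": allowed,
        "short_passwords_share": (full - exact) / full,
        "compliant_share_of_full": allowed / full,
    }


if __name__ == "__main__":
    for key, value in policy_summary().items():
        print(f"{key:26} {value:.4g}" if isinstance(value, float) else f"{key:26} {value:,}")
```

Changing `CLASSES` or `length` shows how much a given composition rule shrinks the space; a longer minimum length grows the space far faster than any class requirement shrinks it.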

  8. Re:Common Sense on Real Security? · · Score: 5, Interesting
    fail to put any thought into what is needed to be effective

    I recently got into an argument with the head of the security program at the university I'm attending over a similar situation.

    When resetting my password, which was not expired, I was required to go through a 20 minute online "security training" seminar. It was only 10 questions, but the site was so incredibly slow that clicking through the 10 questions (about 3 pages per question) took 20 minutes. The questions covered the basics of security (don't give out your password, etc.). Two of the "correct" answers were technically wrong.

    After expressing my displeasure with the questionnaire and pointing out the technical problems, the administrator chastised me for "not thinking that security education was a good idea." I pointed out that I thought it was necessary, only he did a poor job of it. He missed the same thing that several security programs miss when educating the users:

    Security training is useless if the user ignores it.

    I was going to add is annoyed by it, but I can think of one security awareness activity that pissed off several people, but was highly effective.

    After weeks of notifications about laptops needing to be secured when not attended (i.e. overnight), we went on a laptop finding mission. Any person that left a laptop not physically secured to his/her desk came in the next morning to find a slip of paper telling them where they could claim their laptop. Several people were very upset, but also remembered to lock up their laptops before leaving.

  9. Re:Great, first it was Barney, then it was the gay on MPAA School Propaganda Program Examined · · Score: 1
    I prefer syrup.

    If you don't get it, see Bring the Pain, the first Chris Rock comedy special.

  10. Re:802.11 + VoIP == disaster in the making on VoIP + 802.11 = Bad News For Phone Companies · · Score: 2, Interesting
    While you may dismiss this as more anecdotal evidence, I currently have VoIP running over 802.11b in a large manufacturing environment. I wouldn't suggest VoIP over 802.11b in a multi-company building, but on a large campus it works quite well.

    The equipment is all Cisco and works flawlessly. The only time I can tell that someone is calling from a wireless VoIP phone is when I hear manufacturing noises in the background. The call quality is much better than a cell phone in my experience. Plus, you get all the features of your desk phone anywhere on campus (directory, etc.). It does mean that you lose the ability to use "I was away from my desk" as an excuse for missing a call.

  11. Re:Its coming on VoIP + 802.11 = Bad News For Phone Companies · · Score: 1
    I think they're called Microwave Ovens

    Actually, you don't need to modify the microwave at all. Any $20 Wal-Mart microwave produces enough interference to disrupt 802.11b, especially if it is significantly closer to the access point than the host.

    I support a manufacturing plant that uses 802.11b for some robots on the assembly line. During lunchtime the Wal-Mart microwaves were knocking robots offline. We ended up buying industrial microwaves that were designed not to give off excess radiation.

  12. Thanks a lot on Single-atom Laser Built at Caltech · · Score: 5, Funny
    QM just took an interesting step forward.

    Now that you've told us where QM is, we'll never know how fast it's progressing.

  13. Re:Mandatory Simpsons quote on Phone Plus Sensory Deprivation Equals... · · Score: 1
    I was actually thinking:

    I can't hear you son. I'm wearing a Jacuzzi suit.

  14. Re:Right... on What The RIAA Gets Out Of File Sharing · · Score: 4, Interesting
    Except that the car chopped for its parts hurts the automaker.

    You have a very good point. During the late 90s in Atlanta, GA there was a huge spree of air bags being stolen from Honda Civics. Turns out the dealer cost for the replacement was in the neighborhood of $500, so many "independent" shops were paying thieves $100 for a stolen one.

    From one report that I read a qualified thief could smash a window and take the airbag in something insane like 20 seconds.

  15. Re:My boss didn't lie to me. on 2002 SAGE Salary Survey Finally Released · · Score: 1
    Like the old joke:

    My boss told me we work half days here. I didn't realize he meant 8:00 A.M. to 8:00 P.M.

  16. Re:Survey is /.'d, but I need to post anyway. on 2002 SAGE Salary Survey Finally Released · · Score: 2, Interesting
    The Bush Administration is trying to make changes to the law to stop OT pay altogether for most workers and instead let the employer "repay" you by giving you time off at THEIR convenience. Interesting

    I just went through a re-org where my functionality fell under a department at a different, larger location within the company. At this location, no one gets overtime. If they put in more than 40 hours, they get the time off you speak of. My new boss sat down with me to talk about it.

    I simply pointed out that if we started this policy Jan 1 2004 and I worked about the same amount of hours that I did this year, he would have to give me October through December off. He quickly decided that paying for OT would be fine.

  17. Obligatory quote from "The Rock" on Gates Says Windows Reliability Is Greater · · Score: 5, Funny

    Losers always whine about their best. Winners go home and fuck the prom queen.

  18. Re:I think you're approaching your job wrong. on Learning to Say No in the Workplace? · · Score: 4, Insightful
    Really - I can't stress this enough. Keep your boss up-to-date on what you're doing, and let him guide your priorities. If anything or anyone is straining those priorities, let him deal with it.

    This is the absolute truth. I'm the sole Network/Network Security person for a company of about 1000 associates, spread across four sites in North America. Production down emergencies come first, but after that everything is prioritized.

    I keep a list of every outstanding task I have, and regularly ask my supervisor to look at the list to see if priorities need to be changed. That way, when people come to me with what they consider to be emergencies, I can decide where I think it should go on my list. If they find that unacceptable, they can talk to my supervisor.

    I think it also helps to explain risks when I push back on requests. When poor planning results in someone wanting a network change during the day, I explain to them that if the change they request doesn't work, it could affect all 1000 people in the company and ask if it is really that important. Anything that is actually that important usually gets support from my supervisor, his supervisor, etc.

    Trying to manage people's expectations will also help. If people know that task X takes Y days, it helps them plan and also gives you better ground to stand on when you have to push back. One of the best things I did was to put in place a policy that non-emergency changes would only occur Wednesday and Sunday nights. It fits my schedule and forces people to plan.

    A good phrase is, "Poor planning on your part does not constitute an emergency on mine." If you can figure out a nice way to say that, let me know.

  19. Re:The names may change, but on Diamonds & the RIAA · · Score: 1
    Please - any other source for this?

    From a quick search, I can't find a direct reference to cutting off the arms of children, but this article specifically mentions cutting off the arms of people sympathetic to the government.

    Other articles from the google search mention the torture of women and children, but don't go into specifics.

  20. Re:Market effects on Diamonds & the RIAA · · Score: 1
    Actually I'm comparing retail price to what you can get for it from anyone. I spent several months trying ebay, classified ads and word of mouth before I finally found the dealer that I mentioned in my previous post. Just as an example, I'll show you what ebay is like. Look at this ebay auction that ended a few hours ago. It's a .89 carat princess cut diamond with F/G color and SI1/SI2 clarity. It's set in white gold with .37 carats of baguettes surrounding it. The ring went for $956.72.

    Then go to this site and do a search for .89 carat princess cut diamonds with the same color and clarity as above. You'll find the price range in between $2200 and $3000 without a setting or additional stones. That means that the ring went for about 31% to 44% of retail. Once again, I'm comparing the price of the ring to just a stone, without a setting or additional stones.

    I realize that this is only one example, but my research said that this was actually on the high end of the norm.

    And just in case you want to talk about appraisals, the "value" you get from an appraisal is the "estimated cost to replace," not the "value" of the stone/piece.

    I'd be interested in seeing facts that indicate that diamonds have some real worth, but almost every non-DeBeer's source I have seen points to the artificial demand created by the cartel to drive up prices.

  21. Re:hey, wait a minute on Perfect Pitch for Those Without It · · Score: 1
    I totally didn't even see that with it being next to your .sig. That's actually quite funny. I guess I shouldn't post on /. when I'm half asleep.

  22. Re:hey, wait a minute on Perfect Pitch for Those Without It · · Score: 3, Funny
    That's funny, I always thought Celine Dion sounded like a dying cat.

  23. Re:The names may change, but on Diamonds & the RIAA · · Score: 4, Interesting
    Did you see Bill Maher's newest comedy special? In it he discusses the methods used by the controlling groups in Africa to keep the villagers in the mines. He said that they go as far as to cut off the arms of small children to keep the adults working.

    He then recounts the time he told this to one of his female friends. He describes her as one of the nicest people you could ever meet. After telling her that the soldiers/work masters actually cut off the arms of small children, she made a sad face and said, "Both arms?"

    That shows you the power of diamonds.

  24. Re:Market effects on Diamonds & the RIAA · · Score: 3, Interesting
    It's worth what you spend. The $5 ring is worth $5. And the $1000 ring is worth $1000

    The only problem I have with that logic is that you cannot sell a diamond for (anywhere near) what you paid for it. Ignoring the setting and assuming you spent all the money on the stone, your $1000 ring will most likely bring you $150-$200. When I went to sell a diamond I found about three dealers in the entire US that specialize in non-estate used diamonds. I was lucky enough to get almost 60% of what I paid for my ring, but it was a lot of work.

  25. Re:Sensors. on UK to Put Monitors in Every Car? · · Score: 1
    better fined than dead

    Or another one like:

    Better to be judged by twelve than carried out by six.