Slashdot Mirror


User: KMitchell

KMitchell's activity in the archive.

Stories: 0 · Comments: 46

Comments · 46

  1. Re:Bad passwords are not always the user's fault. on A Brief Sony Password Analysis · · Score: 5, Insightful

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    Nothing inherently wrong with writing down passwords. You move from "something you know" to "something you have". As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

  2. Re:Not ID theft! on Sony To Offer Free Identity Theft Monitoring · · Score: 1
  3. Re:Took long enough... on Ambidextrous Linux/Windows Virus · · Score: 1

    "For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

    Crap. Does anyone know where I can get some antivirus SW for my PET?

  4. Re:Gotta love SSH tunneling on SSH Tunnels How-to? · · Score: 1

    Your job is to get work done, and act in the best interests of your employer. If you are doing both, no good manager will complain.


    Which is why the GP is likely not a troll, but an InfoSec person (coming off like a know-it-all/asshole/troll is sometimes an occupational hazard when wearing that hat) as the usability vs. security tradeoff swings all the way to the far right and legitimate users are criminalized for legitimately trying to get work done.

    In all fairness, part of the problem is that "good managers" typically swing to the far left ("just get work done") so there is some provocation for the attitude.

    Bottom line is, in a perfect world, you could formally document your suggestion and present it for review under your organisation's change control procedures and have something positive happen, but I'd ask the GP to honestly consider what his (gender assumption) reaction would be if a request to use an alternative form of authentication/access control rather than the "approved" VPN solution landed on his desk. I'd expect it would be similar to some of the derisive quotes in the GP's post.

    InfoSecurity has been evolving for a while and is struggling with the very difficult challenges of securing data on, and access to, insecure machines connected to an insecure Internet. All you (as a mere "user") can do is try to influence policy to balance security with your need to actually get work done.

    Oh, and I'd agree with the GP's suggestion to read any AUP docs that you're asked to sign, and suggest that you note any amendments that you feel are applicable for you to do your job.

  5. Re:TPM would disappear??!! on Surefire Way To Stifle Innovation · · Score: 1
    After reading the FA *only* to find out what TPM was (since the rest was even at a quick glance the "same-old-same-old") it hit me that the RIAA should turn to Celebrity Jeopardy for a "friendly-sounding" name for their technology that doles out what you can do with media:


    an album cover


    It's even Retro!

  6. Sad comments on a great book on Perl Best Practices · · Score: 3, Insightful
    ...The same tired "Perl is a write-only scripting language that looks like line noise. XXXX is much cooler" If XXXX works for you, have a blast. Hell, maybe there's a good book about it and you can make those insightful comments in a review about *it*. You can write unmaintainable code in *any* language.


    More to the point, you will write crap in any language if you don't understand the conventions, idioms, and best practices of the language.


    Perl is a lot like Lisp. You need to think in terms of lists before you see anything but the sigils and you tend to write "C in Perl". Further, until you see *good* Perl code, it's hard to know any better. Before this book, the book I'd refer people to was "Effective Perl Programming" by Hall & Schwartz. The goal was to get beyond "baby talk" and use the language well.


    I'm about 130 pages into "Best Practices" and I like the book a lot. It's definitely on the required reading list for any Perl programmers that we hire.


    I can't say I agree with Damian about *all* the conventions (I really *like* "unless") but I agree with most of them, and having met him once, I'll admit that he knows more about Perl than I'm ever going to know, and more about computing languages and PROGRAMMING best practices than most of the people that have responded to this topic.


    If you code in Perl often enough that you wish your code was better, you should pick up this book.

  7. Re:Movies aren't scientific!? on Pentagon Wants Screenplays From Scientists · · Score: 1

    I challenge anyone who thinks movies today aren't scientific to watch the original Jurassic Park.

    "Hey this is Unix. I know Unix"


    Right up there with the product placement for Stevens' "Unix Network Programming" at the end of "Wayne's World 2"

    That's a UNIX book... cool

  8. Re:Multiple death sentences ... on U.S. Scientists Create Zombie Dogs · · Score: 1
    Hey, now if someone's sentenced to multiple death sentences, you can kill him, revive him, and kill him all over again.

    One of the best series I've ever read goes into some of the implications of multiple death sentences:

    http://mostlyfiction.com/scifi/simmons.htm

    ...though the "practical" implications aren't really explored until Endymion

  9. Ben's "certain POV" on 7-Year Old Prequel Fan On ANH · · Score: 4, Insightful

    While watching ROTS, as Obi-Wan picks up Anakin's lightsaber--leaving him to burn to death--all I could think of was the ANH quote "your father wanted you to have it when you were old enough" and damn, was that a stretch. Makes the "betrayed and murdered your father" seem pretty reasonable by comparison...

  10. Re:my favorite quote on Sony's New DRM Technique · · Score: 4, Funny

    "Trying to make bits uncopyable is like trying to make water not wet."
    --Bruce Schneier


    I'd add the following:

    "Anyone who says differently is selling something"
    --Westley, The Princess Bride

  11. Killer App for this: MPEG decompression in HW on Open Graphics Project Looking For Funding · · Score: 4, Interesting
    While I agree there's no way for this board to beat the big boys in 3-D, I'd suggest that building the "reference card for MythTV" should be an early goal.


    Nvidia and ATI have yet to really address the MythTV crowd with a passively cooled, inexpensive (who cares about 3D specs for their myth box?) AGP card that can do all the heavy lifting of decoding HD MPEGs.


    pchdtv.com and mythtv.org are pretty much the only places you'd need to "advertise".


    You've got a community of enthusiasts that understand the point of open specs, are willing to experiment with hardware to "get it right" and aren't being well served by the incumbents. Sounds like a match to me...

  12. h2g2 Geek Cred dropping on Stewart Brand on 'Environmental Heresies' · · Score: 3, Informative
    What we all need is an Arthur to keep us depressed and sleeping darkened rooms.

    Unless the odd grammar above somehow changes the meaning of the sentence, I think Marvin was who you were going for there...


    As long as I'm nitpicking, when I think of "an Arthur" I think of http://www.thetick.ws/car8.html

  13. Re:Firefox for the masses... on Firefox Continues to Bite into IE Usage · · Score: 2, Interesting

    I would probably label it Help me choose and put a "grandma friendly" second dialog box up that requires a specific "ok, I understand the risks" selection to not bail. Style-points aside, that's a brilliant idea.

  14. Re:Cool hack... on GMail Drive Shell Extension · · Score: 2, Funny


    But would you trust it? Would you REALLY want to use a hack on top of something that somebody else provided for free for your mission-critical data?


    Of course not. I'd only put my mission-critical data on RAIGA (Redundant Array of Individual/Inexpensive GMAIL Accounts)

  15. Re:email on AOL-Yahoo-MSN Messaging Unified... in the Workplace Only · · Score: 1

    imagine only being able to send an email to someone with the same service

    Imagine it? Some of us lived it. Then things got "better" in the early '90s and you could gateway mail between services by hand:

    http://www.nelson.planet.org.nz/faqs/Updated_Inter-Network_Mail_Guide

  16. Re:Classic example of leveraging facelessness... on Best Buy Says Customers Not Always Right · · Score: 1
    Could you imagine customers putting up with this kind of stuff in a face-to-face setting? You walk into the bank, and they tell you to go to the "poor people" line?


    Fleet Bank (now/soon to be Bank of America) has been doing this for years with a special teller for "premier" customers. Same deal as 1st class lines at airports. Many corps in the past had special 800 #s for "better" customers (1-ring, no hold etc). This just looks like a more transparent way to do the same thing.

  17. Re:Movie go'ers who haven't read the book.... on Hitchhiker's Guide Film Reports · · Score: 1
    Combining the two, I initially read THHG and LOTR fairly close to each other (within a few months) and decided that the Question was "how many orcs did Gimli kill?"


    Recently watching the extended Two Towers DVD, it seems that Peter Jackson decided to make it 43 instead. Now Legolas weighs in at 42... No idea why this was changed from the book...

  18. Re:Is there anything in there... on Practical mod_perl · · Score: 3, Informative

    Not having read this book yet (though I just ordered it), I don't know if there's anything in the book to help you, but there ARE some things you can do with just access to httpd.conf.

    Since mod_perl compiles the perl code and keeps it resident in your apache children, code that isn't designed for mod_perl can eat a ton of memory. It's often pretty straightforward to fix this kind of thing, often just by "preloading" some modules. Taking it at face value that you have ABSOLUTELY no control of what code is running on your server, what you need to do is have Apache limit how big Apache children can grow.

    Check out the mod_perl docs on child memory size: http://perl.apache.org/docs/1.0/guide/performance.html#Preventing_Your_Processes_from_Growing

    Summarizing, play with MaxRequestsPerChild if you're "in a hurry" and check out Apache::SizeLimit or Apache::GTopLimit if you have the time/inclination to do something less heavy handed.

  19. Re:Challenge/response spam filtering on FTC Chief Bashes Anti-Spam Bills · · Score: 1

    I agree with grandparent, C/R is a lame response to spam. It puts the burden of your spam problem on those legitimate users that may want to mail you. Forgetting the technical problems, that's just rude. I am *not* your spam filter and, like parent, if I receive a C/R response I will just ignore it.

    Email has changed. One way or another, you're going to have to cope. Some buildings have doormen that "challenge" you before you can go up to an apartment. If that offends you so much that you won't visit an apartment, I guess you didn't care enough to see someone. Same deal. It's a screening process that tries to be as non-invasive as possible.

    But I guess the important thing is that you weren't bothered by the 0.5% of the spam that might get past a good Bayesian filter.

    So... can you explain to me again why C/R is such a good thing?


    You just did a pretty good job, yourself. Add up the hours you spend trying to keep your "good Bayesian filter" hitting at 0.5% over an extended period of time, plus the time you spend checking your spambox for false positives, and compare that with my "spam free existence". My mail works cleanly with minimal effort on my part and that of those I correspond with.

  20. Re:Challenge/response spam filtering on FTC Chief Bashes Anti-Spam Bills · · Score: 5, Insightful

    If you email me and get my "prove you're not a spammer" TMDA autoreply then you've never corresponded with me before (with the email address you're using). Any previous correspondence (to or from) and you won't get the autoresponse.

    If you care enough to send email to me, you care enough to "hit reply" one time for a "new address". If I started the "conversation" you shouldn't ever get an autoresponder message.

    Challenge/response breaks the whole concept of e-mail.

    No. Spamming broke the concept of email years ago. The only question is how to fix things. Based on the hoops you're going through with SA, your email sounds just as broken. Been there, done that. If you don't want to email me, I'll cope somehow.

  21. Re:Whitlisting alternative on Trustic Anti-Spam Service To Close · · Score: 1

    I used to get about 50-100 spams/day. I now don't get ANY spam (using TMDA). It took a fair amount of work to set up but in daily use it's transparent. Any outgoing mail automatically gets added to the whitelist so no one replying to your mail has to know that you're doing any of this.

    I used to run a variety of filter-based anti-spam stuff (homegrown and SpamAssassin) and the occasional false-positives kept me constantly checking my "spamtrap" filter. Major PITA.

    What I've found since using TMDA is that I've started whitelisting email newsletters/ads that I had previously considered "spamlike", simply because I now have far more bandwidth for email (human, not network). It's a huge difference to have "1 new message" instead of a hundred (of which 99 are crap).

  22. Re:Whitlisting alternative on Trustic Anti-Spam Service To Close · · Score: 1

    The solution to this is tagged addresses. This is what TMDA uses (dunno anything about port995.com).

    The basic deal is that you tell amazon.com that your email address is someuser-amazon-cryptochecksum@foo.net instead of someuser@foo.net. Any mail sent to that address gets right through to your mailbox. If Amazon ever starts spamming you, you revoke the address. TMDA has some front-end tools to make generating the addresses (handling the crypto) pretty painless.
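    The whitelist-on-correspondence logic of comments 20 and 21 and the tagged-address scheme of comment 22 fit together in one small mail filter. The following is an added illustration, not TMDA's code: the address layout user-keyword-mac@domain is modelled on the comment's someuser-amazon-cryptochecksum@foo.net, the "cryptochecksum" is assumed to be a truncated HMAC-SHA256 over the keyword under a per-user secret, and the challenge token/confirm step stands in for TMDA's real confirmation addresses.

```python
import hashlib
import hmac
import secrets


class TaggedMailFilter:
    """Whitelist + tagged addresses + challenge/response for one mailbox.

    Added example, not TMDA's own implementation. Address layout
    user-keyword-<mac>@domain and the 12-hex-char HMAC truncation are
    assumptions modelled on the comment above.
    """

    MAC_LEN = 12  # hex chars kept from the HMAC (assumption)

    def __init__(self, user, domain, key):
        self.user = user.lower()
        self.domain = domain.lower()
        self.key = key              # per-user secret; never leaves the server
        self.whitelist = set()      # senders who go straight to the inbox
        self.revoked = set()        # keywords whose tagged address was burned
        self.pending = {}           # challenge token -> held (sender, body)
        self.inbox = []             # delivered (sender, body)

    # --- tagged addresses ------------------------------------------------
    def _mac(self, keyword):
        digest = hmac.new(self.key, keyword.encode(), hashlib.sha256).hexdigest()
        return digest[: self.MAC_LEN]

    def tagged_address(self, keyword):
        """Address to hand to one correspondent, e.g. keyword 'amazon'."""
        return f"{self.user}-{keyword}-{self._mac(keyword)}@{self.domain}"

    def _keyword_for(self, rcpt):
        """Return the keyword if rcpt is a correctly tagged address, else None."""
        local, _, domain = rcpt.lower().rpartition("@")
        if domain != self.domain:
            return None
        head, _, mac = local.rpartition("-")
        user, _, keyword = head.partition("-")
        if user != self.user or not keyword:
            return None
        # Constant-time compare: a forged checksum must not leak which bytes match.
        if not hmac.compare_digest(mac.encode(), self._mac(keyword).encode()):
            return None
        return keyword

    def revoke(self, keyword):
        """Burn one tagged address once that correspondent starts spamming."""
        self.revoked.add(keyword)

    # --- mail flow -------------------------------------------------------
    def send(self, rcpt, body):
        """Outbound mail: whoever I write to is whitelisted and never sees a challenge."""
        self.whitelist.add(rcpt.lower())

    def receive(self, sender, rcpt, body):
        """Inbound mail. Returns 'delivered', 'bounced' or 'challenged:<token>'."""
        sender = sender.lower()
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return "delivered"
        keyword = self._keyword_for(rcpt)
        if keyword is not None:
            if keyword in self.revoked:
                return "bounced"
            self.inbox.append((sender, body))
            return "delivered"
        # Unknown sender on the bare address: hold the mail and challenge once.
        token = secrets.token_hex(8)
        self.pending[token] = (sender, body)
        return f"challenged:{token}"

    def confirm(self, token):
        """Sender answered the challenge: whitelist them and release the held mail."""
        held = self.pending.pop(token, None)
        if held is None:
            return "unknown"
        sender, body = held
        self.whitelist.add(sender)
        self.inbox.append((sender, body))
        return "delivered"


if __name__ == "__main__":
    # Constructed sample traffic, not captured mail.
    f = TaggedMailFilter("someuser", "foo.net", key=b"per-user-secret")
    amazon = f.tagged_address("amazon")
    print(amazon)                                                  # someuser-amazon-<mac>@foo.net
    print(f.receive("orders@amazon.example", amazon, "receipt"))   # delivered
    f.revoke("amazon")
    print(f.receive("orders@amazon.example", amazon, "promo"))     # bounced
    print(f.receive("stranger@baz.example", "someuser@foo.net", "hi"))  # challenged:<token>
```

    Mail to a valid tag is delivered without whitelisting the sender, so revoking the keyword is enough to close that door; a forged tag (wrong checksum) falls through to the ordinary challenge path rather than being rejected outright, so an attacker learns nothing about which keywords exist.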

  23. Re:How much does this actually help? on TiVo Data Collection Ramifications · · Score: 1
    That's true for programming that you're watching delayed, but as the article noted, certain programming tends to be watched live even by people with PVRs. I hate watching hockey delayed on my Replay box and once you're back to "live" programming, you're back to watching the commercials...


    What is likely to happen from this kind of research (if PVRs really get big) is that ad time for sports and "must-see" "talk about around the water cooler the next morning" programming will become really pricey and everything else will drop.


    --Ken

  24. Disposable Email addresses on Using gzip As A Spam Filter · · Score: 1
    The problem with mail addresses is that you have no control over their spread. If I give one to a company it'll usually leak out in the end and it's open season on my inbox.


    I came to this realization driving home from work one night. My immediate follow-up thought was, why not make email addresses disposable, with a nice automated interface to control which ones will fwd to your "real" mailbox? I had worked out a rough framework for how I'd implement this at a site-wide level by the time I got home, only to discover that I wasn't the first one to come up with the idea. A quick google search on "disposable email address" found about half a dozen services that do (more or less) what I'd hashed out.


    Doesn't solve everything, but it does give you a lot more control when choosing what to put in the "email" form when you buy something online :)

  25. Re:Is all code like this? on Linux Kernel Code Humor · · Score: 5, Informative
    Um, I have to disagree with this. It really depends on the shop. If by professional you mean formal code reviews by peers, perhaps that would limit some of this stuff. Knowing that you have to stare down a bunch of co-workers is a pretty good way to cause self-censure. Even then it really depends on the attitudes of the people that are going to be looking at your code. Some groups are really anal about comments and others couldn't care less if the code works.


    Now when the customers SEE these msgs, you really get to see what kind of company you work for... at a former gig we had a debug mechanism which caused a debug msg to be displayed when the program crashed in debug mode. Theory was, the customer would never see these msgs but they were helpful for debugging. Some customer happened to run "strings" on the executable and, since they're compiled in (unlike comments), got to see a whole lot of messages along the lines of "we should never get here" etc. Kind of funny, really. The customer thereafter put out an annual list of interesting strings found in the program and everyone got a chuckle out of it. None of my comments ever made the list tho ;)