Yes, because clearly paying taxes isn't a return on the government's investment.
The money for student loans comes from private banks, not the government. The government sets up the marketplace for student loans and provides a small amount of subsidies, but the money you owe is owed to a private institution, not the government.
those highly educated people who are returning to China and India are bringing knowledge and skills that will allow them to replicate some of the wonders of California in India and China. How is that a bad thing?
Whether it is good or bad depends on which side of the ocean you are on. As an American, I think it is terrible that we are losing brilliant people. It is these types of people that advance the state of the art and create new companies and industries. Because I am selfish, I want that to happen in my own country so that I can benefit from this.
For those in China and India, this is obviously a great thing. It means that they are starting to be able to compete with the US for the best and brightest. Instead of watching their brightest stars go to the US and get rich creating jobs for Americans, they get to have this right in their backyard.
I agree with you that this is a natural part of free trade, but that does not mean we have to just accept it. This should be a wake-up call to us that we have to compete harder than ever before to keep the smartest people here. In the past, we could win this competition without even trying, but now we will have to start working at it.
Considering how much red tape and utter nonsense is baked into the system it isn't any surprise that a lot of educated people want the hell out of here.
This is completely true because our immigration system was designed to solve a very different problem. The current system is designed to keep people out to protect jobs. This generally means keeping out unskilled labor who would compete with unskilled Americans for low wage jobs. When politicians try to reform the immigration system, they are hounded with accusations that hordes of Mexicans will cross the border and take all of our jobs.
The real problem, though, is that the US must compete to keep the smartest workers. In our economy, the country with the smartest labor pool will win. We need to do anything we can to keep smart people here. If you think outsourcing is bad, wait until we have to start competing with companies that are purely owned and operated by Indian and Chinese entrepreneurs with a lower cost base than we can ever hope to achieve. The thought of Bangalore being a serious rival to Silicon Valley is a scary proposition. It is also something that we can prevent by making it easy for smart people to stay in this country and create these companies here.
we educate foreign students at the cost of displacing domestic students
I would like to see some evidence to back that claim because that does not match my experience. In my CS department, US citizens are almost automatically accepted into the graduate program, while foreign students have to compete with each other to get in. (My professor is on the admissions committee.) The reason is that there are so few US citizens that apply that they have to take as many as they can get. The only people being turned away are foreigners who got beat out by more qualified foreigners.
The fact is that the US has half of the world's colleges and universities. It is the large number of foreign students that allows us to have so many universities and that gives domestic students a wide range of choices.
I'm not complaining about the vagueness. I think it is necessary to keep up with the times. But there are many people who are very concerned about the extent to which the Commerce Clause, for example, has been stretched in the past. I suspect that our current Federal Government is much larger than most of our founding fathers would have imagined. I don't necessarily have a problem with that, but Libertarians and the Ron Paul branch of the Republican party certainly do. The vagueness in the constitution will always be a source of contention, but that gives our system a lot of flexibility.
And when will everyone wake up and realize that the government isn't granted authority by the constitution it is RESTRICTED by the constitution.
Actually, the constitution both grants and restricts the government. Congress has the authority to pass laws because the constitution grants it. The President is the commander-in-chief because the constitution grants him that authority. The constitution also restricts the scope of these powers by drawing (often vague) boundaries around those powers.
Whether individuals are granted freedoms by the constitution is often a controversial statement. When people get nominated to the Supreme Court, they are often asked if they believe there is a "right to privacy". If you think rights are granted by the constitution, then you kind of have to say no because it clearly does not say that. On the other hand, there is a line of thinking that says that individuals have inherent rights (the Declaration of Independence makes that argument) and so the constitution need not grant those rights. The bill of rights in the constitution protects those rights by explicitly constraining the government. In that thinking, a "right to privacy" may very well exist.
The DOE and DARPA (and others) are huge users of HPC (high performance computing) applications. They have a vested interest in having the state of the art advance in parallel computing and so they tend to provide lots of research grants to fund that. They also routinely let outsiders use some of their computing facilities for the same reason (not all of their labs do classified work). There are many computing facilities that need enormous computing power as shown on the Top 500 list. But they are seeing that there are times where researchers need computational power, but not at such a large scale and not for long periods of time. If medium powered computational facilities could be made available to researchers cheaply and quickly, they would be widely used.
I think the point here is that Microsoft's behavior is being driven by the market. The market is clearly saying that they like a lot of the FOSS solutions. If Microsoft tries to pretend like these solutions do not exist, then they will allow a software ecosystem to develop in which they have no influence. A dominant player simply cannot allow that to happen.
In the case of FOSS, there is no way to bankrupt or buyout the competition. They still try to compete with marketing FUD, but it is obvious that that is only good for trying to slow the growth of FOSS.
This isn't about Microsoft turning over a new leaf. The real story is that market acceptance of FOSS solutions has grown to the point where none of the major players (including Microsoft) can afford to ignore it. For someone like me who has used Linux seriously for 15 years, seeing this kind of growth and acceptance is amazing. Linux used to be ignored, but now it is respected.
Related, in that regular people may not realize what they're doing but why would you use Gmail, Hotmail, or Yahoo for financial communications?
Why not? I don't see those as being any more or less secure than any ISP's normal email services. Email is fundamentally insecure anyway. Most people have one email address that they regularly use and so that is what will be provided to financial institutions.
However, my ISP allows users to use a whitelist [wikipedia.org]. I have an online address book and only email from someone in it is sent directly to my inbox.
But that has nothing to do with security. Your "suspected" folder contains all messages that did not make it past the whitelist filter, but that does not mean that you can trust what the whitelist filter allows through. It is trivial to send an email that matches what you think a legit banking email will look like.
I think the reason that most people don't realize that email can be trivially forged is because it is such a stupid idea to design a system like that. It can't possibly make sense for me to sit here in the comfort of my home and send an email to you that looks like it came from Bank of America and so non-experts assume that there must be some sort of mechanism to stop that. That is a very reasonable assumption, and we engineers are morons for not providing a communication abstraction that lives up to that.
The question is, why is someone that "non-technical" in charge of cybercrime for the FBI?
He is not in charge of cybercrime. He is the director of the entire FBI. I imagine that he has a huge amount of knowledge of things you and I know nothing about so I am willing to cut him some slack. We engineers have built a communication system that looks simple and secure to average folk and yet actually requires the detailed knowledge of how it all works to use it securely.
Every time one of these stories comes up, I am troubled by the attitude that is taken in so many Slashdot comments that the victim (or near victim) must be a complete idiot. We make a system that makes it far too easy to deceive people and then ridicule the victim for being tricked. We will never be able to improve the situation with this attitude.
It is right to be suspicious of any email claiming to be from your bank, but the fact is that my banks have sent me legitimate emails from them. Those emails have never been digitally signed so verifying their authenticity is tough. So the banks have some responsibility for using email in an unsafe way. But what if they did sign their emails? Well, it still wouldn't matter because Gmail and Yahoo and Hotmail have no provision for verifying digital signatures so the tools used by millions lack a fundamental security feature.
Actually, though it doesn't reduce the set much, there is a bias: If you are a paranoid admin, I know not to bother trying dictionary words or other basic stuff.
That is technically true, but in reality that makes no difference to the amount of work to be done. Let us assume that we know that a password is 8 characters and that it uses only letters (upper and lower case allowed) and numbers. Each character of the password has 62 possibilities. The total search space is 62^8 > 200 trillion. The number of words you will get from the dictionary is around 200,000. This is less than the rounding error in the approximation that I just gave.
Even in the simple case I gave, the state space is huge. In reality, it is even bigger because most systems allow special characters in the password and much longer passwords.
News at 11: once you have been compromised, you're sunk. Time to reimage or rollback the VM.
Anyone interested in log monitoring should already know that.
Since this sub-thread is about log monitoring, your comment was, er, offtopic/superfluous, although I suppose you got the Interesting mod for the TSA story.
Oh please. Why not actually participate in the conversation instead of complaining that the mods don't see things your way.
We all know what to do in the event that a compromise is detected. But how do you detect the compromise? My (very relevant) point is that you cannot trust anything on something that might be attacked to tell you whether it is compromised or not because it might be compromised. System logs give you valuable information if the system can be trusted but you cannot use them to determine whether to trust the system or not.
My server just mails me its daily security run, and most days there is a couple of brute force attempts.
Of course if the server were compromised, would you expect it to mail you a log that showed that it was compromised? If someone gets in with root access (and they know what they are doing), they could just modify the logs to not show what just happened. As long as you keep getting the same type of security summary, you will be happy.
It reminds me of a time I was in an airport going through the TSA security line to go into the terminal. The agent checked my ID and boarding pass and then got distracted by a bunch of flight attendants she had to let through. She then turned back around and asked me if she had checked my ID. I gave her a hard time because in this system I am assumed to be untrustworthy until she says otherwise so she shouldn't trust anything I tell her.
The point is that if something is a potential attack vector, then you must assume that any information it gives you might be a lie.
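The comment above argues that a host which may already be compromised cannot be trusted to report its own compromise, since root can rewrite the logs. The usual mitigation is to ship each log entry off the box as it is written and to authenticate entries with a key that evolves after every record, so that a later intruder no longer holds the key that authenticated earlier entries. The following is an added illustration of that forward-secure, hash-chained logging idea; it is not code from the original thread, and the sample log lines, the seed key and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample entries, in the style of the "daily security run" mentioned above.
# 198.51.100.0/24 is a documentation range, so the address is not a real host.
SAMPLE_LINES = [
    "sshd: Failed password for root from 198.51.100.7 port 51022",
    "sshd: Failed password for admin from 198.51.100.7 port 51023",
    "sshd: Accepted publickey for deploy from 198.51.100.40 port 40111",
]


def next_key(key: bytes) -> bytes:
    """Derive the next per-entry key from the current one.

    The step is one-way (SHA-256), so holding key_{n+1} does not reveal key_n.
    """
    return hashlib.sha256(b"log-key-evolve:" + key).digest()


def entry_tag(key: bytes, index: int, message: str) -> str:
    """HMAC over (index, message) with the key that is current for this index."""
    data = f"{index}:{message}".encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Append-only log kept on the monitored host.

    Only the *current* key lives on the host; every earlier key has been
    overwritten by next_key(), so an intruder who gains root afterwards cannot
    re-tag entries that were written (and ideally already shipped off-box) before
    the break-in. Entries written after the break-in are of course untrusted.
    """

    def __init__(self, seed_key: bytes):
        self._key = seed_key
        self.entries = []  # list of (index, message, tag_hex)

    def append(self, message: str) -> str:
        index = len(self.entries)
        tag = entry_tag(self._key, index, message)
        self.entries.append((index, message, tag))
        self._key = next_key(self._key)  # the key that made `tag` is now gone
        return tag


def verify(seed_key: bytes, entries, expected_count=None):
    """Off-box check run by the collector that holds the seed key.

    Returns None when every entry verifies, otherwise the index of the first
    entry that is missing, reordered or modified. Truncation of the tail can only
    be noticed if the verifier knows how many entries it should have received.
    """
    key = seed_key
    for position, (index, message, tag) in enumerate(entries):
        if index != position:
            return position  # gap or reordering
        if not hmac.compare_digest(entry_tag(key, index, message), tag):
            return position  # modified entry
        key = next_key(key)
    if expected_count is not None and len(entries) < expected_count:
        return len(entries)  # tail was dropped
    return None


if __name__ == "__main__":
    seed = b"constructed-seed-key-shared-with-collector"
    log = ForwardSecureLog(seed)
    for line in SAMPLE_LINES:
        log.append(line)
    print("clean log verifies:", verify(seed, log.entries) is None)
    # Simulate root on the host "cleaning" the accepted-login line after the fact.
    tampered = list(log.entries)
    idx, _, tag = tampered[2]
    tampered[2] = (idx, "sshd: (nothing to see here)", tag)
    print("first bad entry:", verify(seed, tampered))
```

The collector, not the monitored host, keeps the seed key and does the verification, which is the whole point of the comment: the judgement about whether the box is trustworthy is made somewhere the box cannot reach.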
Port knocking is a good way to conceal that ssh is available.
I guess it depends on what type of attacker you are trying to protect against. For attackers that are trolling around looking for easy targets, then things like this that add obscurity probably make sense. On the other hand, if I were in charge of a high value target, then I probably wouldn't bother. A high value target will have knowledgeable attackers who are very focused on exploiting you. In those cases, things like this are only mild inconveniences that will not make them give up. The port knocking sequence needed to open up ssh is not exactly a secret. It gets exposed in the clear to the network on every ssh connection. For high value targets, I would actually want the system as simple as possible to reduce the possibility that a bug in one of the obscurity features actually becomes the attack vector.
Using port knocking is like locking my car door. It makes it harder for lazy, stupid thieves to get into my car, but it does absolutely nothing for someone who really, really wants to steal my car because a good thief can bypass it in a trivial amount of time.
Now notice I said can. There is no guarantee that it will be successful. But there is a guarantee that you will not need to comb through all 292 billion possible combinations to get access so dwelling on that number is misleading.
You are not understanding how the total number of possible passwords affects things. With a secure password, there is no bias so there is no ordering of the total possible passwords to improve your odds. Everyone knows that you will almost never have to guess all of the possible passwords. The odds of hitting the correct password on that final 292 billionth password is the same as hitting it on the first guess.
The proper way to use the number is to look at how many guesses will get you at a 50% probability of getting the right password. Let's say that you figure someone could guess a million passwords before you change your password. To cause the attacker to have less than a 50% chance of success, you need to have at least 2 million possible passwords. For a 25% chance, you need 4 million. For a one in a million chance of success, you need 1 trillion possible passwords.
So the key numbers are the number of possible attempts that a system will allow in the time frame that a given password will be valid and what is the ratio of the number of attempts to the total password space. The nice thing is that adding one additional character greatly increases the password space and causes an exponential growth in the amount of passwords an attacker must try to have an x% chance of success.
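The two password comments above (the 62^8 search space versus a 200,000-word dictionary, and the attempts-to-space ratio that fixes the attacker's odds) are simple enough to carry through in code. The block below is an added example, not from the original thread; it uses the comment's own figures (62 symbols, 8 characters, a 200,000-word dictionary, one million guesses per password lifetime) as constructed inputs and generalizes the "50% chance" reasoning to any 1-in-N success bound and to the minimum length that meets it.

```python
import string

# Inputs taken from the comments above (constructed, not measured).
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols
DICTIONARY_WORDS = 200_000
GUESSES_PER_LIFETIME = 1_000_000


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def dictionary_fraction(alphabet_size: int, length: int, words: int = DICTIONARY_WORDS) -> float:
    """Share of the space an attacker can skip by knowing no dictionary word was used.

    For 62^8 this is below 1e-9, which is the comment's 'rounding error' point.
    """
    return words / search_space(alphabet_size, length)


def success_probability(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct attempts hit a uniformly random password.

    With no bias in the password, each unique guess has the same 1/space chance,
    so the probability is simply guesses/space (capped at 1).
    """
    return min(guesses, space) / space


def required_space(guesses: int, one_in: int) -> int:
    """Smallest password space so that `guesses` attempts succeed at most 1 time in `one_in`.

    one_in=2 is the comment's 50% bound, one_in=4 is 25%, one_in=1_000_000 is
    one in a million. Integer arithmetic keeps the result exact for large bounds.
    """
    return guesses * one_in


def min_length(alphabet_size: int, guesses: int, one_in: int) -> int:
    """Shortest password (over this alphabet) that keeps the attacker's odds at or below 1/one_in."""
    need = required_space(guesses, one_in)
    length, space = 0, 1
    while space < need:
        space *= alphabet_size
        length += 1
    return length


if __name__ == "__main__":
    space = search_space(len(ALPHANUMERIC), 8)
    print(f"62^8 = {space:,}")
    print(f"dictionary removes {dictionary_fraction(62, 8):.2e} of the space")
    for one_in in (2, 4, 1_000_000):
        print(f"1-in-{one_in}: need {required_space(GUESSES_PER_LIFETIME, one_in):,} passwords,"
              f" i.e. {min_length(62, GUESSES_PER_LIFETIME, one_in)} alphanumeric characters")
```

Note that `success_probability` assumes distinct guesses against an unbiased password; a guessing strategy that repeats attempts or a password drawn from a predictable subset changes the odds, which is exactly why the comments stress an unbiased choice.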
I agree that the pace is a bit of a problem. It was really bad for the PATRIOT act. One thing that you and I don't see, though, is that there is a great body of legislative language already out there waiting for an opportunity to go into a bill. People have been coming up with and studying health care proposals for decades. Putting together the bill means taking a piece from group A's FOO proposal and a different piece from group B's BAR proposal and mashing that all up together. Everybody who is an expert on health care policy already knows who A and B are and what is in FOO and BAR which means that a huge bill can be crafted overnight and everyone (who matters, anyway) knows exactly what is in it and not a single person has actually read it.
The killer in the current health care debate is cost. Many of the proposals are well thought out and vetted, except for where the money will come from. People talk a lot about lowering costs, but there is no reputable study that suggests that the needed cost savings are feasible. In fact, many studies suggest that preventative care actually raises costs (health quality improves, but the costs are higher). It takes some time to understand the economic implications of thousands of pages of legalese even when the experts know what is in the bill and that is a real problem when a bill is being rushed through. Two different groups can literally come up with spending estimates that are an order of magnitude (or more) off from each other and neither of them are even trying to exaggerate their claims.
To me, the worst thing about this process is that it is trivial for committee chairmen to tack on pet projects that benefit their district and no one can do anything about it. You can't expect people to vote down a hundred billion dollar bill that solves real problems just because Senator X is getting a million dollars for a bridge in his state. You especially don't vote that down if you think a million dollars for your own bridge is important.
What I do not understand, is where are the lobbyists for the larger document management companies, (Documentum, Hummingbird, Filenet, or any others, and no I'm not endorsing here). Why is this space so quiet from those seemingly interested in Profit$?
It would probably not be profitable for them. Developing a special system for Congress gives you exactly one customer. To be profitable with only one customer you have to charge a huge amount of money for your system. That makes doing business with the government a completely different beast than anything else you do. And then since the government is spending public money there are all sorts of arcane procedures in place to prevent abuse and you have to know how to work that system.
In general, companies that do business with the government specialize in it (or have a separate business division that does). Everyone else realizes that it is just a distraction and that there is more money to be made by concentrating on the private sector.
So if he won't read the legislation, and says he can't understand it, why the fuck is he on any committee that is tasked with looking at specific pieces of legislation?
Because being a lawyer is not a requirement of being elected. To read and understand the legal language you have to have significant legal training. Just because he is not an expert on the legal language does not mean he does not understand the broader policy objectives. The healthcare debate is hugely complicated and is going to have far reaching consequences on hundreds of millions of people for decades to come. I would much rather have my representative become an expert on these health issues and farm out the actual legal language to staffers who are experts in just this kind of thing.
Have you seen the size of these bills? That size and the complexity of the language means that there is no way any congress person could have read the bill. Even the author of the bill has probably not read the complete text.
That is not as big a problem as it sounds, though. Each congress person and the committees have staffers whose job it is to do just this type of thing. They have teams of technical experts (analogous to software developers) who understand the code of the law. This is one reason that policy debates often focus on reports from all sorts of obscure government agencies. You need highly technical experts to comb through this stuff and make sense of it. The policy debates get down to which set of experts you believe and trust.
I think a lot of us think of congress people as coders who are working on the law, but they are really more like vice presidents directing teams of coders in broad policy directions. In that sense, it is okay (and even preferable) that they not micromanage too much.
The problem is that patenting of software didn't come from Congress in the first place, it came from the courts.
That isn't completely true. The courts use the law as guidance in determining the scope of patent protection. There is nothing in the laws passed by Congress excluding software patents. In fact, the laws are intentionally vague so as not to accidentally exclude technological innovation from patent protection. So while software patent protections are directly derived from court rulings, those rulings are derived from an interpretation of the laws passed by Congress.
The argument against software patents isn't that the law specifically prohibits them. The argument is that it is just bad policy. These patents are unnecessary and only serve to stifle innovation. This sort of policy decision really has to come from Congress. The executive has a bit of influence in that the PTO could raise the bar required to receive patents on software, but they can only go so far. If they raise the bar too high, someone will take a rejected patent to court and the court will rule that the PTO is in violation of the law and we will be back where we started.
I completely agree that most K-12 textbooks are trash. That has always been the case. It has been a long time since I was a high school student but I think the best teachers I ever had would agree with me since none of them ever used a textbook. They used their own notes, current events, and an occasional xerox'd copy of a reputable article.
I don't agree, though, that copyright should be reserved for only the good stuff. This isn't like patents. Even trash like Harry Potter books deserve copyright protection.
Besides, research is done all the time on the best ways to teach people of different ages. If someone comes up with a good way of teaching science to 6th graders, I want them to make a lot of money with their superior textbooks.
But that is a totally different situation than I was addressing. That is a case where the scientists want to pursue a specific line of research that the funding won't support. It isn't so much a case of rejecting money as it is a case not finding money that will support research that requires stem cells.
If money is available that lets researchers pursue the questions that they are interested in, they are taking it and they aren't going to be concerned with how much money publishers get to make based off of their work.
I think there are several reasons why fewer people attended college in the past than they do today. One reason is that they didn't have to. It used to be that you could come out of high school and get a good job in a factory (e.g. Detroit) or oil fields (Texas and Louisiana) or any number of fields where muscles are a primary resource. Those jobs have greatly diminished so the job market demands a degree to be competitive.
Another reason is that it is more affordable. While college costs have risen, there is plenty of money available for financial assistance. I was able to fund my undergrad degree with mostly student loans and pay off all of the loans by 3 years after graduation. I considered that a great deal. In the past, for a lower income person to get through school they almost had to get a full scholarship and that meant they had to be brilliant.
I don't buy the case, though, that college ever required above average intelligence to get through. Rich families have been pumping their average intelligence prodigy through Ivy league schools for decades. Getting through college requires discipline and work. It is easier if you are really smart, but anyone should be able to do it. (A steady diet of C's will get you through an undergrad degree.) I've never met someone who dropped out of college because they were too dumb, but I've met plenty who dropped out because they didn't want to put any effort into it.
Is Don Knuth a "copyright troll" for publishing The Art of Computer Programming? Almost everything in there is derived from research he did not do. Most textbooks cover such a wide range of material that no one person could do that much research. The textbook author has the task of reviewing all of the research and identifying what is important and what is not. He standardizes all of the terminology so that it is easy to see how things relate (cutting edge research often has different people inventing different names for essentially the same things). They come up with exercises so that you can test your knowledge and understanding of the material. (In fact, the most valuable part of The Art of Computer Programming is the exercises.) That is a lot of work and it is original and worthy of copyright protection.
I don't dispute that there are plenty of crappy textbooks out there and that publishers often push unnecessary editions out there to try to kill the used textbook market. But none of that means that every textbook is a simple reprint of public domain material by a "copyright troll".
Accepting a gift from the government is like accepting a gift from the mafia. You might think you know what the conditions of that money/bailout/protection is but those parties can arbitrarily decide to change the deal. The government did that with much of the banking bailout money for the banks. They convinced many healthy banks to take the money so as not to draw too much attention to the unhealthy ones. Then they came back and started talking about regulating executive compensation packages. The healthy banks couldn't give that money back to the government fast enough.
I guess my point is that refusing money because you don't like the strings is one thing, but when the government starts retroactively adding on strings that is something else. It is hard to know whether the government is offering you a good deal when they can arbitrarily alter it whenever they want.
Yes, because clearly paying taxes isn't a return on the government's investment.
The money for student loans comes from private banks, not the government. The government sets up the marketplace for student loans and provides a small amount of subsidies, but the money you owe is owed to a private institution, not the government.
those highly educated people who are returning to China and India are bringing knowledge and skills that will allow them to replicate some of the wonders of California in India and China. How is that a bad thing?
Whether it is good or bad depends on which side of the ocean you are on. As an American, I think it is terrible that we are losing brilliant people. It is these types of people that advance the state of the art and create new companies and industries. Because I am selfish, I want that to happen in my own country so that I can benefit from this.
For those in China and India, this is obviously a great thing. It means that they are starting to be able to compete with the US for the best and brightest. Instead of watching their brightest stars go to the US and get rich creating jobs for Americans, they get to have this right in their backyard.
I agree with you that this is a natural part of free trade, but that does not mean we have to just accept it. This should be a wake up call to us that we have to compete harder than ever before to keep the smartest people here. In the past, we could win this competition without even trying, but now we will have to start working at it.
Considering how much red tape and utter nonsense is baked into the system it isn't any surprise that a lot of educated people want the hell out of here.
This is completely true because our immigration system was designed to solve a very different problem. The current system is designed to keep people out to protect jobs. This generally means keeping out unskilled labor who would compete with unskilled Americans for low wage jobs. When politicians try to reform the immigration system, they are hounded with accusations that hordes of Mexicans will cross the border and take all of our jobs.
The real problem, though, is that the US must compete to keep the smartest workers. In our economy, the country with the smartest labor pool will win. We need to do anything we can to keep smart people here. If you think outsourcing is bad, wait until we have to start competing with companies that are purely owned and operated by Indian and Chinese entrepeneurs with a lower cost base than we can ever hope to achieve. The thought of Bangalore being a serious rival to Silicon Valley is a scary proposition. It is also something that we can prevent by making it easy for smart people to stay in this country and create these companies here.
we educate foreign students at the cost of displacing domestic students
I would like to see some evidence to back that claim because that does not match my experience. In my CS department, US citizens are almost automatically accepted into the graduate program, while foreign students have to compete with each other to get in. (My professor is on the admissions committee.) The reason is that there are so few US citizens that apply that they have to take as many as they can get. The only people being turned away are foreigners who got beat out by more qualified foreigners.
The fact is that the US has half of the world's colleges and universities. It is the large number of foreign students that allows us to have so many universities and that gives domestic students a wide range of choices.
I'm not complaining about the vagueness. I think it is necessary to keep up with the times. But there are many people who are very concerned about the extent to which the Commerce Clause, for example, has been stretched in the past. I suspect that our current Federal Government is much larger than most of our founding fathers would have imagined. I don't necessarily have a problem with that, but Libertarians and the Ron Paul branch of the Republican party certainly do. The vagueness in the constitution will always be a source of contention, but that gives our system a lot of flexibility.
And when will everyone wake up and realize that the government isn't granted authority by the constitution it is RESTRICTED by the constitution.
Actually, the constitution both grants and restricts the government. Congress has the authority to pass laws because the constitution grants it. The President is the commander-in-chief because the constitution grants him that authority. The constitution also restricts the scope of these powers by drawing (often vague) boundaries around those powers.
Whether individuals are granted freedoms by the constitution is often a controversial statement. When people get nominated by the Supreme Court, they are often asked if they believe there is a "right to privacy". If you think rights are granted by the constitution, then you kind of have to say no because it clearly does not say that. On the other hand, there is a line of thinking that says that individuals have inherent rights (the Declaration of Independence makes that argument) and so the constitution need not grant those rights. The bill of rights in the constitution protects those rights by explicitly constraining the government. In that thinking, a "right to privacy" may very well exist.
The DOE and DARPA (and others) are huge users of HPC (high performance computing) applications. The have a vested interest in having the state of the art advance in parallel computing and so they tend to provide lots of research grants to fund that. They also routinely let outsiders use some of their computing facilities for the same reason (not all of their labs do classified work). There are many computing facilities that need enormous computing power as shown on the Top 500 list. But they are seeing that there are times where researchers need computational power, but not at such a large scale and not for long periods of time. If medium powered computational facilities could be made available to researchers cheaply and quickly, they would be widely used.
I think the point here is that Microsoft's behavior is being driven by the market. The market is clearly saying that they like a lot of the FOSS solutions. If Microsoft tries to pretend like these solutions does not exist, then they will allow a software ecosystem to develop in which they have no influence. A dominant player simply cannot allow that to happen.
In the case of FOSS, there is no way to bankrupt or buyout the competition. They still try to compete with marketing FUD, but it is obvious that that is only good for trying to slow the growth of FOSS.
This isn't about Microsoft turning over a new leaf. The real story is that market acceptance of FOSS solutions has grown to the point where none of the major players (including Microsoft) can afford to ignore it. For someone like me who has used Linux seriously for 15 years, seeing this kind of growth and acceptance is amazing. Linux used to be ignored, but now it is respected.
Related, in that regular people may not realize what they're doing but why would you use Gmail, Hotmail, or Yahoo for financial communications?
Why not? I don't see those as being any more or less secure than any ISP's normal email services. Email is fundamentally insecure anyway. Most people have one email address that they regularly use and so that is what will be provided to financial institutions.
However my ISP allows users to use a whitelist [wikipedia.org], I have an online address book and only email from someone in it is sent directly to my inbox.
But that has nothing to do with security. Your "suspected" folder contains all messages that did not make it past the whitelist filter, but that does not mean that you can trust what the whitelist filter allows through. It is trivial to send an email that matches what you think a legit banking email will look like.
I think the reason that most people don't realize that email can be trivially forged is because it is such a stupid idea to design a system like that. It can't possibly make sense for me to sit here in the comfort of my home and send an email to you that looks like it came from Bank of America and so non-experts assume that there must be some sort of mechanism to stop that. That is a very reasonable assumption, and we engineers are morons for not providing a communication abstraction that lives up to that.
The question is, why is someone that "non-technical" in charge of cybercrime for the FBI?
He is not in charge of cybercrime. He is the director of the entire FBI. I imagine that he has a huge amount of knowledge of things you and I know nothing about so I am willing to cut him some slack. We engineers have built a communication system that looks simple and secure to average folk and yet actually requires the detailed knowledge of how it all works to use it securely.
Every time one of these stories comes up, I am troubled by the attitude that is taken in so many Slashdot comments that the victim (or near victim) must be a complete idiot. We make a system that makes it far too easy to deceive people and then ridicule the victim for being tricked. We will never be able to improve the situation with this attitude.
It is right to be suspicious of any email claiming to be from your bank, but the fact is that my banks have sent me legitimate emails from them. Those emails have never been digitally signed so verifying their authenticity is tough. So the banks have some responsibility for using email in an unsafe way. But what if they did sign their emails? Well, it still wouldn't matter because Gmail and Yahoo and Hotmail have no provision for verifying digital signatures so the tools used by millions lack a fundamental security feature.
Actually, though it doesn't reduce the set much, there is a bias: If you are a paranoid admin, I know not to bother trying dictionary words or other basic stuff.
That is technically true, but in reality that makes no difference to the amount of work to be done. Let us assume that we know that a password is 8 characters and that it uses only letters (upper and lower case allowed) and numbers. Each character of the password has 62 possibilities. The total search space is 62^8 > 200 trillion. The number of words you will get from the dictionary is around 200,000. This is less than the rounding error in the approximation that I just gave.
Even in the simple case I gave, the state space is huge. In reality, it is even bigger because most systems allow special characters in the password and much longer passwords.
News at 11: once you have been compromised, you're sunk. Time to reimage or rollback the VM.
Anyone interested in log monitoring should already know that.
Since this sub-thread is about log monitoring, your comment was, er, offtopic/superfluous, although I suppose you got the Interesting mod for the TSA story.
Oh please. Why not actually participate in the conversation instead of complaining that the mods don't see things your way.
We all know what to do in the event that a compromise is detected. But how do you detect the compromise? My (very relevant) point is that you cannot trust anything on something that might be attacked to tell you whether it is compromised or not because it might be compromised. System logs give you valuable information if the system can be trusted but you cannot use them to determine whether to trust the system or not.
My server just mails me its daily security run, and most days there is a couple of brute force attempts.
Of course if the server were compromised, would you expect it to mail you a log that showed that it was compromised? If someone gets in with root access (and they know what they are doing), they could just modify the logs to not show what just happened. As long as you keep getting the same type of security summary, you will be happy.
It reminds me of a time I was in an airport going through the TSA security line to go into the terminal. The agent checked my ID and boarding pass and then got distracted by a bunch of flight attendants she had to let through. She then turned back around and asked me if she had checked my ID. I gave her a hard time because in this system I am assumed to be untrustworthy until she says otherwise so she shouldn't trust anything I tell her.
The point is that if something is a potential attack vector, then you must assume that any information it gives you might be a lie.
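As an added illustration of the point above (this is example code written for this page, not anything posted in the thread), here is a small simulation of why a daily security mail from the server itself proves nothing once the box has root-level compromise, and of the usual mitigation: forward each log entry, chained to the previous one by a hash, to a collector the server cannot write to. The log lines, host names and addresses are constructed for the example; `Collector` and `HostLogger` are hypothetical stand-ins for a syslog relay and the local logger.

```python
import hashlib

GENESIS = "0" * 64  # chain head before any entry has been logged

# Constructed sample auth log: a brute-force run that eventually succeeds,
# followed by the intruder editing the local log to remove the evidence.
LOG_LINES = [
    "Mar  3 02:11:07 web1 sshd[4312]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar  3 02:11:09 web1 sshd[4312]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar  3 02:11:12 web1 sshd[4315]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "Mar  3 02:11:15 web1 sshd[4315]: Accepted password for root from 203.0.113.9 port 51030 ssh2",
    "Mar  3 02:12:40 web1 sudo: root : TTY=pts/0 ; PWD=/root ; COMMAND=/bin/sed -i /Accepted/d /var/log/auth.log",
]


def chain_hash(prev_head: str, entry: str) -> str:
    """Hash of the new entry bound to everything logged before it."""
    return hashlib.sha256((prev_head + "\n" + entry).encode()).hexdigest()


def recompute_head(entries) -> str:
    """Walk a list of entries from GENESIS and return the resulting chain head."""
    head = GENESIS
    for entry in entries:
        head = chain_hash(head, entry)
    return head


class Collector:
    """Separate, append-only machine. It only remembers entries and the latest head;
    the monitored host has no way to rewrite what was already sent here."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def receive(self, entry: str, claimed_head: str) -> None:
        expected = chain_hash(self.head, entry)
        if claimed_head != expected:
            raise ValueError("chain mismatch: host sent an entry that does not extend the log")
        self.entries.append(entry)
        self.head = expected


class HostLogger:
    """Runs on the monitored server. Everything it keeps locally (entries and head)
    is writable by anyone who gets root on the box."""

    def __init__(self, collector: Collector):
        self.collector = collector
        self.entries = []
        self.head = GENESIS

    def log(self, entry: str) -> None:
        self.head = chain_hash(self.head, entry)
        self.entries.append(entry)
        self.collector.receive(entry, self.head)  # forwarded immediately, before it can be edited


def daily_summary(entries) -> int:
    """What the nightly 'security run' mail reports: number of failed logins."""
    return sum(1 for e in entries if "Failed password" in e)


def local_log_is_trustworthy(entries, collector_head: str) -> bool:
    """The only check that means anything: does the on-host log still hash to the head
    held by the collector? A locally stored head would prove nothing, since root can rewrite it."""
    return recompute_head(entries) == collector_head


def simulate() -> dict:
    collector = Collector()
    host = HostLogger(collector)
    for line in LOG_LINES:
        host.log(line)

    before = {
        "failed": daily_summary(host.entries),
        "trusted": local_log_is_trustworthy(host.entries, collector.head),
    }

    # Intruder with root rewrites the local log and the locally stored head.
    host.entries = [e for e in host.entries if "Accepted" not in e and "sed -i" not in e]
    host.head = recompute_head(host.entries)

    after = {
        "failed": daily_summary(host.entries),
        "trusted": local_log_is_trustworthy(host.entries, collector.head),
        "collector_entries": len(collector.entries),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = simulate()
    print("summary mailed before tampering:", result["before"]["failed"], "failed logins")
    print("summary mailed after tampering: ", result["after"]["failed"], "failed logins")
    print("local log verifies against collector after tampering:", result["after"]["trusted"])
```

The daily mail reads the same before and after the intruder edits the log (three failed attempts, nothing else), which is exactly the situation described above. Only the copy the host cannot touch reveals the difference. The limitation runs the other way too: once the host is owned, the attacker can simply stop forwarding, so the collector can detect silence or a broken chain but cannot vouch for anything the host sends afterwards.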
Port knocking is a good way to conceal that ssh is available.
I guess it depends on what type of attacker you are trying to protect against. For attackers that are trolling around looking for easy targets, then things like this that add obscurity probably make sense. On the other hand, if I were in charge of a high value target, then I probably wouldn't bother. A high value target will have knowledgeable attackers who are very focused on exploiting you. In those cases, things like this are only mild inconveniences that will not make them give up. The port knocking sequence needed to open up ssh is not exactly a secret. It gets exposed in the clear to the network on every ssh connection. For high value targets, I would actually want the system as simple as possible to reduce the possibility that a bug in one of the obscurity features actually becomes the attack vector.
Using port knocking is like locking my car door. It makes it harder for lazy, stupid thieves to get into my car, but it does absolutely nothing for someone who really, really wants to steal my car because a good thief can bypass it in a trivial amount of time.
Now notice I said can. There is no guarantee that it will be successful. But there is a guarantee that you will not need to comb through all 292 billion possible combinations to get access so dwelling on that number is misleading.
You are not understanding how the total number of possible passwords affects things. With a secure password, there is no bias so there is no ordering of the total possible passwords to improve your odds. Everyone knows that you will almost never have to guess all of the possible passwords. The odds of hitting the correct password on that final 292 billionth password is the same as hitting it on the first guess.
The proper way to use the number is to look at how many guesses will get you at a 50% probability of getting the right password. Let's say that you figure someone could guess a million passwords before you change your password. To cause the attacker to have less than a 50% chance of success, you need to have at least 2 million possible passwords. For a 25% chance, you need 4 million. For a one in a million chance of success, you need 1 trillion possible passwords.
So the key numbers are the number of possible attempts that a system will allow in the time frame that a given password will be valid and what is the ratio of the number of attempts to the total password space. The nice thing is that adding one additional character greatly increases the password space and causes an exponential growth in the number of passwords an attacker must try to have an x% chance of success.
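The arithmetic in the two password comments above (the 62^8 search space versus a 200,000-word dictionary, and the "how big must the space be for a given attempt budget" rule), as an added worked example that is not part of the thread. Probabilities are passed as exact fractions so that the one-in-a-million case does not pick up floating point rounding; the function names are this example's own.

```python
import math
from fractions import Fraction


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def success_probability(attempts: int, space: int) -> Fraction:
    """Chance that `attempts` guesses hit a uniformly random password from `space`.
    With no bias there is no useful ordering, so each guess rules out exactly one candidate."""
    return Fraction(min(attempts, space), space)


def guesses_for_probability(space: int, probability) -> int:
    """Guesses needed to reach `probability` of success (0.5 gives the 'half the space' figure)."""
    return math.ceil(Fraction(space) * Fraction(probability))


def required_space(attempts: int, max_probability) -> int:
    """Smallest password space that keeps an attacker with `attempts` guesses
    at or below `max_probability` of success: space >= attempts / p."""
    return math.ceil(Fraction(attempts) / Fraction(max_probability))


def minimum_length(alphabet_size: int, attempts: int, max_probability) -> int:
    """Shortest password length over `alphabet_size` symbols meeting the required_space bound.
    Each extra character multiplies the space by alphabet_size, hence the exponential growth."""
    needed = required_space(attempts, max_probability)
    length = 1
    while search_space(alphabet_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    space = search_space(62, 8)                     # letters (both cases) + digits, 8 chars
    print(f"62^8 = {space:,}")                      # about 218 trillion
    dictionary = 200_000
    print("dictionary covers", float(success_probability(dictionary, space)), "of the space")
    print("guesses for 50%:", f"{guesses_for_probability(space, Fraction(1, 2)):,}")
    for p in (Fraction(1, 2), Fraction(1, 4), Fraction(1, 10**6)):
        print(f"1M attempts, success <= {p}: need space >= {required_space(10**6, p):,}, "
              f"i.e. at least {minimum_length(62, 10**6, p)} chars over 62 symbols")
```

Running this reproduces the figures in the comments: 2 million, 4 million and 1 trillion for a million attempts at 50%, 25% and one-in-a-million, and shows that the dictionary is under a billionth of the 8-character space. The last loop also makes the "one more character" point concrete: the million-attempt, one-in-a-million bound is already met at 7 characters over a 62-symbol alphabet, since 62^7 is about 3.5 trillion.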
I agree that the pace is a bit of a problem. It was really bad for the PATRIOT act. One thing that you and I don't see, though, is that there is a great body of legislative language already out there waiting for an opportunity to go into a bill. People have been coming up with and studying health care proposals for decades. Putting together the bill means taking a piece from group A's FOO proposal and a different piece from group B's BAR proposal and mashing that all up together. Everybody who is an expert on health care policy already knows who A and B are and what is in FOO and BAR which means that a huge bill can be crafted overnight and everyone (who matters, anyway) knows exactly what is in it and not a single person has actually read it.
The killer in the current health care debate is cost. Many of the proposals are well thought out and vetted, except for where the money will come from. People talk a lot about lowering costs, but there is no reputable study that suggests that the needed cost savings are feasible. In fact, many studies suggest that preventative care actually raises costs (health quality improves, but the costs are higher). It takes some time to understand the economic implications of thousands of pages of legalese even when the experts know what is in the bill and that is a really problem when a bill is being rushed through. Two different groups can literally come up with spending estimates that are an order of magnitude (or more) off from each other and neither of them are even trying to exaggerate their claims.
To me, the worst thing about this process is that it is trivial for committee chairmen to tack on pet projects that benefit their district and no one can do anything about it. You can't expect people to vote down a hundred billion dollar bill that solves real problems just because Senator X is getting a million dollars for a bridge in his state. You especially don't vote that down if you think a million dollars for your own bridge is important.
What I do not understand, is where are the lobbyists for the larger document management companies, (Documentum, Hummingbird, Filenet, or any others, and no I'm not endorsing here). Why is this space so quiet from those seemingly interested in Profit$?
It would probably not be profitable for them. Developing a special system for Congress gives you exactly one customer. To be profitable with only one customer you have to charge a huge amount of money for your system. That makes doing business with the government a completely different beast than anything else you do. And then since the government is spending public money there are all sorts of arcane procedures in place to prevent abuse and you have to know how to work that system.
In general, companies that do business with the government specialize in it (or have a separate business division that does). Everyone else realizes that it is just a distraction and that there is more money to be made by concentrating on the private sector.
So if he won't read the legislation, and says he can't understand it, why the fuck is he on any committee that is tasked with looking at specific pieces of legislation?
Because being a lawyer is not a requirement of being elected. To read and understand the legal language you have to have significant legal training. Just because he is not an expert on the legal language does not mean he does not understand the broader policy objectives. The healthcare debate is hugely complicated and is going to have far reaching consequences on hundreds of millions of people for decades to come. I would much rather have my representative become an expert on these health issues and farm out the actual legal language to staffers who are experts in just this kind of thing.
Have you seen the size of these bills? That size and the complexity of the language means that there is no way any congress person could have read the bill. Even the author of the bill has probably not read the complete text.
That is not as big a problem as it sounds, though. Each congress person and the committees have staffers whose job it is to do just this type of thing. They have teams of technical experts (analogous to software developers) who understand the code of the law. This is one reason that policy debates often focus on reports from all sorts of obscure government agencies. You need highly technical experts to comb through this stuff and make sense of it. The policy debates get down to which set of experts you believe and trust.
I think a lot of us think of congress people as coders who are working on the law, but they are really more like vice presidents directing teams of coders in broad policy directions. In that sense, it is okay (and even preferable) that they not micromanage too much.
The problem is that patenting of software didn't come from Congress in the first place, it came from the courts.
That isn't completely true. The courts use the law as guidance in determining the scope of patent protection. There is nothing in the laws passed by Congress excluding software patents. In fact, the laws are intentionally vague so as not to accidentally exclude technological innovation from patent protection. So while software patent protections are directly derived from court rulings, those rulings are derived from an interpretation of the laws passed by Congress.
The argument against software patents isn't that the law specifically prohibits them. The argument is that it is just bad policy. These patents are unnecessary and only serve to stifle innovation. This sort of policy decision really has to come from Congress. The executive has a bit of influence in that the PTO could raise the bar required to receive patents on software, but they can only go so far. If they raise the bar too high, someone will take a rejected patent to court and the court will rule that the PTO is in violation of the law and we will be back where we started.
I completely agree that most K-12 textbooks are trash. That has always been the case. It has been a long time since I was a high school student but I think the best teachers I ever had would agree with me since none of them ever used a text book. They used their own notes, current events, and an occasional xerox'd copy of a reputable article.
I don't agree, though, that copyright should be reserved for only the good stuff. This isn't like patents. Even trash like Harry Potter books deserve copyright protection.
Besides, research is done all the time on the best ways to teach people of different ages. If someone comes up with a good way of teaching science to 6th graders, I want them to make a lot of money with their superior textbooks.
But that is a totally different situation than I was addressing. That is a case where the scientists want to pursue a specific line of research that the funding won't support. It isn't so much a case of rejecting money as it is a case of not finding money that will support research that requires stem cells.
If money is available that lets researchers pursue the questions that they are interested in, they are taking it and they aren't going to be concerned with how much money publishers get to make based off of their work.
I think there are several reasons why fewer people attended college in the past than they do today. One reason is that they didn't have to. It used to be that you could come out of high school and get a good job in a factory (e.g. Detroit) or oil fields (Texas and Louisiana) or any number of fields where muscles are a primary resource. Those jobs have greatly diminished so the job market demands a degree to be competitive.
Another reason is that it is more affordable. While college costs have risen, there is plenty of money available for financial assistance. I was able to fund my undergrad degree with mostly student loans and pay off all of the loans by 3 years after graduation. I considered that a great deal. In the past, for a lower income person to get through school they almost had to get a full scholarship and that meant they had to be brilliant.
I don't buy the case, though, that college ever required above average intelligence to get through. Rich families have been pumping their average intelligence prodigy through Ivy league schools for decades. Getting through college requires discipline and work. It is easier if you are really smart, but anyone should be able to do it. (A steady diet of C's will get you through an undergrad degree.) I've never met someone who dropped out of college because they were too dumb, but I've met plenty who dropped out because they didn't want to put any effort into it.
Is Don Knuth a "copyright troll" for publishing The Art of Computer Programming? Almost everything in there is derived from research he did not do. Most textbooks cover such a wide range of material that no one person could do that much research. The textbook author has the task of reviewing all of the research and identifying what is important and what is not. He standardizes all of the terminology so that it is easy to see how things relate (cutting edge research often has different people inventing different names for essentially the same things). He comes up with exercises so that you can test your knowledge and understanding of the material. (In fact, the most valuable part of The Art of Computer Programming is the exercises.) That is a lot of work and it is original and worthy of copyright protection.
I don't dispute that there are plenty of crappy textbooks out there and that publishers often push unnecessary editions out there to try to kill the used textbook market. But none of that means that every textbook is a simple reprint of public domain material by a "copyright troll".
Accepting a gift from the government is like accepting a gift from the mafia. You might think you know what the conditions of that money/bailout/protection are but those parties can arbitrarily decide to change the deal. The government did that with much of the banking bailout money for the banks. They convinced many healthy banks to take the money so as not to draw too much attention to the unhealthy ones. Then they came back and started talking about regulating executive compensation packages. The healthy banks couldn't give that money back to the government fast enough.
I guess my point is that refusing money because you don't like the strings is one thing, but when the government starts retroactively adding on strings that is something else. It is hard to know whether the government is offering you a good deal when they can arbitrarily alter it whenever they want.