They have this at my employer and it has always worried me.
For this to work they'll have to store the password in clear somewhere so they can make comparisons.
If they used the conventional approach of passing the given text through a few iterations of SHA, then even a single bit of difference in the given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the old one?
By decrypting them? :-)
I would hire a gifted musician, painter, or journalist that shows the seed of understanding good design, over a humdrum programmer
False dichotomy. Sure a gifted musician may be better than a bad programmer. But why not hire a gifted programmer? Then you get the technical skills along with the creativity.
Engineers and programmers are more likely to be creative in the first place, since a desire to "create stuff" is why they chose to major in engineering or CS. Most liberal arts majors chose their major because of low SAT scores.
Completely wrong:
http://www.businessinsider.com...
But don't let your general ignorance stop you from spouting nonsense.
As a tech employer, I would not hire a liberal arts major for a technical position, nor would their degree count for anything more than a HS diploma when hiring for a non-tech position. Liberal arts majors have not been trained to think logically and solve problems. They have also screwed up the one major life decision they have made so far: Their college major.
Also, I have no interest whatsoever in hiring "well-rounded" employees. They may be better people, and engage in interesting conversation at the water cooler, but they are not better employees, and are not going to add as much to the bottom line as a workaholic nerd with no social life.
Yep, from an employer's point of view the more generally ignorant a worker is the better and the less of a life they have the better.
After thirty years of working for assholes who couldn't give a shit about the people that work for them I can only say, on behalf of your employees that either don't know any better or don't dare - fuck you.
Unfortunately, they are part time minimum wage jobs replacing full time salaried positions, so it is a net negative.
Not negative at all for the people who have benefits due to having those full time positions.
The quality of jobs is as important as their quantity.
Does this mean I won't have to change my password from password01 to password02, password03, etc.?
You require people to change it every 90 days and expect them to remember it; what do you think people are going to do? It is going to be S!mp1e as can be.
Simple1! fulfills most companies' password requirements.
If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy
It will have to stop changing on an arbitrary basis.
At least some authentication systems can stop you from using a new password that is too much like your old password.
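The question earlier in the thread (how can a system know a new password is close to the old one if it only stores hashes?) and the remark just above that some authentication systems do reject a too-similar password are both answered by the same design, shown here as an added example that is not code from the thread or from any particular product. It assumes PBKDF2-HMAC-SHA256 as the stored-hash scheme, an edit distance of 3 as the "too similar" rule, and an in-memory dict in place of a user database; all of those are illustrative choices. The first half demonstrates the avalanche effect the question is pointing at (related passwords give unrelated digests), and the second half shows that the comparison can still be made at change time because the user has to type the current password to prove possession, so no plaintext needs to be kept on disk.

```python
"""
Near-duplicate password rejection without storing passwords in clear.

Added example, not code from the thread. Two points:
  1. A salted PBKDF2 hash cannot be compared for closeness: a one-character
     change flips roughly half the digest bits (avalanche).
  2. A change-password flow does not need the stored value in clear. The
     user must type the *current* password to prove possession, so both
     plaintexts are in memory for that one request; the server compares
     them, then stores only the hash of the new one.
Assumptions (illustrative, not any vendor's scheme): PBKDF2-HMAC-SHA256 with
a fixed iteration count, an edit-distance threshold of 3, and an in-memory
dict standing in for the user database.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000          # assumed work factor
MAX_EDIT_DISTANCE = 3         # assumed "too similar" threshold


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_demo(old: str, new: str) -> int:
    """Hash two passwords under the SAME salt and count the bits that differ.
    For related passwords this comes out near 128 of 256: the digests carry
    no usable similarity signal."""
    salt = b"constructed-salt"  # fixed only so the demo is repeatable
    _, d_old = hash_password(old, salt)
    _, d_new = hash_password(new, salt)
    return differing_bits(d_old, d_new)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def too_similar(old_plain: str, new_plain: str) -> bool:
    """Similarity rule applied to the plaintexts the user just typed.
    Case is folded so Password01 -> PASSWORD02 is still caught."""
    return levenshtein(old_plain.lower(), new_plain.lower()) <= MAX_EDIT_DISTANCE


class PasswordStore:
    """Stores only (salt, digest) per user; never the password itself."""

    def __init__(self) -> None:
        self._users = {}

    def enroll(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def change_password(self, user: str, current: str, new: str) -> str:
        salt, digest = self._users[user]
        # Possession check first: the typed "current" password is only
        # trusted for comparison once it verifies against the stored hash.
        if not verify_password(current, salt, digest):
            return "rejected: current password incorrect"
        if too_similar(current, new):
            return "rejected: new password too similar to current"
        self._users[user] = hash_password(new)   # old plaintext is discarded
        return "ok"

    def check(self, user: str, password: str) -> bool:
        salt, digest = self._users[user]
        return verify_password(password, salt, digest)


if __name__ == "__main__":
    print("bits differing between hashes of password01 / password02:",
          avalanche_demo("password01", "password02"))
    store = PasswordStore()
    store.enroll("alice", "password01")
    print(store.change_password("alice", "password01", "password02"))
    print(store.change_password("alice", "password01", "6B=1X8Vg+Bxqfs=2oPEy"))
```

The caveat a practitioner should take from this: the check works only because the current password is typed at change time. A policy that also compares against a history of older passwords cannot do a plaintext edit distance without retaining those plaintexts, which is exactly the worry raised above; the alternative that keeps only hashes is to generate a bounded set of simple variants of the new password and hash each against the stored old digests, at the cost of one PBKDF2 run per variant.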
Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.
So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.
OK - got it.
Funny but the re-use logic goes in both directions.
This is the same security that disabled the ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and Dropbox.
Let me guess - you work at the White House supporting Hillary?
That's what I do now, I basically classify things as low, medium, or high security.
Me too so I set all my passwords to 'low', 'medium' and 'high' depending on security level so I won't forget which is which.
Damned websites keep complaining that my password has to be longer than three characters though - and I have no way to say 'but your site doesn't matter to me so three is just fine'.
They're not saying it's OK, they're saying you should only reuse passwords for similar systems, which makes sense... If your Slashdot password gets compromised it's not a big deal; use the same password on some other news site and it's also not a big deal; just make sure you use a different password for your bank.
If your bank hasn't provided you a token then find another bank. No excuse for forcing users to use password logins at this point.
You memorize a single strong password for a key storage program like KeePass.
I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.
So it doesn't matter that the cost goes on forever. It isn't even worth arguing about the fact that in-house costs also go on forever. Because it just doesn't matter.
How's that nihilistic cynicism workin' out for ya?
Typical - conversation doesn't go your way so you sideline into an insult.
Go away now :-)
Isn't it only *until* you read his post? Or is there a special Heisenberg state for /. comments ;-) ?
Not at all. It's always an 'if' because there's no guarantee that one will open something.
At that point there is nothing left tying me to Windows.
Other than Linux failing to suspend and resume correctly on a laptop.
There is also Apple that resumes just fine. I refuse to buy their mobile products but I'm fine with using the computers.
Depreciation over time vs. cloud being an operating expense which is 100% deductible as you pay it, so yes, from that point of view it is also better on the bottom line.
But the expense goes on forever.
I never said it fixes jack shit incidentally - just that CEOs/CFOs are going to go for it because it's cheap.
If there is high demand, it won't be cheap for long. And if the cloud provider goes out of business or loses your data, it's not so cheap. And you are just another customer.
Guess it's just a matter of falling off that bridge when we get to it. It's just another in-house vs outsource argument. And outsourcing is always cheaper until it isn't.
CEOs don't think in terms of forever. They think in terms of 'how can I maximize profits NOW so that I can make a huge bonus and move on to the next company that I can rape for even more money?'.
Nothing else goes through their heads. Nothing. Ever.
So it doesn't matter that the cost goes on forever. It isn't even worth arguing about the fact that in-house costs also go on forever. Because it just doesn't matter.
"New Siri feature allows you to speak to your iPhone whether you're powered on or not."
Because my phone should not be listening to me when it's powered off. Period. Ever.
iTranslate — speak into the mic and hear translations in over 90 languages.
That would be hard to understand. Did they mention an option to only hear once language at a time?
If you take a tourist boat on the Seine in Paris, each announcement is made in at least five languages one after the other. By the time they get to Japanese (the last), what's being announced has absolutely nothing to do with anything that is still in sight, as the boat has long since moved on.
This is a First Post, and yet it is not... I have successfully achieved the simultaneous on/off state of First Posts....
You would be but only if we opened your post.
Are you including depreciation of capital equipment?
Sorry what's your point?
The point is that somehow, someway cloud eliminates all your problems. When I had a part time business, my capital equipment was depreciated over time, giving me tax benefits. Which was in answer to including the labor costs of non-cloud operations as a fatal indictment of non-cloud operations.
Because it doesn't eliminate all your problems, it isn't all blue sky, puppy dogs and unicorns.
Depreciation over time vs. cloud being an operating expense which is 100% deductible as you pay it, so yes, from that point of view it is also better on the bottom line.
I never said it fixes jack shit incidentally - just that CEOs/CFOs are going to go for it because it's cheap.
Seriously?
Wonder how many more times we're going to hear of cloud architectures being compromised before that idiotic mentality changes.
You have to keep in mind that most CEOs aren't going to give a shit if it's really secure as all they care about is the bottom line - which means cutting labor costs - which means going to a cloud service.
In reality a hosted cloud is more expensive and less secure in almost all cases. When will people wake up and realize that cloud was created not to provide any particular service that can't be provided locally, but is just a way to turn something you used to pay for once into a monthly forever and ever payment. Cloud is cheaper up front, but almost always more expensive in duration.
Are you including labor costs of non-cloud support in that calculation...?
No agency, governmental or otherwise, willingly gives up surveillance or information. We must ignore their claims to do so, and;
Require watchdogs, monitors, and direct supervision.
> But who can watch the watchmen?
> - Juvenal, Satires
I keep a folder of mugshots as a trophy for removing this garbage app.
Of course you're getting signed permission from these users to keep those pics so that you don't end up in jail yourself.
The key in your statement is backdoors, and people suspect that some may have been put into things like BitLocker, Android and iOS full device encryption and other closed source products. This however doesn't prevent you from using things like TrueCrypt (included because there hasn't been shown to be any real red flags even with the limited audit), PGP/GPG, the various TrueCrypt successors, and other encryption programs. Something that requires 2^256 bit flips is going to be awfully energy intensive even if it is done with the magic of quantum computers, which can speed up the process but not that much (I want to say it can cut the exponent in half but I may not be remembering it correctly). So if we take an optimistic view with quantum computers that still means it takes 2^128 bit flips, and good luck finding enough energy to do that. Basically proper cryptography without backdoors or flaws is something that cannot be broken even using all of the available energy in the universe. If that doesn't offer enough protection then you could always use a one time pad.
You're making the assumption that those attacking it are using the same technology that you are aware of - which may be the case. Then again it may not.
Whatever you rely on, there will be ways around it, and governments just have a lot more resources to throw at something than you do. Of course they probably don't care enough to make the effort.
Cryptographers are our best hope.
What is this headline supposed to suggest? Trust cloud providers? LOL.
I'll see your cryptographers (in the public domain) and raise you an NSA with a virtually unlimited budget and fuckloads of computing power.
Cryptographers in the corporate world are at the mercy of corporate interests that are willing to take money to install backdoors.