On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?
U mean GnuTLS?
--
Bugs happen
Well said. But there is still much room for improvement and stabilization of free software processes.
Sure. But in those cases the strength of the password doesn't matter, and periodic rotation might not be enough to prevent damage.
That's all true. Notifications of the IP and time of my last logins help me judge whether my account is cohabited. Indeed, they are often available. IP and time of bad logins are less often available, and I never saw them being collected. A password's crackability is not measured in time units, but in number of failed attempts. So it would be useful to collect them.
If there is evidence, or even likelihood, of a compromise, such as stealing a password file or using plain login on unencrypted connections, the relevant passwords are to be changed ASAP. I don't know how long it takes for a compromised account to be sold, but it's useless to wait for the password to expire, in such situations. During normal wear and tear, IMHO, it is more important to educate users than to impose policies. And it seems that the latter two tasks are conflicting with one another.
As a user, I hate it when a security rule requires changing the password. Why?
The only practical reason why a password would smell is that it is weak and somebody tried to guess it a few times. However, to implement that policy, I'd need to track attempts. Given the number of attempts and an estimate of the entropy, a system can say when it's time to change a password, without inordinate annoyance.
Why isn't it customary to track failed logins per account?
Would users choose better passwords if they were rewarded with proportional expiration times?
Forum passwords need not be strong because they're unimportant, or because nobody actually tries to crack them?
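The commenter's idea of measuring crackability in failed attempts rather than days can be written down as a small defender-side check. The following is an added example, not code from the thread or any project discussed in it: it parses constructed sshd-style log lines (not real data), counts failed attempts per account, and compares that count against the password's guessing space. The per-account entropy estimates, the 20-bit default for accounts without one, and the tolerated probability threshold are all assumptions chosen for the demonstration; the model treats every failed attempt as one distinct candidate eliminated from a uniformly chosen password, which is an upper bound on a real guesser's success.

```python
import math
import re
from collections import defaultdict

# Constructed sshd-style log lines for the demonstration; not real data.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1234]: Failed password for alice from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[1234]: Failed password for alice from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:20 host sshd[1235]: Accepted password for bob from 198.51.100.5 port 40000 ssh2
Mar  3 10:02:01 host sshd[1236]: Failed password for invalid user root from 203.0.113.9 port 2222 ssh2
Mar  3 10:03:44 host sshd[1237]: Failed password for alice from 203.0.113.8 port 51240 ssh2
"""

# Matches the failed-attempt line sshd writes (the "invalid user" form included).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def count_failed_logins(log_text):
    """Collect the source IPs of failed attempts, keyed by account name."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)].append(m.group(2))
    return dict(failures)


def guess_probability(failed_attempts, entropy_bits):
    """Chance that the observed guesses already include the password, modelling the
    password as uniformly drawn from 2**entropy_bits candidates and each failed
    attempt as one distinct candidate eliminated. This is an upper bound: real
    guessers repeat themselves and do not cover the space uniformly."""
    return min(1.0, failed_attempts / 2.0 ** entropy_bits)


def attempts_budget(entropy_bits, max_probability=1e-6):
    """How many failed guesses an account can absorb before the bound above
    exceeds the tolerated probability: an expiration measured in attempts
    rather than days, proportional to password strength."""
    return math.floor(2.0 ** entropy_bits * max_probability)


def should_rotate(failed_attempts, entropy_bits, max_probability=1e-6):
    """True once the failed-attempt count has used up the account's budget."""
    return guess_probability(failed_attempts, entropy_bits) >= max_probability


def accounts_to_rotate(log_text, entropy_by_account, max_probability=1e-6):
    """Parse the log and return the accounts that should change their password.
    entropy_by_account holds an entropy estimate in bits per account, assumed
    here to have been recorded when the password was set; accounts without an
    estimate are treated as weak (20 bits, an assumed default)."""
    failures = count_failed_logins(log_text)
    flagged = []
    for account, attempts in failures.items():
        bits = entropy_by_account.get(account, 20)
        if should_rotate(len(attempts), bits, max_probability):
            flagged.append(account)
    return sorted(flagged)


if __name__ == "__main__":
    estimates = {"alice": 20, "root": 60}  # constructed per-account estimates
    print(count_failed_logins(SAMPLE_LOG))
    print(accounts_to_rotate(SAMPLE_LOG, estimates))
```

With the constructed log, the three failures against a 20-bit password for alice exceed a one-in-a-million budget of a single attempt, so alice is flagged, while the one failure against a 60-bit root password is nowhere near its budget. Raising alice's estimate to 40 bits gives a budget of roughly a million attempts and clears the flag, which is the "proportional expiration" the questions above ask about.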
Albeit he says so, Mr. Spock is not at all "logical, purely rational, that it is detached and value-free," as the OP says. On the other hand, "official" religions have not endeavored into intellectually challenging arguments for several centuries now. They are becoming tedious, to the point that many scientists, even if they are not atheists, consider their religious commitment detached from their work.
No hair-splitting. Laptops can get annoyingly slow if they happen to bootstrap in a low-signal area and init has to wait for DHCP, e.g. for NFS. My understanding is that that's what upstart or other parallel init is expected to overcome. On the opposite, servers, as well as various workstations, enjoy very well controlled network connections.
Of course, laptops form a much wider market. Nevertheless, I hope traditional SysV init will remain. We seem to agree on that. Doing parallel init may require some more kernel options, which people wouldn't call a split if they were compiling their own kernels anyway.
What makes it a "Server" versus "Workstation"?
Besides tuning, the real, outstanding difference between servers and laptops is the number of times you switch them on and off. Hence, it may really make sense to split bootstrapping. On a server, for example, I'd opt for a well known, traditional SysV init over whatever systemd-like, weird contraption one may want to invent. I don't think splitting distros is necessary, but will consider migrating if Debian mandates upstart.
This is simple economics. If the demand for programmers can not be met then there is more opportunity and money for me. Why should I reduce my personal money making capability?
That's true for mathematics as well. Why do kids have to learn long division algorithms which are useless for them as well as for their future employers? The hourglass-shaped division of labor is nicely recounted in Calling a spade a spade: Mathematics in the new pattern of division of labour. Unlike programming, mathematics education can be compared with how it was in 1897, when Post Office entrance tests included extracting the square root of 331930385956.
Now just find a perfect way to codify "hard to read" in a way that all algorithms and designs may be encoded in a way that is not "hard to read".
Each language codifies how it works. When the emphasis is on DWIM, a language is favoring writing over reading. Perl is better at roughing out utilities than coding highly maintainable systems, by language design.
Debuggers should be simple, minimal, and reliable, so that the 1-2 times a year that you need them, they get the job done correctly and without having to remember a lot of complicated stuff.
Much more than 1-2 times a year. An easy-to-use debugger turns out to be the most convenient way to read the code.
Contraception would be a rather cheaper way of achieving that aim. Or regular wars.
Yes, but both methods imply some frustration.
Massive migration is a behavior common to many species; it satisfies the need to grow and multiply. Besides humans, also lemmings are famous for their large, risky migrations. The fact that so many humans never met a lemming can be considered an instance of Fermi's paradox.
Maybe we're just the first to develop? Or simply faster than light travel hasn't been invented.
We could start thinking about sending out 100,000 - 1,000,000 people ships. A moon lift, in-orbit assemblage, hydroponic cultures, photonic sails would help carrying people to exoplanets in a few generations' time. By sending several ships each day it would be possible to keep Earth's population under control.
Luckily we have about 10,000 - 1,000,000 years worth of energy in uranium and thorium (depending on how fast you think energy needs will grow). Plenty of time to work out fusion and expand into space.
Bah, I'd bet we'll have fucked up the environment in 100 - 1,000 years if we go on with fission.
Atheism: I'm not playing your stupid game.
I agree stupid is the right word. It has been a long long time since Christian religion proposed an intellectually challenging plan. (Clever popes have a try at it, but it is hard.) Internet came with a full hand of myths, such as the upcoming Information Age, then non-observant practitioners took the lead... Perhaps there is something else which is taking away both.
MITM proxies are among us, and there is nothing the IETF can do to stop corporate networks forcing their clients into such bad practice. The proxy synthesizes a certificate for each https request made by the client. The client has to trust the corporate CA, of course. There are various shortcomings with that model. For example, for opt-out to be occasionally possible, the client browser needs to know about the MITM proxy, rather than unwittingly trust the corporate CA. The "Explicit Trusted Proxy in HTTP/2.0" draft just aims at introducing browser awareness into that game.
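The interception model described above leaves a visible trace on the client: the leaf certificate it receives is issued by the corporate CA instead of the public CA the site actually uses. The following is an added example, not code from the thread or from any draft it mentions, showing how a client can detect that from the issuer of the served certificate. The two certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns and carry made-up names; the expected issuer CN is an assumption the operator would supply, and comparing the CN alone is a heuristic rather than a cryptographic pin.

```python
import socket
import ssl

# Constructed certificate dictionaries in the shape ssl.SSLSocket.getpeercert()
# returns: "issuer" is a tuple of RDNs, each a tuple of (attribute, value) pairs.
# The CA and host names are made up for the demonstration.
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA Inc"),),
        (("commonName", "Example Public CA R3"),),
    ),
}
CORP_PROXY_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Corp IT"),),
        (("commonName", "Corp TLS Inspection CA"),),
    ),
}


def issuer_fields(cert):
    """Flatten the issuer RDN sequence into an attribute -> value dict."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}


def is_intercepted(cert, expected_issuer_cn):
    """True when the leaf certificate was not issued by the CA the operator
    expects for this host, which is what a synthesizing proxy produces.
    Matching the CN only is a heuristic: a real pin would compare the
    issuer's public key or the chain's fingerprint."""
    return issuer_fields(cert).get("commonName") != expected_issuer_cn


def check_host(host, expected_issuer_cn, port=443, timeout=5.0):
    """Live check (needs network): fetch the leaf certificate actually served to
    this client and compare its issuer. On a network with a trusted corporate CA
    the handshake succeeds and the synthesized certificate is what comes back;
    if the corporate CA is not in the trust store the handshake raises instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return is_intercepted(tls.getpeercert(), expected_issuer_cn)


if __name__ == "__main__":
    for name, cert in (("public", PUBLIC_CA_CERT), ("proxy", CORP_PROXY_CERT)):
        print(name, "intercepted:", is_intercepted(cert, "Example Public CA R3"))
```

The offline part of the block is the decision logic; `check_host` is the same decision applied to whatever certificate the local trust store lets the handshake accept, which is exactly the situation the comment describes, where the client has been made to trust the corporate CA.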
Oh, you misunderstand me. I think Bitcoin is a neo-libertarian utopian fantasy, based on the same thing all neo-libertarian philosophy relies, the "If only..."
What Bitcoin managed to make clear is the need for "miners". They don't mine useful stuff (assuming gold is useful by itself) but do a completely useless activity, which is only needed as a proof of work to authorize the ownership of an abstract good. While that corresponds to what banks and other institutions do, the uselessness of their activity was never stated so clearly before.
Getting food is useful, so long as it will eventually be eaten, whether the chimp who caught it ate it himself or exchanged it for sex. Bitcoin has the merit to illustrate how come that the largest slices are owned by the supervisors for doing nothing, and it does so down to the level of detail the implementation requires. Is that enough to understand the nature of money?
Bitcoin is an undergrad economics project, writ large, and co-opted by criminals and the elite.
Yes, that's what it has become in practice.
I think because it's about out of control security apparatus, so it's kind of topical?
Yeah, I think an editor went a little knee-jerk. It's customs, not security. Customs has been pissing people off since the Union was founded.
There was a post on laptop stripping in New Zealand, last month. So this is the agricultural equivalent, in case someone had thought hackers are treated worse than musicians.
DRM is fine as long as it doesn't inconvenience the end user.
It does inconvenience the end user, because chances are you buy a product that you won't be able to use. That happens with blu-ray discs too, and after it happened to me I stopped buying that stuff for several months —guess what I did instead...
My personal laptop is set up to wipe itself if you fail to give the correct credentials enough times. "No," you may not have my password, or better yet, "Password99". Try using that one a few times ;-)
Wiping the laptop is the only option anyway. Once they have your password, they most likely install plenty of trojans, spyware, and keysniffers —at least, that's what NSA was reported to do, even without having their hands on the equipment.
Whatever it is, that's what we've come to. And it's no surprise. For all the reasons that broadcasts have ever been appropriately restricted, so should the internet be.
Now, you can certainly complain with the way that it's done. You can be upset at the sheer number of false positives. You can be correct in saying that it may actually be impossible or unfeasible to enforce. But then that becomes the debate, not the need for the restriction in the first place.
Not quite. The way it's done resembles blowing up that downtown building because they don't accept what's painted onto its side. By "complaining with the way it's done" I'd understand saying something like they should have used carefully placed dynamite charges rather than air-to-ground missiles. Instead, I want to say they really should leave the building in place. By design, there is no proper way to restrict the Internet! Safe browsing —for those who don't want to inadvertently see those sites— is a different story. The minister is not trying to safeguard people who cannot accept the publication. He targets those dangerous extremists who are actively looking for it, not reckoning that such technique is neither effective nor legitimate.
There's an EU opinion published a few days ago. (Oddly enough, no English version there, you may want to read The Telegraph instead.) The means for blocking which the EU advocate mentions are DNS blocks, not compatible with DNSSEC, and routing blocks, which are even worse. The advocate also says those blocks can be easily circumvented even by inexperienced users —e.g. using Tor— while they require a good deal of work to be set up. Nevertheless, he finds them not disproportionate. Here again, they consider that the copyright law must be protected, without reckoning that the Internet has a larger impact than the printing industry, after which the copyright law started in the early 1700s.
IMHO, it's governments who are turning old-fashioned.
children?
I don't think that makes much of a difference.
Except for emergency cases, people tend to change job when that entails better pay. Hence, the longer the experience, the higher the cost. For programmer positions, IME, non-programming managers tend to prefer a young and inexperienced employee over a top-notch coder, also because the latter will not let marketing guys impose inconsistent specifications as easily as a neophyte would. They like to mold their personnel, they say.
It didn't pass in Switzerland, and probably won't anywhere else. But it's good food for thought.
Furthermore, what exactly is the problem with a CEO making 500x the rate of the lowest (or even median) paid worker? Inherently, nothing. What matters is the wealth and progression of the middle class and the freedom to move freely through the classes, based on one's abilities and desires[2]. I would much rather live in a world with a strong middle class where the CEO's make 1500x what the average worker makes than a world where the middle class barely squeaks by while the CEO's only make 20x what the average worker makes.
Assuming the wages are proportional to the worthiness of the labor, 500x implies that average workers —the majority of people— are severely underutilized. The community is not leveraging their potential, possibly did not provide them a suitable education, and is barely entertaining them by employing them in useless jobs. That looks more like intensive human farming than free-range and freedom to move. Now that the industrial revolution is over, we should be able to devise better means to carry out repetitive, unskilled jobs.
It is wishful thinking to establish a max ratio by law. However, unrealistic ratios are an indicator of an ill society. For example, say a good CEO can run 40 yards in under 5 seconds. Would you deem realistic that the average needs more than 40 minutes to cover the same distance? That's 500x.
After all, it is not the CEO's who own corporations, but the shareholders. As such, it is the shareholders who ultimately decide upon the pay of the CEO. If the owners of a company decide that it is in the company's best interest to entice the top executives with $x, there is absolutely nothing wrong with that.
Good point. A law stating that an individual is not allowed to make decisions about his/her own pay would sound better than the Swiss proposal, for fiscal reasons. Establishing one's own pay is a hidden (albeit possibly temporary) ownership, even if the ensuing approval of a general assembly is required. BTW, I admire those companies where top management have a formal salary of $1.00.
It is common practice to buy shares without being engaged in a company's mission. Many shareholders just look for means of maintaining their small capital by buying and selling shares according to market fluctuations. That's not bad by itself, of course. But maximizing profit can be at odds with making ethical decisions. Here I'm using the term "ethical" with a hunch of how human brains work: Any computer can run the min-max algorithm, while ethical thinking involves different abilities. IMHO, min-max can be good for short term, tactical decisions, but a sane society should not allow long term strategies to be decided on the basis of someone's maximum earning, lest it blindly spiral toward unsustainable phases.
Nope, we cannot do a revolution, because we have free elections. If we had regimes we could.
From the article: "Those energy sources cannot scale up fast enough to deliver the amount of cheap and reliable power the world needs."
But nuclear power is neither cheap nor reliable. So why do they suggest that as a replacement for renewables? As to the "fast enough" part of that, solar and wind can be ramped up much faster than nuclear. The rationale of the article is not logical.
The rationale looks obvious if you think of a reliable way to make money fast enough, by selling cheap energy to the masses. If you allow each household to run their own windmill, solar cell, or geothermal heat, you get fewer monthly bills. With nuclear plants, in addition, the long term expenses related to thousands of years of nuclear waste disposal come for free.