HTTP/2, like Java, was written with the time frame in mind, ad it was decided that it's better to release a good specification soon than insist on a perfect specification that's never finished and deployed. There is a reason for that - a number of reasons, actually, but the #1 reason is IPv6.
On April Fool's day 2002 I announced that the backbones, root name servers, and other core infrastructure would be doing a cutover to IPv6 and we expected a few hours of downtime for the internet as a whole. The story was believable because IPv6 had been in the works for a couple of years and switchover at that point seemed logical, if the reader wasn't a network engineer.
Thirteen years later, 95% of internet traffic is still IPv4. Ten or twenty years from now, do we want to be using a better version of HTTP, or still be using HTTP/1.1 and talking about HTTP/2?
It might work well. Community college is pretty cheap, and can nearly double one's income early on. One BIG variable is that a lot of community colleges already have a high drop-out rate and that's among people who are motivated enough to pay for it. If it was free, many more people might start without being highly motivated to do the hard work to finish.
I'd like to see what happens with the one state that's already trying it before forcing it on the other 49 states. I say give that a year or two and see how it works so we know a) does it make any sense at all vs other uses for the money and b) HOW should it be done - what exactly went wrong and what went right in that state.
I suspect that with an objective, dispassionate analysis of just how the experiment went in that one state, we could come up with something that would work well nationwide. It might end up being very different from what the president has in mind, but still the same concept. Maybe certain programs are taxpayer funded - if the nation needs more nurses, subsidize nursing school, but don't subsidise the study of Victorian art or whatever. Let's have a look in a couple years and see what we can learn from the state that's doing it. Then, spend billions of your money in the way that seems to make the most sense based on actual results.
> The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.
I don't know that most of the major incidents were, but let's just assume that's true for a moment. Those are all security. Security is more than just the firewall.
A complete answer would run 600 pages, but here are some solutions in summary.
Lax user pass words - pass words are so 1980. Use pass phrases and keys. Just doing a search and replace to say "pass phrase" or "secret sentence" every where we've written "password" would largely solve that problem.
Internal access - has normally been COMPLETELY UNNECESSARY internal access. Snowden didn't need access to all of those documents to do his job, and that's the NSA, an organization that should have good security. Right now at work we're auditing internal access. Everyone should, because in most organizations some people have far, far more access than what makes sense.
Social engineering - test and reward. Call up a few employees at random maybe once per year with a social engineering pen test. Employees who properly refuse to give out sensitive information get a gift card for dinner or some other recognition for doing a good job. Tell employees ahead of time that you plan to do that this year. When the attacker calls, employees will think "maybe this is security calling, here's my chance to show I know better and win".
Those are a few examples. For technical vulnerabilities, it requires changing the mindset from "does the system give good output when fed good input?" to also include "what happens if a bad guy feeds it unexpected input?". My coworkers are slowly starting to realize that if they announce "the new system works, you type your password and it logs you in", I'm going to ask "what happens if I type in SQL code instead of my password?".
Not just what happens when everything goes right, but what happens when things go wrong? This has the side effect of producing far more reliable systems. For example, ALL providers in a certain blind of business had the same bug in their software - it would all empty the data file if the disk was full. That's because they all wrote the new version of the data on top of the old. We made patched copies of all their software that gracefully handles disk full. What happens when things aren't as you expect. At work, we had lots of intermittent errors that were hard to track down, so they were just tolerated for years, with people cleaning up the mess they made every week. Asking "what happens if things don't go as expected?" revealed these were concurrency issues that were easily solved. So these security threats are not only solvable, but the changed perspective results in better, more reliable systems, and therefore less time-consuming and error-prone manual handling of errors.
>. You will need to talk to the 4-year university (not the 2-year college) to see which 2-year college courses apply to what before you take them
Yes. As an example, I live next to Texas A&M. Next to A&M is Blinn, a community college. They have very specific agreements that this two-year degree counts as two years toward this four-year. So IF you plan ahead, you have a guarantee. A large percentage of students follow that plan, both to save money and some students need a good GPA at Blink before they are qualified to be admitted at A&M. That's probably pretty typical of major flagship universities.
The Texas A&M System has six other universities, such as Prairie View. One flagship, six other state schools in the system. Which means MOST state universities aren't the big-name flagships. Prairie View and the others are a bit more lenient on transfer credits. Some accept any class that's ACE accredited - which includes some that aren't even taught by colleges. That class taught by the Forest Service may be ACE accredited and accepted by many non-flagship universities.
I recently went back to school after having run my own companies for twenty years, riding the internet revolution. I chose a university that is a state school in Texas and 18 other states, Western Governors University. It is designed largely for adult students with job experience, so they'll accept all sorts of things for transfer credit. For example, industry certifications; if you have one of Microsoft's or CompTIA's more advanced certifications, they accept that in place of a similar class.
So you don't HAVE to take another three and half years if you already did two. You CAN get your degree from a state university like Prairie View rather than Texas A&M, or you can even do WGU and get credit for that system you designed and built at work, if it proves you know the subject matter.
If you want to go to a major flagship school, the kind where most applicants don't get in, then you better plan ahead and be aware of the specifics of the matriculation agreement.
Source: I manage a campus where we offer ACE accredited courses and have matriculation agreements. We're part of the Texas A&M System, but we're not a university.
>. Of course you can, but that's like looking at your opponents cards while they are playing. You still would have no idea what "hand" the other robot is playing.
You CAN know, with sufficient precision to matter, what cards the opponent holds . We can know if it has a strong hand, a medium hand, or a weak hand. That's the difference between a competent poker player and a pro. That's the whole point of everything you learn after your first few poker games. I'll explain.
Consider the first bet. The bot bets based on its hole cards only. Obviously you'd bet pocket aces and you wouldn't bet 3-7 off suit. In between are a number of different hand possibilities, each with a defined rank - you can trivially say one pair of cards is better or worse than another pair. Therefore, your computerized rule for the first bet comes down to one value - bet if your hand is better than X, check fold if it's X or worse. A good player will notice that every time the not bets, it has at least a pair of threes. So when the not bets, we know it has at least a pair of threes.
Suppose we have a pair of twos and the not bets. We know that we should fold, because the bot has us beat with a pair of threes or better. Suppose the bot plays first and checks. We know it doesn't have a pair of threes, so if web have that or better we should check.
By watching what the bot does and what cards it later reveals, we learn its rules for those questionable situations. We can invert those rules to know whether it has good, great, or poor cards this time. Suppose the bot throws in a bit of randomness. No problem since Bayes theorem in 1700s. We want to know the probability of a strong hand, given the bet. That's written as P(S|B). We calculate that as P(S|B) = P(B|S) * P(S) / P(B). P(S) we just look up from any of the sources who have calculated the odds of getting a sttong hand. We have P(B) and P(B|S) empirically, from its betting history.
You make a good point. Also, every other day we see another story of "XXX million lost in hack".
It's become so frequent we almost get completely numb to it. A week ago, someone posted here that Microsoft hadn't had any significant issues in a while - 48 hours after their Xbox network was taken down for several days. Having the whole network down for a several days is so common that we forget all about it a couple of days later. That's how common major security issues are right now. We need to make some significant changes in how we develop systems.
> a 2-year degree from a community college does not knock off anywhere near 2 years from a 4-year bachelor's degree.
You may be thinking of jacking around taking two years of random classes, as opposed to getting an associate's degree. Or getting a two-year degree in liberal arts and trying to apply it to a four-year degree in the hard sciences. Most community colleges have matriculation agreements with nearby universities. These agreements GUARANTEE that those two years transfer.
Of course you want to look at the agreement before you select your program - a two-year degree in Art will probably transfer to a four-year degree in Art. If you switch to Physics at the university, that's when only one year of general education classes might transfer. If you pay attention to what you're doing, though, you can have guaranteed that all of your credits transfer. You just have to select one of the two-year programs that applies to your four-year degree plans.
If you don't know what you want to do for your four-year, you can choose "general education" for your two-year, which means taking all the common requirements, a bit of math, a bit of science, a bit of history, etc. Those will apply to most any four-year degree. It means you can't take American History 101-401, though; because most 4-year degrees only include two history classes, not four.
> We need real laptops which can at least run prime calculation at advertised turbo boost speed, full cores/threads for an entire day.
Intel says:
Intel Turbo Boost Technology 2.0 allows the processor to operate at a power level that is higher than its TDP configuration and data sheet specified power for short durations to maximize performance.
Turbo Boost is designed to kick in for one to two seconds while rendering some enormously complex page or something. The CPUs are not designed to run at Turbo Boost speeds all day; so says Intel, and I suppose they know something about Intel processors.
Non-obligatory car analogy: Nitrous Boost would have been a more analogous name. It's used for seconds, like nitrous oxide, not all day, like a turbo can be.
> apparently when the attackers connect from Eastern Europe: "it's a proxy server" but if they connect from an IP address inside a regime the CIA has a hard-on for pressuring economically: it's a smoking gun.
Actually, in this case it actually is good evidence. Eastern Europe is full of open proxies, and you can tell they are open proxies by actually using them as proxies. North Korea has a total of 1024 IP addresses assigned, and fewer than that in use. US intelligence has mapped most of those to individual people or offices. So yeah, when messages come from the IP of the appropriate NK government offices, it actually is reasonably strong evidence.
Google did not say they support regulating broadband as if it were POTS. Their letter is pretty short - the first page pretty well covers their position, then there are 2 1/2 pages supporting it.
The "penalty of perjury" clause of the DMCA applies to identifying yourself, but the DMCA isn't the only law. Recklessly causing harm was a tort before the DMCA, and it still is. I believe there has been at least one law suit for tortuous interference and I'd like to see more. I think the plaintiffs could prevail where the notices were sent out recklessly.
In some cases, the person CONTINUED to send notices after being notified that many of them were clearly invalid. One can argue that they TRIED to come up with a good list of URLs, but once they've been informed that their list is crap, it's reckless to continue sending them.
Of course it's possible that they could show that they sent out 10,000 notices and 9,990 of those were perfectly correct. With a 99.9% accuracy rate the claim that they were reckless would be tougher to argue.
> only if they have this relationship millions of times with the same key. Y
You're referring the March 2013 revelations about RC4 as used in SSL/TLS. That's just one in a long line of issues. In 2001, we knew that RC4 had a flaw, but we didn't think it could be exploited. It was soon used to break RC4 in WEP, though slowly. In 2005 Fluhrer, Mantin and Shamir improved the attack to crack WEP RC4 in under a minute (aircrack-ptw). In 2013, even worse news for RC4. In 2016, the attacks on RC4 expand to ???. I'm not betting MY customers' security on the answer.
If you're transferring large amounts of information, including X-Forwarding AND never access systems with very sensitive data such as credit cards, RC4 is probably okay FOR NOW. However, weak attacks tend to become complete breaks. It's entirely reasonable to expect that RC4 may well be utterly broken in a year, or two or three. If you're going to review your algorithm choices annually, you can probably keep RC4 for 2015. You'll need to check again in 2016 though. Personally, I'd rather not reconfigure all my systems' ssh very frequently, so I'd remove any algorithms that have been weakened, before they are completely broken.
Around 1% of RSA keys are easily broken, meaning you could decrypt your data without paying the ransom. This is because about 1% of keys are weak in one way or another. I wonder about the key generation function this malware uses. If they are using one of the weaker algorithms to generate keys, many victims may be able to decrypt fairly easily.
We use two strategies. First, the backup device is ONLY a backup device. It doesn't have a web browser and it's not used for email. We use very large servers to backup our customer data, but on a small scale you could use a Raspberry Pi, an old router with OpenWRT, or a smart NAS. Because the device handling backups has no desktop or services, it shouldn't get infected. Access is strictly limited - either console only or strong ssh keys, perhaps through a VPN first. The backup device can be so restricted because it doesn't need to be useable for anything but pulling backups.
Its access to the machines it backs up can also be extremely limited. The ssh key of the backup device is only allowed to run rsync with pull arguments. So even if the backup device were compromised, it can do no harm.
You won't normally find me talking about the federal government being very effective at anything, but they have done some things right with cyber security. For example, their series of free online classes covering cyber security is much better than I would have expected.
Of course they did contract that out to a STATE agency, and a rather unique one that whose budget process and operations is more like a private business - if people don't like the product (the classes), the agency doesn't get paid. So maybe I can acknowledge the good results without it being political heresy.:)
Disclaimer - I work nearby the cyber security program that made the classes, so I may not be objective. Then again, I don't praise most people I work with. I was expecting the classes to not be very good, and I was genuinely surprised at how good they are.
Icy roads? Yeah, when I was 16 I took my driving test in Denver Colorado, in December. So several feet of snow on each side of the road and plenty of ice around. Come to think of it, that was kind of dumb.
> There was a time when Slashdot was full of people who'd think more than two seconds about their brave new economic ideas, rather than just demanding a pony.
Yep, that time was October 5th, 1997. Then the second user joined the site, and the idiocy began.
Just another symptom of thinking that software architecture and development is mostly about a language. Yes, knowing the language used in your field is important - that's why lower-level college classes have plenty of vocabulary. A developer should know the words, abbreviations, and symbols used in software development, just like an archeologists should know the words, abbreviations, and symbols used in archeology, and a fire marshall should know the words, abbreviations, and symbols used in fire protection. None of these fields is ABOUT the vocabulary, though. The words and symbols are used to record what you've done, but they are ancillary to the field.
Really, saying "C# developer" is like saying "Spanish anthropologist" or "English physicist". Maybe Stephen Hawking only speaks English - a certain German guy named Al Einstein showed how much language matters when he came to the US.
Sometimes I forget what language I'm writing in, and end up with excellent, reliable code written in two languages at once. Sometimes, most of my functions will compile and run in two or three different languages = X + 3 is x + 3 in most languages.
If my browser sends an order to buy drugs, based on me clicking things like "Submit Order", I used my computer and browser to make the order. Clearly I'm responsible. Whether I place the order by using cash, a telephone, or a browser, the person running it made the purchase.
If my bot infects your computer, based on me typing code like: for each ip in network do
try_to_infect(ip) done
I used a Word macro to infect you. Clearly, I am responsible. It doesn't mater if I use a Word macro, a boot-sector virus, or a hammer to destroy your computer - I did it, the hammer or macro is just the tool I used.
If I use my computer to submit an order for illegal drugs by typing:
while true do
buy_random_item(piratebay) done
Then once I again, I bought drugs using a program I wrote as the tool. I'd be the one who chose to order random stuff from someone selling illegal stuff. The bot I wrote is just the tool I used to place the order.
The most comprehensive recount was a $1 million effort sponsored by the Associated Press, New York Times, Wall Street Journal, CNN, St. Petersburg Times, Palm Beach Post, Washington Post and the Tribune Co., which owns papers including the Los Angeles Times, Chicago Tribune, Orlando Sentinel and Baltimore Sun. That press recount, the big one, found that Bush still won, even without the military votes.
One last time, if you think there was some other recount that found different, LINK TO IT.
There was one well known study afterwards claiming a Gore victory - not a recount, but an analysis of the press recount bases on applying different rules in different precincts. That's probably what you're thinking of. If you count dimpled ballots for Gore, while throwing out hanging chads for Bush, and throw out the military vote, you can get whatever result you want.
>. (if you can prove that you ALWAYS destroy your data after X days/ x failed writes/ etc. then you're not culpable if you do what you always do just prior to being served).
Yep, that's one reason to have a data retention policy. One footnote though - it is unlawful to destroy evidence if you have reason to believe it's about to be subpoenaed. See Rose law firm, Clinton et al.
I wrote one as a Grease Monkey script, but I've never seen it as an app. Of course I haven't lookeed - maybe there is an app. It sets display: none on any posts that are extremely long like the cleanmypc ones, any that mention a certain file used to map host names to IP addresses, and any users I blacklist.
90% of forums run on one of two or three popular forum scripts, so one app could work on most forums.
A couple of people have mentioned success with Fedora. That doesn't surprise me because Fedora is supposed to have all the latest packages, with the latest in touchscreen features and the newest version of drivers for the newest hardware. However, balance that against the other side of the coin. Because Fedora is based on the latest and newest, they don't provide the type of long term support for older versions that Ubuntu and some others do.
If you choose Fedora, realise that pretty soon you'll have to decide to either a) upgrade to the next version of Fedora or b)stick with the versions you have of all the software. Don't plan on installing the 2017 version of a program on a 2014 version of Fedora. Plan to either upgrade the whole OS or upgrade nothing in a few years.
Ubuntu and CentOS are more about long term stability. The current version of CentOS will be getting updated packages by years from now, so you can keep using the same version of CentOS and update packages as needed.
The downside to the more long term stable distros is that they may not have the latest and greatest touch screen features - they'll have well-tested packages that have already proved themselves in Fedora for a year before they are added to CentOS (debranded RHEL).
HTTP/2, like Java, was written with the time frame in mind, ad it was decided that it's better to release a good specification soon than insist on a perfect specification that's never finished and deployed. There is a reason for that - a number of reasons, actually, but the #1 reason is IPv6.
On April Fool's day 2002 I announced that the backbones, root name servers, and other core infrastructure would be doing a cutover to IPv6 and we expected a few hours of downtime for the internet as a whole. The story was believable because IPv6 had been in the works for a couple of years and switchover at that point seemed logical, if the reader wasn't a network engineer.
Thirteen years later, 95% of internet traffic is still IPv4. Ten or twenty years from now, do we want to be using a better version of HTTP, or still be using HTTP/1.1 and talking about HTTP/2?
It might work well. Community college is pretty cheap, and can nearly double one's income early on. One BIG variable is that a lot of community colleges already have a high drop-out rate and that's among people who are motivated enough to pay for it. If it was free, many more people might start without being highly motivated to do the hard work to finish.
I'd like to see what happens with the one state that's already trying it before forcing it on the other 49 states. I say give that a year or two and see how it works so we know a) does it make any sense at all vs other uses for the money and b) HOW should it be done - what exactly went wrong and what went right in that state.
I suspect that with an objective, dispassionate analysis of just how the experiment went in that one state, we could come up with something that would work well nationwide. It might end up being very different from what the president has in mind, but still the same concept. Maybe certain programs are taxpayer funded - if the nation needs more nurses, subsidize nursing school, but don't subsidise the study of Victorian art or whatever. Let's have a look in a couple years and see what we can learn from the state that's doing it. Then, spend billions of your money in the way that seems to make the most sense based on actual results.
I'm a Republican.
> The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.
I don't know that most of the major incidents were, but let's just assume that's true for a moment. Those are all security. Security is more than just the firewall.
A complete answer would run 600 pages, but here are some solutions in summary.
Lax user pass words - pass words are so 1980. Use pass phrases and keys. Just doing a search and replace to say "pass phrase" or "secret sentence" every where we've written "password" would largely solve that problem.
Internal access - has normally been COMPLETELY UNNECESSARY internal access. Snowden didn't need access to all of those documents to do his job, and that's the NSA, an organization that should have good security. Right now at work we're auditing internal access. Everyone should, because in most organizations some people have far, far more access than what makes sense.
Social engineering - test and reward. Call up a few employees at random maybe once per year with a social engineering pen test. Employees who properly refuse to give out sensitive information get a gift card for dinner or some other recognition for doing a good job. Tell employees ahead of time that you plan to do that this year. When the attacker calls, employees will think "maybe this is security calling, here's my chance to show I know better and win".
Those are a few examples. For technical vulnerabilities, it requires changing the mindset from "does the system give good output when fed good input?" to also include "what happens if a bad guy feeds it unexpected input?". My coworkers are slowly starting to realize that if they announce "the new system works, you type your password and it logs you in", I'm going to ask "what happens if I type in SQL code instead of my password?".
Not just what happens when everything goes right, but what happens when things go wrong? This has the side effect of producing far more reliable systems. For example, ALL providers in a certain blind of business had the same bug in their software - it would all empty the data file if the disk was full. That's because they all wrote the new version of the data on top of the old. We made patched copies of all their software that gracefully handles disk full. What happens when things aren't as you expect. At work, we had lots of intermittent errors that were hard to track down, so they were just tolerated for years, with people cleaning up the mess they made every week. Asking "what happens if things don't go as expected?" revealed these were concurrency issues that were easily solved. So these security threats are not only solvable, but the changed perspective results in better, more reliable systems, and therefore less time-consuming and error-prone manual handling of errors.
>. You will need to talk to the 4-year university (not the 2-year college) to see which 2-year college courses apply to what before you take them
Yes. As an example, I live next to Texas A&M. Next to A&M is Blinn, a community college. They have very specific agreements that this two-year degree counts as two years toward this four-year. So IF you plan ahead, you have a guarantee. A large percentage of students follow that plan, both to save money and some students need a good GPA at Blink before they are qualified to be admitted at A&M. That's probably pretty typical of major flagship universities.
The Texas A&M System has six other universities, such as Prairie View. One flagship, six other state schools in the system. Which means MOST state universities aren't the big-name flagships. Prairie View and the others are a bit more lenient on transfer credits. Some accept any class that's ACE accredited - which includes some that aren't even taught by colleges. That class taught by the Forest Service may be ACE accredited and accepted by many non-flagship universities.
I recently went back to school after having run my own companies for twenty years, riding the internet revolution. I chose a university that is a state school in Texas and 18 other states, Western Governors University. It is designed largely for adult students with job experience, so they'll accept all sorts of things for transfer credit. For example, industry certifications; if you have one of Microsoft's or CompTIA's more advanced certifications, they accept that in place of a similar class.
So you don't HAVE to take another three and half years if you already did two. You CAN get your degree from a state university like Prairie View rather than Texas A&M, or you can even do WGU and get credit for that system you designed and built at work, if it proves you know the subject matter.
If you want to go to a major flagship school, the kind where most applicants don't get in, then you better plan ahead and be aware of the specifics of the matriculation agreement.
Source: I manage a campus where we offer ACE accredited courses and have matriculation agreements. We're part of the Texas A&M System, but we're not a university.
>. Of course you can, but that's like looking at your opponents cards while they are playing. You still would have no idea what "hand" the other robot is playing.
You CAN know, with sufficient precision to matter, what cards the opponent holds . We can know if it has a strong hand, a medium hand, or a weak hand. That's the difference between a competent poker player and a pro. That's the whole point of everything you learn after your first few poker games. I'll explain.
Consider the first bet. The bot bets based on its hole cards only. Obviously you'd bet pocket aces and you wouldn't bet 3-7 off suit. In between are a number of different hand possibilities, each with a defined rank - you can trivially say one pair of cards is better or worse than another pair. Therefore, your computerized rule for the first bet comes down to one value - bet if your hand is better than X, check fold if it's X or worse. A good player will notice that every time the not bets, it has at least a pair of threes. So when the not bets, we know it has at least a pair of threes.
Suppose we have a pair of twos and the not bets. We know that we should fold, because the bot has us beat with a pair of threes or better. Suppose the bot plays first and checks. We know it doesn't have a pair of threes, so if web have that or better we should check.
By watching what the bot does and what cards it later reveals, we learn its rules for those questionable situations. We can invert those rules to know whether it has good, great, or poor cards this time. Suppose the bot throws in a bit of randomness. No problem since Bayes theorem in 1700s. We want to know the probability of a strong hand, given the bet. That's written as P(S|B). We calculate that as P(S|B) = P(B|S) * P(S) / P(B). P(S) we just look up from any of the sources who have calculated the odds of getting a sttong hand. We have P(B) and P(B|S) empirically, from its betting history.
You make a good point. Also, every other day we see another story of "XXX million lost in hack".
It's become so frequent we almost get completely numb to it. A week ago, someone posted here that Microsoft hadn't had any significant issues in a while - 48 hours after their Xbox network was taken down for several days. Having the whole network down for a several days is so common that we forget all about it a couple of days later. That's how common major security issues are right now. We need to make some significant changes in how we develop systems.
> a 2-year degree from a community college does not knock off anywhere near 2 years from a 4-year bachelor's degree.
You may be thinking of jacking around taking two years of random classes, as opposed to getting an associate's degree. Or getting a two-year degree in liberal arts and trying to apply it to a four-year degree in the hard sciences. Most community colleges have matriculation agreements with nearby universities. These agreements GUARANTEE that those two years transfer.
Of course you want to look at the agreement before you select your program - a two-year degree in Art will probably transfer to a four-year degree in Art. If you switch to Physics at the university, that's when only one year of general education classes might transfer. If you pay attention to what you're doing, though, you can have guaranteed that all of your credits transfer. You just have to select one of the two-year programs that applies to your four-year degree plans.
If you don't know what you want to do for your four-year, you can choose "general education" for your two-year, which means taking all the common requirements, a bit of math, a bit of science, a bit of history, etc. Those will apply to most any four-year degree. It means you can't take American History 101-401, though; because most 4-year degrees only include two history classes, not four.
> We need real laptops which can at least run prime calculation at advertised turbo boost speed, full cores/threads for an entire day.
Intel says:
Intel Turbo Boost Technology 2.0 allows the processor to operate at a power level that is higher than its TDP configuration and data sheet specified power for short durations to maximize performance.
Turbo Boost is designed to kick in for one to two seconds while rendering some enormously complex page or something. The CPUs are not designed to run at Turbo Boost speeds all day; so says Intel, and I suppose they know something about Intel processors.
Non-obligatory car analogy: Nitrous Boost would have been a more analogous name. It's used for seconds, like nitrous oxide, not all day, like a turbo can be.
> apparently when the attackers connect from Eastern Europe: "it's a proxy server" but if they connect from an IP address inside a regime the CIA has a hard-on for pressuring economically: it's a smoking gun.
Actually, in this case it actually is good evidence. Eastern Europe is full of open proxies, and you can tell they are open proxies by actually using them as proxies. North Korea has a total of 1024 IP addresses assigned, and fewer than that in use. US intelligence has mapped most of those to individual people or offices. So yeah, when messages come from the IP of the appropriate NK government offices, it actually is reasonably strong evidence.
Google did not say they support regulating broadband as if it were POTS. Their letter is pretty short - the first page pretty well covers their position, then there are 2 1/2 pages supporting it.
https://s3.amazonaws.com/s3.do...
If one page is too long for you to read, here's the one sentence summary of what Google said:
If you assholes have bureaucrats set our pricing under title II, you'd better also give us access to poles under title II.
It's like telling the dentist "if you pull out my tooth, use novacain" - that doesn't mean you want the tooth pulled.
The "penalty of perjury" clause of the DMCA applies to identifying yourself, but the DMCA isn't the only law. Recklessly causing harm was a tort before the DMCA, and it still is. I believe there has been at least one law suit for tortuous interference and I'd like to see more. I think the plaintiffs could prevail where the notices were sent out recklessly.
In some cases, the person CONTINUED to send notices after being notified that many of them were clearly invalid. One can argue that they TRIED to come up with a good list of URLs, but once they've been informed that their list is crap, it's reckless to continue sending them.
Of course it's possible that they could show that they sent out 10,000 notices and 9,990 of those were perfectly correct. With a 99.9% accuracy rate the claim that they were reckless would be tougher to argue.
> only if they have this relationship millions of times with the same key. Y
You're referring the March 2013 revelations about RC4 as used in SSL/TLS. That's just one in a long line of issues. In 2001, we knew that RC4 had a flaw, but we didn't think it could be exploited. It was soon used to break RC4 in WEP, though slowly. In 2005 Fluhrer, Mantin and Shamir improved the attack to crack WEP RC4 in under a minute (aircrack-ptw). In 2013, even worse news for RC4. In 2016, the attacks on RC4 expand to ???. I'm not betting MY customers' security on the answer.
If you're transferring large amounts of information, including X-Forwarding AND never access systems with very sensitive data such as credit cards, RC4 is probably okay FOR NOW. However, weak attacks tend to become complete breaks. It's entirely reasonable to expect that RC4 may well be utterly broken in a year, or two or three. If you're going to review your algorithm choices annually, you can probably keep RC4 for 2015. You'll need to check again in 2016 though. Personally, I'd rather not reconfigure all my systems' ssh very frequently, so I'd remove any algorithms that have been weakened, before they are completely broken.
Around 1% of RSA keys are easily broken, meaning you could decrypt your data without paying the ransom. This is because about 1% of keys are weak in one way or another. I wonder about the key generation function this malware uses. If they are using one of the weaker algorithms to generate keys, many victims may be able to decrypt fairly easily.
We use two strategies. First, the backup device is ONLY a backup device. It doesn't have a web browser and it's not used for email. We use very large servers to backup our customer data, but on a small scale you could use a Raspberry Pi, an old router with OpenWRT, or a smart NAS. Because the device handling backups has no desktop or services, it shouldn't get infected. Access is strictly limited - either console only or strong ssh keys, perhaps through a VPN first. The backup device can be so restricted because it doesn't need to be useable for anything but pulling backups.
Its access to the machines it backs up can also be extremely limited. The ssh key of the backup device is only allowed to run rsync with pull arguments. So even if the backup device were compromised, it can do no harm.
You won't normally find me talking about the federal government being very effective at anything, but they have done some things right with cyber security. For example, their series of free online classes covering cyber security is much better than I would have expected.
Of course they did contract that out to a STATE agency, and a rather unique one that whose budget process and operations is more like a private business - if people don't like the product (the classes), the agency doesn't get paid. So maybe I can acknowledge the good results without it being political heresy. :)
Disclaimer - I work nearby the cyber security program that made the classes, so I may not be objective. Then again, I don't praise most people I work with. I was expecting the classes to not be very good, and I was genuinely surprised at how good they are.
Icy roads? Yeah, when I was 16 I took my driving test in Denver Colorado, in December. So several feet of snow on each side of the road and plenty of ice around. Come to think of it, that was kind of dumb.
> There was a time when Slashdot was full of people who'd think more than two seconds about their brave new economic ideas, rather than just demanding a pony.
Yep, that time was October 5th, 1997. Then the second user joined the site, and the idiocy began.
I said:
> X + 3 is x + 3 in most languages.
Uhm, no. But x + 3 is x + 3 in many different languages. If x=4, then X + 3 is a compiler error in sane languages, and a PITA in silly languages.
Just another symptom of thinking that software architecture and development is mostly about a language. Yes, knowing the language used in your field is important - that's why lower-level college classes have plenty of vocabulary. A developer should know the words, abbreviations, and symbols used in software development, just like an archeologists should know the words, abbreviations, and symbols used in archeology, and a fire marshall should know the words, abbreviations, and symbols used in fire protection. None of these fields is ABOUT the vocabulary, though. The words and symbols are used to record what you've done, but they are ancillary to the field.
Really, saying "C# developer" is like saying "Spanish anthropologist" or "English physicist". Maybe Stephen Hawking only speaks English - a certain German guy named Al Einstein showed how much language matters when he came to the US.
Sometimes I forget what language I'm writing in, and end up with excellent, reliable code written in two languages at once. Sometimes, most of my functions will compile and run in two or three different languages = X + 3 is x + 3 in most languages.
If my browser sends an order to buy drugs, based on me clicking things like "Submit Order", I used my computer and browser to make the order. Clearly I'm responsible. Whether I place the order by using cash, a telephone, or a browser, the person running it made the purchase.
If my bot infects your computer, based on me typing code like:
for each ip in network
do
try_to_infect(ip)
done
I used a Word macro to infect you. Clearly, I am responsible. It doesn't mater if I use a Word macro, a boot-sector virus, or a hammer to destroy your computer - I did it, the hammer or macro is just the tool I used.
If I use my computer to submit an order for illegal drugs by typing:
while true
do
buy_random_item(piratebay)
done
Then once I again, I bought drugs using a program I wrote as the tool. I'd be the one who chose to order random stuff from someone selling illegal stuff. The bot I wrote is just the tool I used to place the order.
The most comprehensive recount was a $1 million effort sponsored by the Associated Press, New York Times, Wall Street Journal, CNN, St. Petersburg Times, Palm Beach Post, Washington Post and the Tribune Co., which owns papers including the Los Angeles Times, Chicago Tribune, Orlando Sentinel and Baltimore Sun. That press recount, the big one, found that Bush still won, even without the military votes.
One last time, if you think there was some other recount that found different, LINK TO IT.
There was one well known study afterwards claiming a Gore victory - not a recount, but an analysis of the press recount bases on applying different rules in different precincts. That's probably what you're thinking of. If you count dimpled ballots for Gore, while throwing out hanging chads for Bush, and throw out the military vote, you can get whatever result you want.
>. (if you can prove that you ALWAYS destroy your data after X days/ x failed writes/ etc. then you're not culpable if you do what you always do just prior to being served).
Yep, that's one reason to have a data retention policy. One footnote though - it is unlawful to destroy evidence if you have reason to believe it's about to be subpoenaed. See Rose law firm, Clinton et al.
I wrote one as a Grease Monkey script, but I've never seen it as an app. Of course I haven't lookeed - maybe there is an app. It sets display: none on any posts that are extremely long like the cleanmypc ones, any that mention a certain file used to map host names to IP addresses, and any users I blacklist.
90% of forums run on one of two or three popular forum scripts, so one app could work on most forums.
A couple of people have mentioned success with Fedora. That doesn't surprise me because Fedora is supposed to have all the latest packages, with the latest in touchscreen features and the newest version of drivers for the newest hardware. However, balance that against the other side of the coin. Because Fedora is based on the latest and newest, they don't provide the type of long term support for older versions that Ubuntu and some others do.
If you choose Fedora, realise that pretty soon you'll have to decide to either a) upgrade to the next version of Fedora or b)stick with the versions you have of all the software. Don't plan on installing the 2017 version of a program on a 2014 version of Fedora. Plan to either upgrade the whole OS or upgrade nothing in a few years.
Ubuntu and CentOS are more about long term stability. The current version of CentOS will be getting updated packages by years from now, so you can keep using the same version of CentOS and update packages as needed.
The downside to the more long term stable distros is that they may not have the latest and greatest touch screen features - they'll have well-tested packages that have already proved themselves in Fedora for a year before they are added to CentOS (debranded RHEL).