The "molten" stories trace back to two original sources. One is describing what they saw, the other is describing a photo. Both refer to red hot beams in the days after. An exact quote is "lifting a molten steel beam". Obviously if it were truly molten, it wouldn't be a beam anymore and noone would be lifting it.
This makes sense, because there's nothing that would maintain molten steel for weeks. About the only things that could do that would be certain types of fault lines or an underground coal seam. Some silly people who have clearly never messed around with thermite have mentioned thermite as if it had some magical properties. From someone who HAS made thermite, I can tell you it burns several milliseconds, not several weeks. That's how it gets so hot - by releasing all of its energy quickly.
> Security for such things is mostly about checklists,
It amazes me that you could have enough of a clue to have heard of SANS, yet still think that. Security is more about an attitude of consistent vigilance, of always looking at from the perspective "this will be attacked, how?", I think.
You're not completely clueless, and you'll find my name on Mitre CVEs so I'm not clueless either, but we have VERY different ideas about core practices.
> The Boomers spent all their social security money on bombers and tax cuts and benefits, and now they sit there with their hands out expecting
There's some truth to that. How old are you, though? The last six years have been a spending spree equal to the everything that came before combined. The baby boomers were irresponsible. Their kids have been beyond irresponsible.
By the way, what Freescale releasrd in February was the world's smallest ARM processor, just 2mm square. It's also the world's most efficient, meaning best battery life. Tiny ARM processors are used in all manner of consumer electronics. Tiny processors aren't really helpful in big devices like "military radar". Size is key in portable devices like smart watches and medical applications such as pacemakers.
More specifically, it collapsed as though the FIRST floor could no longer support the weight of the entire building on top of it. You can see that in the videos.
You can see the exact same thing in your kitchen if you have a gas stove. I know it's more fun to read spy stories than to actually try an experiment, but just know that I'm going to ignore any replies from you until you try the experiment yourself.
Go get a few wire coat hangers or similar metal wire, and some pans. In your kitchen, set up some wire supports to hold a pan four inches above the flame. Try to make the supports symmetrical, like the way a professional building would be designed. Pretend that the wire costs a million dollars per inch, so you'll use the minimum amount of wire necessary to hold the pan up. A bundt cake pan or something with a central opening would be the best simulation, simulating the center elevator columns.
Also keep in mind WTC 7 was tricky to design because the first couple of floors were built around / over an existing power station, so it was designed to use fewer, stronger supports than most buildings would. (You can't put a 40' wide support column right through a part of the power station).
Once the first pan is in place, add three more "floors" (pans), so you have four or more floors, each a few inches apart.
Now tturn the fire on high and wait 5-15 minutes. What Wil happen is that the heat will soften the metal supports just a bit at first, then more so as they heat up. At some point (as high as 500-600 degrees), they'll get soft enough that they collapse under the weight of all those pans. The stack will drop, just like WTC 7.
I KNOW yyou want to argue with me right now. That's cool, you can do that. But first, go in your kitchen and give it a try. Then you can argue from actual knowledge as opposed to repeating silly ghost stories about topics you're unfamiliar with.
You make the assumption that the system is stupid. Most systems ARE stupid, so that's reasonable. However, here I'm talking about a system that isn't stupid. I said a properly designed system.
> I'm going to assume over and over that it's the captcha that I'm just not reading correctly (is that distorted Y character an uppercase or lowercase?).
That would be stupid. Our system doesn't do that. There's no distorted Y, and even if a customer chooses the textual captcha rather than the default , case doesn't matter.
> I couldn't use one of my usual login names because your website required me to use 2 numbers in my login name
That would also be stupid, so we don't do that.
> stupid limitations on what the password can or cannot be
We avoid doing stupid.
> systems which do a permanent lockout (rather than a 20 minute lockout or whatever), which requires a phone call to unlock (a few banks are guilty of this).
That's stupid, so we don't do that. Ours unlocks in a very short period of time in such cases. The automatic unlock period of time varies based on how severe the abuse is. It could be anywhere from one second (user probably forgot password) to 48 hours(definitely an attack) based on intelligent (not stupid) consideration of EXACTLY what pattern we're seeing. Generally, a user who forgot their password isn't that hard to differentiate from an attack.
> super secure system should not leak any info. On the other hand, it's nice when you also make this stuff user friendly.
Leaking that info is tens of thousands of times more useful to the attacker than it is to the account holder. You're right, IF the system is eight kinds of stupid, THEN it's helpful for it to also be stupid and leak the info. If it's NOT stupid in the ways you listed above, then it doesn't need to be stupid and leak the info.
From that comment I take it you've changed your mind and decided that Oxford is correct and comprehensive? Because it doesn't say what you claimed "all dictionaries x say. American Heritage doesn't either.
If so, I guess you've also decided that all fruits are apples, because Oxford says apple is a fruit.
Thegarbz said:
all the major dictionaries define pilot-less remote controlled aircraft as drones providing they can be flown out of line of sight
Then he said: 4. A remote-controlled pilotless aircraft or missile.
Notice Oxford doesn't say anything about line of sight. Indeed, they make no distinction between a typical RC toy and a drone. Therefore, their definition is not useful. If you're talking about remote-control toys, you say "toy plane".* To call a cheap toy a "drone" is misleading.
What you're missing is that dictionaries define a "apple" as "a fruit". That doesn't mean that all fruits are apples. Similarly, the fact that a drone is a remote controlled plane doesn't mean that all RC planes are drones. (Any more than all fruits are apples just because an apple is a fruit.)
* Yes I am aware that some RC planes are EXPENSIVE toys, toys for grownups. I've crashed a few and have the expensive parts on a shelf. That doesn't matter to this discussion. The Oxford definition, if treated as comprehensive, would include Air Hogs as drones, which is silly.
> I can put together a login-driven website using PHP and MySQL and understand that I will have to work hard to stay on top of security issues..."
Yep.
Even better would be "I can put together a login using new features in PHP 5.3 or higher, provided that backwards compatibility settings are disabled, along with clearly risky options such as fopen_url and exec(). I'll watch for security issues by..."
I'm not at my desk, but here's a very brief summary. Do NOT leak any information as to whether:
The username is correct or not (check your "forgot password" form, it should never say "that username was not found )
The password is correct or not
The captcha / human check is correct
Security relockers such as attempt counters have been triggered
In a properly coded system, an dictionary attack should be the most efficient possible, and that should involve trying each possible username with every possible password. In other words, the first term in the equation is the length of the dictionary SQUARED. On the other hand, if anything changes in the response which indicates that the password is wrong (but the username is valid), they no longer have to try every possible combination. Instead, they can try each username with the password "1234 " for the purpose of determining which usernames are valid. Then they only need to try the short list of valid usernames with each password from the dictionary. If the dictionary contains 100,000 entries, a non-leaky implementation will need on the order of 10,000,000,000 tries.* The leaky implementation would require only 1,000,000 tries, which is 99.9.9% less time.
The consequences of leaking information a about relocker activation is left as an exercise for the reader. Consider the compound result of both leaking the relocker parameters, allowing the attacker to set their tool appropriately, while ALSO leaking the validity of user names.
* Numbers used for illustration only. Google the Birthday Paradox for the actual correct calculation.
You sound like the kind of person we may be looking to hire soon. I've hired a few people with your level of experience.
> I can put together a secure login-driven Web site using PHP and MySQL.
Error. One of the companies I own is based on a single product, a SECURE login system. I've been studying security for over 20 years and I've been programming longer than that. We came out with our login security system fifteen years ago and we've been doing real R&D on it ever since. We've found a couple of serious errors we made several years ago. That means that with 10 years of professional programming experience, fifteen years of security experience, and five years of security R&D, we didn't have a secure system. I guarantee you're not far, far smarter than us. If you think you've made a secure authentication and authorization system suitable for the demands of the public web, that's only because of how little you must know about the threats you face.
Have you read the 2001 Pennywize whitepaper, or one of my writings about the Pennywize vulnerability? If not, it's a pretty safe bet that you've coded the exact same vulnerability. That issue makes brute force orders of magnitude easier, such that it becomes pretty trivial to overcome any attempt counting that you think you're doing.
You mentioned you had some publicly available code. If you link to it, I'll be glad to point out two or three significant security issues in your code (if it's for use on the public internet, where it will be attacked daily.).
Assuming you're willing to learn about security, to be humbled, you.can send your resume and a link to ray@bettercgi.com .
The other suggestion I have for you is if you do work these next few years, think mainly about what you can learn from working. Don't consider the salary when deciding whether or not to take a position, but rather accept one (or not) based on what you can learn and who you can meet. Working on autonomous cars at Google for FREE would be wiser than working on yet another message board system for yet another local web design shop for $35,000. The "just another job" option gets you $35 K. Working on the autonomous cars gets you the opportunity to learn from the best and brightest in the world.
> Some people expect the car will coast to a stop just before it. They may be wrong
That's a new one. I've seen estimates of 2032 and 2035, but noone thinks it could survive past 2035 or 2036. When you say "some people", are you talking aboutanyone who even knows what the current population of the US is? The math really isn't all that tricky. Estimates just vary slightly because we don't know _exactly_ how advances in medicine will affect life expectancies over the next 20 years or what the unemployment rate will average over 20 years.
> The government has an obligation to put that money back
Unfortunately, they (we) already spent it. You know those trillion dollar deficits? Alarge portion of those extra trillions that have been spent were social security money. Even in the best case, when tax revenues were higher than expected in Clinton's first two years, he STILL "borrowed" money from social security. That's the Clinton "balanced" budget - he borrowed as much as he spent. We've since spent it - on roads, on defense , and on solar electric scams . It's gone, so now we have a problem we have to fix.
There are of course many options. The main thing is, the longer we wait, the more extreme measures will be required. To continue the car analogy, we can either let off the gas pedal now, or slam on the brakes ten years from now. I think it's best to make small changes now.
Slightly raising the retirement age, gradually, can apparently solve the problem without a major disruption for anyone. Under current law, I would start receiving social security in 25 years, if it weren't for the fact that under current law the system will be broke at that time - there will be no money to pay my benefits with. I would much rather wait two extra years and be able to plan on actually receiving what is promised. Currently, I can't plan on anything, because I know that what is currently promised isn't actually possible. I don't have the exact numbers in front of me right now, but I was surprised at how small of an age adjustment fixes the problem. Something like: Anyone due to get SS within the next five years will get them as planned. Anyone 5-10 years away from retirement waits an extra six months, so if you were planning in 7 years, it'll instead be 7 1/2 years. Anyone more than 10 years out starts receiving payments one year later than the current law.
IIt's unfortunate that the inflation index is such a political football. The index currently being used isn't accurate, and the person who CREATED that index says it shouldn't be used for this purpose. Chained CPI MAY be a more accurate indicator, or we could move beyond 1940s methodology and use the technological resources we now have available to come up with a new, better measure of inflation.
And after you total a car, it won't crash anymore. If nothing unexpected happens, social security might be solvent in 2060, if it still existed. There's just that pesky fault that it can't exist in its current form part the 2030s. We know how many people are in their 40s today, so we know how many people will be in their 60s twenty years from now. From that, it is simple arithmetic to see that we don't have the money to pay those people as promised.
"Attacking social security"? Are you high? When you're about to crash into a wall, is steering around it "attacking" the car? We can see the wall. It's 20 years ahead of us. We WILL crash into the wall if we don't change course. To NOT ccorrect course is to choose to destroy social security, to drive full speed into the wall.
Oxford is probably the most respected dictionary of English and it doesn't use that definition.
> providing they can be flown out of line of sight
A paper airplane can fly around the corner beyond line of site, so by "flown" you must mean "controlled". Control beyond line of site requires the telemetry mentioned in my working definition.
I think you'd also agree that an object that includes a full programmable autopilot, that can be programmed to fly past certain GPS waypoints, is a drone. So at this point we have "it's a drone if it can either be controlled beyond line of site via telemetry or follow a preprogrammed flight path".
A $6 foam glider can have its elevators set to either fly straight or perform a loop. That meets the condition of "follow a preprogrammed flight path", so we need to distinguish between that 30 foot flight and an actual drone. In practice, considering flight time effectively distinguishes drones vs children's toys. That's not a theoretical distinction, but a practical guideline.
To me at least, the primary distinctions between a model aircraft and a drone are a) autopilot of some type (or very good telemetry for remote piloting) and b) range / flight time.
Model aircraft are flown by watching them from the ground. Drones are flown POV through on-board cameras and generally some autopilot capabilities.
Model aircraft typically have the capacity to fly for 10 minutes or so. Drones, an hour or more.
Drones, here defined as remotely piloted or preprogrammed aircraft with a flight time longer than twelve minutes, have not been widely available for decades.
In this particular case, the actual object has not been identified. We only have the report of the jet pilot who saw it. That report does say it was at 2,300 feet from the ground. That means nobody was looking up at it and flying it, in all probability. That altitude strongly suggests it was either following a preprogrammed flight path or was being flown from an onboard video feed.
Since an RC operator wouldn't be looking straight up at it, but would need be looking up at less than a 45 degree angle, someone flying it by remote control would have been a mile away. You can't look at a model a mile away and see whether the wings are level, or what the pitch attitude is. Therefore, it's rather unlikely that this was an RC model.
The full noun phrase was "take a break from programming", so yes, I consider reading Slashdot or some other message boards to be a break from programming.
I don't know if I've ever seen anyone actually do NOTHING, staring, mouth agape, at the wall, not even thinking about anything. I HAVE seen plenty of people watch cat videos on YouTube. That's fine, I suppose. I might get the same refreshment from watching an entertaining TED video instead of a cat. I've seen alot of people chat with their co-workers about sports. It's refreshing to talk to other people. Rather than sports, I like to talk to my co-workers about interesting plans they have for work projects. I get to socialize AND feel productive at the same time, and it's definitely a break from staring at code.
Indeed. My boss, and particularly her boss, is awesome in that way. He takes care of all the politics and also makes sure we get what we need, so we can focus on the task at hand.
Several commenters have pointed out that humans don't stay on task 100% of the time, so the question, as phrased, is silly. HOWEVER, if you don't over-specialize, or encourage people to spend a little time on things other than their core job, they can be productive while taking a break from the routine, instead of spending time on Facebook.
For many years, I ran small companies. The companies did web security software and web hosting. A programmer could, however, take a break from programming and spend half an hour on industry related message boards, which was where most of our sales came from. Answering a support call, they might chat with the customer about all sorts of topics (customer relationships are important).
I've often worked 60+ hours without getting burned out by varying my work. Just for one project I might shop for RAID cards and other components online, customize the hardware with hand tools, assemble the servers, install & configure the OS, write custom software for that server, etc. That way I'm productive almost 100% of the time, but don't get bored like I would in a company where one person does all of the purchasing, another person assembles hardware all day, and another installs software all day.
I now work in a large agency, big enough that you'd expect specialization, but although I'm a programmer most of the time, I'm also invited to participate in other things - long term strategy discussions, designing the architecture of systems other departments are working on, etc. I don't spend any time at work on Facebook. I "slack off" by pitching in on projects that I'm not officially part of, doing work that's different from what I was primarily hired to do.
* Every once in a while, I do look at Slashdot while in my office. Then again, I find work-related news and discussion here, and I also pitch our excellent free cyber-security courses here, so even Slashdot is somewhat productive.
> Personally I like the idea that the underlying reality of the universe is random. I find the idea that the universe is a deterministic clockwork to be depressing.
There is a third option. A butcher from 2,000 years ago could explain that bodies are mechanical systems, with ball joints, plumbing, etc. Later, psychology developed and we began to study what makes humans tick at a different level. The mechanical level if bones and blood vessels is important, of course. To understand people, you have to also look at another level, the psychological level. Mind and body, two different parts of who we are. 2,000 years ago, a guy who built things talked about a third level of humaness, what some people call the spirit. Mind, body, spirit. We don't know much about this "spirit" level yet, but there is a wealth of evidence that SOMETHING is going on, something we can't yet explain well. It's possible that the body is deterministic clockwork, while the spirit may be governed by entirely different rules. In some ways, it seems that spiritual laws like "honesty is the best policy" (the best general rule) are just as true as physical laws like "what goes up must come down". There might be a reason for that, and it might not be because of particle physics.
Most of the "benefit" of Nginx is that it forces noatime, whether you like it or not. Noatime can make a big difference in performance, but just set noatime in/etc/fstab and you'll get the same performance from Apache, without the Nginx bugs, and Apache will ACTUALLY behave as it's documentation says it does.
The other thing that makes a difference, largely in RAM usage, is that some distributions ship a default Apache config with almost every possible module enabled. Comment out mod_speling, mod_userdir, mod_webdav etc for better performance and reduced memory usage.
The government buys a lot more copier paper than they do aircraft carriers . 99.99% of light bulbs are just light bulbs, to illuminate some closet or desk in some office building.
I think you missed the point of the article. It wasn't about the great efficiencies of the government procurement process and how there is so much competition. The article was about the fact that so many companies do NOT bid - either because they aren't allowed to, or.more often because the bidding process costs $150,000 for what should bea $250,000 purchase. If you were guaranteed to win, you'd bid at least $$400,000, but your not guaranteed, so spending $150,00 on a bid in HOPES of winning only makes sense if you bid $1 million - the payoff if you win is then high enough to justify spending the time and money on the bid process.
I have a friend who makes his living from a government contract. He buys blood glucose meters from a company for $10,000 and sells them to the government for $25,000. His contract is pretty safe because no competitor wants to spend $25,000 trying to bid a competing contract which they might not win.
> They might be buying a light bulb, but they want one that's ALWAYS going to be EXACTLY the same, and certified as such. They don't want one that's going to be silently changed to a different design... That would cause maintenance nightmares, and/or could get people killed.
> The vendor buys the item for $30 and sells it to the government for $150....
> The added expense may come from the testing and milspec certification of every individual item... Or from being required to stockpile and warehouse the item for 50 years to ensure they can continue to supply the exact item to the government.
Yep, all for a dang lightbulb for some bureaucrat's office. Guess what - nobody is going to die if the desk lamp draws 61 watts instead of 60. 99.9999% of what the government buys isn't a part for a fighter jet. It's office supplies, road salt, and sandwich bags. Do you REALLY need your government forms to be on certified milspec paper?
The "molten" stories trace back to two original sources. One is describing what they saw, the other is describing a photo. Both refer to red hot beams in the days after. An exact quote is "lifting a molten steel beam". Obviously if it were truly molten, it wouldn't be a beam anymore and noone would be lifting it.
This makes sense, because there's nothing that would maintain molten steel for weeks. About the only things that could do that would be certain types of fault lines or an underground coal seam. Some silly people who have clearly never messed around with thermite have mentioned thermite as if it had some magical properties. From someone who HAS made thermite, I can tell you it burns several milliseconds, not several weeks. That's how it gets so hot - by releasing all of its energy quickly.
> Security for such things is mostly about checklists,
It amazes me that you could have enough of a clue to have heard of SANS, yet still think that. Security is more about an attitude of consistent vigilance, of always looking at from the perspective "this will be attacked, how?", I think.
You're not completely clueless, and you'll find my name on Mitre CVEs so I'm not clueless either, but we have VERY different ideas about core practices.
> The Boomers spent all their social security money on bombers and tax cuts and benefits, and now they sit there with their hands out expecting
There's some truth to that. How old are you, though? The last six years have been a spending spree equal to the everything that came before combined. The baby boomers were irresponsible. Their kids have been beyond irresponsible.
By the way, what Freescale releasrd in February was the world's smallest ARM processor, just 2mm square. It's also the world's most efficient, meaning best battery life. Tiny ARM processors are used in all manner of consumer electronics. Tiny processors aren't really helpful in big devices like "military radar". Size is key in portable devices like smart watches and medical applications such as pacemakers.
More specifically, it collapsed as though the FIRST floor could no longer support the weight of the entire building on top of it. You can see that in the videos.
You can see the exact same thing in your kitchen if you have a gas stove. I know it's more fun to read spy stories than to actually try an experiment, but just know that I'm going to ignore any replies from you until you try the experiment yourself.
Go get a few wire coat hangers or similar metal wire, and some pans. In your kitchen, set up some wire supports to hold a pan four inches above the flame. Try to make the supports symmetrical, like the way a professional building would be designed. Pretend that the wire costs a million dollars per inch, so you'll use the minimum amount of wire necessary to hold the pan up. A bundt cake pan or something with a central opening would be the best simulation, simulating the center elevator columns.
Also keep in mind WTC 7 was tricky to design because the first couple of floors were built around / over an existing power station, so it was designed to use fewer, stronger supports than most buildings would. (You can't put a 40' wide support column right through a part of the power station).
Once the first pan is in place, add three more "floors" (pans), so you have four or more floors, each a few inches apart.
Now tturn the fire on high and wait 5-15 minutes. What Wil happen is that the heat will soften the metal supports just a bit at first, then more so as they heat up. At some point (as high as 500-600 degrees), they'll get soft enough that they collapse under the weight of all those pans. The stack will drop, just like WTC 7.
I KNOW yyou want to argue with me right now. That's cool, you can do that. But first, go in your kitchen and give it a try. Then you can argue from actual knowledge as opposed to repeating silly ghost stories about topics you're unfamiliar with.
> blah blah stupid blah blah nearly double tinfoil aliens
Going from $20 to $23 is not "double". Google "Freescale Semiconductor chart" to see the stick price. Everything else you said is equally as accurate.
You make the assumption that the system is stupid. Most systems ARE stupid, so that's reasonable. However, here I'm talking about a system that isn't stupid. I said a properly designed system.
> I'm going to assume over and over that it's the captcha that I'm just not reading correctly (is that distorted Y character an uppercase or lowercase?).
That would be stupid. Our system doesn't do that.
There's no distorted Y, and even if a customer chooses the textual captcha rather than the default , case doesn't matter.
> I couldn't use one of my usual login names because your website required me to use 2 numbers in my login name
That would also be stupid, so we don't do that.
> stupid limitations on what the password can or cannot be
We avoid doing stupid.
> systems which do a permanent lockout (rather than a 20 minute lockout or whatever), which requires a phone call to unlock (a few banks are guilty of this).
That's stupid, so we don't do that. Ours unlocks in a very short period of time in such cases. The automatic unlock period of time varies based on how severe the abuse is. It could be anywhere from one second (user probably forgot password) to 48 hours(definitely an attack) based on intelligent (not stupid) consideration of EXACTLY what pattern we're seeing. Generally, a user who forgot their password isn't that hard to differentiate from an attack.
> super secure system should not leak any info. On the other hand, it's nice when you also make this stuff user friendly.
Leaking that info is tens of thousands of times more useful to the attacker than it is to the account holder. You're right, IF the system is eight kinds of stupid, THEN it's helpful for it to also be stupid and leak the info. If it's NOT stupid in the ways you listed above, then it doesn't need to be stupid and leak the info.
From that comment I take it you've changed your mind and decided that Oxford is correct and comprehensive? Because it doesn't say what you claimed "all dictionaries x say. American Heritage doesn't either.
If so, I guess you've also decided that all fruits are apples, because Oxford says apple is a fruit.
Thegarbz said:
all the major dictionaries define pilot-less remote controlled aircraft as drones providing they can be flown out of line of sight
Then he said:
4. A remote-controlled pilotless aircraft or missile.
Notice Oxford doesn't say anything about line of sight. Indeed, they make no distinction between a typical RC toy and a drone. Therefore, their definition is not useful. If you're talking about remote-control toys, you say "toy plane".* To call a cheap toy a "drone" is misleading.
What you're missing is that dictionaries define a "apple" as "a fruit". That doesn't mean that all fruits are apples. Similarly, the fact that a drone is a remote controlled plane doesn't mean that all RC planes are drones. (Any more than all fruits are apples just because an apple is a fruit.)
* Yes I am aware that some RC planes are EXPENSIVE toys, toys for grownups. I've crashed a few and have the expensive parts on a shelf. That doesn't matter to this discussion. The Oxford definition, if treated as comprehensive, would include Air Hogs as drones, which is silly.
> I can put together a login-driven website using PHP and MySQL and understand that I will have to work hard to stay on top of security issues..."
Yep.
Even better would be "I can put together a login using new features in PHP 5.3 or higher, provided that backwards compatibility settings are disabled, along with clearly risky options such as fopen_url and exec(). I'll watch for security issues by ..."
I'm not at my desk, but here's a very brief summary.
Do NOT leak any information as to whether:
The username is correct or not (check your "forgot password" form, it should never say "that username was not found )
The password is correct or not
The captcha / human check is correct
Security relockers such as attempt counters have been triggered
In a properly coded system, an dictionary attack should be the most efficient possible, and that should involve trying each possible username with every possible password. In other words, the first term in the equation is the length of the dictionary SQUARED. On the other hand, if anything changes in the response which indicates that the password is wrong (but the username is valid), they no longer have to try every possible combination. Instead, they can try each username with the password "1234 " for the purpose of determining which usernames are valid. Then they only need to try the short list of valid usernames with each password from the dictionary. If the dictionary contains 100,000 entries, a non-leaky implementation will need on the order of 10,000,000,000 tries.* The leaky implementation would require only 1,000,000 tries, which is 99.9.9% less time.
The consequences of leaking information a about relocker activation is left as an exercise for the reader. Consider the compound result of both leaking the relocker parameters, allowing the attacker to set their tool appropriately, while ALSO leaking the validity of user names.
* Numbers used for illustration only. Google the Birthday Paradox for the actual correct calculation.
You sound like the kind of person we may be looking to hire soon. I've hired a few people with your level of experience.
> I can put together a secure login-driven Web site using PHP and MySQL.
Error. One of the companies I own is based on a single product, a SECURE login system. I've been studying security for over 20 years and I've been programming longer than that. We came out with our login security system fifteen years ago and we've been doing real R&D on it ever since. We've found a couple of serious errors we made several years ago. That means that with 10 years of professional programming experience, fifteen years of security experience, and five years of security R&D, we didn't have a secure system. I guarantee you're not far, far smarter than us. If you think you've made a secure authentication and authorization system suitable for the demands of the public web, that's only because of how little you must know about the threats you face.
Have you read the 2001 Pennywize whitepaper, or one of my writings about the Pennywize vulnerability? If not, it's a pretty safe bet that you've coded the exact same vulnerability. That issue makes brute force orders of magnitude easier, such that it becomes pretty trivial to overcome any attempt counting that you think you're doing.
You mentioned you had some publicly available code. If you link to it, I'll be glad to point out two or three significant security issues in your code (if it's for use on the public internet, where it will be attacked daily.).
Assuming you're willing to learn about security, to be humbled, you.can send your resume and a link to ray@bettercgi.com .
The other suggestion I have for you is if you do work these next few years, think mainly about what you can learn from working. Don't consider the salary when deciding whether or not to take a position, but rather accept one (or not) based on what you can learn and who you can meet. Working on autonomous cars at Google for FREE would be wiser than working on yet another message board system for yet another local web design shop for $35,000. The "just another job" option gets you $35 K. Working on the autonomous cars gets you the opportunity to learn from the best and brightest in the world.
> Some people expect the car will coast to a stop just before it. They may be wrong
That's a new one. I've seen estimates of 2032 and 2035, but noone thinks it could survive past 2035 or 2036. When you say "some people", are you talking aboutanyone who even knows what the current population of the US is? The math really isn't all that tricky. Estimates just vary slightly because we don't know _exactly_ how advances in medicine will affect life expectancies over the next 20 years or what the unemployment rate will average over 20 years.
> The government has an obligation to put that money back
Unfortunately, they (we) already spent it. You know those trillion dollar deficits? Alarge portion of those extra trillions that have been spent were social security money. Even in the best case, when tax revenues were higher than expected in Clinton's first two years, he STILL "borrowed" money from social security. That's the Clinton "balanced" budget - he borrowed as much as he spent. We've since spent it - on roads, on defense , and on solar electric scams . It's gone, so now we have a problem we have to fix.
There are of course many options. The main thing is, the longer we wait, the more extreme measures will be required. To continue the car analogy, we can either let off the gas pedal now, or slam on the brakes ten years from now. I think it's best to make small changes now.
Slightly raising the retirement age, gradually, can apparently solve the problem without a major disruption for anyone. Under current law, I would start receiving social security in 25 years, if it weren't for the fact that under current law the system will be broke at that time - there will be no money to pay my benefits with. I would much rather wait two extra years and be able to plan on actually receiving what is promised. Currently, I can't plan on anything, because I know that what is currently promised isn't actually possible. I don't have the exact numbers in front of me right now, but I was surprised at how small of an age adjustment fixes the problem. Something like:
Anyone due to get SS within the next five years will get them as planned.
Anyone 5-10 years away from retirement waits an extra six months, so if you were planning in 7 years, it'll instead be 7 1/2 years.
Anyone more than 10 years out starts receiving payments one year later than the current law.
IIt's unfortunate that the inflation index is such a political football. The index currently being used isn't accurate, and the person who CREATED that index says it shouldn't be used for this purpose. Chained CPI MAY be a more accurate indicator, or we could move beyond 1940s methodology and use the technological resources we now have available to come up with a new, better measure of inflation.
And after you total a car, it won't crash anymore.
If nothing unexpected happens, social security might be solvent in 2060, if it still existed. There's just that pesky fault that it can't exist in its current form part the 2030s. We know how many people are in their 40s today, so we know how many people will be in their 60s twenty years from now. From that, it is simple arithmetic to see that we don't have the money to pay those people as promised.
"Attacking social security"? Are you high? When you're about to crash into a wall, is steering around it "attacking" the car? We can see the wall. It's 20 years ahead of us. We WILL crash into the wall if we don't change course. To NOT ccorrect course is to choose to destroy social security, to drive full speed into the wall.
> all the major dictionaries
Oxford is probably the most respected dictionary of English and it doesn't use that definition.
> providing they can be flown out of line of sight
A paper airplane can fly around the corner beyond line of site, so by "flown" you must mean "controlled". Control beyond line of site requires the telemetry mentioned in my working definition.
I think you'd also agree that an object that includes a full programmable autopilot, that can be programmed to fly past certain GPS waypoints, is a drone. So at this point we have "it's a drone if it can either be controlled beyond line of site via telemetry or follow a preprogrammed flight path".
A $6 foam glider can have its elevators set to either fly straight or perform a loop. That meets the condition of "follow a preprogrammed flight path", so we need to distinguish between that 30 foot flight and an actual drone. In practice, considering flight time effectively distinguishes drones vs children's toys. That's not a theoretical distinction, but a practical guideline.
To me at least, the primary distinctions between a model aircraft and a drone are a) autopilot of some type (or very good telemetry for remote piloting) and b) range / flight time.
Model aircraft are flown by watching them from the ground. Drones are flown POV through on-board cameras and generally some autopilot capabilities.
Model aircraft typically have the capacity to fly for 10 minutes or so. Drones, an hour or more.
Drones, here defined as remotely piloted or preprogrammed aircraft with a flight time longer than twelve minutes, have not been widely available for decades.
In this particular case, the actual object has not been identified. We only have the report of the jet pilot who saw it. That report does say it was at 2,300 feet from the ground. That means nobody was looking up at it and flying it, in all probability. That altitude strongly suggests it was either following a preprogrammed flight path or was being flown from an onboard video feed.
Since an RC operator wouldn't be looking straight up at it, but would need be looking up at less than a 45 degree angle, someone flying it by remote control would have been a mile away. You can't look at a model a mile away and see whether the wings are level, or what the pitch attitude is. Therefore, it's rather unlikely that this was an RC model.
The full noun phrase was "take a break from programming", so yes, I consider reading Slashdot or some other message boards to be a break from programming.
I don't know if I've ever seen anyone actually do NOTHING, staring, mouth agape, at the wall, not even thinking about anything. I HAVE seen plenty of people watch cat videos on YouTube. That's fine, I suppose. I might get the same refreshment from watching an entertaining TED video instead of a cat. I've seen alot of people chat with their co-workers about sports. It's refreshing to talk to other people. Rather than sports, I like to talk to my co-workers about interesting plans they have for work projects. I get to socialize AND feel productive at the same time, and it's definitely a break from staring at code.
Indeed. My boss, and particularly her boss, is awesome in that way. He takes care of all the politics and also makes sure we get what we need, so we can focus on the task at hand.
He also reads Slashdot, so "hi Tony, and thanks."
Several commenters have pointed out that humans don't stay on task 100% of the time, so the question, as phrased, is silly. HOWEVER, if you don't over-specialize, or encourage people to spend a little time on things other than their core job, they can be productive while taking a break from the routine, instead of spending time on Facebook.
For many years, I ran small companies. The companies did web security software and web hosting. A programmer could, however, take a break from programming and spend half an hour on industry related message boards, which was where most of our sales came from. Answering a support call, they might chat with the customer about all sorts of topics (customer relationships are important).
I've often worked 60+ hours without getting burned out by varying my work. Just for one project I might shop for RAID cards and other components online, customize the hardware with hand tools, assemble the servers, install & configure the OS, write custom software for that server, etc. That way I'm productive almost 100% of the time, but don't get bored like I would in a company where one person does all of the purchasing, another person assembles hardware all day, and another installs software all day.
I now work in a large agency, big enough that you'd expect specialization, but although I'm a programmer most of the time, I'm also invited to participate in other things - long term strategy discussions, designing the architecture of systems other departments are working on, etc. I don't spend any time at work on Facebook. I "slack off" by pitching in on projects that I'm not officially part of, doing work that's different from what I was primarily hired to do.
* Every once in a while, I do look at Slashdot while in my office. Then again, I find work-related news and discussion here, and I also pitch our excellent free cyber-security courses here, so even Slashdot is somewhat productive.
> Personally I like the idea that the underlying reality of the universe is random. I find the idea that the universe is a deterministic clockwork to be depressing.
There is a third option. A butcher from 2,000 years ago could explain that bodies are mechanical systems, with ball joints, plumbing, etc. Later, psychology developed and we began to study what makes humans tick at a different level. The mechanical level if bones and blood vessels is important, of course. To understand people, you have to also look at another level, the psychological level. Mind and body, two different parts of who we are. 2,000 years ago, a guy who built things talked about a third level of humaness, what some people call the spirit. Mind, body, spirit. We don't know much about this "spirit" level yet, but there is a wealth of evidence that SOMETHING is going on, something we can't yet explain well. It's possible that the body is deterministic clockwork, while the spirit may be governed by entirely different rules. In some ways, it seems that spiritual laws like "honesty is the best policy" (the best general rule) are just as true as physical laws like "what goes up must come down". There might be a reason for that, and it might not be because of particle physics.
Most of the "benefit" of Nginx is that it forces noatime, whether you like it or not. Noatime can make a big difference in performance, but just set noatime in /etc/fstab and you'll get the same performance from Apache, without the Nginx bugs, and Apache will ACTUALLY behave as it's documentation says it does.
The other thing that makes a difference, largely in RAM usage, is that some distributions ship a default Apache config with almost every possible module enabled. Comment out mod_speling, mod_userdir, mod_webdav etc for better performance and reduced memory usage.
The government buys a lot more copier paper than they do aircraft carriers . 99.99% of light bulbs are just light bulbs, to illuminate some closet or desk in some office building.
I think you missed the point of the article. It wasn't about the great efficiencies of the government procurement process and how there is so much competition. The article was about the fact that so many companies do NOT bid - either because they aren't allowed to, or.more often because the bidding process costs $150,000 for what should bea $250,000 purchase. If you were guaranteed to win, you'd bid at least $$400,000, but your not guaranteed, so spending $150,00 on a bid in HOPES of winning only makes sense if you bid $1 million - the payoff if you win is then high enough to justify spending the time and money on the bid process.
I have a friend who makes his living from a government contract. He buys blood glucose meters from a company for $10,000 and sells them to the government for $25,000. His contract is pretty safe because no competitor wants to spend $25,000 trying to bid a competing contract which they might not win.
> They might be buying a light bulb, but they want one that's ALWAYS going to be EXACTLY the same, and certified as such. They don't want one that's going to be silently changed to a different design... That would cause maintenance nightmares, and/or could get people killed.
> The vendor buys the item for $30 and sells it to the government for $150. ...
> The added expense may come from the testing and milspec certification of every individual item... Or from being required to stockpile and warehouse the item for 50 years to ensure they can continue to supply the exact item to the government.
Yep, all for a dang lightbulb for some bureaucrat's office. Guess what - nobody is going to die if the desk lamp draws 61 watts instead of 60. 99.9999% of what the government buys isn't a part for a fighter jet. It's office supplies, road salt, and sandwich bags. Do you REALLY need your government forms to be on certified milspec paper?