Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. Great question on RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video) · · Score: 1

    That's a good question and one I'll have to test. Based on other tests, I'm fairly sure that a Dvorak user who is on a qwerty would be recognized - everyone is familiar enough with qwerty, so their fingers would still tap keys in a similar way. On the other hand, a trained qwerty TYPIST suddenly using dvorak would have that indicator show up as "possible difference". That's because they'd have to switch from typing to hunt-and-peck. Still, that's analogous to your wife getting a totally new hairstyle - you'd notice the difference, but probably not mistake her for an intruder.

  2. If you're not familiar with ACTA... masturbation on Canada Launches ACTA Bill · · Score: 1, Informative

    If you're not familiar with the bill or with ACTA, have another look at that summary. Every other word is loaded - craven, pressure, aweful, spurious, etc.
    Therefore, don't forget the it's OBVIOUSLY so ridiculously slanted as to be completely and utterly useless in understanding what it's about. It's so clear that the author is not just biased, but radically, rabidly so. Therefore, te only use for such a article is for the author similarly rabid people to enjoy reading their own thoughts. Mental masturbation, so to speak.

  3. Happy surprise. Like your wife's haircut. on RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video) · · Score: 1

    Now if I type differently on my laptop than on my desktop (not unlikely, since the keyboard is noticeably different)

    That was one of the very first things I wanted to test, in the proof-of-concept stage. I asked someone who normally uses a laptop to instead use MY desktop keyboard. So they were going from their familiar laptop to an unfamiliar desktop keyboard. I was glad to see that with the elements we were measuring, it still looked like the same person - even on a totally different type of keyboard.

    Understand this is similar to using hair (style and color) as factors in recognizing someone you know. If you see someone from the back who SAYS they are your wife, and their hair is the same COLOR as your wife's, and the same LENGTH as your wife's, and the same STYLE as your wife, and they are the same HEIGHT as your wife, and the same BODY TYPE, and have the same pitch VOICE, you can recognize that's probably your wife. A stranger is not likely to fool you.

    Going the other way, when your wife gets a hair cut, you still recognize her versus an imposter. You may even still be able to detect an intruder even by the hair still, as their hair is likely a different length and more or less curly, etc. A different keyboard, int he worst case, is like a new haircut - it only changes part of the rhythm, and the keying rhythm is only part of the recognition.

  4. Worked for us for millions of logins already on RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video) · · Score: 2

    We've been tracking keystroke rhythm on Girls Gone Wild and some other popular sites for several years. Based on analysis of several million login attempts, it does work.

    In that implementation, at least, the keyboard rhythm is one of SEVERAL factors that are considered. A sprained finger probably wouldn't keep you out, unless you were also a) far from home and b) using a different computer than you normally do. All three factors combined would make it seem likely that it was someone else trying to access your account. Just one factor alone wouldn't trigger anything.

    It's actually a lot like how you recognize people in your offline life everyday. For people you know, there are a dozen or so factors which let you quickly recognize one of your family members even from behind, and from a block away. For people you don't know, you can recognize suspicious people because your brain considers a few dozen factors, such facial expression, body language, dress, anything they have in their hands, etc. You then respond to the combination of all of those factors. Most of the time, you can instantly distinguish between a robber entering a store and a normal customer. That's roughly how these systems can work, how Strongbox works - by considering keying rhythm as one of several factors, just as you can use hair style as one factor in recognizing your boss or your wife from across the room.

  5. and Strongbox has ben doing is for about that long on RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video) · · Score: 1

    Also Strongbox, the security system used by sites like GirlsGoneWIld, has had this for years.
    In that implementation, at least, the keyboard rhythm is one of SEVERAL factors that are considered. A sprained finger probably wouldn't keep you out, unless you were also a) far from home and b) using a different computer than you normally do. All three factors combined would make it seem likely that it was someone else trying to access your account. Just one factor alone wouldn't trigger anything.

  6. Most Google services have paid competitors on Ask Slashdot: Should We Have the Option of Treating Google Like a Utility? · · Score: 2

    Which services, specifically? Most services Google offers have paid competitors. Google Maps? There are plenty of mapping apps. Gmail? Your ISP already provides you email. If you don't trust your ISP, reagan.com has an email service with strong privacy guarantees.

    Have you purchased Streets and Trips, or a Delorme product and do you use it? If not, there's the answer - the premise is flawed because you in fact do NOT choose to pay cash. Rather, you prefer Google's ad based model. I do too, for many services Google offers - I use their navigation and if that gets me an ad for some tourist attraction that's on my route, I'm okay with that. I choose not to use their email service, and pay with my time, maintaining my own email system.

    Facebook / social networking is kind of the oddball. The whole POINT is that it keeps track of who your social circle is, so that really can't be done without a big ass database connecting friends and friends-of-friends.

  7. 2nd grade reading comprehension on Study Suggests Generating Capacity of Wind Farms At Large Scales Overestimated · · Score: 2
    Please read the comment you're replying to:

    The claim is that we could have windmills powering electric cars.

    The greenies ARE wanting to replace gasoline with wind, so energy IS the right metric. Unless of course you're saying electric cars won't ever work, that cars will always have to run on gasoline?

    I suppose you could say "wind could provide a fraction of our needs, as long we don't have any electric cars and factories keep running on coal and natural gas." You would be correct if you said "electric cars make renewable energy impossible", but I'm guessing that's not what you're trying to prove.

  8. A planet full of windfarms could power half the US on Study Suggests Generating Capacity of Wind Farms At Large Scales Overestimated · · Score: 1

    From your wikipedia link: "Primary energy use in the United States was 25,155 TWh In 2009"

    At 8,760 hours per year, that's 2.85 TW AVERAGE, about 5TW peak. So covering the entire planet with nothing but wind farms could power half of the US. The claim is that we could have windmills powering electric cars. Not on this earth, the math just doesn't work.

  9. Re:Ethics on PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display · · Score: 5, Informative

    In the past hackers used to notify the owners and give them a chance to fix problems and the owners would either do nothing or even threaten to sue. Any slashdot reader should know this.

    Anyone claiming to know anything about the topic of web security should know the procedure used to remedy ~90% of all vulnerabilities. Those security updates you get each week don't appear out of nowhere. Someone like myself files a security ticket with the vendor or affected party. The vulnerability is confirmed and analyzed, then other vendors who are likely to have similar vulnerabilities are notified. A patch is pushed, THEN a CVE is issued. After that, more mainstream sites like slashdot pick up on, and link to, the CVE which explains what the vulnerability was is links to the update to fix it. That's typically about a week after the vulnerability is teported and 2-3 days after the fix is available. That's how securitu issues are normally handled, they aren't ignored. (If they were ignored we wouldn't average 100 security notices per week, would we?)

    When I found the PowerDNS vulnerability I could have come straight to Slashdot with "how to take down wikipedia and millions of other sites". If I were a scumball attention whore I would have done so. Instead, I reported it through proper channels. Wikipedia was patched within 36 hours, then other sites. The next day, the CVE went out, THEN you heard about it. I still get to brag - I just do it AFTER a) wikipedia and other responsive sites are safe and b) I have something worth bragging about, having protected wikipedia from being exploited.
    This jackass is merely attention whoting at other people's expense. He hasn't done anything special - just ran Nessus - but is advertising himself via the results rather than handling them responsibly.

    Suppose for a moment that some of the sites could leak sensitive information. Suppose also that sites which leak sensitive information should be slapped. Well, the slashvertised site, the cracker's search engine, is most certainly leaking sensitive information, ergo he should be slapped!

  10. Maybe. 99% are not on PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display · · Score: 1

    some of the of sites are likely entrusted

    And 99.97% are some guy trying to make ends meet by offering online chemistry lessons or showing you how to hook up your home theatre. IF there were any sites found that held personal information, the right thing to do would be to contact those sites, not encourage people to hack the personal information.

    Certainly it does no good whatsoever to give script kiddies a list of sites to deface. The most popular hosting is Godaddy, with their $10 / month hosting account. (35% of sites are Godaddy sites.) The sites with hosting budgets of around $10-$50 month make up 95% of all sites. So that's mostly who is affected - some elementary school art teacher selling used computer parts online in his spare time.

  11. Next - SE for houses without security systems on PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display · · Score: 1

    Well hours next project be a search engine showing which houses don't have good security systems, or showing the weaknesses in each home's security? What an aweful way to attention whore - by giving criminals a list of defenseless people.

  12. No, they have show exactly what you ripped off X6 on Copyright Alert System To Launch Monday · · Score: 2

    No, it's after you get busted ripping other people off SIX TIMES. Someone who produces software or content, like myself, has to catch you stealing my work that I put my time into programing and file a complaint. I have to show exactly what software I wrote that you ripped off, when you did so, from where, etc. Then the ISP slows your connection so you can rip me off at a slower pace. Or, if you want the software I wrote, you can spend the $5 to buy it from me.

    Or, in the case of most of the software I write, you don't even have to buy it. It's free. All you have to is follow the GPL or Apache license that I give it to you under. I had to file a cease and desist against Plesk because they were pirating Apache licensed software I wrote. It's FREE! I'm GIVING it to you. Why the hell they were stealing free software I'll never understand. Just leave the license file in the package, how hard is that?

  13. Most electricity used when people aren't home? on New Process Takes Energy From Coal Without Burning It · · Score: 1

    > But the majority of electricity usage occurs at exactly the same point in the day when solar power is the most abundant That's very interesting. I would have thought that around noon, when the solar power is most abundant, most people would be at work or school, so they wouldn't be using electricity at home. In my house, we use electricity early in the morning getting ready for work and around dinner time. So roughly around sunrise and sunset, when solar is pretty much useless.

  14. You're on the right track, but we can ID computers on CAPTCHA Using Ad-Based Verification · · Score: 1

    We do identify computers pretty reliably. You mentioned five factors that can be used. You pointed out none of those five factors BY ITSELF is sufficient. But the COMBINATION of all five factors you mentioned plus a few you didn't mention works pretty darn well. I can't identify you by the first digit of your phone number, nor by the second digit, nor by the tenth. But if I look at all the digits together I can have pretty good idea of who it is.

    Add to that we're confirming that you are indeed who you claim to be, so we just need a yes/no answer, we don't have to figure out who you are. Lastly, in most practical scenarios, saying "it is probably the same person" or "it is probably not the same person" is sufficient - we don't have to 100% prove it. Credit / debit card fraud detection is a great example. I use my debit card daily. Out of thousands of transactions, I've received only about three calls from the fraud detection department to verify something - once when I was 1,000 miles from home and hadn't used my card on the way there, once 100 miles from home while buying expensive electronics, and one other time. The fraud detection works well by considering the strong combination of weak factors - location, type of store, amount of purchase, etc. are each weak in themselves. However, if my card is beng used in Florida, 1,000 miles from were I live AND it's the first time it's ever been used at a nail salon AND that comes 30 minutes after I used it in Texas AND that's the fifth transaction in the last 30 minutes, there may be something funny going on.

    CAPTCHAS and identifying computers are just like that, if done correctly. A system like Strongbox examines ALL available information and thereby does a good job of flagging something suspicious.

  15. That's what we do with Strongbox, one captcha ever on CAPTCHA Using Ad-Based Verification · · Score: 1

    That's what we do with the CAPTCHAS in our security system - you only have to do the CAPTCHA once, then never again for most people.
    In our case, we use the CAPTCHA to reduce brute force on a login-in system. Once you enter the CAPTCHA correctly once, you don't have to enter again as long as you enter your user name and password correctly. If you start entering incorrect user names and passwords, that could be a brute force attack, so you have to enter CAPTCHAS again.

  16. still spending 2 1/2 times more than Clinton on How Sequestration Will Affect Federal Research Agencies · · Score: 2

    And, even with sequestration, Washington would still be spending over TWICE as much as they did during the Clinton administration. Sequestration is means "cutting" about 4% from the planned budget. (While still spending more than last year.)

    It's widely believed that Clinton-style budgets were good. If you believe that, you should ask for sequestration times fifteen, cutting the projected budget by 60% to get back to Clinton-like spending.

  17. Re:Scaling is the Key! on New Process Takes Energy From Coal Without Burning It · · Score: 1

    Solar is powering my home, and it was a one time cost. Well, there was a little cost in changing over to LED lights, a laptop, and other low power appliances

    I take it you've had your new solar power system for less them three years, then? So haven't quite hint the point where you have to spend thousands of dollars replacing those lead acid batteries that provide power after sunset, on cloudy days, etc.? That's cool. I'm glad you feel good about replacing carbon dioxide with lead and acid.

  18. It'd be just like standard power plants on New Process Takes Energy From Coal Without Burning It · · Score: 1

    If the CO2 were accidentally released, that'd be a lot like the other option - power plants that release it on purpose. You know, the way we've been doing it since the discovery of fire.

    There is one similarity with nuclear waste, though. You're probably aware that nuclear plants generate dangerous waste. You're probably also aware that nuclear plants generate a significant amount of waste. What they didn't tell you is that it's two different kinds of waste! Nuclear does NOT generate much dangerous waste. There's a few pounds of dangerous stuff which can be easily encased in heavy steel and buried two miles deep, and then there's a bunch of low level waste you could earth for breakfast. (It'd be safer than what RMS eats, anyway.) So nuclear waste is purely a POLITICAL problem, a made up issue. There's no technical problem at all. In that sense, it's the same as sequestered CO2 - a political problem, not a safety problem.

  19. RAISES the question. There's no begging. on Google Patents Staple of '70s Mainframe Computing · · Score: 1

    Saying "beg the question" in the incorrect, recent, sense doesn't even make any sense - there's no begging going on. It's just a matter of hearing "____ the question" and paying no attention the words one is parroting. I would agree that in most cases it doesn't much matter - it's just silly to completely ignore the meaning of the words you're saying.

    Howeve,r you said "make yourself acquainted with the following word: context". Indeed, context matters. Let's consider context. If grandma says her old computer is "running out of memory" in the context of complaining about always needing to buy new stuff to replace old, it's okay if she really means "running out of hard drive space. In the context of a computer science discussion, you don't want to say "memory" when you mean storage space - it's important to be clear about what you mean.

    The context, in this case, is the context of a debating an issue. That is precisely the context in which "begs the question" is a specific term of art. Misusing "begs the question" in the context of debating a policy issue is like misusing "running out memory" to mean drive space in the context of a computer science paper. Just as "memory" has a specific meaning in the context of computer science, "beg the question" has a specific meaning in the context of policy debate.

  20. LMGTFY on Google Patents Staple of '70s Mainframe Computing · · Score: 1
  21. No, the patent doesn't use an expire date on Google Patents Staple of '70s Mainframe Computing · · Score: 1

    I can't see a significant difference. In both cases they are using a metadata *expire* date.

    No, the process patented by Google does not use an expire date in the metadata, so there's one big difference. In fact, the main utility of the patented process is that it does NOT pre-determine an arbitrary expiration date ahead of time. Read the abstract .

    The problem with "a metadata *expire* date" as you describe is that I might do as I did just the other day - create a file which I intend to use for one day. Three days later, I'm still using it, so I don't want it deleted. With "a metadata *expire* date" it would have been deleted while I was using it.

    The process patented by Google has time to live in the path, which is multiplied by the inverse of the quota usage and the result of that calculation is added to the greatest of several last modified times to calculate whether or not the file should be deleted now, based on the calculation of all three factors together. That way, files are not deleted just because back when they were created someone thought they wouldn't be needed for very long. Instead, they are deleted only if three things all all true - a) the file is marked as short term (TTL), b) the file hasn't been used in a while and c) they are running low on disk space. The patent covers te exact calculation used to combine those three factors.

  22. Or the summary is misleading propaganda on Google Patents Staple of '70s Mainframe Computing · · Score: 4, Informative

    The "summary" wholly misrepresents what the patent is about. It's not about having an expiration date in the filename at all. When someone advocating a position lies to me, as this submitter did, I figure the reason they are lying about the issue is because they realize that the truth doesn't support their position.

    Rather than choosing an expiration date ahead of time, the patented method deletes a file (or not) based on multiplying the time to live by the inverse of the user's quota usage, plus the latest of several modification times. The patent covers only using that specific algorithm, and only when the TTL is represented within the filename.

    Is that algorithm obvious? Several Slashdot commentors who say the are programmers read the explanation of the algorithm and still didn't understand it at all. One might say that if it's explained to you and you don't "get it", it's probably not obvious.

  23. Finishing school, what students want. Moodle modul on Ask Slashdot: What Does the FOSS Community Currently Need? · · Score: 2

    Since you are finishing school, you know something about what students want, and could easily get feedback about what teachers want. Many schools do online classes using the Moodle framework, a modular learning management system. The Moodle forums and bugzilla have ideas for new modules. Someone above mentioned a fast, lightweight quiz system. That's something that Moodle users need - there have been multiple requests for it recently. Specifically, people have need for a quiz system which loads separately from Moodle, but talks to the Moodle database or webservice. Currently the existing quiz system is integrated into Moodle, so opening a quiz page drags in a MILLION lines of Moodle code. That's not scalable. People want a lightweight quiz so that 20,000 students can take the quiz at the same time, then send the data to Moodle, either directly to the database or import it from a file.

  24. If you're getting paid you need a license on Ask Slashdot: Inexpensive SOHO Crime Deterrence and Monitoring? · · Score: 1

    Separately from the permit for the alarm itself, you also need to be licensed if you're being paid to install a system. In Texas, it's a third degree FELONY, I think, to install systems for pay without a license. Other US states are mostly similar. * The same agency that regulates security professionals regulates PIs. Unlicensed PI work is a felony. Unlicensed security work may be a class A misdemeanor, in which caae max penalty would be 1 year jail.

  25. Watch again - Mythbusters yanked axles on Ask Slashdot: Inexpensive SOHO Crime Deterrence and Monitoring? · · Score: 2

    Watch the Mythbusters episode again. What they considered "busted" was the part in the movie where the car rose up over the rear wheels and kept going. Instead, the rear axle broke loose of the suspension, but the wheel wells kept it from being left behind. AFTER trashing the suspension and the underside of trunk, the cable broke. Mythbusters said "this car will not be driving any further". The Mythbusters test can be seen here: https://www.youtube.com/watch?v=HRHMNc5WyB4&feature=youtube_gdata_player