Slashdot Mirror


User: profplump

profplump's activity in the archive.

Stories: 0
Comments: 1,869

Comments · 1,869

  1. Re:Do the police... on Police Secretly Planting GPS Devices On Cars · Score: 1

    No, he was right. And not just in the "it's not the fall that kills you" line of reasoning.

    Speed limits have been moved up and down on the rural portions of interstate highways in recent years -- same road, same drivers, different speed. There is no clear correlation between increased speed and increased fatalities, nor any clear correlation between decreased speeds and decreased fatalities.

    Obviously there are reasonable maximum speeds for a given combination of road, vehicle, weather, traffic, etc. And I'm even willing to accept that we should compromise on those factors and just post a maximum based on the one constant -- the road. But if you think that maximum is commonly represented by the posted speed limits you must drive the world's least safe vehicle.

  2. Re:Do the police... on Police Secretly Planting GPS Devices On Cars · Score: 2, Insightful

    I was with you until "they improve safety". Traffic laws may have been written to improve safety. If enforced they may actually improve safety. But they also may hinder safety, and they may have been written to generate revenue without any regard for safety (or even in the face of it).

    I think it's silly to pretend traffic laws are a separate class of quasi-law that can be blatantly violated and even whined about when enforced, but that's as much a problem with the intent, enforcement and effect of the laws as it is with the people whining about it.

  3. Re:Shell as a scripting language... on Bash Cookbook · Score: 1

    Unless the things you're doing involve launching lots of programs -- it's a lot easier to redirect file descriptors and launch programs in bash than perl. You get a lot more options in perl, but there's a lot more code required too.

  4. Re:Even worse... on Password Resets Worse Than Reusing Old password · Score: 2, Interesting

    You're assuming the two are mutually exclusive. In most of the examples I've seen, I can both be annoyed/locked out regularly AND have someone else gain access. Even with the recently mandated two-factor systems, many banks still ask you to log in using a 4-digit numeric PIN, plus some bit of personal trivia -- better than just a PIN, but probably not as good as a strong password.

    Not to mention the shared passwords required on joint accounts at many banks. I trust my partner with my money, but that doesn't mean I want them to impersonate me when logging in -- access control and authentication should be separated. This problem is only complicated by the personal-trivia questions, as you now have to remember someone else's personal trivia and capitalization habits.

    Is there some reason the bank couldn't just send me a list of one-time passwords on a wallet-sized card every month (or whenever I exhaust the list)? A one-time password plus my usual account password would be much better security, and easier to use. It would cost almost nothing, it would have no relation to public data or my personal preferences, and there's nothing I need to remember beyond my standard password.
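The scheme the comment above proposes, worked through as an added example (this is not code from the comment or from any bank): the server keeps only salted hashes of the mailed codes, demands the regular password and the next unused code on every login, and burns a slot on each attempt made with the correct password so the short code cannot be guessed online. Card size, code alphabet, PBKDF2 rounds and that consume-on-attempt policy are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Added example: a printed "one-time code card" as a second factor on top of
# the account password. Constants below are illustrative choices, not a spec.
CARD_SIZE = 50
CODE_LEN = 6
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I/L mix-ups
PBKDF2_ROUNDS = 50_000


def issue_card(size=CARD_SIZE):
    """Random codes to print on the wallet card; unrelated to any user data."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
            for _ in range(size)]


def _code_hash(salt, index, code):
    # Bind each code to its slot so codes cannot be reused in another position;
    # the server stores only these hashes, so a database leak does not leak the card.
    msg = b"%d:%s" % (index, code.upper().encode())
    return hmac.new(salt, msg, hashlib.sha256).digest()


class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           self.salt, PBKDF2_ROUNDS)
        self.card_hashes = []
        self.next_slot = 0

    def load_card(self, card):
        """Called when a new card is mailed; any previous card is invalidated."""
        self.card_hashes = [_code_hash(self.salt, i, c) for i, c in enumerate(card)]
        self.next_slot = 0

    def codes_remaining(self):
        return len(self.card_hashes) - self.next_slot

    def _password_ok(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, self.pw_hash)

    def login(self, password, code):
        """Both factors must pass. Policy: a wrong password consumes nothing
        (otherwise a stranger could burn through the card), but any attempt
        made with the correct password consumes the current slot, so the
        6-character code cannot be guessed online slot by slot."""
        if not self._password_ok(password):
            return False
        if self.next_slot >= len(self.card_hashes):
            return False                 # card exhausted: a new card is needed
        slot = self.next_slot
        self.next_slot += 1              # consumed whether or not the code matches
        return hmac.compare_digest(_code_hash(self.salt, slot, code),
                                   self.card_hashes[slot])
```

The trade-off in the consume-on-attempt policy is visible in the tests: a replayed code not only fails but also burns the next slot, which is the price of making the short code unguessable online. Whoever can read the card can also read the password on the same desk, so the card adds nothing against that attacker; it does defeat the phished-password and reused-password cases the thread is about.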

  5. Re:KTLC on First-Ever Photo Tour of Defcon's Network Center · Score: 1

    "Physical firewalls" are often nothing more than a couple of sheets of type-X drywall: http://en.wikipedia.org/wiki/Sheetrock#Fire_resistance

  6. Re:TFS seems to have a mistake on First-Ever Photo Tour of Defcon's Network Center · Score: 2, Insightful

    You start indices at 0, to avoid extra math. But you really should start counting at 1, at least if you'd like anyone else to know what's going on.

  7. Re:We can be guilty as well on Stepping Through the InfoSec Program · Score: 2, Insightful

    Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

  8. Not a softphone on Using My PC For Plain Old Telephone Service? · Score: 5, Interesting

    It doesn't turn your landline into a softphone, it turns your landline into a landline, which works just as any other landline.

    So you want to mute your computer when the POTS phone rings; why can't you ask that question instead of pretending that you have some magically non-VoIP softphone?

    That being said, I think a standard audio compressor and mixer is the right choice; prioritize the POTS audio and the computer will automatically be reduced in volume when the POTS line is active.

  9. Re:3-d printers? on Shrinky Dinks As a Threat To National Security · Score: 1, Insightful

    Classic pinned locks are perfectly valid security devices. How about you stop pretending that a "security device" must be impenetrable to be so named? Seriously, that's like suggesting that passwords are equivalent to no security mechanism, just because some people choose bad passwords.

    Even if the lock could be bypassed in 14 seconds by someone with no experience, training, or tools, it's still a valid security device. For one thing, it clearly communicates the desire to keep people out -- that alone is sufficient to turn "standing in my kitchen, uninvited" into "trespassing", not to mention the deterrence effect.

    Moreover even 14 seconds spent bypassing a lock is a suspicious activity that gives my other security mechanisms time to respond -- time they would not have if there was no lock.

    Finally, if I have to do any prep work like "see a copy of the key" or even "determine what type of lock is in use" that requisite preparation step adds complexity to the attack, which again, gives my other security measures time to react, and which has a deterrence effect.

  10. Re:More power to Homeland Security on Shrinky Dinks As a Threat To National Security · Score: 3, Funny

    And if you don't use a credit card to buy your tickets, you were already considered a potential terrorist.

    On the bright side, now that everyone is a potential terrorist, we can at least stop maintaining the list.

  11. Re:No, *THESE* are slaves on Apple Sued For Turning Workers Into Slaves · Score: 1

    In most states in the US, if a shop goes union, you *must* join the union to work there and you *must* accept the entire collective bargaining agreement, including the tenure-based pay system that severely penalizes anyone who wants to change jobs.

    Or take the Iowa teachers' union. All teachers were already required to be subject to the collective bargaining agreement. Because it's the government you can't be forced to join the union, but as of 2007 you now must pay union dues even if you don't join the union. So as a teacher you're limited to the collective bargaining agreement, must pay dues, and don't even necessarily get access to union resources. Good times.

  12. Re:No, *THESE* are slaves on Apple Sued For Turning Workers Into Slaves · Score: 1

    I don't want to count my work hours -- I'll take flexibility over a 40-hour max
    I don't want a pension -- I'd take higher pay over an employer-funded plan that prevents me from changing jobs
    I don't want my employer to control my investment plans -- I'd take higher pay over an employer-funded plan that prevents me from changing jobs
    I don't want my employer to control my health plan -- I'd take higher pay over an employer-funded plan that prevents me from changing jobs
    I don't want paid vacation time -- I'd take higher pay and unpaid leave instead

    So now that we've established that unions don't do what everyone wants, and in fact can damage the ability of employees to seek out new and better employment because they'd lose employer-controlled deferred compensation, can we stop trying to force people into them?

  13. Re:All scoring is based on hard values on New Olympics Scoring: No More Perfect 10.0 · Score: 1

    The difference is in discreteness. If the ball goes through a hoop you get points, and if it doesn't you don't. There are virtually no circumstances in which the points would be disallowed, or in which points would be awarded without the ball going through the hoop, and even those circumstances are very discrete in nature.

    Holding a pose is much less discrete. Is it perfect, just shy of perfect, mediocre or poor in terms of form? Or duration? Or transition from the previous pose? Several skilled judges could (and do) watch the same routine and arrive at different scores. Such scoring deviation rarely occurs in basketball.

  14. Re:Seconded. on Mozilla SSL Policy Considered Bad For the Web · Score: 1

    There's a reason why operating a motor vehicle on a public thoroughfare has to be considered a privilege, not a right.

    Yeah, because people like you think we should be proactively protected by the government.

  15. Re:Seconded. on Mozilla SSL Policy Considered Bad For the Web · Score: 1

    The point is you'd have to actually implement a MiM attack, not just record the data and later mine it for useful information. You'd have to be in a position to bi-directionally intercept and retransmit IP packets along the path of the data, and have a machine in-place that can either deny transmission of the original packet or be fast enough to produce the expected reply before the original arrives.

    I agree that it's important not to mistake encryption for authentication, but they are *both* useful, even individually.

  16. Re:Seconded. on Mozilla SSL Policy Considered Bad For the Web · Score: 1, Insightful

    I don't know where your hackers sit, but most of mine are not in a position to bidirectionally intercept and re-transmit IP packets. Are there some people in the chain that could do that -- certainly: anyone on the same LAN segment at either end, and a handful of routers in the middle -- but that's not really a large number of potential hackers.

    I agree authentication is a good thing, but it's silly to pretend that a MiM attack is easy to implement.

  17. Re:Seconded. on Mozilla SSL Policy Considered Bad For the Web · Score: 1

    $14.99 is not a ridiculous price for one website, but then try the pricing on wildcard certificates for *.mydomain.com. And then try that pricing when you are just trying to protect your personal data and not selling anything.

    Setting up your own CA takes only a couple of minutes and lets you provide both encryption and (uni-or-bidirectional) authentication just like other CAs for any domain you like at no cost. The only expense is having to manually import the CA cert on machines where you want authentication and not just encryption.

  18. Information Theory 101 on Error-Proofing Data With Reed-Solomon Codes · Score: 1

    Channel noise can be overcome via increased redundancy in transmission/storage, thereby reducing the effective transfer rate/storage density. Film at 11.

    I could be wrong, but I'm pretty sure this is why we have on-disk (and on-bus) checksums and ECC RAM. And frankly if your mission-critical data is being ruined by DVD scratches, adding RS codes to your DVDs is probably not going to solve the fundamental problem of system administrator incompetence.

    / Seriously, these days Fark has more technically competent and interesting articles than /.

  19. Re:As I understand it... on Error-Proofing Data With Reed-Solomon Codes · Score: 1

    That's not really true though. While unlikely, it is *possible* that a hash collision occurs on two inputs that vary only by one bit. In most cases we expect a one-bit change in the input to upset about 50% of the bits in the hash output, but that's certainly not true for every possible pair of inputs. Checksums are useful for detecting most small errors, but redundant storage and comprehensive bit-by-bit comparison is the only way to be absolutely sure, and that's generally considered too expensive for use in commodity computing.
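The "possible but unlikely" point above, made concrete as an added example (not code from the comment or from the Reed-Solomon article): for a checksum that behaves like a random function, a single-bit flip leaves an n-bit digest unchanged with probability about 2**-n, so a digest truncated to 8 bits collides with a one-bit neighbour almost immediately, while a 32-bit one does not in a modest search. The same block contrasts two structured checks: a CRC, which by construction changes on every single-bit error, and a bytewise XOR checksum, which is blind to the same bit flipped in two different bytes. The messages are constructed counters; the truncation of SHA-256 stands in for a generic n-bit checksum.

```python
import hashlib
import zlib

# Added example: how often does a one-bit change leave a checksum unchanged?
# Messages are constructed from a counter; SHA-256 truncated to n bits stands
# in for "an n-bit checksum that behaves randomly".


def truncated_digest(data, bits):
    """First `bits` bits of SHA-256, as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def flip_bit(data, bit_index):
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_one_bit_collision(bits, msg_len=64, max_messages=20000):
    """Search constructed messages for a pair that differ in exactly one bit
    and share the same `bits`-bit digest. Returns (original, flipped) or None.
    Expected work is about 2**bits flips, so bits=8 succeeds on the first
    message or two while bits=32 will not within a small budget."""
    for n in range(max_messages):
        msg = n.to_bytes(8, "big") * (msg_len // 8)
        d = truncated_digest(msg, bits)
        for i in range(msg_len * 8):
            other = flip_bit(msg, i)
            if truncated_digest(other, bits) == d:
                return msg, other
    return None


def crc32_detects_every_single_flip(data):
    """A CRC whose generator polynomial has more than one term changes on every
    single-bit error: x**k mod G(x) is never zero. So, unlike a random hash, a
    CRC has no one-bit collisions at all, at any message length."""
    base = zlib.crc32(data)
    return all(zlib.crc32(flip_bit(data, i)) != base for i in range(len(data) * 8))


def xor_checksum_misses_paired_flips(data):
    """The opposite failure: a bytewise XOR checksum cannot see the same bit
    flipped in two bytes, because the two errors cancel. A two-bit 'small
    error' that a weak check silently passes."""
    def xsum(b):
        acc = 0
        for x in b:
            acc ^= x
        return acc
    damaged = flip_bit(flip_bit(data, 3), 8 + 3)   # bit 3 of byte 0 and of byte 1
    return damaged != data and xsum(damaged) == xsum(data)
```

Reading the three results together: random-looking digests fail only probabilistically, and the probability shrinks with width, which is why 128- and 256-bit hashes are treated as collision-free for integrity checking; structured checksums fail deterministically on specific error patterns, which is what error-correcting codes such as Reed-Solomon are designed around.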

  20. Re:this has been the case all along on Is Hushmail Still Safe? · Score: 3, Interesting

    Really, seriously? You must be uber-leet to spout off 20-year-old propaganda about how the NSA can break anything ever -- the easiest way for them to break your crypto is to convince you it's not worthwhile to do in the first place.

    Now, it's possible that there is some algorithmic flaw in AES or RSA that the NSA has discovered and no one else has noticed. But neither algorithm is something that some no-name math student slapped together and got published, nor was the NSA even vaguely involved in their development, which is where many of the concerns (and FUD) about DES originated.

    And I actually have studied the GPG implementations of both AES and RSA, and verified by hand that their binaries produce the same output as my calculations. I've also studied the primes and nonce selection and padding algorithms and have likewise convinced myself that they are valid. There may be other bugs in the program, but I have satisfied myself that they are not broken in any way that produces known exploits.

    Do you have any specific reason to doubt the algorithmic soundness of RSA or AES, to believe that GPG doesn't have valid implementations, or to believe that the NSA or anyone else has the ability to crack either algorithm in a reasonable amount of time without a flaw in the algorithm or implementation?

  21. Re:Case Law Precedent? on Judge Rules Sprint Early Termination Fees Illegal · Score: 1

    I wouldn't blame the lending institution exclusively, but they had the opportunity to do the same math, and also failed to do so.

  22. Re:So where is the cop outrage? on Citizens Spy On Big Brother · Score: 1

    If their bad programming had the chance to impact someone's safety or freedom, you had darn well better be railing against them. Even if it means getting fired. You aren't doing your kids any favors by being employed and evil vs. being unemployed.

    Other than just not wanting to be responsible for the unnecessary injury or incarceration of others, you can pretty easily collect on a wrongful termination suit if you were making reasonable objections to dangerous software.

    Beside that, if your fellow programmers really are that bad, it should be pretty easy to make an argument against them that your boss would buy for business purposes -- sufficiently bad programming is almost always bad for business.

  23. Re:DNS cache poisoning in the wild on DNS Attack Writer a Victim of His Own Creation · Score: 2, Informative

    Self-signed certificates (or more generally, certificates from a CA you don't already trust) are only vulnerable the very first time you see them -- after that you can certainly detect changes.

    But generally speaking, if you're worried about identifying a remote entity and not just encrypting traffic, you *must* at some point transmit verification information out-of-band and trust the integrity of that transmission. Pre-installed CA certificates are one way to do this, but certainly not the only way, and probably not even the best -- they're just the currently most common low-end-user-cost method.
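The two mechanisms the comment above describes, as an added example (not code from the comment or from any client): a trust-on-first-use pin store that records a certificate's SHA-256 fingerprint the first time a host is seen and flags any later change, plus an explicit path for pinning a fingerprint obtained out-of-band (read over the phone, printed on a sheet) so that even the first contact is verified. The "certificates" in the test are constructed byte strings standing in for DER; in real use the input would be the DER from `ssl.getpeercert(binary_form=True)`. The JSON persistence format and the `host:port` key are this example's own choices.

```python
import hashlib
import hmac
import json
import os

# Added example: a trust-on-first-use (TOFU) pin store for certificates that
# no pre-installed CA vouches for, with an out-of-band pinning path.


def fingerprint(cert_der):
    """SHA-256 over the DER encoding, hex; what you would read out over the phone."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps 'host:port' -> fingerprint first seen or pinned out-of-band.
    Persisted as JSON (when a path is given) so the first-sight decision is
    remembered across runs; otherwise kept in memory."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f)

    def pin_out_of_band(self, host, fp_hex):
        """Verification information delivered outside the channel: an operator
        enters the fingerprint from a printed sheet or a phone call. Accepts
        the colon-separated upper-case form that tools commonly print."""
        self.pins[host] = fp_hex.replace(":", "").lower()
        self._save()

    def check(self, host, cert_der):
        """Returns 'first-use' (pinned now; this is the one unverified window),
        'ok' (same certificate as before) or 'mismatch' (the key changed: a
        legitimate rotation or an interception, and the client cannot tell
        which without another out-of-band check)."""
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "first-use"
        return "ok" if hmac.compare_digest(known, fp) else "mismatch"
```

Note what "mismatch" does and does not tell you: the store detects change, as the comment says, but it cannot distinguish a scheduled key rotation from an attack. A deployment needs a rotation procedure (publish the new fingerprint out-of-band before switching, or sign the new certificate with the old key) or every rotation looks like an incident.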

  24. Re:Innovate... on Apple After Jobs · Score: 1

    Nobody makes archives until they delete/corrupt something and don't notice until after they've rotated through all their storage media.

  25. Re:Impressive on Virgin Galactic Shows the Finished WhiteKnight Two · Score: 3, Interesting

    Thousands of people fly every day, miles above the Earth, propelled by a controlled explosion in a machine with a whole lot of moving parts supplied by the lowest bidder. Most people in that situation get a $5, single-strap safety restraint. Even the pilots and crew don't get an $800 restraint system.

    I'm not saying space travel is easy, but in real life there's usually some reasonable compromise between "the most safety we can provide at any cost" and "the most safety we can provide at a reasonable cost, considering the inherent risk of this situation". But it doesn't surprise me that you've lost sight of that -- many people have these days.