Slashdot Mirror


User: Just Some Guy

Just Some Guy's activity in the archive.

Stories: 0
Comments: 11,329

Comments · 11,329

  1. Re::facepalm: on Kentucky Lawmakers Shocked To Find Evolution In Biology Tests · · Score: 3, Informative

    Sure, they're stupid in Kentucky, but I didn't appreciate seeing all those tax-payer bought incredibly overpriced Apple laptops in mission control.

    Suppose average salary in mission control is $100,000 (probably low for high-tech jobs in the area, but we'll round) and that they're all contractors and don't get a penny worth of benefits. That Mac probably cost $1,000 more than the bare minimum Windows laptop that would run their apps (and that's making the rather huge assumption that those apps would be available on Windows, which has approximately zero market share in high level science, and that there would be zero training costs for them to switch to Windows). Finally, assume that the Macs will irreparably break the day after their three year warranty and deprecation schedules have expired.

    Congratulations. Your plan to stick them with Windows laptops, in the best case, would save $333 per year - or 0.3% of their salary - in the absolute best case scenario.

    Only the government would pay gobs of cash for a locked down version of BSD.

    ...and every major company I've been around, all of which seem to understand the concept of "penny wise, pound foolish" that eludes you.

  2. Re:mod TFS on DOJ Says iPhone Is So Secure They Can't Crack It · · Score: 1

    Did you really expect him to say "well then I just take out this other CD and it has an app to instantly unlock whatever encryption you have..."?

    Kind of, yes. He was a fellow geek showing off his shiny new toys. At the least, I would have expected an "I can't really go into that" or a quick subject change, but he seemed sincere.

  3. Re:mod TFS on DOJ Says iPhone Is So Secure They Can't Crack It · · Score: 2

    Exactly. He told me, basically, that the main (only?) side channel attack was getting the unencrypted backup. And yeah, I strongly suspect that if the NSA had the ability to crack AES, it would only be used for situations that you and I would never hear about. The instant it came out in even the most important of public trials, everyone would stop relying on AES about 30 seconds later.

  4. Re:mod TFS on DOJ Says iPhone Is So Secure They Can't Crack It · · Score: 5, Interesting

    This is purely anecdotal, but... I was recently on a flight next to a highway patrolman flying back from a conference for computer detectives (my words, not his; I don't remember what the actual job title was). He showed me the modified Ubuntu distro DVD they were passing out - "Look, it has a password cracker!" "Is that John the Ripper?" "You've heard of that?!?" - and we had a pretty nice chat.

    During the conversation, I mentioned that iPhones are encrypted now. I asked, "OK, hypothetically, suppose I'm a mafia drug dealer and you get my encrypted cell phone. How screwed am I?" He said that they'd get a subpoena for my house, show up with a search warrant, and read the backup off my Mac's hard drive, "and then we run this app [opens it to show it to me] and have full access to all your data!" I told him that was pretty impressive, "but... what if I turn on FileVault and encrypt my whole hard drive?" He looked like I'd kicked his puppy and said that most criminals aren't smart enough to do that, but in that case, yeah, there was nothing he could do.

    Feel free to take that with a grain of salt, but I had a detective tell me - in an unguarded two-geeks-talking moment with no apparent motive or visible sign of deceit - that the only way they could recover an encrypted iPhone's contents was through examining the unencrypted backup from an unencrypted hard drive. Now this was a state highway patrol guy and not an NSA analyst, and maybe the higher-up guys have access to emergency use stuff they're not talking about, but my takeaway was that the state-level police really don't have any way to defeat the encryption.

  5. Re:Who cares? on How Will Amazon, Barnes & Noble Survive the iPad Mini? · · Score: 5, Insightful

    I don't have an iPhone or an iPod. I have an HTC Desire and a Sandisk Sansa (with Rockbox). What do people say to me?

    "Hipster." I have a Sansa with Rockbox, too, but stopped using it approximately the first time I ever saw an iPod Touch.

    I don't believe there actually is a tablet market. Just an iPad market. No one wants tablets, just something that makes them look cool and hip. Like everyone else.

    Well, that's just precious! In the real world, people love tablets. There are a lot of people who want portable, Internet-capable devices without lugging around laptops. I'm sure there's some tiny portion of the tablet market who likes being seen with them, but the owners I've seen tend to use them while lounging around their houses watching Netflix or playing games.

    Note: I don't have an iPad and I'm not defending my own purchasing decisions. I have a Nook Simple Touch that I use purely as an ebook reader because I don't really have a need for anything else between my phone and laptop. But it's sheer ignorance to claim that tablets are a fad just because you don't like them. Lots of people do, and manufacturers have made a few billion dollars selling them without an end in sight.

  6. Re:The guy has a point on Software Engineering Has Its Own Political Axis From Conservative To Liberal · · Score: 1

    But the Conservative amongst you will argue, don't you think that a billion dollar, millions of visitors, holding vast amounts of private data site NEEDS to be extremely secure? And it shows how much you don't get it if you think that. I said the NEXT facebook, which will start out as a small site with a shoestring budget and bankruptcy just a bill away. Then you need to deliver a product BEFORE yesterday and all the fancy stuff can come later when you are rich and can afford to hire the terminally slow.

    LOLWUT? I'm pretty far to the left of his spectrum (duck typing FTW!) but I'd have to bitchslap a coworker who counted security as "fancy stuff that can come later". You can write dynamic Lisp all day long if you want to, but leak my credit card and unencrypted password because you "didn't have time to do it the 'paranoid' way" and I'll rain the wrath of a thousand angry gods down upon you.

  7. Re:Mother's maiden name on Secret Security Questions Are a Joke · · Score: 2

    I use my mother's mother's mother's maiden name.

    Why? Are you legally obligated to give the correct answer?

  8. Re:Simple solution on Secret Security Questions Are a Joke · · Score: 2

    Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?

    I agree with your general premise that these are just secondary passwords. That's actually how I treat them: I use my password manager to generate and remember random strings of characters as my security question answers. What was my first elementary school's name? "QQw9i?7JJq[m".

    However, these don't have to be stored in cleartext any more than your primary password. Ideally, the authenticating system should hash your reply and compare it to the hashed version from their database just like you would normally. I don't think there's any inherent reason why your security answers need to be human-readable.

  9. Unsurprising on GNOME Developers Lay Out Plans for GNOME OS · · Score: 1, Insightful

    Translation: "I'm bored with what I'm working on and I want a shiny new project to play with."

    I'd be willing to bet that a few guys got tired of working on Unity, and there wasn't a whole lot going on elsewhere in Gnome, so they're trying to find something fun to do. I don't think that bodes well.

  10. Re:Does there need to be an app for everything? on YouTube App Removed From iOS 6 Beta4 · · Score: 1

    Oh, I'm familiar with the story. But my problem with the Facebook app is that server queries take ages or time out. If I open it and go into the search bar and search for a friend, it may take 30 seconds to get the results. A more-native app isn't going to fix those types of latencies. Once the server sends the data, the app seems to be reasonably quick to act on it.

  11. Re:Does there need to be an app for everything? on YouTube App Removed From iOS 6 Beta4 · · Score: 1

    Even Facebook is making a native app on iOS.

    You can't make me believe that's for performance purposes. When I do a search in the current, awful iOS app, it's not the app that's taking 45 seconds to reply with a list of results.

  12. Re:Weak security questions on Apple Support Allowed Hackers Access To User's iCloud Account · · Score: 1

    Dropbox, yes, yes, no. I personally use 1Password, but there are plenty of other strong-crypto password vaults to choose from.

  13. Re:Weak security questions on Apple Support Allowed Hackers Access To User's iCloud Account · · Score: 1

    I was born in "ew0M-?6IMpZr". At least, that's what my password generator told me this time. It'll tell me something different for the next website I create an account on.

  14. 32-bit vs 64-bit? on Is It Time For an OpenGL Gaming Revolution? · · Score: 4, Interesting

    On the referenced blog, I asked whether they'd repeated the test for a 64-bit Linux distro to directly compare to the 64-bit Windows installation they used. Unfortunately, my comment there got deleted. Does anyone have any insight as to what effect switching to a 64-bit distro might have? On one hand, x86-64 has a reputation for being more compiler-friendly than x86-32, what with more explicitly-named registers and all the other goodness. On the other hand, it'd have to sling around longer pointers (and possibly waste more space on 8-byte-aligned data structures? Is that true?). What would the net result likely be?

    Put another way, I wish they'd eliminated that rather large test environment variable before publishing their numbers.

  15. Re:I hate how casual the work place has become on Ask Slashdot: Is There a Professional Geek Dress Code? · · Score: 1

    I'd have to agree. I'm wearing jeans and a Hawaiian shirt today, but that's completely appropriate to my workplace. We're a tech company and have very few outside visitors or customer tours, and even the VPs regularly wear jeans and loafers.

    I should mention that I work in San Francisco, and a techie wearing business casual here would be presumed a consultant, and therefore likely to pick your pocket.

  16. Re:I hate how casual the work place has become on Ask Slashdot: Is There a Professional Geek Dress Code? · · Score: 4, Insightful

    Within a few weeks of my arrival the office in general started dressing better. Now even those in the casual camp are dressing better and putting in some effort to personal appearance.

    Just so you know: your coworkers hate you.

  17. Re:Lesson... on Teenager Arrested In England For Criticizing Olympic Athlete On Twitter · · Score: 1

    Mod parent up. I've had a great time making interesting friends on Twitter. Maybe parts of it are cesspools? I wouldn't know because I don't go there. Follow cool people and read cool stuff, or follow trash and read trash.

    Imagine Twitter as a mailing list with no set topic and a perfect killfile so that you only hear from the people you want to. What's not to like?

  18. Re:Sure! Oil it. on Can a Regular Person Repair a Damaged Hard Drive? · · Score: 1

    I'd definitely go the ddrescue route and make a backup image before attempting anything else. If I were attempting this, my next step would be to install UAE on the P3 and create a filesystem-backed disk for it, so that saving a file inside UAE to SYS:/foo actually writes the file to ~deroby/amigadisk/foo, for instance. Make a copy of the image you got from ddrescue and mount that inside UAE as a second hard drive. Finally, inside UAE copy MyFiles:* to SYS:Backup/ (or whatever names you come up with). Then you'll be able to retrieve them from ~deroby/amigadisk/Backup.

    Why trust a possibly-incompatible FFS implementation when you can use the real one?

  19. Sure! Oil it. on Can a Regular Person Repair a Damaged Hard Drive? · · Score: 2

    A "friend" gave me a Seagate 50MB SCSI drive back when it was just a little bit outdated. It powered up to a horrible grinding, shredding sound but still managed to read out maybe 10KB/s of data. That grew old quickly because I really wanted the sweet, sweet Amiga warez stored on it. Fearing that it was going to die at any moment and figuring I had nothing to lose, I flipped it over and squirted some 3-in-1 oil into the bearing.

    The grinding smoothed into a high-speed whine and I watched with glee as the transfer rates crept up to a more civilized 700KB/s. I copied its contents onto my palatial 250MB drive and put the geezer out of its misery.

    I have not before or since sped up a computer by oiling it.

  20. Re:Desktop Environment Fad is finally ending. on GNOME: Staring Into the Abyss · · Score: 2

    What exactly is this whole GNOME or KDE package for?

    Providing a whole slew of handy things that a program can reuse for its own ends. For instance, KDE provides "KIO slaves" so that apps loading and saving files through a KDE backend can read/write with any filesystem that KDE supports. If you install the SFTP KIO slave, every KDE app gains the ability to save files to an SFTP server instead of having to implement that functionality themselves. That's what GNOME and KDE are for.

  21. Re:From the article: on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    All packages for Fedora and Ubuntu, and I'd be massively surprised if the case wasn't the same for OpenBSD, are signed with a project key.

    But that doesn't prevent you from creating your own packages. In fact, they explain how to make your own self-signed packages should you want to build your own internal package repository. It just stops you from releasing a package that looks like it's coming from OpenBSD.

    This isn't analogous to the Secure Boot fiasco where it's significantly harder for end users to get their own signing keys, and therefore can't create their own signed bootloader that would act like the one that OpenBSD would be distributing.

  22. Re:Like RMS, Theo De Raadt is right when everyone on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 2

    "There will be a mechanism to turn off this method of booting on x86 hardware."

    What's OpenBSD supposed to do on ARM, where Microsoft has mandated that Secure Boot can't be disabled? From the Microsoft "Windows Hardware Certification Requirements", page 116:

    MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

    OpenBSD is on a lot more platforms than just x86.

  23. Re:From the article: on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    Is not wanting to "be the new Microsoft" worth being unprepared for a "disaster?"

    Yes, when it involves completely selling out the ideals you've dedicated your life's work to. OpenBSD was founded on openness. They don't allow binary blobs into the OS for maintenance, security, and freedom reasons. What's a signed bootloader, where De Raadt et al would be contractually forbidden from releasing the signing key required for end users to build it for themselves, if not a binary blob?

    It would be convenient for OpenBSD to distribute a signed bootloader. And proprietary video drivers. And closed network drivers. Those are short-term conveniences at the cost of a lot of freedom, though, and OpenBSD realizes that and avoids them.

    So the onus is on you to come up with a plan that preserves OpenBSD's goals while simultaneously respecting Microsoft's empire-building wishes. If you were Theo, what would you do that he's not?

  24. Re:Wifi on OS X Mountain Lion Out Tomorrow · · Score: 1

    Nothing you just said disagrees with anything I just said. Mac is using the same quality hardware as in other good laptops. My comment about neighboring machines not getting leases was a commentary on the junk hardware used on some low-end laptops, in comparison with my Macbook which was decidedly non-finicky on the same networks.

    Objectively, Macs are nicely specced, designed, and built. That doesn't imply that there are no good non-Apple laptop vendors. I'm in a conference room filled with equal numbers of Macbook Pros and ThinkPads, and they all seem to be chugging away happily.

  25. Re:Wifi on OS X Mountain Lion Out Tomorrow · · Score: 1

    But let's not pretend that they're the only option out there for "well built".

    For the record, I never said or implied anything of the like.