Terrorists are people, who feel more threatened by a drawing than by drones,
Terrorists are people, who fear small girls with books more than death,
Terrorists are people, who use bullets because their mind cannot work with words,
they are not scared by torture or surveillance, but by truth and freedom.
I nominate this study for the Ig Nobel Prize.
The version bought in the UK has German voice acting as an option. But I play my games in English anyway. German voice acting is usually cheaply done and prone to inserting errors instead of humor.
Game pricing is a great mystery. I tend to buy my games in the UK. Even with shipping they are 30% below the German prices.
Buying games here locally feels like being ripped off. And the price difference to other countries is even bigger....
Hah, he is just hoping they will finish Clang! for him in order to save him from angry investors....
In SI units (40m^3 for 400,000 km^2) it would be easier to calculate ;-).
The four inches or 10 centimeters are required in the aquifers of southern California.
First, that is about 1/3 of the area. So we go to 30cm or 1 foot. That is still manageable.
Then we need to take into account that only a small part (optimistic: 25%) goes into the aquifers. That quadruples it to 4 feet or 120cm. That is quite a lot.
For that optimistic assumption to hold, not too much must go into runoff and evaporation. So we need continuous light rain (1mm per day) with an overcast sky.
In effect this means 4 years of continuous light rain.
It wasn't a glitch at Amazon but in third-party software. But headlines never were the strong point of Slashdot ;-)
Several readers have pointed out that disabling automatic Windows Updates is bad advice, and while that's a fair argument I have to disagree.
It is really BAD advice. The average PC user is not an ops person. If an update bricks his PC, he will notice and can get help. If his PC is insecure, he will notice nothing, and help (if ever) will be asked for much too late.
His arguments amount to one thing: avoid changes. Any change is a risk. But so is crossing the street. In the long run, a change-averse strategy will lead to worse results than the occasional botched change (exceptions apply, but those are rare). And the only way for the average user to do changes is to automate them.
My favorite solution would be disbanding them. But that is not realistic.
The German version of the General Accounting Office does a pretty good job of spotting squandering. So a new oversight body should be established based on their model, one that focuses more on depth than breadth and on an unpredictable cycling of topics.
Due to the nature of intelligence services, you will never get them really compliant (that's why I mentioned my favorite method), but you can curb them.
They (BND) created several new theories:
a) Space Theory: German law does not apply in space, so their satellites (or those from agencies of "friends") are not bound by the constitution.
b) Function Owner Theory: When someone is acting within his/her capacity as a function owner, he is no longer a person protected by the constitution.
c) The Meta Data Theory: Meta data does not contain privacy protected information.
Thanks to Snowden this mess came to light. This now needs to be cleaned up. All three approaches will be shot down, with or without the government's approval.
Most parliamentarians agree that the intelligence services practically beg for a shorter leash. Power struggles and party politics will delay it, but they will get it.
The idea does not work: If you do this, I can lock you out of your service every 5 minutes. The prevention of password guessing is a bit harder and therefore you need a bit more.
If you choose 4 English, non-trivial words, you already have about 40 bits of entropy. Searching only 1% of the namespace would take trillions of tries.
To have those tries, the provider (not the user) must have already screwed up. The user cannot efficiently defend against screwups of the provider of the password-protected service.
"Hard to guess" is aimed at direct, human guessing. If I know you love "Sarah", then "Sarah4me" makes a bad password. That would be your screwup.
My primary goal is: burden the user only with what naturally belongs in his domain. Trying to offload your security as a company onto the users (e.g. to reduce costs) usually backfires.
Thanks for looking it up and not blasting me ;-).
I didn't want to do self-advertisement, so I did not link to my blog.
Good, bad & ugly - Your password
PASSWORD REQUIREMENTS
A good password must have two properties:
1) It has been memorized by the user
2) It is difficult to guess for a third person (even if he/she knows the user well)
But in most cases another requirement is thrown into the mix:
3) The password shall be complex (have a high entropy)
Usually the requirements take the form of a password policy like this:
The password must be at least 8 characters long
The password must contain upper- and lower-case letters
The password must contain a number
The password must contain a non-alphanumeric character
You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.
THREATS TO PASSWORDS
Let us take a look at how the security of a password can be compromised:
- The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)
- The password has been re-used by the user in a different context where the attacker has access to it
- The attacker gained access to the encrypted storage of passwords and managed to extract it from there
- The password has been guessed by the attacker
How does having a complex password help you against these attacks?
In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.
If the password is known to the attacker from its use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefore increases the chances of an attacker using a known password of the user in a different context.
In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).
One would expect that a password policy should help make a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy, users tend to stick to first names, upper-casing the first or last letter, replacing characters by similar-looking special characters or numbers and/or adding numbers at the end (like birthdays).
Summary: Only in one attack scenario does choosing a complex password help; in all other scenarios it has no impact or even a negative one. So let us look at this scenario in a bit more detail.
DECRYPTING PASSWORDS
To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.
When it comes to decrypting a password, the algorithm used is more important than the complexity of the password. If the service provider has not done his homework, complex passwords offer only little protection. This is another critical point where the user has no influence whatsoever.
But in the case of a service provider who has botched the safety of his password file but made the right choice of algorithm, the complexity of the user passwords can offer extra protection against the attacker.
Does this case justify all the negative impact?
I want to point out that the safety of the encrypted password is not the responsibility of the user. So I would say: Don't make him part of the process here. Don't shift the responsibility to him where the service provider is responsible.
Remark: I did not specifically address the issue of an attacker
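An added example (Python; not code from the original post) that implements the four-rule policy quoted above and shows the gap between "policy-compliant" and "hard for a third person to guess". The policy rules are the four from the post. The facts about the user (the name "Sarah"), the mutation rules (capitalisation, look-alike substitutions, a trailing number, a trailing symbol) and the passphrase are all constructed here for illustration; they are assumptions, not data from the post.

```python
"""Policy compliance versus guessability.

Added example, not from the original post. The four policy rules are the
ones quoted in the post; the user facts, the mutation rules and the sample
passwords are constructed for illustration.
"""

# The password policy from the post, as (rule name, predicate) pairs.
POLICY = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("upper- and lower-case letters",
     lambda p: any(c.isupper() for c in p) and any(c.islower() for c in p)),
    ("a number", lambda p: any(c.isdigit() for c in p)),
    ("a non-alphanumeric character", lambda p: any(not c.isalnum() for c in p)),
]


def policy_violations(password: str) -> list[str]:
    """Return the names of the policy rules the password fails (empty = compliant)."""
    return [name for name, ok in POLICY if not ok(password)]


def passes_policy(password: str) -> bool:
    return not policy_violations(password)


# Look-alike substitutions people use to satisfy "special character" rules.
LOOKALIKES = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})

# Constructed suffix list: the post's "4me", a few habits, and birth years.
SUFFIXES = ["4me", "4ever", "123"] + [str(y) for y in range(1970, 2015)]
SYMBOLS = ["!", "#", "?"]


def targeted_candidates(facts: list[str]) -> list[str]:
    """Policy-compliant guesses a targeted attacker tries first when knowing a few
    facts about the victim (e.g. a name). Every candidate returned passes POLICY,
    so the policy does nothing to keep them out of the guess list."""
    out = set()
    for word in facts:
        w = word.lower()
        bases = {w.capitalize(),                 # Sarah
                 w[:-1] + w[-1].upper(),         # saraH
                 w.capitalize().translate(LOOKALIKES)}  # S@r@h
        for base in bases:
            for suffix in SUFFIXES:
                for sym in SYMBOLS:
                    out.add(base + suffix + sym)
                    out.add(base + sym + suffix)
    return sorted(c for c in out if passes_policy(c))


def guesses_until_found(password: str, facts: list[str]) -> int:
    """How many targeted guesses it takes to hit `password`; -1 if not in the list."""
    cands = targeted_candidates(facts)
    return cands.index(password) + 1 if password in cands else -1


if __name__ == "__main__":
    for pw in ["Sarah4me", "Sarah1985!", "harbor pencil violin tundra"]:
        print(f"{pw!r}: violations={policy_violations(pw)}")
    print("targeted guesses for 'Sarah1985!':",
          guesses_until_found("Sarah1985!", ["sarah"]),
          "of", len(targeted_candidates(["sarah"])))
```

Note that the four-word passphrase is rejected by the policy (no upper-case, no digit) although its search space is far larger than that of the targeted list, while "Sarah1985!" is accepted and sits inside a list of well under a thousand guesses. The only thing the policy catches in "Sarah4me" is the missing symbol, which the user fixes with "!".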
Pure datacenter: 2 firewalls, 1 Sun X2100, 1 QNAP NAS, 1 PC, 1 Raspberry, 1 VoIP-Gateway, 1 Homematic automation server, WLAN Controller
In the network: 5 mobile devices, 2 PC, 1 Notebook, BluRay-Player, 4 Audio Devices (Sonos), 2 Access Points, 2 USB-via-IP extender, Printer, Scanner, multiple IP-based sensors
I wish I had known that I knew nothing ;-). Because at that time I thought I knew everything...
What does this mean for StarCitizen? AFAIK their complete work is based on the CRYTEK engine...
Is the duty for password complexity correctly placed on the user's shoulders? I think not...
The user has two jobs:
1. Select a password he can remember
2. Choose a password someone else does not associate with him
Raising password complexity requirements makes those two jobs harder. In my observation, with rising password complexity, users tend to re-use passwords more often (which is more detrimental to security than a less complex password).
For password complexity to matter, the service provider must have failed (lost the data) and succeeded (chosen a half-way decent algorithm) at the same time.
Therefore I consider the burden of password complexity wrongly placed at the user's end.
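An added example (Python; not code from the original post) for the "failed and succeeded at the same time" case above, and for the earlier points that 4 non-trivial words give about 40 bits and that the hashing algorithm matters more than password complexity. It assumes the attacker holds the provider's password store and tests guesses offline. Per-guess cost is measured on the machine running the script for a fast hash (salted SHA-256) and for a deliberately slow KDF (PBKDF2-HMAC-SHA256 with 100,000 iterations); the 1024-word list, the 1% search fraction and the iteration count are assumptions chosen for illustration.

```python
"""Offline guessing cost: password entropy versus the provider's hash choice.

Added example, not from the original post. Assumes the attacker has the
password store. Guess rates are measured locally on one CPU core; the
wordlist size, search fraction and KDF iteration count are assumptions.
"""
import hashlib
import math
import os
import time

SALT = os.urandom(16)  # one salt is enough for a timing loop; real stores use one per password


def fast_hash(password: bytes) -> bytes:
    """What a provider who 'has not done his homework' stores: a plain salted hash."""
    return hashlib.sha256(SALT + password).digest()


def slow_kdf(password: bytes, iterations: int = 100_000) -> bytes:
    """A half-way decent choice: a purposely slow password-based KDF."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, iterations)


def guesses_per_second(fn, samples: int) -> float:
    """Measure how many candidate passwords per second `fn` lets one core test."""
    start = time.perf_counter()
    for i in range(samples):
        fn(b"guess-%d" % i)  # constructed candidates; only the cost matters
    return samples / (time.perf_counter() - start)


def entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def seconds_to_cover(bits: float, fraction: float, rate: float) -> float:
    """Time to test `fraction` of a 2**bits keyspace at `rate` guesses per second."""
    return (2 ** bits) * fraction / rate


def compare(word_count: int = 4, wordlist_size: int = 1024, fraction: float = 0.01) -> dict:
    """Same passphrase, same attacker: only the provider's algorithm differs."""
    bits = entropy_bits(word_count, wordlist_size)
    fast_rate = guesses_per_second(fast_hash, 20_000)
    slow_rate = guesses_per_second(slow_kdf, 10)
    return {
        "bits": bits,
        "guesses": (2 ** bits) * fraction,
        "fast_hash_rate": fast_rate,
        "slow_kdf_rate": slow_rate,
        "fast_hash_seconds": seconds_to_cover(bits, fraction, fast_rate),
        "slow_kdf_seconds": seconds_to_cover(bits, fraction, slow_rate),
    }


if __name__ == "__main__":
    r = compare()
    print(f"{r['bits']:.1f} bits -> {r['guesses']:.3g} guesses for 1% of the space")
    print(f"fast hash: {r['fast_hash_rate']:.3g}/s -> {r['fast_hash_seconds'] / 3600:.1f} hours")
    print(f"slow KDF : {r['slow_kdf_rate']:.3g}/s -> {r['slow_kdf_seconds'] / 86400:.0f} days")
```

With a 1024-word list, 4 words give exactly 40 bits, and 1% of that space is about 1.1e10 guesses. Run on a single core in pure Python, the fast hash tests on the order of a million guesses per second and the KDF a few dozen, so the same passphrase moves from hours to years purely through the provider's choice; a GPU cracking rig changes the absolute numbers, not the ratio.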
I hope the Nest Thermostat is better than the Nest Protect Smoke Detector. Those gave me a case of serious "early adopter burn".
The Nest Protect detectors have the tendency to generate false alarms in clean air (no smoke, no dust, no steam) and are very hard to disable (get a ladder, dismount, get a screw driver, open device, remove battery). The idea of disabling a false alarm by WIFI has not occurred to them yet :-(.
It says "Civilization" in the title, so I will buy it anyway... ;-)
If it is any consolation, the level of competence of political decision makers in Germany is about at the same level. The ballpen is the last technological innovation they use.
Even better ;-)
The correct headline would be:
German court refuses to force Valve Steam to allow resale of games
Too complicated?
Yep, but we come back to my argument: The biggest risk for Google on the search market is regulation (see EU proceedings).
Actually, I think Google knows that it is getting too big: the breakneck speed of acquisitions is the result of the intent to get as big as they can before a more confining regulation sets in.