Slashdot Mirror


User: firewood

firewood's activity in the archive.

Stories: 0
Comments: 502

Comments · 502

  1. Re:Password management on Real Security? · · Score: 1
    The document/approach I read/have adopted is to stop requiring users to roll their passwords every month. I now request users to roll their passwords every 3 months (once per quarter).

    To make this roughly equally secure, you also need to slow down (or eventually lock out) repeated login attempts so that it takes 3 times longer to brute force guess them.
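The pairing the comment describes, a longer rotation interval offset by a slower online guess rate, as an added example that is not part of the original post. The throttle escalates the delay per consecutive failure and locks the account after a threshold; the class and function names, the delay constants and the 30-versus-90-day comparison are my own choices, not anything the comment specifies.

```python
"""Per-account login throttling with escalating delay and lockout, plus the
guess-budget arithmetic behind pairing a longer rotation interval with a
slower guess rate. Added example, not code from the original post; the class
and function names are my own."""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    base_delay: float = 1.0        # seconds of delay imposed after the first failure
    max_delay: float = 300.0       # cap on the per-attempt delay while escalating
    lockout_after: int = 20        # consecutive failures that lock the account
    lockout_seconds: float = 3600.0
    # account -> (consecutive failures, earliest time the next attempt is allowed)
    _state: dict = field(default_factory=dict)

    def check(self, account: str, now: float) -> float:
        """Return 0.0 if an attempt may proceed now, otherwise the seconds to wait."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record(self, account: str, success: bool, now: float) -> None:
        """Update the account's state after an attempt; success clears it."""
        failures, _ = self._state.get(account, (0, 0.0))
        if success:
            self._state.pop(account, None)
            return
        failures += 1
        if failures >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            # 1 s, 2 s, 4 s, ... doubling per consecutive failure, capped at max_delay
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, now + delay)


def guess_budget(rotation_days: float, seconds_per_guess: float) -> float:
    """Online guesses an attacker can make against one account before the
    password is rotated, given the minimum delay the throttle enforces per guess."""
    return rotation_days * 86400 / seconds_per_guess
```

With a 1 s minimum delay, a monthly rotation gives the attacker about 2.6 million online guesses per account; moving to quarterly rotation with a 3 s minimum delay gives exactly the same budget, which is the comment's "3 times longer" condition. The escalating delay in `LoginThrottle` cuts the real budget well below that figure, since the delay doubles on every consecutive failure.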

  2. Re:Too many passwords - so I write 'em down! on Real Security? · · Score: 1
    So what do I (and presumably everyone else) do? I write them down somewhere.

    People who carry handheld computers (PalmOS or PocketPC) can store a large number of passwords in a number of encrypted databases (several dozen apps available of varying quality; and you don't have to use only one, which might be susceptible to a single point of failure). You can then store a bunch of completely random passwords under a much smaller number of strong but memorable passwords.

    Or better yet for systems under your control, have your handheld, after entering a PIN, generate a new one-time password for each login, so even keylogging is useless without also lifting your handheld to get at the seed and/or algorithm. This gets closer to two-factor authentication.
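The handheld-generated one-time password scheme from the comment above, as an added example that is not the comment author's code. The comment leaves the algorithm open; HOTP (RFC 4226, HMAC-SHA1 over a counter) stands in for it here. The PIN-wrapping of the seed, the fixed salt, the look-ahead window of 5 and the class names are my own assumptions. The server side shows the property the comment is after: a code captured by a keylogger is refused on replay, and the seed never leaves the device.

```python
"""One-time passwords from a PIN-unlocked seed on the handheld, verified on
the server with a look-ahead window and replay rejection. Added example, not
code from the original post: HOTP per RFC 4226 stands in for the unspecified
"algorithm"; the PIN wrapping scheme, the salt and the class names are mine."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HandheldToken:
    """The PDA side. The seed is kept XOR-wrapped under a PIN-derived key, so a
    wrong PIN yields wrong codes rather than exposing the seed; a stolen device
    with a 4-digit PIN still only resists brute force as well as the PIN does."""

    def __init__(self, seed: bytes, pin: str):
        self._salt = b"constructed-salt"   # constructed; use a random per-device salt
        self._wrapped = self._xor(seed, self._key(pin, len(seed)))
        self.counter = 0

    def _key(self, pin: str, length: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000, length)

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def next_code(self, pin: str) -> str:
        seed = self._xor(self._wrapped, self._key(pin, len(self._wrapped)))
        code = hotp(seed, self.counter)
        self.counter += 1                  # a counter value is never reused
        return code


class OtpVerifier:
    """Server side. Accepts the next `window` counter values (the token may have
    produced codes that never reached the server) and refuses anything at or
    below the last accepted counter, so a keylogged code cannot be replayed."""

    def __init__(self, seed: bytes, window: int = 5):
        self._seed = seed
        self._next = 0
        self._window = window

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._next = c + 1         # move past the accepted counter
                return True
        return False
```

The verifier's window is what keeps the two counters in step when the user generates a code and then abandons the login; anything older than the last accepted counter is dead, which is exactly the property that makes a keylogged code worthless to the attacker.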

  3. Re:Understand.. on SCO Now Willfully Violating the GPL · · Score: 1
    If the GPL *is* invalid, as SCO claim, then the code reverts back to being the copyright of the individual contributors, who can then sue them for breach.

    If the GPL is somehow held invalid by the courts, there may still be the issue of whether distributing one's code under the GPL, without consideration or expectation of compensation from an unknown number of users, and freely to countries with unknown IP laws, might somehow impair one's right to selectively sue for copyright infringement.

  4. Re:Strung up by their own rope on SCO Calls GPL Unenforceable, Void · · Score: 1
    If the GPL is unenforceable, then unless SCO got written permission to distribute the code by all the myriad other kernel contributors (and in fact the developers of every other bit of GPL'ed software that they are distributing in their own distro, still available via FTP) then they themselves are in breach of all those people's copyright over code they wrote.

    If the GPL is held to be unenforceable in a meaningful fashion, it means that the copyrights themselves must have been held by the courts to have become somehow unenforceable. This could happen if the act of distributing code under the GPL (without any thought of any compensation or consideration to an unknown number of parties including to countries with unknown intellectual property laws) was held to give the author the same rights to enforcement as if they had placed the code into the public domain. Or requiring compensation only from programmers who are capable of modifying the code and do so might be considered unfair in some manner, or against some interstate commerce regulations on fairness in pricing.

  5. escrow verification? on Developers Lose With Proprietary Software · · Score: 1
    So how should one go about verifying that code escrow really exists?

    For the small developer, what's the lowest cost solution for legally verifiable code escrow? (That my brother has a copy of my backups isn't likely to be an acceptable answer... unless my brother is a major bank's trusts & estates officer, and the code is held in a legal trust by the bank (== $$$ big legal fees).)

  6. Re:And for those on linux.. on Review of Mac OS X 10.3 · · Score: 1
    I'd probably call my plan for world domination file "ILikefluffyKittens.rtf" or something equally innocuous. Or better yet, "readme.txt", since nobody ever reads READMEs.

    Or perhaps developers need to name their READMEs "Plan for World Domination.txt". Then more users might actually read them! :)

  7. Re:Brute force this! on Review of Mac OS X 10.3 · · Score: 1
    Brute force this: "My turtle is 3ke"

    One brute force method would be 1 dictionary word + 1 random character, 2 dictionary words + 2 random characters, etc. and permutations. That would be considerably more efficient than hunting through the keyspace of 16 random ASCII characters, assuming that the passphrase length was already guessed somehow.

    In any case, the password setup routine should tell the user that it estimates the password entered can be broken in X seconds, where X might be a small enough number to concern careful users.
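The two estimates the comment contrasts, the word-plus-junk search the attacker would actually run and the naive full-keyspace figure, as an added example that is not part of the original post. It generalises the comment's "1 word + 1 random character, 2 words + 2 characters" strategy to any mix of dictionary words and random characters in any order, and returns the crack-time figure a password-setup routine could show the user. The wordlist is constructed, and `DICT_SIZE`, the 95-character alphabet and the guess rate are assumptions a real checker would replace with its own.

```python
"""Structure-aware crack-time estimate for a passphrase, next to the naive
full-keyspace figure. Added example, not code from the original post. The
wordlist below is constructed; DICT_SIZE, the printable-ASCII alphabet and
the guess rate are assumptions a real checker would replace with its own."""
import math

WORDS = {"my", "turtle", "is", "the", "a", "cat", "dog", "hello", "world", "password"}
DICT_SIZE = 100_000      # assumed size of the attacker's wordlist
ALPHABET = 95            # printable ASCII characters


def structured_guesses(passphrase: str) -> int:
    """Guesses needed if the attacker knows the shape of the passphrase:
    k dictionary words (each lower-case or capitalised) plus m random
    characters, in any order, with spaces as separators. Spaces are assumed
    known, matching the comment's assumption that the length is known."""
    words = randoms = 0
    for token in passphrase.split(" "):
        if token.lower() in WORDS:
            words += 1
        else:
            randoms += len(token)
    slots = words + (1 if randoms else 0)   # word slots plus one slot of junk
    return (DICT_SIZE ** words) * (2 ** words) * (ALPHABET ** randoms) * math.factorial(slots)


def naive_guesses(passphrase: str) -> int:
    """Guesses needed to exhaust the full printable-ASCII keyspace of this length."""
    return ALPHABET ** len(passphrase)


def estimate(passphrase: str, guesses_per_second: float) -> dict:
    """What a password-setup routine could show the user: both search spaces
    and the worst-case seconds each takes at the given guess rate (expected
    time is half the worst case). The structured figure never exceeds the
    naive one, since the attacker can always fall back to brute force."""
    naive = naive_guesses(passphrase)
    structured = min(naive, structured_guesses(passphrase))
    return {
        "naive_guesses": naive,
        "structured_guesses": structured,
        "naive_seconds": naive / guesses_per_second,
        "structured_seconds": structured / guesses_per_second,
    }
```

For "My turtle is 3ke" with these assumptions the structured search is roughly 10^8 times smaller than the 95^16 keyspace; for a 16-character string with no dictionary words the two estimates coincide, which is the check that the structured model degrades gracefully to brute force.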

  8. Why this is wrong on Death of the PDA? · · Score: 1
    Cell phones take too long to develop and get regulatory/network approvals. And fashionable cell phones are getting too small for many PDA applications.

    It's not that PDAs are dead, but that the disconnected PDA is dead (which is why all Palms have a HotSync port). Eventually, every PDA will have wireless capability instead (wifi, bluetooth, cellular but maybe using the same account as one's cell phone, or some combination of the previous). People will buy PDAs with readable-size displays to use to configure their cell phones, many of which will still have awful user interfaces on tiny displays in order to stay small and fashionable. The fashion cell phone market is far larger than the geek market.

  9. Re:Death of the Internet Predicted on FCC Commissioner Warns of Destructive FCC Policies · · Score: 2, Insightful
    The internet (as used back then) is dead, and it will die again. Almost no one uses gopher any longer. NNTP is now a tiny percentage of internet traffic. The current protocols support the dumping of near infinite amounts of raw sewage onto the bandwidth paid for by others. I expect the people who pay to move onto greener pastures (new more-secure protocols), leaving unauthenticated SMTP ports and such open only on a few research and archeologists' networks.

    Sure the internet as we know it won't die, but the percentage of users and networks that allow the current protocols will go to zero (rounded to the nearest percent).

  10. Re:Guess Who's To Blame on Spammers Using Hacked Machines as Decoys · · Score: 1
    WHY wasn't ICF turned on by default in XP Home? WHY aren't there pamphlets included with new computers about keeping AV up to date and not opening unknown e-mail attachments?

    In the early days, one could drive a car, or even fly an airplane, without any licensing requirements, any seatbelts, etc. After enough costly accidents and bad publicity, nowadays one certainly can't take off piloting a large aircraft without thousands of hours of training, licenses, medical exams, inspections, following books full of regulations, etc. etc. What makes you think that the same thing won't happen to being able to run a server (any PC with open ports) on a broadband connection?

  11. Re:Pay more to get less on Spammers Using Hacked Machines as Decoys · · Score: 1
    Open connections require ISPs to do nothing, therefore those connections should cost nothing.

    Closed connections cost even less, since they consume no network bandwidth on the provider's inner network, and probably generate fewer complaints due to unpatched hacked machines causing problems (DDoS, SMTP relay, etc.) on the net. Why should a port be exposed if the user doesn't even know enough about its existence to put in an "open it please" request?

  12. Re:Firewall on Spammers Using Hacked Machines as Decoys · · Score: 1
    Besides, what is $5.00 based on?

    If you don't have inbound ports open, your machine will tend to generate less inbound traffic for their routers to have to handle, and a lower probability of complaints due to an unblocked machine getting hacked and then used for DDoS, et al.

    I think all inbound ports should be blocked by default unless the user is clueful enough to specify the exact port numbers and services that he/she specifically wants (e.g. almost all linux admins, but much fewer windows users).

  13. Re:Uhhh on The Next Path for Joy · · Score: 1
    OK, here's an experiment:

    a) run Hello World in Java

    b) run Hello World in C (including booting up Linux)

    Which one is faster? :-)

    print "Hello World"

    in Basic, on an Apple II (or equivalent), is much faster than either when you include machine boot time. Does this make Basic the better language?

  14. Re:Why aren't PDA's replacing pricey calculators ? on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 1
    The HP48 emulator won't run on many of the PalmOS models that are significantly cheaper than a real HP48.

  15. Re:Nothing with a decent keyboard? on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 1
    These palm shaped things are next to useless for any serious work.

    Some people do their serious work standing up and moving about. These palm-sized devices fit in a shirt pocket or on a belt-clip.

  16. Re:T3? What, is the T2 too old alread? on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 1
    As it is I would have rather seen the T2's price drop.

    The T2 price did drop with the announcement of the T|T3, and it's still a good product in Palm's lineup because it has noticeably better battery life than the T3.

  17. Re:Why aren't PDA's replacing pricey calculators ? on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 1
    Although many PalmOS calculator applications look nice, they are just barely catching up in terms of symbolic math capability and educational add-ons.

    But given that a T|T3 benchmarks around 3 double-precision megaflops, PalmOS devices should blow away calculators for some handheld uses.

  18. Re:Tugnsten E: Palm's iMac? on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 1
    Of course, this is totally ignoring the Newton, which is where Palm did well to steal a lot of ideas for PalmOS, although ignoring a handful of very important architectural elements.

    Also ignoring several design elements that resulted in the Newton being a very unprofitable and low volume seller (versus over 30 million PalmOS devices sold).

  19. Re:New Sony Clies too on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 1
    Also note that the two new Sony Clie models, the TJ25 and TJ35, have rebates available, which can reduce the net cost to $180 and $220, respectively. See the Sony Style web site for details.

    The new Sony models also use a faster processor (200 MHz Motorola MX) than the new Palm Zire21 and Tungsten|E (126 MHz TI OMAP) models.

  20. Re:We should be giving these things to kids. on New Palm Lineup Reviewed: Tungsten T3 & E, Zire 21 · · Score: 2, Informative
    these are the machines we should give to kids in grade school. Forget laptops.

    PalmOS devices for the educational market? Alphasmart agrees with you.

  21. Re:Try a three-tiered approach on Changes in the Network Security Model? · · Score: 1
    One thing that I need to consider at my current job is that you can NOT trust employees' computers at home, even if you can trust employees - if they are running Windows, they are potential virus and worm vectors, and need to be shielded off, ... We've solved the most immediate problem by allowing only ssh

    Allowing running ssh from a box that is potentially 0wn3d and running a key logger is a big hole in your security. Requiring a hardware firewall/VPN box on home systems could at least temporarily keep the key loggers from phoning home.

  22. Re:Basic Internet w/cable? on Cable Companies Reject Tiered Pricing Model · · Score: 1
    Make basic cable come with a username/password and leave support at that. No tech support, no customer service, just a low speed (100k down, 30k up or something) thing for users of whatever cable service. If you want tech/CS/more speed, you'll pay the premium!

    This could work. Many clueless people would use this service. The cable company would only have to charge enough for any support call to make even more money per bandwidth unit than from their subscribing customers.

  23. price certificates high, not low on AMTP as an Alternative to SMTP · · Score: 2, Insightful
    Sounds like a solid plan...now to get a certificate signed for a decent price is the challenge.

    A major problem with the current system is that domain names and (misused, temporary or stolen) IP addresses are nearly free. Thus spammers can collect zillions, and the blacklists become unstable (where collateral damage affects some people worse than the spam). The way to avoid this with mail transport certificates is to make them costly enough that spammers can't collect them by the busload, and also cost enough to pay for determining that the applicant is a real person with a verified contact address (where, say, papers could get served for forgery and violating UCE laws, etc.).

    People (and spammers) who can't afford an account on a server with a proper certificate can still use SMTP. But, unless I'm a police/medical/whistleblowers tipline, or have family in Nigeria, I don't have to accept such email.

  24. Re:Diamond to replace vacuum tubes?? on NTT Verifies Diamond Semiconductor Operation At 81 GHz · · Score: 1
    Try building a semiconductor transistor with a gate width measured in centimeters (compared with microns)

    The gate width of the final clock buffer in the early DEC Alpha chips was about a meter (folded, of course).

  25. Re:Isn't a Copyright a Contract? on GPL in Court - Good or Bad? · · Score: 1
    > the remedy for this violation of the copyright law does not include forcing them to comply with the GPL

    In this case, there would be no right to distribute.

    Unless publicly and freely distributing code to anonymous parties without a written contract or a requirement for monetary consideration was considered by the court as legally equivalent to putting the source code in the public domain. I don't know if there is legal precedent about doing something that looks and feels like placing material in the public domain, and then trying to selectively enforce the loss of distribution rights using copyright law. (But IANAL.)