Today I ran across a stack class that used for its push function... an overloaded operator new...
I am a reasonably big C++ fan who will staunchly defend the presence of operator overloading in a language, but I cannot comprehend the thought processes that must take place for someone to think that this is a good idea.
Glad I could help.
In my defense, why was the scale in thousands? Who says "yes, I have 900,000 thousand dollars"? If it was like 5,000 thousand I could see that, but why not either make it 900,000,000 or 900 million?
Oh wait, I'm an idiot. I take that back.
Those graphs said "(in thousands)"...
If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* small a sum for them...
A Foolproof Way To End Bank Account Phishing?
Anyone who thinks this is underestimating the ingenuity of fools.
I just don't think dictionary attacks are viable when there are unrelated non-alphanumeric chars in the passphrase.
I agree there, at least if it's not something predictable like a couple numbers at the end of a dictionary word.
The attacker still has to brute force the passphrase and any sane security policy will detect the attack.
True, but that's also the same if you don't replace characters. If you do your typical 1337 substitutions (e.g. e->3), you just need to do a more sophisticated dictionary attack. Probably increases the keyspace by a couple dozen times at most.
Matt Bishop gives a list of passwords that are easy to guess, at least for an offline attack; it includes "dictionary words with some or all letters capitalized" and "dictionary words with any of the following changes: a->2, e->3, h->4, i->1, l->1, o->0, s->5 or $, z->5"
True but increasing password length by 4 chars is stronger.
Agreed, but if you're on a system that limits you to, say, 8 characters, you don't have much choice. (Like, say, the Penn State CS dept, at least as of a couple years ago.)
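The exchange above argues that 1337 substitutions multiply an attacker's search space by "a couple dozen times at most" while four extra characters buy far more. The following script is an added example (not from the thread) that makes that comparison concrete using the Bishop substitution list quoted above; the alphabet size of 95 printable ASCII characters and the function names are my assumptions.

```python
# Added example (not from the thread): estimate how much a leetspeak
# substitution rule set enlarges the search space for one dictionary
# word, and compare it with simply appending random characters.

# The substitution list quoted from Matt Bishop in the thread.
LEET_SUBS = {
    "a": ["2"],
    "e": ["3"],
    "h": ["4"],
    "i": ["1"],
    "l": ["1"],
    "o": ["0"],
    "s": ["5", "$"],
    "z": ["5"],
}

# Assumed alphabet an attacker must consider per appended position.
PRINTABLE_ASCII = 95


def leet_variants(word, subs=LEET_SUBS):
    """Number of distinct strings reachable from `word` by optionally
    replacing each letter with one of its substitutes (case unchanged)."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(subs.get(ch, []))
    return count


def case_variants(word):
    """Number of capitalisation patterns of the alphabetic characters
    (the other easy-to-guess transformation on Bishop's list)."""
    return 2 ** sum(1 for ch in word if ch.isalpha())


def mangled_variants(word, subs=LEET_SUBS):
    """Leet substitutions and capitalisation combined, counted exactly.

    Each position can be lower case, upper case, or one of its substitutes;
    a substituted digit has no case, so this is not simply
    leet_variants * case_variants (which would over-count)."""
    count = 1
    for ch in word.lower():
        case_options = 2 if ch.isalpha() else 1
        count *= case_options + len(subs.get(ch, []))
    return count


def extra_length_multiplier(extra_chars, alphabet=PRINTABLE_ASCII):
    """Search-space growth from appending `extra_chars` random printable
    characters to a candidate."""
    return alphabet ** extra_chars


def compare(word, extra_chars=4):
    """Return (leet_only, leet_and_case, length_multiplier) so a policy
    reviewer can see which transformation buys more."""
    return (leet_variants(word),
            mangled_variants(word),
            extra_length_multiplier(extra_chars))


if __name__ == "__main__":
    for w in ["password", "shadow", "hello"]:
        leet, mangled, longer = compare(w)
        print(f"{w!r}: leet x{leet}, leet+case x{mangled}, "
              f"+4 random chars x{longer:,}")
```

For "password" the substitutions alone give 36 variants and substitutions plus capitalisation give 2,304, which an offline attacker folds into a mangling rule with negligible cost; four appended random printable characters multiply the space by over 81 million, which is the comparison the thread is making.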
It sounds like this isn't the case here (if it's a web application), but there are very good reasons for not using a salt while hashing passwords.
Not salting passwords is why Kerberos works.
A password that contains lower and uppercase alpha, numeric and punctuation chars is considered strong.
1337ing words doesn't count though. It's probably good enough for almost anything, but not good enough to stop a determined hacker.
Any auth system that doesn't set off alarms when some script kid is trying to brute force it is a joke.
Doesn't help if it's an offline attack.
Non-printable chars are security by obscurity, a good idea for OS logins only because script kids often don't think to check for them.
Non-printable chars also increase the key space.
Secondly, security by obscurity isn't a bad thing. It's tossed around as if it's worthless, but it's not. You just can't rely on said security for your whole system.
But I'm not sure non-printables are worth the hassle. I set my Unix password to something with an escape once, but just had to go and change it because when I typed it into the password box in the SSH client that I use, esc acts as cancel.
Actually outsourcing is economics at work. If an Indian can do the same job for cheaper, then they should be the one to be hired.
What if the reason that they can do the same job for cheaper is because their government doesn't have protections in place that the US does, and the company is exploiting the workers? Is it the case that Google SHOULD be in China because it makes just economic sense?
So, I've heard of bootleg DVDs, bootleg CDs, bootleg Rolex watches... but I think this has to be the world's first bootleg amusement park!
Copyright AND trademark.
I'm all for weaker copyright laws (though not to the extent of some people here), but this is WAY too far IMO.
Personally, I'd send something like that registered snail mail.
In many states, audio recordings of others without their knowledge (and without a court order) are illegal.
Check your laws.
This was 2002, before the P took the place of zero.
But I agree, if it were to be published today, that would be the "proper" title.
I was making fun of the name, not trying to be interesting! Mod me funny dammit! ;-)
I'm sure the WOOT conference would have been happy to publish "How to 0wn the Internet in Your Spare Time," which, incidentally, has to be the best academic paper title ever.
I'm addressing your post's title rather than content, but here goes...
will any win32 FF users actually go back?
I'm very interested to see the development of the computer industry over the next couple years. I wouldn't go so far as to say Vista is failing, but at the same time it's not exactly flying off the shelves. MS got some things right with it, but missed the mark with a number of others.
The way I see it, one of two things will happen.
- MS will stop goofing around and pull itself together. There are a lot of talented people there, and NT's architecture is a lot better than a lot of people (at least around here) give it credit for. It seems like there should be really no reason for them to have had so many security etc. problems in the past other than that they were just not caring because they were the only folks in town. So if they start caring, maybe they can wade through the bureaucracy and put something neat together.
The fact that a lot of people are really praising Office 2007 is a little support for my assertion that MS *should* be able to actually produce something nice, though updating the GUI is a "little" different than writing a kernel. MS Research is also top notch. (Partly because MS is one of the few companies that is actually putting $$ into (non product) research at this point.)
- MS won't actually improve. It could be that the management at MS can't figure out a way to structure things so that they can be productive, or maybe the people there actually aren't so hot. (Or maybe they are in some sense too hackery and don't have the diligence to produce OS-quality software.) In this case, the MS product line continues to stagnate.
In the first case, it's entirely possible that IE could catch back up to FF. IMO there were a few years back there from probably IE 5 until at least Mozilla started to really get going (and possibly not until Firefox) that IE was the best browser around for Windows. Netscape 4.7 was a dog compared to IE, and Netscape 5 or 6 (whichever was publicly released) was horrible. Opera was probably a contender in there at some points too, but when I first used it I don't think it had really matured yet and wasn't all that good, and then I didn't use it again until 2003 or 2004 when things were starting to heat up again because IE 6 was starting to suck comparatively.
This seems to be the nature of things; one product moves ahead while the other falls behind, then it catches back up while another product goes away completely, etc. Look at Intel vs. AMD. Back around 2000, AMDs were a really good buy; their performance per dollar was higher than Intel's. At the same time, Intel still had the best chips on the market. But a couple years later, things changed; AMD became not just the leader in performance per price, but became a serious contender just flat out in the performance category. They were also the first to hit the market with AMD64, which Intel later picked up. At the same time, Intel was sort of floundering. The P4 wasn't all that great. But then last year they released the Core architecture, which not only retook the lead by trouncing AMD's best offering performance-wise, but was competitive on a value comparison too. Before, I dunno, 1999 or 2000, I wouldn't have seriously considered getting an Intel knockoff chip. But after AMD was on the scene for a while, from then until the release of the Core 2, I would have gotten an AMD without much of a thought. But now I think I'm back siding with Intel again.
I guess what I'm saying is that FF mustn't become complacent, because that will put them in the same position that MS put itself in that allowed FF to gain as much ground as it has.
This is something that some people have problems with and others don't it seems. I'm not sure what makes the difference, but I certainly can back up his claims.
I would guess it's probably an extension that's causing this, but I'm not sure; I only have a few installed and enabled now.
(I just restarted FF a couple times so now it's only at 55 MB with 2 tabs, but when I posted that comment above I was over 400 MB of mem usage (with a VM size over 900 MB) with 10 tabs.)
So he's probably not making that up.
Replying to myself this much is really lame, but, without opening more tabs or really doing much of anything, I'm up to 422,192K mem usage. Task manager reports a peak mem use of 890,164K.
Oh, hey, look, without doing anything but typing this message, I'm up to 428,628K usage.
I love Firefox, but either it or one of my extensions is absolutely horrible with memory.
(434,500K)
Actually, I'm looking at that shot a lot closer now, and it wasn't taken when I thought. It couldn't have been before late Aug. 2005 because I had already done my RAM upgrade by then. The creation date on the file is Nov. 7, 2006, which is a lot more recent than I thought and makes it definitely FF 1.5, though it's possible that that time got messed up at some point.
So is your hyperbole. I've had FF -- with 20 extensions -- running for about 6 hours now, and currently have 5 tabs open.
I have 10 tabs open in one window now (I've had a lot more open) and FF running for a while with 8 extensions with 2 disabled.
Windows task manager reports 390 MB of "mem usage". The "VM size" is 953 MB.
I took a screenshot a couple summers ago when I was getting really frustrated with FF mem usage before I found out about some setting in about:config that reduces mem usage by quite a bit. At the time I had less RAM, and my system was pretty swappy, and FF was by far the biggest offender; about once a day I'd have to exit and open it back up. Even if I had exactly the same tabs open, the memory use would be a fraction of what it was before exiting. Keeping in mind that this was at least one and possibly two major releases behind (so either 1.0 or 1.5), this screenshot shows the Windows task manager's performance tab after a fairly typical session of FF. At the point in the graph marked, I quit Firefox. 55 seconds later the process finally had exited, and my page file usage had dropped by about 1.3 GB.
It's not hyperbole.
900,000?! What kind of load are you running?
I should probably qualify this by saying that their newest measurements are from 2004. However, there is almost no change over the time period 2000-2004, and what little movement there is *increased* the percentage of files < 4K by a couple percent as time went on.
Also, by "but the number of small files isn't going down; it's actually increasing as time goes on", this is because the total number of files is going up rather than the distribution is shifting to small files.
Is that just an artifact of this being designed in 2000? At this point very few files on the average system would be smaller than this.
Actually you are wrong.
A FAST 2007 paper did a five-year longitudinal study of file system metadata within Microsoft. Keeping in mind then that this is highly workload dependent and probably rather OS dependent (though my experience is that this is probably even more true for Unix machines than Windows):
* It's hard to tell from the graph [you should be looking at fig. 3], but somewhere between 10-15% of files are smaller than 512 bytes
* About half of all files are smaller than 4K
Now, if you look at the *size* that those files take up vs. file system size [fig. 5], then it's essentially nothing. But the number of small files isn't going down; it's actually increasing as time goes on.