Slashdot Mirror


User: jonadab

jonadab's activity in the archive.

Stories
0
Comments
5,933
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,933

  1. Re:Emacs Keybindings? on Mozilla Thunderbird 0.4 Released · · Score: 1

    > Does anyone know if or when Thunderbird will support either an Emacs mode

    You do realize, of course, that the source tarball for Emacs is larger than
    the source tarball for Thunderbird? If what you want is Emacs, it would be
    easier to add a mailreader to Emacs than to add an Emacs mode to a mailreader.
    Of course, Emacs already has several mailreaders, the most full-featured and
    powerful being Gnus (so called because it started its life as a newsreader,
    way back in the day, before all this new-fangled "world wide web" stuff).

    > Emacs bindings were supposed to take precedence

    Umm, Emacs lets the user set whatever bindings they want, so I'm not sure
    what you mean by "the Emacs bindings". Emacs does not have any one set of
    bindings. It has some defaults, but the defaults are only defaults, and any
    serious power user will rebind the functions he uses with any frequency to
    keystrokes that are easy to remember and easy to hit.

    Again: if you want Emacs, just use Emacs. Thunderbird will not in the
    forseeable future begin to approach the functionality of Emacs. (This is not
    disrespect to Thunderbird, but Emacs has been under development for a very
    long time by a number of very skilled and dedicated people and so has a huge
    repertoire of functionality not approached by any other piece of software of
    which I am aware, with the possible exception of Perl if you count all the
    modules on CPAN.)

  2. Re:A terrible and never-ending task??? on Mozilla Thunderbird 0.4 Released · · Score: 1
    > just writing a perl script to talk behind the scenes to the Outlook Web Interface

    Sounds like a job for WWW::Mechanize.

  3. Re:Bayesian SPAM filter - Empty "hello" emails on Mozilla Thunderbird 0.4 Released · · Score: 1

    > The way I understand it, all that would do is teach your Bayesian
    > classifier that HTML tags are slightly junkish

    Fundamentally, this isn't going to get you anywhere much. While I get
    approximately zero legitimate messages in text/html format per annum and
    roughly fifty illegitimate such messages per day, nevertheless all common
    HTML tags occur with some frequency in my regular (text/plain) legitimate
    mail, for one reason or another. (I do some amateur web development and
    know some people who do it professionally...)

    More significantly, text/html spam does not generally have a structure that
    lends itself very well to bayesian analysis. The "HTML" tends to be custom
    SGML autogenerated for each message. If you examine some of it closely, you'll
    see this sort of nonsense:

    <b><gcaelielaen>V<roiqwnbmlz>i<oqiwjhxoisdoifd>a <i wqeerqytrxa>g<pomzbelfsk>r <ilenvpwjngie>a</b>

    And so on and so forth. This is designed to abuse the fundamental rule of
    HTML that unknown tags are ignored. It's also designed to be impossible to
    write keyword filters for, and it has the side-effect of also being pretty
    much utterly unfilterable by naive bayesian classification. It is possible
    to do bayesian filtering in a way that defeats this, but something more than
    a garden-variety naive application of the technique is required: you have
    to apply some kind of prefilter before feeding the "words" into your bayes
    engine. One of the things your prefilter can do is find the word obscured
    in all that mess. (The prefilter does not have to know that there's anything
    special or spammy about this word; it just feeds whatever words it finds to
    Bayes.) The prefilter should also find the same word if some of the letters
    are encoded in 1337 (e.g., "\/1@GR@"). Again, the prefilter doesn't have to
    know this word; it only has to know that "\/" is similar to V, "1" in a class
    alongside "l" and "i" and several other characters, and so on. This is not
    a great deal more complex than case folding (okay, multibyte characters like /\/\ make it a little more complex, but this is not insurmountable) and will
    greatly reduce the number of "Vla-gra" advertisements you have to see before
    the bayesian engine has seen all the several hundred possible variations.

    The sort of thing above is also tremendously easy to identify if you have a
    full-blown scripting language at your fingertips. Just keep a list of all
    legitimate or common HTML tags and for every distinct "weird" tag you
    encounter increment the message's weird-tag counter. Messages with more
    than a certain quota of "weird" tags then get subjected to some additional
    rules that attempt to determine whether they're some kind of legitimate
    markup or not, and maybe some rules that expressly look for highly spammy
    words broken up by the tags as above. (You can take your list of highly
    spammy words from the stats database that your bayesian engine produces.)

    Or like I said, you can prefilter it before you feed it to Bayes, adding
    the extracted words to the list of tokens.

  4. Re:Although it is in 0.4 on Mozilla Thunderbird 0.4 Released · · Score: 1

    Stable it may be, but complete it is not. There are still a number of rather
    vital features that remain to be implemented. This doesn't matter much for
    people who don't do a lot with email, but for people who are addicted to a lot
    of poweruser features from mail clients like Pegasus or Gnus, Thunderbird is
    Not Ready Yet.

    Still, it's good to see that progress is being made. The browser is getting
    to be pretty good, so maybe in a couple of years they'll have a mail client
    I can think about using. (That would be saying a lot; I'm picky.)

  5. Re:This is great on Mozilla Thunderbird 0.4 Released · · Score: 1

    I don't use Thunderbird either (nor Communicator, because they're not featureful
    enough) but of all the mail options available, hotmail is categorically the
    absolute worst option, worse even than OE.

    I use Gnus, of course. Gnus is nothing if not featureful.

  6. Re:Lego and employment on New York City, LEGO Style · · Score: 4, Informative

    > The cheapest LEGO available is a 2000 piece tub for $20, or 10 cents a piece.
    > Unfortunately

    Your mistake was buying them all new. Lego has been around for quite some time,
    and so there are a *lot* of them available in secondhand-toy land. When I was
    a kid, we picked up a big cardboard box of them (must have been two feet long
    by a foot wide at least, and there were maybe three inches deep of legos in
    there) at a garage sale for a couple of bucks. Granted, that's an especially
    good deal, but if you hunt around you should be able to pick up used Legos in
    good condition at well less than the new price. You'll probably still have to
    buy some new if you need specialty pieces in certain colours or whatever, but
    for just plain old ordinary regular-sized bricks that you need in bulk, you
    should be able to pick up quite a few of them used.

  7. Re:Two minds about it on Real Security? · · Score: 1

    > By the way, what's "AI-complete"? Do you mean "NP complete"?

    No, I do not mean NP complete. Do a google search for AI complete, or check
    the jargon file or Wikipedia.

  8. Re:Two minds about it on Real Security? · · Score: 1

    > It's only about six thousand times better

    Bear in mind, however, the password it's six thousand times better than is
    considered in the industry to be reasonably secure. Also bear in mind that
    my password is so much easier to remember, there's no comparison.

  9. Re:Two minds about it on Real Security? · · Score: 1

    > An attacker would likely initially try at most 5000 common words

    (5000^6)/2 is still better than (200^8)/2, but I do tend to prefer somewhat
    more literate sentences. Something like "Bob shifted paradigms and established
    a new type of password" is much stronger than "This is my long password". It's
    ten words long, *much* easier to remember than ten random characters like
    "Y7bQ(dH|nZ", and includes a couple of words that will not be in the 5000-word
    dictionary.

    This kind of password cannot be generated by software unless you take it from
    a source of known-good sentences, but that is ill-advised...

    > In real life, you'd attack such a password by picking strings from the
    > fortunes files, books, and other sources of quotes

    Passwords should not be chosen from such sources, because if the attacker
    finds out how you generate your passwords you've just shot your search space
    all to pieces; therefore, the sysadmin or the users should make these
    passwords up by hand. Getting users to be creative enough to do so is
    probably asking too much, but in a world where sysadmins often think nothing
    of assigning someone a password like "UnG8IxwM", I don't know why they would
    balk at handing out passwords like "Trying to recall my password makes my
    mind go all woozy and my brain turn to rice pudding" or "I can remember that
    green fields of wheat make spectacular password mnemonics" or "George always
    keeps live salamanders in the office to frighten the cleaning team" or "The
    pain associated with remembering lengthy passwords is exaggerated."

    Yes, all of these include some words that could be put on a short list of
    "words associated with passwords": recall, remember, password, computer,
    system, access, and so on, and several forms of all those words. However,
    you've still got words like "woozy", "rice", "pudding", "fields",
    "spectacular", "salamanders", "frighten", "associated", and "exaggerated".
    So the search space is decently large, I assure you. Remember, the goal
    was not to make the passwords absolutely unbreakable, but only to make them
    at least as strong as "Be%oPMqR". Also remember that the *real* goal was to
    make them easier to remember so you can tell the user "Memorize this, because
    you can't take the slip of paper with you. I have to burn it and grind the
    ashes to powder. Also, if you're caught telling anyone your password you
    won't get your bonus at the end of the year and we'll put you on the system
    where you get a new password to remember every month."

    Bonus points of the user also has an ID tag with their photo on it that they
    have to swipe when they log in, in addition to punching in the memorized
    password.

  10. Re:Two minds about it on Real Security? · · Score: 1

    > If the cracker knows that your password is a valid English sentence, then
    > the search space is significantly reduced. For example, you can trivially
    > discard any combination that doesn't include a verb.

    Only if he's doing it by hand. The computer isn't smart enough. Determining
    part of speech in English is AI-complete. It may not be so in all languages;
    in particular, it is probably not so in many strongly inflected languages.
    In a word-order language like English, however, which routinely permits the
    verbing of nouns and adjectives, determining what does and does not constitute
    a sentence is famously AI-complete. It would be faster to just try every
    combination of words.

  11. Re:People can make them whatever they like. on Real Security? · · Score: 1

    > If I were building that system I wouldn't give nurses read/write priviliges

    Read privileges alone are enough. Medical record confidentiality and all that.

  12. Re:Good way to circumvent library filters? on MandrakeMove Bootable Linux CD Announced · · Score: 1

    > I'm assuming that most library admins will have [disabled booting from CD]

    I'm a library admin, and on our patron internet stations I've unplugged the
    data and power cables from all the removable drives (those that *have*
    removable drives, which is not my preference). Unfortunately, I do have to
    leave the floppy drives plugged in on the word processing systems, but I do
    disable booting from them in the BIOS.

    If you think these measures aren't necessary, you've never worked in the IT
    department at a public library.

    If I had more control over the budget process, we'd have thin clients.

  13. Re:password quandry on Real Security? · · Score: 1

    > Does anyone really follow these rules? How do you remember all your
    > passwords if you do?

    You can only be so paranoid. *Most* of your passwords (e.g., your slashdot
    password) are generally not worth that kind of trouble. OTOH, a typical
    user probably has one or two passwords that are, and a sysadmin probably
    has a dozen. So...

    > It should be hard to guess, involving a mix of upper and lower case
    > letters and numbers, and involving no personal data.

    Let's rephrase that: it should be hard to guess and hard to bruteforce.
    Whether it involves a mix of upper and lower case and numbers is immateriel;
    that's *one* way to make it hard to brute-force. Sheer length is another way
    that works even better, without making it so hard to remember.

    > It should be different for each site or system.

    You should use a unique, secure password for each *important* thing that
    *needs* to be secure. Your subscription to a given blog, online newspaper,
    or whatnot is not in this category.

    I use an insecure password for my Amazon account -- I can do that, because I
    have not given Amazon any data that needs to be secure (for example, I have
    not given them any credit card numbers; I prefer to pay by check). If
    someone guesses or brute-forces my password, they can order something in my
    name. If they *pay* for it, it'll even get delivered. Whoopee. They could
    do all of that anyway by creating a new account with my name (using, say, a
    free hotmail account for the email) and information out of a phonebook.

    OTOH, the root password for my MySQL database at work is sixteen characters
    long, including both cases and numbers -- and yes, I have it memorized.

    > You should change it often.

    Depends. Passwords you don't use very often don't need to be changed
    very often. You should change your password any time you believe there
    is a chance it may have been compromised (e.g., if someone stands over
    your shoulder while you enter it), and really critical passwords should
    also be rotated from time to time, yeah.

    > You shouldn't write it down or put it in a text file.

    Absolutely don't put it in a text file.

    Don't write it down? Depends. How's the security of your building? Also,
    are you primarily concerned about someone with physical access, or remote
    attacks? There are some passwords that I do write down, because losing them
    is more likely to be a problem than an attack by a person with physical
    access. Now, that said, by "write down" I absolutely do not mean "adhere
    to the monitor on a sticky note" in a public office. Passwords you write
    down should still put where getting/finding them is at least as hard as
    removing the hard drive and mounting it in another system.

    > Does anyone really follow these rules?

    They're guidelines. You also have to use that squishy grey thing between
    your ears.

  14. Re:People can make them whatever they like. on Real Security? · · Score: 1

    > requiring passwords to be so odd isn't really protecting anything, as
    > users will voluntarily do so if it is anything they care about

    There are some situations where the user may not care, but the sysadmin has
    to protect the security of the system anyway. Hospitals are an excellent
    example. Approximately zero percent of nurses understand why passwords on
    hospital systems should be secure, and they will happily use their birthdates
    if permitted to do so. Legally, the hospital absolutely cannot allow that.

  15. Re:Two minds about it on Real Security? · · Score: 5, Informative

    > thisismylongasspassword

    That's better than you think. My /usr/share/dict/words has over 45000 words
    in it, which is probably typical. The above password is six words long (which
    if anything is pretty short, as sentences go). That means you can brute force
    it in about (45000^6)/2 tries, on average. Compare that to a typical "strong"
    eight-character password (e.g., "bVi-Q*cY"), which can be brute forced in
    (N^8)/2 tries, on average, where N is about 100 or 200 or so, depending on
    your character set. The sentence starts looking pretty good -- and it's a
    *lot* easier to remember.

    > thi!$1smyp4$s

    Yes, increasing the length to over 12 characters greatly improves the security
    of a traditional ugly password. (N^13)/2 is about N^5 times better than
    (N^8)/2, so with an N of around 80 characters (upper and lower case letters,
    digits, and about 20 common printable punctuation marks) that's about a
    three-billion-fold improvement in the time needed to brute-force it.

    I personally tend to favour a combination of these approaches. Take your
    sentence (say, "I tend to favour a combination of these approaches.", make
    a handful of key substitutions, and you get a password like this:
    I-t3nd-2-PHavour-a-c0mbinat|on-0f-these-app roacheZ

    The sentence is easy to remember. In addition to the sentence, you have in
    the above example seven substitutions. That's a total of eight things to
    remember, barely (if at all) harder than tB8k^yQp and pretty much impossible
    to brute force. (If you do the arithmetic on this sucker, it's impressive.
    Even assuming a clever modified dictionary attack, the sentence is nine
    words long (nine *words*, not nine chars), and furthermore there are
    several possible ways to mangle each word. The mere electricity your CPUs
    would use up running the possibilities boggles the mind; whatever the
    password is protecting, you could buy it cheaper.) Then you have to worry
    about things like sniffers, surveillance, and rubber hose cryptanalysis, if
    the password unlocks something worth anyone's trouble to bother with all that.

  16. Re:Definitely on Real Security? · · Score: 1

    > Come on, who uses passwords like '%33#Gt(;' nowadays

    Are you kidding? That's too short by half.

  17. w3schools. on Web Publishing Tools for Kids? · · Score: 2, Insightful

    Send her here. Really. I taught myself HTML in my spare moments during a weekend using a much worse tutorial than that, and I was in college at the time. Kids learn faster. In three hours she'll have the HTML figured out and be looking for clip-art.

  18. Re:Don't forget the users! on Freedesktop.org on KDE/Gnome, New Goals · · Score: 1

    > Or, pick a minimal install, then use something like urpmi or apt-get or
    > yum to install just the software you want.

    That would take forever. You'd be days tracking down all the things you want
    and getting them installed. At that point you might just as well use Gentoo.

  19. Re:Wow! on Novell's Certified Linux Engineer · · Score: 1

    > * back out easily. 'rpm -e' or 'pkgrm' are easier than grepping through
    > the Makefiles for all of the installed programs and piping that to
    > 'find / -name $1 -exec rm' or whatever.
    > * copy the package to other servers and install quickly and easily. This
    > allows you create once, install anywhere, and you can even script the
    > installation process.

    You should look into checkinstall, if you haven't already. Basically,
    checkinstall replaces the make install portion of the above procedure
    and builds a package (RPM being one of three package-type options).

    > * avoid overwriting existing files. Any decent package manager will complain
    > if the target file(s) already exists.

    Except in /etc I've never found this to be a problem, unless you are trying
    to have multiple versions of the same package installed, in which case you
    really need to use the prefix option for the configure script anyway. As far
    as /etc, you really should have it mirrored in another directory anyway.

    (Actually, I like some things about the way Gentoo handles /etc, though it
    could use some tweaking yet. e.g., for any given /etc/foo there ought to be /etc/foo.orig which you don't edit, so that your edits could be extracted as
    a diff; in many cases the new version could be automatically patched with
    your edits; you'd only have to merge them manually if you made changes in
    some of the same places where the file changed from the old version to the
    new one. The (unpatched) new version would then become the new foo.orig .)

  20. Re:Novell had a Linux track years ago on Novell's Certified Linux Engineer · · Score: 1

    > It's kind of a stretch that they are calling this a Certified Linux Engineer

    I thought it was Novell Certified Linux Engineer. Now, I suppose you could
    read that as Novell-Certified Linux Engineer (i.e., a Linux Engineer who
    is Certified by Novell), but without the hyphen the natural reading IMO is
    that Novell and Certified and Linux are all adjectives modifying the noun
    Engineer. i.e., this certification is not about Linux per se but rather the
    combination of Novell and Linux (or, more particularly, Novell running on
    Linux). Seems reasonable to me. There are other certs out there if you just
    want to be certified to work with Linux systems in general. This is a Novell
    certification, so of course it relates to Novell systems.

  21. Re:The Price of Doing Certs on Novell's Certified Linux Engineer · · Score: 1

    > Ah, the endless loop. When employed, certs are not needed

    I would think that if you've been employed for a decent amount of time in
    a relevant job, you wouldn't need the certs afterward either, unless you're
    fired for incompetence or something. Last I checked, job experience was
    worth a good deal more than certs. (A degree is nice to have too...)

  22. Re:First thing you see... on Novell's Certified Linux Engineer · · Score: 1

    > Are they saying that we are lazy?

    Well, there's lazy and then there's lazy. Some people are lazy enough to
    put out the effort needed to learn how to set things up properly so that
    they run themselves and we can kick back a bit. This is the virtue of
    laziness.

    If you're too lazy to learn the proper skills to make things work that way,
    so that you are constantly troubleshooting preventable problems that crop up
    because of flaws in your setup, that is False Laziness.

    If you read the camel book, you will also learn about the distinction between
    the virtues of Impatience and Hubris and their corresponding antitheses, False
    Impatience and False Hubris.

  23. Re:it wouldn't change anything on New IE Holes Discovered · · Score: 1

    > I believe the current "best practice" is to wait at least 1 week for the
    > vendor to initially respond... and to give them at least 1 month to create
    > a patch if they (privately) acknowledge the problem.

    Ordinarily I would agree with this for most products (even most Microsoft
    products -- e.g., if you find a security flaw in their CIFS implementation
    or something), but MSIE's security track record is so horrifically aweful
    that any attempt to follow these practices in the case of MSIE is a total
    waste of time. Microsoft has proven repeatedly that they do not consider a
    reported security flaw in MSIE (or MSOE) to be worth their time until it is
    actively exploited by the blackhat community. My guess is that this is a
    result of internal policy within the MSIE team itself, more than Microsoft
    in general. Vulnerabilities in many of their other components get patches
    before the exploit hits the wild, so we have to assume that whoever answers
    the mail does forward it along to the appropriate team. But when the MSIE
    team gets them, they apparently file them in the bit bucket until something
    disastrous happens to bring it to their attention for real.

    IMO, since there's a workaround (disable Active Scripting), the researcher was
    right to make this public, so that people can protect themselves *before* the
    exploit hits. There was essentially no hope that the patch would come out in
    time for that, regardless of any best practices followed.

  24. Re:Incident response times on New IE Holes Discovered · · Score: 1

    > They could have just distributed IE with Windows and have it install by
    > default. Sure users would be able to uninstall it, but how many home users
    > would even bother to uninstall it and install their browser of choice as
    > long as IE wasn't a total piece of crap?

    You seem to be forgetting that versions of IE prior to 5.5 or so *were* total
    crap, and I don't mean just in terms of security. IE4 was worse than Netscape
    Communicator 4, which almost all of us now consider totally unusable. IE
    didn't actually get to be halfway decent until *after* it already had a very
    strong market share (due to bundling). For example, such basic features as
    Print Preview were added *after* the release of 5.0 and didn't always work
    right at first.

    The fact that security is now universally considered one of the biggest
    shortcomings of IE, whereas before it wasn't, is not because the security
    somehow suddenly got worse; it's because MSIE is in many respects now quite
    good. Three years ago it was junk in pretty much every respect; Microsoft
    has actually made huge progress with IE. They probably now need to rebuild
    it mostly from scratch to stop the perpetual security issues, but they now
    have some leisure to do that, since apart from a couple of minor things
    (e.g. popup blocking) there are few urgent feature needs in the extant
    codebase. They ought to be able to build a fresh browser from the ground
    up now and bring it out in about three years with fanfare and hype as the
    best thing since sliced bread (i.e., IE).

    What they're going to do about Outlook, I don't know. If they want to
    shake their reputation for bad security, they've got to do *something*
    about Outlook, obviously.

  25. Re:The one line that says it all... on SCO Letter to Fortune 1500 Now Online · · Score: 1

    > I am amazed that the US continues to tolerate their system, or maybe
    > poorer people don't vote.

    Warning: generalisations follow...

    Actually, our system in the US as it stands now *greatly* favours the
    non-working poor. Hugely so. Normal people put things off for weeks and
    months because the 40% we have to pay after the insurance company pays its
    share is still quite a lot of money; people on Medicare, meanwhile, call
    routinely an ambulance for non-emergency things just because they can't be
    bothered to get someone to drive them a quarter mile to the hospital. It
    doesn't cost them anything. They abuse the emergency room, too, going in
    for the most flagrant of non-emergencies because (unlike a doctor's office
    visit) it costs them nothing.

    I don't mind a certain amount of paying for poor people to have some health
    care, but it has frankly gotten entirely out of hand. The percentage of my
    paycheck going for other people's health care needs is a good deal higher
    than what I pay for health care for myself, including dental checkups and
    everything. (Granted, I'm single, but still...) I say, make 'em pay 40%
    like the rest of us, *especially* for non-critical stuff, like calling an
    ambulence for a condition that hadn't changed in hours.

    Oh, and if I had my way smoking would disqualify you from receiving any help
    at all; if you don't have any concern for your own health, how can you expect
    the rest of us to take the responsibility that you won't? This is a harsh,
    narrow-minded, and unpopular view, but I didn't come to it out of randomness
    or meanness.