The *only* nice thing about FAT is that all the Windows machines in the world can read it without installing drivers.
More important is that every electronic gizmo taking flash memory cards (digital cameras and MP3 players) can read/write it without installing drivers!
Because although installing a filesystem driver may be painful on Win98, it's one thousand times worse on solid-state electronics.
If you look at things statistically, a little money is much more valuable to an individual than his one vote.
Consider first the probability that one vote will actually change the outcome of an election: it's nearly impossible. Odds of 1/10e7 are typical. Mathematically, a vote is just as bad an investment as a lottery ticket. (Which are, as they say, a "Tax on people who can't do math")
Then consider the real difference choosing a different president or governor will make to your life: not much, really. The two dominant political parties have grown very similar to each other. They'll rarely try to make a significant change (and most changes they attempt will be cancelled out by the other party in the next election). So not only is a vote unlikely to pay off, but that payoff isn't likely to change very much.
Thus, looking at all the possibilities, a rationally self-interested person will not waste his time voting. The hour+ it takes out of your day is actually much more valuable than the tiny chance that the vote you cast actually has a benefit to your life.
This is why explicit selling of votes was criminalized: because if it were legal, the free-market would reveal how cheap each vote really is!
PS. Having computed that voting is a waste of time, why do people still vote? Altruism. They vote not only for themselves, but also to share their wisdom with the rest of the country. And for more selfish reasons, like the feeling of success when your guy wins.
PPS. Several mathematicians have created alternative voting schemes (different from simple majority) which boost the chance that any single vote will change the outcome of an election. But the public, so far, has rarely been interested.
Re:I disagree with the article (on "Real Security?") Score: 1
I seriously hope you are kidding.
I didn't say it was good; I said it was widely practiced. And it is. Walk into any classified military research facility, and there are posters every 3 meters reminding you to change passwords every 60 days (alternating with reminders not to let anyone follow you through a keycarded door).
Forced expiry is so prevalent that I didn't want to come out against it, because the consensus is that it's really needed.
The only advantage I can see to it is that it reduces the time window open for an attack by a patient, resourceful enemy. If passwords never, ever change, then any compromised password is a permanent hole (as long as the attacker doesn't jump the gun and get caught exploiting it). If passwords are your only defense, then your network is transparent forever. Expiry at least bounds that, so a lucky glance at a post-it isn't the end-all of intrusion.
At least, that must be the thinking, or why else does the NSA require it? (PDF, flip to page 8: "Users should be forced to change their passwords regularly")
(Also, if you have a dual password+SecurID or password+biometric system, then a non-expiring password gives attackers much more time to work on physically circumventing the other element of protection)
While Celts and Hottentots have superficial differences in appearance, there isn't a test or series of tests you can run to conclusively tell that a DNA sample is from one or the other.
The inability of a geneticist to detect race doesn't invalidate its existence. Likewise, the popular factoid that "A European has the same percentage of shared genes with his cousin as with an African" tells us nothing scientific about race, except that "percentage of identical genes" is not a valid way to measure it.
Perhaps biological science hasn't advanced to the point where it can detect race. That's fine, because sociologists and anthropologists can certainly recognize it.
Can you give me a reasonable explanation beyond "they've got dark skins"?
Population. Ireland and Israel are tiny. Their total populations (3mil and 6 mil) are less than a single US city. Russia, Israel, and Ireland combined have half the people of the US (150mil vs 300mil).
But India by itself has more people than those three countries plus all of North America (1000mil vs 580mil).
Fairly small problems just don't get much complaint. I'm sure if China got into software, they'd be even louder.
And who has heard of any outsourcing to Russia or Israel?
The well-known Linux module "ReiserFS" is a famous example of outsourcing to Russia. Hans Reiser was paid $50,000 or so to develop an advanced filesystem. Instead of feeding himself for one year of work, he turned around and hired 4 Russian PhDs... and had money left over.
What would you say about MIT hiring an outside contractor to repair a wall on its campus when it has a civil engineering department?
Not at all a valid comparison. Civil engineers give instructions to laborers, who do most of the work creating the output product. Software engineers produce the final output themselves.
Re:People can make them whatever they like. (on "Real Security?") Score: 1
So in other words, Cmdr Taco knows your email address and password, and can go ahead and login to any website you use?
(Of course, that problem's not unique to you. Many people use the same passwords for all the "trivial" websites they join)
Re:Simple Passwords are fine (on "Real Security?") Score: 1
So all you should need is a password that won't be guessed on the first few tries.
This is true, somewhat. But there are some important caveats:
Not all remote servers may be configured to detect or bog-down dictionary attacks.
TOO simple is still bad... too few characters, or too much repetition, opens you up to shoulder-surfing attacks.
If the password is used for encryption, rather than authentication, it still needs to be complex. A dictionary-attack on encrypted data can be run in the privacy of the hacker's home, at kilohertz rates. The data may have been sniffed in transit, or the encrypted disk stolen, and then the attacker has years to work on it.
Re:Annoying security leads to circumvention (on "Real Security?") Score: 2, Interesting
so while i'm doing the forward securely with ssh, they just annoyed me and i worked around it.
Even if ssh is unbreakable, your company's overall security has been reduced. The physical security of your home is probably worse than the office, but now an attacker can burgle your house to reach corporate-wide data.
Of course, if you're allowed to ssh into work, then that vulnerability exists anyhow. But if the workplace blocks inbound ssh and you created the tunnel in the reverse direction, then the danger is your own.
Re:Too many passwords - so I write 'em down! (on "Real Security?") Score: 1
So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!
Why not just write 4-5 of them in the notebook, and concentrate on memorizing the remaining 1-2 passwords the hard way? That way, if someone gets the notebook, she won't have all the keys needed (and can't guess the remainder before you, in-person, instruct the bank to reset all of the numbers)
Re:I use good passwords, and here's how (on "Real Security?") Score: 2, Insightful
I use that system too, but it's not as good as forcing yourself to memorize a randomly-generated string.
"iltpos" or "hthayt" has much less entropy than "ilcpskl" (which a computer gave me). Knowing you use this system, a hacker can download a bunch of ebooks and process them to generate a Markovian model of the English language. That would represent that letters appear at the starts of words with different frequency, and even (with work) that the frequency changes depending on how far you are in the sentence.
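The comparison above can be made concrete from the defender's side: train the kind of model the post describes on some text, then measure how many bits of "surprise" a candidate password costs under that model versus under a uniform draw from a-z. Below is an added example, not code from the original post or any project; the corpus is a constructed handful of sentences (the post's attacker would use ebooks), the model is a first-order Markov chain over word-initial letters with add-one smoothing, and all function names are assumptions. A password-strength checker built this way flags phrase-initial passwords that follow English patterns while leaving the computer-generated kind alone.

```python
import math
from collections import Counter, defaultdict

# Constructed sample corpus (not from the page). A real checker would be
# trained on a large body of English text; a few sentences show the mechanics.
CORPUS = [
    "it is late to pick our seats",
    "here they have all your tools",
    "the weather was fine this morning",
    "we should take the train to town",
    "i think the system is too weak",
    "they sent the same letters again",
    "most people pick a short phrase",
    "a computer chose these at random",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def phrase_initials(phrase):
    """Turn 'i like to pick our seats' into 'iltpos' (the scheme in the post)."""
    return "".join(w[0] for w in phrase.lower().split() if w[0] in ALPHABET)


def train_initials_model(sentences):
    """First-order Markov model over word-initial letters.

    Returns (start_counts, transition_counts, outgoing_totals, n_sentences),
    where start_counts holds the first initial of each sentence and
    transition_counts[prev][next] counts consecutive initials.
    """
    start = Counter()
    trans = defaultdict(Counter)
    out = Counter()
    n = 0
    for s in sentences:
        ini = phrase_initials(s)
        if not ini:
            continue
        n += 1
        start[ini[0]] += 1
        for prev, nxt in zip(ini, ini[1:]):
            trans[prev][nxt] += 1
            out[prev] += 1
    return start, trans, out, n


def bits_under_model(model, pw):
    """-log2 P(pw) under the model with add-one (Laplace) smoothing.

    This is the number of bits a guesser armed with this model effectively
    has to spend to reach pw; lower means the password follows the
    language's patterns and is easier to guess.
    """
    start, trans, out, n = model
    pw = pw.lower()
    bits = -math.log2((start[pw[0]] + 1) / (n + len(ALPHABET)))
    for prev, nxt in zip(pw, pw[1:]):
        p = (trans[prev][nxt] + 1) / (out[prev] + len(ALPHABET))
        bits -= math.log2(p)
    return bits


def bits_uniform(pw):
    """Entropy of a same-length string drawn uniformly from a-z."""
    return len(pw) * math.log2(len(ALPHABET))


if __name__ == "__main__":
    model = train_initials_model(CORPUS)
    for candidate in ("iltpos", "hthayt", "ilcpskl", "zqxjvk"):
        print(f"{candidate:8s} markov={bits_under_model(model, candidate):5.1f} bits "
              f"uniform={bits_uniform(candidate):5.1f} bits")
```

The interesting output is the gap between the two columns: a string made of common initial letters and common initial-to-initial transitions scores well below the uniform bound, which is exactly the loss of entropy the post is pointing at, while letters the corpus never starts a word with cost slightly more than uniform because of the smoothing.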
Re:I disagree with the article (on "Real Security?") Score: 1
Which is why it's usually good at some level to let users set their own passwords, so that they might actually remember them. Of course, some will set simple passwords. It's up to you how to filter that.
I disagree. I think for best security, users should be given pre-generated random passwords. But, that'll only work if it's fairly easy for them to have the password reset by a quick face-to-face visit with a security officer. In a truly high security facility, that should be enough security staff for that to work.
The biggest problem with user-chosen passwords is that they're incompatible with periodic password expiry. And automatically forcing users to change passwords is quite desirable (at least, it's very widely practiced).
The natural response of a user seeing a "90 days reached; you must change your password" prompt is to type in exactly the same word he currently uses. When that fails, he tries to make the smallest possible modification until the system accepts it. This leads to people cycling just one character higher as time goes by, which for good hackers (or just good guessers) is the same as if it never changed at all.
If you want to force password changes on a periodic basis, you must not let users choose!
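The "bump one character" habit described above is something a change-password handler can detect rather than just hope against. Below is an added example, not code from the original post or any product, of a history check that rejects a proposed password when it is a trivial variation of a recent one: identical ignoring case, the same core word with only the trailing digits or punctuation changed, or within a small edit distance. The threshold and the function names are assumptions.

```python
import re
from typing import List, Tuple

# Assumed policy threshold (not from the page): how many single-character
# edits away from an old password still counts as "the same password".
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Case-fold and drop trailing digits/punctuation, so 'Summer2023!' and
    'summer2024' compare as the same core word."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_trivial_change(old: str, new: str) -> bool:
    """True if `new` is too close to `old` to count as a real change."""
    if new.lower() == old.lower():
        return True
    new_stem = stem(new)
    if new_stem and new_stem == stem(old):
        return True
    return levenshtein(old.lower(), new.lower()) <= MAX_EDIT_DISTANCE


def check_new_password(new: str, history: List[str]) -> Tuple[bool, str]:
    """Validate a proposed password against the user's recent passwords.

    `history` is the list of previous plaintexts available at change time
    (the old password is typed in the same form, and earlier ones can only
    be compared this way if they were retained for the purpose; with a
    hash-only history, only exact reuse can be detected).
    """
    for old in history:
        if is_trivial_change(old, new):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_new_password("Summer2024", ["Summer2023", "Winter2022"]))
    print(check_new_password("correct horse battery", ["Summer2023"]))
```

The stem rule catches the most common cycling pattern (same word, next number) outright, and the edit-distance rule catches the rest of the "smallest possible modification" search the post describes; a rejection message that says why helps the user pick something genuinely new instead of trying the next variant.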
This is why Netmeeting and other H.323 solutions should be thrown on the trash heap.
This is why NAT should be thrown on the trash heap.
If your solution can't handle NAT, it is almost useless.
If NAT breaks solutions, then it is almost useless.
There are certain rules for providing internet access, defined 23 years ago in RFC 760 (etc). NAT breaks those rules. If you use NAT, you don't have Internet access. If you don't have Internet access, you shouldn't expect Internet applications to work.
I don't recall Hitler ever bothering much about the law.
On the contrary. He was elected legally, and once head-of-state with an unchallengeable popularity, all the laws were changed to exactly as he preferred.
If you get to be dictator, then anything you do is by definition within the law.
Wine is actually fast because it ISN'T an emulator
The oft-repeated tagline "Wine is not an emulator" is false. It would only be true if the word "emulator" meant "hardware emulator".
It does not. Although most people think of CPU virtualization when they hear the word "emulator", that is not necessarily the case. According to dictionary definitions, WINE is emphatically an emulator.
Here's the definition:
3. Computer Science. To imitate the function of (another system), as by modifications to hardware or software that allow the imitating system to accept the same data, execute the same programs, and achieve the same results as the imitated system.
I don't know if you're in the US, but the Constitution is written to limit government not the citizen.
In the US, laws limit citizens and corporations. For example, wiretap laws make it illegal to listen to a conversation without the speaker's knowledge.
Since computers, networks, etc. at work are taken to be the property of the company, it's theirs to do with as they please.
Since my cable modem lines are the property of AOL-TimeWarner, do they have the right to do with as they please?
While it could be considered a poor choice of ethics to monitor employees' IM conversations without their explicit consent, it's entirely legal.
There is such a thing as workplace privacy. Obviously, the employer placing cameras in the toilets to broadcast scatological porn would be a breach of expected privacy (even though the employee is on the clock and everything in the room is company property). Does secret monitoring of phone or IM also violate it? That's not totally clear cut; in some states, employees have already won such lawsuits.
"Wiretap" laws aren't uniform, but they often make it a crime to record a communication if either party has a reasonable belief it is not being recorded. (Well, that's quoting the California courts, who may not be entirely mainstream...)
I work for a large provider of internet services- in fact, we make one of the most popular IM clients in use today.
Oh please. It's understandable that /. posters may want to leave their corporate affiliations private, but you're not fooling anyone with that line.
The one interesting, yet mildly annoying, thing about it is the office language that has evolved around IM. The 'burstable' nature of the messaging has caused people to adopt SMS-like abbreviations for common phrases:
If you don't like it, then use your corporate-wide instant access to suggest a feature to the guys who write the darn thing: make a checkbox which will auto-translate special abbreviations into full sentences (or the reverse).
Never mind that someone that wants DVD playback has to spend about $35-50 for a Windows player in the first place.
I don't know if Microsoft(tm) ships a DVD player with Windows XP(r) yet, but DVD software for that platform is cheaper than dirt. You can't even spend $25 on a DVD drive without finding a disc of PowerDVD jammed in the box.
It's just flat-out a bad article. The title says "Is Linux ready for the DESKTOP", but the body is completely about LAPTOP support.
There are many important obstacles to Linux working on the desktop (such as the inability to read an attachment sent from Microsoft(tm) Excel(r)) but mystical 100% hardware compatibility isn't a reasonable expectation.
Can MacOS run on his laptop even 1% as well as Linux did? But does that mean anything about whether it's "ready for the desktop"? (I believe the consensus is that OS X is one of the very best desktop environments ever...)
For that matter, how well does WindowsXP run on this off-the-shelf laptop? Again, not 1% as well as Linux does. Laptops are tricky, customized hardware. No OS not included by the OEM should be expected to work completely.
"Ready for the desktop" does not mean "A drop-in replacement for WindowsXP in every imaginable circumstance"
is that if you go into an IRC channel for any non-mainstream OS (os/2, linux, mac, etc) and ask a question, you're going to get beaten up by assholes.
And a Microsoft(tm) Windows(r) IRC channel is any better? (Do they even have an IRC channel?)
Strangely enough, the channel topic had absolutely nothing to talk about the package servers, and the link in the topic was broken.
Let's quote the channel topic, and you can read it again.
*** Topic for #debian: Compromised machine info: +http://lists.debian.org/debian-devel-annou nce/200 3/debian-devel-announce-20031 +1/msg00012.html || Down: gluck (people, packages.d.o); || more info at +http://www.wiggy.net/debian/ || Take your Knoppix questions to #knoppix. || +/msg the bots, NOT the people || flood in #flood, NOT here || FAQ: +http://www.linuks.mine.nu/debian-faq/
See the section with "Down: gluck (people, packages.d.o)"?
and the link in the topic was broken.
Both URLs work fine. If you can't figure out how to remove newlines from a long URL, it's your own fault. Here, practice by removing the whitespace Slashcode adds:
http://lists.debian.org/debian-devel-announce/2 0 03 /debian-devel-announce-200311/msg00012.html
So you can be all prepared for your arrest the minute you next set foot on US soil...
except for illustrating how the Gitmo situation is not in keeping with 200+ years of stated american policy, i.e. no indefinite imprisonment.
200+ years you say? Check your facts.
60 years ago
160 years ago (PDF file)
Sure, someone could use it to send classified info to a friend outside the company. But they don't need IM to do this.
The usual IM programs found installed on normal desktops are significantly less secure than a phone call, and even somewhat worse than a normal email.
Two people in the same office building, who send sensitive data over IM, will not expect it to go out to aol.com and back!
Corporate-targeted, security-conscious IM apps can eliminate those problems.