Slashdot Mirror


User: scovetta

scovetta's activity in the archive.

Stories: 0
Comments: 516

Comments · 516

  1. Re:Good but bad... on Seagate buys Maxtor for $1.9B · · Score: 1

    Mod parent funny.

    He said that he prefers Maxtor over Western Digital, which must be a joke (though I don't really get it).

    I've had maybe a dozen or so hard drives. One Maxtor-- the drive head broke somehow, destroying the disk. The rest have been Western Digitals-- even my 200MB ones still work fine.

    Oh, and I had a couple 42-meg Seagates, both of which crashed bad after maybe 2 years.

    To summarize:
    Western Digital => The Google of Hard Drives
    Maxtor => Teh Suck
    Seagate => Assimilating Teh Suck

  2. Easy! on Creating an IS Department? · · Score: 1

    1. Ask management to hire a tech and a clerk to help you
    2. ????
    3. Profit!

    I'm pretty sure that 2 might consist of you threatening to leave unless you get some help. If they are really dependent upon you, it might jar their attention. Also, if you have so much experience, you could probably find another job without too much of a problem.

    Alternatively, you could try optimizing your processes -- spend an extra 5% of your time each week on reducing or eliminating the biggest time hogs.

  3. Turbosteamer? on Steam Hybrid Car from BMW · · Score: 1

    Turbosteamer -- sounds like a vacuum cleaner to me, or maybe one of those irons that you use to take the wrinkles out of your shirts.

  4. Re:RIP Jon Postel on A New TCP/IP Classic · · Score: 4, Funny

    Agreed. Real men don't need to read a sissy book with non-ASCII-art pictures and diagrams. Especially none with obscure animals on the cover. Real men have the RFC printed out and bound with a big black clip.

  5. Speling police! on Wikipedia Hoax Author Confesses · · Score: 1

    Mr. Seigenthaler was involved in the assasination of JFK.

    Assassination
    n.
    The act of assassinating; a killing by treacherous violence.

    Assasination
    n.
    The act of writing a Wikipedia article with the purpose to insert the author into the topic falsely.

    See, he's fine.

  6. "Absolutely secure" makes security folk laugh on Totally Secure Non-Quantum Communications? · · Score: 1

    He said his scheme is absolutely secure...

    I just stop reading at this point. Perhaps saying that it is "thought to be secure at the current state of knowledge", but if there's one thing we should have learned already, it's that nothing is absolute.

  7. WTF on The Unspoken Taboo - The Never Expiring Password · · Score: 1

    What the hell are non-hashed passwords doing in that table? Are they nucking futs?

    Free Lesson to Programmers Everywhere
    When you store passwords for a site/application you create, you store the HASH of the password. The hash is basically gobbledygook that the password gets translated to. You can't get the password back once you hash it. That's the point. When you call the help desk because you forgot your password, they create you a new one. They can't tell you, because it's technically "impossible" to do so.

    It's also a good idea to prefix your password with a 'secret'. It adds another layer and actually increases the security a little bit. So you do:

        $hpass = sha256($SECRET . $pass);
        insert into users (username, password) values ('$user', '$hpass');


    You should use algorithms like SHA256 for new applications, SHA-1 is alright for current applications, and MD5 is no good anymore.

    When you want to check the passwords, do:

        select password from users where username = '$given_user';
        if (password == sha256($SECRET . $given_password))
            good, login successful


    A few other things to note:
    1. Don't postfix passwords with a constant (well, that won't help at all-- prefixing will though)
    2. You can probably truncate a SHA256 hash down to 160 bits or something, but don't unless you have to.
    3. Hashing something twice doesn't help: MD5(SHA(x)) is no better than the hardest of the two to break.
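
The store-and-check flow from the comment above, as an added Python example that is not part of the original comment. It goes beyond the comment's scheme by using a per-user random salt, PBKDF2-HMAC-SHA256 in place of a single SHA-256 call, bound query parameters and a constant-time comparison; the table layout, the `SITE_SECRET` value, the iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumed for this example: secret value, iteration count, table layout.
SITE_SECRET = b"constructed-site-secret"  # the comment's $SECRET; keep it out of the DB
ITERATIONS = 200_000                      # tune to your hardware

def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash over SECRET-prefixed password (cf. sha256($SECRET . $pass))."""
    data = SITE_SECRET + password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, password BLOB NOT NULL)")
    return db

def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh per user, stored next to the hash
    # Bound parameters: user input never becomes part of the SQL text.
    db.execute("INSERT INTO users (username, salt, password) VALUES (?, ?, ?)",
               (username, salt, derive(password, salt)))

def check_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, password FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        derive(password, b"\x00" * 16)  # do the same work for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(stored, derive(password, salt))

def demo() -> dict:
    db = open_db()
    register(db, "alice", "correct horse")
    register(db, "o'brien", "correct horse")  # quote in the name is just data
    hashes = [r[0] for r in db.execute("SELECT password FROM users")]
    return {"good": check_login(db, "alice", "correct horse"),
            "bad": check_login(db, "alice", "wrong guess"),
            "quoted_name": check_login(db, "o'brien", "correct horse"),
            "unknown": check_login(db, "mallory", "correct horse"),
            "hashes_differ": hashes[0] != hashes[1]}

if __name__ == "__main__":
    print(demo())
```

Both constructed users share one password, yet the stored values differ because each row has its own salt.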

  8. Hey! These Guys are Trying to Read for Free! on Song Sites Face Legal Crackdown · · Score: 1

    I'm only mildly disappointed by this action. The (RI|MP)AA? is only continuing their tradition of squeezing every last penny out of their consumer base at the expense of anyone who stands in their way. They'll sue *anyone*, and now they'll try to have *anyone* put in jail for violating their "rights". Perhaps they have a legal right to do this, but where does this end? This issue is seriously eroding people's rights. I can publish a song, and prevent you from:
      - Copying it (certainly)
      - Letting someone else listen to it (AFAIK)
      - Sing it

    Where does this end? I'll tell you. When artists and musicians realize that as soon as the pain associated with their art form reaches a certain level, people will quickly move elsewhere. The (RI|MP)AA? likes to think that society depends on them for what they need (e.g. music) to survive. Actually, it's quite the other way around, except that they are the only game in town. People need something to do in the car. They need an activity to go to at night (concerts). They don't like total silence at work. That's the reason for the existence of *most* modern music. There are certainly exceptions, but the new Ashley Lipsyncher Simpson CD is their bread and butter.

    As for movies and the rest of the "art forms", it's generally the same thing. If the whole music/movie industry dried up overnight, there wouldn't be much of a loss to society as a whole. Independent musicians would quickly take their place, and something would come along to replace movies like Cabin Fever and television shows like The Bernie Mac Show.

    Most people don't have a problem paying for music or movies. I certainly don't. But I will not allow myself to be subjected to ridiculous licensing agreements and terms associated with the goods that I purchase. Imagine if you went to a grocery store and purchased a can of Betty Crocker cake icing, and on the back it said, "This Icing is being licensed to you, the consumer, for the exclusive use with Betty Crocker brand cakes and cake mixes. Unauthorized use will have you subject to prosecution. Under the terms of this non-transferable license agreement, you agree to not share this Icing with anyone else. In addition, you give up your right to sue Betty Crocker if said Icing makes you sick and/or you die from its consumption."

    Yeah, just wait and see.

  9. Re:Summary Unclear on Sober Attack on 87th Anniversary of the Nazi Party · · Score: 1

    I think it was because January 5th is the 87th anniversary of the Nazi party. Also, it was the Nazi party's 87th anniversary.

    In summary, January 5th, 2006 is the 87th anniversary of the Nazi party.

  10. In other news... on Security's Shaky State · · Score: 1

    The science journal, Nature, has reported that water is wet.

    Security has always been a problem, and probably always will, because the risk is very difficult to quantify. "You should install XYZ because it'll probably maybe sorta keep out attackers." doesn't quite cut it when you ask for $500k to implement it. And the field is changing too quickly to commoditize certain security issues (A/V and simple encrypted point-to-point communications excluded).

    Also, much of security is built upon black magic-- so few people understand things like cryptography, it's a bit like 'security through obscurity'.

    My $0.02.

  11. Re:Seems like some people don't understand coding on Why Can't Microsoft Just Patch Everything? · · Score: 1

    While I agree that this is the case today, I hope that in the next 10-20 years, programming environments and languages will evolve to make that work. In my opinion, bugs are USUALLY the result of sloppy thinking and poorly defined APIs. Take any function that exposes a vulnerability, fix it, and then compare the two functions. Knowing what you know now, would you have coded it the same way if you were to do it again? Of course not. You (or the original coder) made a mistake. The programming language/environment probably didn't help you very much, and that's probably the easiest path to go down (or else actually train developers better??).

    I don't mean to say that we can ever get to 100% in non-trivial programs, but we can probably reduce the number of bugs down to 2-3% of what they are now by enforcing better programming practices.

    After completing a 50k/loc application last year, it passed through QA with a total of 9 bugs, 7 of which were UI-related (wrong color on the screen, typo, etc). The remaining two were corner cases that I should have accounted for. Still, 2 in 50kloc is pretty good, IMHO. I divided my application into sort of "sub-contractor" components--once they were solidified, there were no changes to their API, no hacking to add new functionality. If I needed something new, I either extended or encapsulated the original objects.

    I think the answer in general is better practices, and it should certainly come (sooner or later).

  12. Restricted Technology on Sticky Tape Defeats Sony DRM Copy Protection · · Score: 5, Funny

    Illegal technology, outlawed by DMCA:
      * Sticky Tape
      * Magic Markers
      * Shift Keys

    When will these companies learn? 3M, Sharpie, and Dell-- stop trying to get me to break the law!!!

  13. Re:SHA1 is not a good alternative in some cases on MD5 Collision Source Code Released · · Score: 1

    Another good comment made at the NIST conference was that there really is no theoretical proof for the existence of a one-way function. Hash functions are black magic that just "happens to work" at this point. Also, there's no reason why factoring large numbers has to be so hard? (does there exist an O(n) or O(1) solution to factor an arbitrarily large number?)

    So I agree with you that algorithm agility will be the only way to keep ahead of the progress made by researchers (Xiaoyun Wang et al.), at least until some serious thought goes into AHS.

    By the way, the full conference proceedings are available here.

  14. Astro-Chicken! on Loyalists Preserve Past Through Text-Only Games · · Score: 1

    I've played Zork and Adventure and the like and, while very good, they're not quite as exciting as the games Sierra used to put out (KQ/PQ/SQ/etc), up until they went with the new mouse UI.

    Oh well, back to playing Astro-Chicken.

  15. Re:Hmm on How Microsoft Takes a Name · · Score: 1

    For example, I could not release "jacksonj04 Windows" as an operating system because that would be infringing. "jacksonj04 Windows" as a shatterproof glass technology, however, is perfectly permissible.
    You mean transparent aluminum?

  16. Re:Thank you! on The CISO Handbook · · Score: 1

    The CISO Handbook was written by a guy named Serious Poo?

  17. Re:LaTeX on Why Do People Switch To Linux? · · Score: 1

    I, for one, (do not welcome our new LaTeX overlords)-- rather, I use MiKTeX and TeXnicCenter to do LaTeX in Windows. Output to PS, PDF, or DVI (and probably others). Never had a problem with it at all.

    Maybe Linux has some nice tex2dvi and dvi2pdf commands, but that's hardly a selling point to me.

  18. Quantum Optical Laptops on Engineers Report Breakthrough in Laser Beam Tech · · Score: 1

    maybe we'll see a 100 GHz PC in the not-too-distant future.

    What are you talking about? I've had a 6.8 GHz laptop for over a month. It does quantum-optical calculations damn quick, and runs Duke Nukem Forever!

  19. Re:oblig on The Nokia N90, $900 Camera Phone Reviewed · · Score: 5, Funny

    And then, I was at my girlfriend's...

    A hundred thousand /.ers expected a different ending to that sentence.

  20. Re:oblig on The Nokia N90, $900 Camera Phone Reviewed · · Score: 1, Insightful

    Who cares? It'll take 2 megapixel PICTURES that you can e-mail to yourself. For an extra $199, you can do text messaging to other Nokia N90 customers.

    Seriously folks, when was the last time you heard yourself say, "It's a good thing I had that camera in my phone, or I would have missed that!".

    I'd expect some *useful* features in a $900 phone (universal remote control, PDA-like features, wi-fi, laser pointer, [a phone that you can make calls on]!!, maybe something cool like goggles or a tv-out that you can pipe internet access through your phone to a screen that you can actually see something on). Why not treat the phone as a thin client and have your "computer" be your phone?

    Sorry, my phone just finished making me french toast, I've got to run.

  21. No more polish jokes! on Transparent Aluminum a Reality · · Score: 1

    Ok I don't get the joke.. Double the strength by Polishing? Is it also doubled by Italianing? (It's probably made happier by Frenching, but that's a different issue altogether).

  22. Re:Scandal! on The Princess Bride Musical · · Score: 4, Informative

    I spent about a month trying to track down the original book (Princess Bride) by S. Morgenstern. I was redirected from rare book seller to rare book seller until one of them was kind enough to tell me that such a person does not exist.

    That tricky William Goldman...

  23. Re:Wouldn't that be like... on Holding Developers Liable For Bugs · · Score: 1

    Ok, good point, but do we have to define hurt as "physically hurt"? If my business goes down because of an e-mail virus that spreads due to a bug in Windows, and I lose $100,000 per day for 3 days until I get it back up, and that forces me to lay off someone, then isn't there some 'hurt' involved too?

    I think the point is that currently the only incentive towards producing quality software is that of market forces (you produce crap, people go elsewhere). The threat of lawsuits may very well improve the quality of commercial code substantially (though OSS code might be a problem).

  24. Re:Wouldn't that be like... on Holding Developers Liable For Bugs · · Score: 2, Insightful

    Not at all. It'd be like holding car manufacturers liable for defects that cause people to get hurt.

    And we do that today.

    Why should software be any different, except that writing bug-free software is probably just as hard as designing a "perfect" car.

  25. Excellent slashvertisement on Pay-Per-View to Provide DVD After Viewing? · · Score: -1, Troll

    Excellent slashvertisement.

    Seriously people, I know this is "news for nerds", but it's also "stuff that matters". What's next? "Charlie's Steakhouse To Provide Free Salad With Any Entree"?