It bothers me that few people seem to be appreciating that a 4 or 5 _word_ passphrase (as given as examples in the original article) really doesn't have much entropy at all.
Robert points out it contains capitalisation. Yes, the first letter of the first word of the sentence! And also that it contains punctuation - grammatically correct punctuation, thus so predictable as to hardly register!
He then goes on to claim how amazingly secure these 20 or so character long strings are. But in fact he's now counting in the wrong units - its number of words that matter, not characters. To crack his examples, all it takes is a different approach. It would take a dictionary (online? there's enough of them!) of common words and some simple grammatical rules and you could begin to brute force pass-phrases. And then it comes back to the old obscurity rules - made-up words, random punctuation, etc.
I admit it could work for a while, but if the world adopts this in a year's time there will be computer scientists (and linguists) the world over wowwing everyone by guessing their passwords.
I don't see a good explanation of TCP Vegas here (as I understand it) and I think it would be relevant, as it sounds like they're doing little new.
TCP Vegas is not additive increase multiplicative decrease (ie rate halving on packet loss) as ordinary TCP is, but additive decrease. It is based on monitoring round-trip-times with the crucial observation that if router queues are getting full (due to congestion) then packets queue for longer and increase the RTT. Thus, when delay seems to be increasing, Vegas gently decreases rate, producing a smoothed graph over time rather than a sawtooth.
It requires very precise timing, made possible by relatively recent Intel chips with cycle counters.
Slashdot Mirror
It bothers me that few people seem to be appreciating that a 4 or 5 _word_ passphrase (as given as examples in the original article) really doesn't have much entropy at all.
Robert points out it contains capitalisation. Yes, the first letter of the first word of the sentence! And also that it contains punctuation - grammatically correct punctuation, thus so predictable as to hardly register!
He then goes on to claim how amazingly secure these 20 or so character long strings are. But in fact he's now counting in the wrong units - its number of words that matter, not characters. To crack his examples, all it takes is a different approach. It would take a dictionary (online? there's enough of them!) of common words and some simple grammatical rules and you could begin to brute force pass-phrases. And then it comes back to the old obscurity rules - made-up words, random punctuation, etc.
I admit it could work for a while, but if the world adopts this in a year's time there will be computer scientists (and linguists) the world over wowwing everyone by guessing their passwords.
Is this really true?
Looking over the pond from the UK, suing the USPTO sounds like a superb idea. Maybe you guys should start petitioning your government for permission.
C'mon, in a society as litiguous as yours, you can sue your own grandmother without raising eyebrows, so _surely_ you can sue your government.
Who cares what the law says - if the US public were told there was someone they couldn't sue, I'd expect riots.
I don't see a good explanation of TCP Vegas here (as I understand it) and I think it would be relevant, as it sounds like they're doing little new.
TCP Vegas is not additive increase multiplicative decrease (ie rate halving on packet loss) as ordinary TCP is, but additive decrease. It is based on monitoring round-trip-times with the crucial observation that if router queues are getting full (due to congestion) then packets queue for longer and increase the RTT. Thus, when delay seems to be increasing, Vegas gently decreases rate, producing a smoothed graph over time rather than a sawtooth.
It requires very precise timing, made possible by relatively recent Intel chips with cycle counters.