Nuclear plants don't consume water; they need a cool sink to dump waste heat because of basic thermodynamics. This is true for any thermal plant, e.g. solar-thermal. As the ranter agrees, coal-fired plants would use 25% less water because they operate at somewhat better efficiency.
A river is a convenient cold sink, and the large amount of water sucked in by the plant ensures the output temperature does not increase by more than a few degrees, so as not to endanger the river ecosystem. If no large river or ocean is available, a pure cooling-tower approach can be used. A 1 GW-electric reactor with ~33% efficiency needs to dump 2 GW of heat while running; water has a latent heat of vaporisation of 0.6 kWh/kg, i.e. 600 kWh/t, so you need to evaporate 10000 cubic meters of water per hour to cool a 1 GWe reactor; that's about 3 cubic meters per second and completely manageable, aside from the high capital costs. 10% of the Mississippi's water is enough to cool six hundred 1 GWe reactors.
Also, there's no contradiction in saying that global warming affects the water intake of nukes while at the same time nukes are a global warming cure. Going 100% nuke is sustainable: global warming stops, water intake from rivers can continue, breeder fuel lasts for millennia. Going 50% solar+wind+hydro and 50% coal (necessary for base load when the sun does not shine and the wind does not blow) is unsustainable, and does not stop global warming or any presumed effects on the rivers.
I'd get a good chuckle out of someone trying to trademark "Phonebook"; it would point out how ridiculous trademarks are getting. If someone succeeded, however, I'd probably cry too.
That would be almost like someone getting a trademark on the word 'face' in the field of 'Telecommunication services, namely, providing online chat rooms and electronic bulletin boards for transmission of messages among computer users'.
It also really helps with distribution, which is an issue these days. It is a problem to upgrade the power grid and there are always distribution losses. A good way to mitigate that is more local generation, in particular in response to peak loads. If peak cooling and other loads are handled with local solar, that makes for a much more even load on the grid.
Sorry, but that makes no sense. Solar is in no way a supplier of peak power. Its output spikes widely (10:1) on a cloudy day. So you need to get that power from somewhere else, and have the infrastructure in place to get it. What solar provides is intermittent power with a low $ value on a liberalised energy market. In order to meet the base-load demands of a data center you need to couple it with expensive hydro or pumped-storage installations, which are constrained to specific geographic locations. So renewables are a disturbance in the grid, and not a way to "even out" the load.
Well, if you buy the hardware today, you are locked out from future advances, and you need to recover that sunk cost. Sure, someday we might harness the energy of flying pigs, and at that point we can have a chat on the economic viability of pigovoltaics. It's in no way foolhardy to pass on investing in something that's a money loser now and might never become viable, especially when we are running pretty close to a fundamental physical limit of pig buoyancy.
(did I mention some egotistical motives? Yes, I did)
Even in a purely egotistical approach, it should be clear that the PV cell's price is heavily subsidised by cheaply available fossil fuel, which is used intensively in mining and manufacturing. There's no way to "go solar" without large electrical storage, which will degrade much more quickly than 25 years. A technology which is borderline profitable now will become prohibitively expensive assuming a high oil price.
And how would you go about making HVAC more efficient?
How about, instead of making electricity at 10-15% efficiency and using it to run a 20-30% efficient refrigerator, switching the whole datacenter to absorption cooling which uses solar heat directly?
This way, instead of an abysmal solar efficiency of 5% and large capital costs, you get 20% efficiency with some piping and thermal collectors.
The sun doesn't shine brightly all the time and there are installation costs etc., so the payback time is about a multiple of that, say 8-10 years?
I assume they are rated at direct incident light of 1000 W/m^2; they have about 13% efficiency, and cost about $200/m^2. In the United States you have quite a bit of sun, about 5 kWh/day/m^2. So you get 0.65 kWh per day, on average, for every square meter of installation. You earn about $21/year/m^2.
It takes 10 years to pay it back, ignoring the present value of money. At a more economically realistic 5% interest rate, the payback time is about 20 years, on par with the panel's lifetime. So much for "free energy". Without ignoring the setup costs and the indirect costs of using the power company to regulate your supply when the sun does not shine, the payback time is right about never.
Strictly for the US south-west, solar is borderline profitable when done at the utility level, because they have huge economies of scale. For most of Europe, Canada, Russia etc. it's a non-starter.
Solar power is a perfect match for data centers. Their power demand is basically constant.
Especially if you build it on an asteroid with no clouds and with a side always facing the Sun. 'Cause you don't need those coal and nuclear plants generating base load, and those huge dams regulating peak load, like on Earth.
Assuming a good hashing scheme: the 15-digit card number (the 16th is the checksum) + 3-digit CVV2 + an expiration date somewhere in the next 3 years (36 values) gives about 64 bits of entropy. That's clearly within a botnet's capabilities to attack via brute force if it's a plain MD5 or so, and not a computationally expensive algo like bcrypt. Since there are 10 million stolen cards, assuming they didn't use a salt then you get a valid card number with a 41-bit attack, which can be quickly performed on a single PC.
Also, what good is a hashed credit card number to Sony? It would only be useful to detect previously used cards; for anything like a monthly subscription, you need reversible encryption or plaintext. All in all, unless clear information is released, we can safely assume the hackers have the credit cards in plain format or can easily get to plaintext.
Emissions per $ of production are the only sensible measurement. And the US is over 5.25 times as good as China in that comparison.
So you are saying that a ton of corn ($300) or steel ($700) produced in a developing nation should have the same carbon footprint as a mobile phone?
Further, do you realize that moving the Western populace from preindustrial conditions to current conditions was done without regard to carbon outputs and efficiency? Given that carbon levels are cumulative, why should the average 3rd world country be taxed for doing the same today?
I'd say that's fairly accurate - nothing compared to the hype and panic, at least. No one died from radiation sickness. There was a single worker who died after being hit by a crane, but that's an industrial accident and it's not correlated with the nuclear nature of the plant; if you hit a gas-powered plant, hydroelectric dam or huge wind farm with a 9.0 earthquake + tsunami you can also expect casualties. As it turns out, it was much safer to be inside the nuclear plant than on the beach when the tsunami hit. There were also two workers who received a dangerous radiation level (they recovered), and have a cancer risk a few percent higher than the average guy. Assuming they do die of cancer in the next 10-20 years (and that's fairly unlikely) we're still looking exceptionally good compared with the tens of thousands of victims of the tsunami.
The bulk of the radiation was released as:
- airborne gases during the hydrogen explosions
- activated water, dumped into the sea
The activated water quickly dilutes to background radiation level when dissolved in the vastness of the ocean. The lack of radioactive dust means that the exclusion zone is temporary and there will be little permanent soil or groundwater contamination, unlike Chernobyl. The bulk of the radiation was released as Iodine-131, which halves its radiation output every 8 days. And that means a 10,000-fold reduction after 3 months. Which further means that once the exclusion zone is dropped (in about 6 months), there will probably be no significant danger in living near the plant (but that further depends on the radioactive Strontium and Cesium levels, which depend on the weather and soil chemistry, so it's a bit early to speculate).
How do you sell someone a $60 game that's really worth it?
You don't. But instead of a market of 10 million wiiboxstation3s, you have a market of 600 million mobile devices, so you can keep the exact same creative level, profit and overall game experience by selling it for $1.
In fact the $60 has nothing to do with the actual effort of making the game; it's all about maximizing revenue on an item that has a marginal cost of $0 for each extra unit produced. So the $60 is the "sweet spot" that maximizes the profit (or minimizes the loss) for that particular game, given that the production costs are already sunk.
The fact that the market drove the price down to $1 means that there's much higher competition, spurred by the low entry barrier in the mobile market (fewer resources, less detail, less graphic effort, little or no 3D modeling etc.).
I could see the perceived value of bragging. Be it ego, respect from other hackers (thus further access), or admiration from female hackettes (hey, I said 'perceived'), there could be some value an intelligent individual might see in advertising. However, if you do go about advertising, some minimal common sense is required:
- make it so that the reporter does not know or air your personal details; the police shouldn't be able to squeeze it out of him, because a reporter has the legal right to protect his sources in most countries
- make sure you don't directly admit any wrongdoing; say "- Here's a video where some guy I've met on IRC hacks into NASA servers - Some guy, huh? - Yup, I don't do that... it would be illegal - Ah.... I see! (big grin)"
- make sure you don't keep incriminating evidence lying around, and always expect "the raid": decent computer hygiene, encryption, digital and physical shredding of anything that might connect you to advertised or past acts of hacking etc.
Because legislators are morons and don't know the difference between stealing credit cards and hardening your kernel, the above doesn't apply only to criminals, but to any person that's somehow connected to the computer security field. The recent PS3 criminal accusations come to mind.
To which I could reply: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" I'm a programmer, BTW. Strangely enough, I believe the world would be much better off without informational fascism.
Likewise nobody should make big budget movies or try to sell their music?
Oh, you can try to do those things as much as you want. But don't base your business plan on governmental enforcement of artificial scarcity upon non-consenting individuals. The price of information is N dollars for the first copy, and zero dollars for all the rest. If you don't like that price structure, don't sell information. You need to find a buyer for the first copy; for example you might sell in-game advertising on the virtual banners. But expect a ripped copy if your advertising is too annoying. First and foremost, don't expect to be entitled to a government-sponsored backdoor on every computing device in the world - the only way property over information can be enforced.
How about me saying "this is like someone copying your personal information off your hard drive while your computer is in for repair"?
It depends on what you have on that machine:
1. If it's your secret work for the last 3 years which was not intended for public consumption, tough luck. You are the master of your own destiny and if secrecy is your business, you should do it well.
2. If it's your personal details or photos, the perpetrator should be jailed if caught; any private individual has the right to privacy and an intimate life - and that too is an inalienable right.
3. If it's your bank account or PayPal password, the perpetrator should be jailed. Money clearly is property, and hacking into various databases to dispossess you of your physical property is theft.
I'm not saying you can't commit crimes through informational means, I'm saying information _itself_ can't be a crime.
The fact that no-one happens to have invented a way of magically cloning the latter without damaging the original isn't really relevant
That fact is entirely relevant. The human mind cannot begin to comprehend what the world would look like without scarcity of physical property. The ability to clone any object will have such far-reaching implications that our current legal or philosophical system will no longer be relevant. Well, guess what, we have that ability right now in the informational domain. Insisting on treating information like property is equivalent to banning the physical replicator when it's invented on the grounds that it might violate "intellectual property".
Will any more games be written if copyright is abolished? Frankly I don't care. The complete liberalization of information exchange will have such far-reaching effects on our society that worrying about games is like pondering the future sales of hair wigs on the brink of finding a cancer cure.
There is no inalienable right to download, store and copy copyrighted works. Sure, nature itself won't prevent you from doing it, but that's not a standard to form a society by.
Quite the contrary, I have the inalienable right to anything nature allows me, as long as I don't overstep some other individual's inalienable rights. I will use my property as I see fit (circumvention, duplication) and I will assemble with like-minded individuals (internet broadcasting), which are clearly inalienable rights inscribed in the constitution of any free country. In doing so Crytek can claim their business plan was ruined; however, there's no inalienable right to have a working business plan. Ruining other people's business is essential for competition and a fact of life in capitalism.
I was pointing out that his ferocious attack against the leaker, be it an insider or not, was baseless. If GP sympathizes with Crytek he should lash out at Crytek for this obvious blunder, which is entirely their fault, not at some 3rd parties who were exercising their freedoms.
Saying this is Crytek's responsibility is like blaming someone for having their car stolen while it was being repaired at a garage.
Information cannot be stolen. Information can be duplicated, and secrets can be leaked. The fact that you conflate physical property with information shows you have no idea what property is. Furthermore, property over information does not exist and cannot possibly coexist alongside property over physical objects. If I assert property over a certain pattern of letters or bits, then I clearly assert the right to randomly seize property or strip-search individuals on the street whom I suspect are hiding my pattern - how else would I be able to protect the property over my information? This symptom is clearly seen in today's consumer electronics, which are no longer behaving like property but rather like little living-room agents always communicating with their corporate overlords and conspiring against the owner's legitimate interests.
The only way there could be would be if whoever in the supply chain is responsible for this leak were to say, trip up and fall out of a third floor window into a skip full of broken glass and dogshit.
Please try to follow:
1. Crytek is a private company. They are free to use their property to do as they please: they can write code, they can barricade themselves in a bunker and otherwise do what they want to keep the secrets they want.
2. I, on the other hand, am also a private individual. I too assert my right to use my property as I see fit, including to store, transmit or otherwise manipulate data that was once unknown to me, and now isn't.
If Crytek lives and profits from keeping secrets, which they are very much entitled to as a private association of private individuals, then they are solely responsible if said secrets become known. There are no imaginary strings that force me to use my property in such a way as to support the goals or business objectives of other private individuals. The right to use my property as I see fit for my goals is the cornerstone of freedom. Conversely, the confiscation of my freedoms by a handful of powerful entities is totalitarianism.
I have the unalienable right to download, store and copy the leaked copy using my physical property, regardless of what the copyright or anti-circumvention laws claim. If Crytek can find the individual that leaked said secrets, and has some form of legally binding contract with said individual that covers confidentiality, they are well entitled to damages under that contract. But by all means, don't hold me responsible when your business model fails because of your own ineptitude. Using your clout to draft laws against me is not only unjust, but a violation of my inalienable rights.
The Windows product might be worth the money and the effort. Free is not always better for the end user; a lot of grief for the non-techie Linux user comes from the uncompromising philosophical posturing of not allowing for-profit software in the default install. Once you have a solid open foundation, software, be it closed or open source, should be allowed to compete on an equal basis; this is the best way to meet the needs of the user. Think Android.
The whole point is not to get lulled into a false sense of security when using a "long" password. The 37-char password "Dp+qnKOU52Lc)|37GPa1\c]YD}A+E;W-v8VCh)" has 244 bits of entropy, while the 37-character sentence "The quick fox jumps over the lazy dog" can have as few as 20 bits for an attacker that has a "1 million famous phrases" list - which is sure to contain such a well-known sentence.
Lastly, there have been numerous articles, and legal documents, showing the NSA/FBI/etc. attempting to crack many different people's volumes, but being unable to. Don't see them as magic; they can't just crack anything they want.
I would expect such a capability to be reserved for national emergency situations, anti-terrorism threats etc., not for the run-of-the-mill paedophile or fraudster. Let's analyse TrueCrypt for a second: the build installed on my computer offers by default to create an AES volume using RIPEMD-160 iterated 2000 times under PBKDF2 as the key derivation function. A single ATI Radeon can try about 1 million such keys per second (TFA; assume RIPEMD-160 ~ SHA1, they are close designs), without being optimised for such a task. It's not a stretch then to assume the NSA can build a dedicated crack chip that can do 10 million keys per second, while costing between $10 and $30 including interconnects, cooling, power supply etc. This means a 10 to 30 million dollar NSA hardware cracker comprising one million such chips can try 10^13 TrueCrypt passwords per second, or 3 * 10^20 per year. Thus, the NSA can crack within a year any TrueCrypt password with less than 68 bits of entropy, using a $10 to 30 million cracker!
Well then, 68 bits covers a perfectly random 10-character password, perfect 14-character alphanumerics, perfect 20-character numerics, and most user-generated English sentences shorter than 50 characters! I must admit I'm a bit surprised myself. If you had such a capability and were a secret spy agency, would you advertise it? It becomes critical that we develop, review and switch to memory-hard password derivation functions such as scrypt, which have a much wider security margin against hardware attacks. According to scrypt's author, a $10 million design attacking PBKDF2 would cost $210 billion to achieve the same performance against scrypt.
Given someone has a password under 6.25 (50 bits / 8) characters, it would be cracked. I would agree with that. That's an absurdly small password.
You are dead wrong when you assume a single password character means 8 bits of entropy. The best possible password that can be typed using a normal keyboard (94 printable characters, without keyboard gymnastics, euro sign, etc.) has about 6.6 bits of entropy per character, assuming the characters are uncorrelated and a high-quality RNG is used as the source (huge assumptions). From the reference cited, 92 percent of passwords don't have any special characters. A lower-case + numbers password has only about 5 bits of entropy per character.
Worse yet, the vast majority of people will not use a truly random password with a uniformly distributed character set. The examples provided as the longest passwords, and probably some of the best passwords in the list, "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7", have 4 lower-case words (12 bits of entropy each) and 4 numbers with 2 digits (7 bits of entropy each), for a total of 76 bits of entropy, and I'm being generous. That's just 2.8 bits of entropy per character! Real world passwords indeed.
Regarding your claim about a 400-bit entropy password, allow me to doubt it. You might have a 50-character passphrase, but if it's lowercase English text its entropy can be estimated as follows:
The first character is taken to have 4 bits of entropy, the next 7 characters are taken to have 2 bits of entropy each, the following 12 characters are taken to have 1.5 bits of entropy each, and subsequent characters are taken to have 1 bit of entropy each.
That gives you about 66 bits of entropy according to NIST. You might have a 400-bit passfile, but in that case you could also generate a 400 Kbyte passfile; it doesn't really matter. The whole idea of passwords is that they authenticate the person (something you know, and can realistically remember) and not the machine (something you have, or can easily copy).
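The entropy figures argued over in the posts above (the 37-character random string against the famous phrase, the NIST per-character heuristic giving about 66 bits for 50 lowercase characters, and the hypothetical 10^13 guesses/second cracker that exhausts 68 bits in a year) can all be reproduced with one small model. This is an added example, not code from any of the posters: the phrase set is a constructed stand-in for the "1 million famous phrases" list, the 2006 NIST heuristic is implemented without its dictionary and composition bonuses, and all function names are mine.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for an attacker's phrase list: the real list would hold
# about a million entries, so a hit is worth at most log2(1e6) ~ 20 bits.
KNOWN_PHRASES = {"the quick fox jumps over the lazy dog"}
PHRASE_LIST_SIZE = 1_000_000


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly and
    independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def nist_passphrase_bits(passphrase: str) -> float:
    """NIST SP 800-63 (2006, Appendix A) heuristic for user-chosen text:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20 and 1 bit for each character after.
    The appendix's bonuses for dictionary checks and composition rules are
    deliberately left out (assumption: plain lowercase text)."""
    n = len(passphrase)
    bits = 4.0 if n >= 1 else 0.0
    bits += 2.0 * min(max(n - 1, 0), 7)
    bits += 1.5 * min(max(n - 8, 0), 12)
    bits += 1.0 * max(n - 20, 0)
    return bits


def phrase_list_bits(list_size: int) -> float:
    """A passphrase on an attacker's list costs at most log2(list_size) bits,
    regardless of its length."""
    return math.log2(list_size)


def effective_bits(passphrase: str,
                   known_phrases: set = KNOWN_PHRASES,
                   list_size: int = PHRASE_LIST_SIZE) -> float:
    """Entropy credited to a passphrase: the NIST heuristic, capped by the
    phrase-list bound when the phrase is on the list."""
    nist = nist_passphrase_bits(passphrase)
    if passphrase.lower() in known_phrases:
        return min(nist, phrase_list_bits(list_size))
    return nist


def bits_exhausted(guesses_per_second: float, seconds: float) -> float:
    """Largest keyspace, in bits, a cracker at this rate exhausts in `seconds`."""
    return math.log2(guesses_per_second * seconds)


def rate_at_iterations(rate: float, measured_iterations: int,
                       new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so raising the count
    shrinks the attacker's guess rate by the same factor."""
    return rate * measured_iterations / new_iterations


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a `bits`-bit keyspace."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    cracker = 1e13  # hypothetical rate from the thread: 1e6 chips * 1e7 keys/s
    print("random 37 chars, 94 symbols:", random_password_bits(37, 94))
    print("50 lowercase chars (NIST):", nist_passphrase_bits("a" * 50))
    print("famous phrase:", effective_bits("The quick fox jumps over the lazy dog"))
    print("bits exhausted per year:", bits_exhausted(cracker, SECONDS_PER_YEAR))
    print("same cracker at 2,000,000 iterations:",
          bits_exhausted(rate_at_iterations(cracker, 2000, 2_000_000), SECONDS_PER_YEAR))
```

The last two lines show the lever a defender actually holds: the keyspace is whatever the user chose, but every 1000x increase in the KDF iteration count takes about 10 bits off what the same hardware can exhaust in the same time.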
No scheme can add entropy to a password: that is actually an impossible feat, aside from multiple user passwords or multi-factor auth, where one factor's authenticator is encrypted using another of the user's factors or passwords. The purpose of salting is to prevent pre-optimization of a brute-force attempt.
Clearly the entropy of the password is constant regardless of the algorithm; however, a good key strengthening or key stretching algorithm can force the attacker to make more steps for a brute-force attack, just as if a longer key was used, hence their name. As Twylite explains below, your schemes add only a few bits of extra effort for the attacker.
The purpose of salting is well achieved with a straight Hash(password + salt) scheme, as well as with your scheme. So there's no need to bring rainbow tables/dictionaries into the discussion. You seem to operate under the impression that your scheme will improve resistance to online, non-precomputed brute-force attacks versus the straight Hash(password + salt), which it does not.
The point basically was, use a stronger key in the first place, rather than layering on key strengthening techniques.
And it's wrong. You might use a 256 byte passphrase, but the average PayPal user has 42 bits of entropy in his password. If you can stretch that to 60 - 70 bits using password strengthening techniques, it's a huge security improvement for your system.
You don't iterate a hash function. That's just cryptographic hand waving.
That's exactly what common password strengthening algorithms like bcrypt or PBKDF2 do. They are carefully designed for the purpose of increasing brute-force computational cost and of course don't simply do MD5(MD5(MD5(....MD5(x)))).
HMAC is for message authentication codes.
That's what an encrypted password is: a MAC from the user that authenticates the salt using his password. In this instance however, since the attacker can't control the salt or the password, using an HMAC will not buy more security. Guilty as charged of hand waving :)
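The salting and key-stretching points in this thread, and the earlier post on hashed credit cards (about 64 bits of search space, shrinking to about 41 bits when 10 million records are hashed without a salt), come down to two things the defender controls: a per-record salt and a work factor. The following is an added example, not code from any poster: it uses PBKDF2-HMAC-SHA256 with an assumed 100,000 iterations as the stretched scheme, shows the weak unsalted single hash beside it, and accounts for the multi-target reduction that the unsalted scheme allows.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumption: work factor chosen for this example


def hash_unsalted(password: bytes) -> bytes:
    """The weak scheme: one fast hash, so equal inputs give equal digests
    across every record, and one guess can be checked against all of them."""
    return hashlib.sha256(password).digest()


def derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256). The salt turns every
    record into a separate target; the iteration count multiplies the cost
    of each guess."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes, iterations: int = ITERATIONS) -> dict:
    """Store salt, work factor and derived key; never the password."""
    salt = os.urandom(16)  # fresh random salt per record
    return {"salt": salt, "iterations": iterations,
            "dk": derive(password, salt, iterations)}


def verify(record: dict, password: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["dk"])


def card_search_space_bits(number_digits: int = 15, cvv_digits: int = 3,
                           expiry_values: int = 36) -> float:
    """Entropy of the (card number, CVV2, expiry) tuple from the thread:
    15 free digits, 3 CVV2 digits and 36 possible expiry months."""
    return math.log2(10 ** number_digits * 10 ** cvv_digits * expiry_values)


def attack_bits(search_space_bits: float, n_records: int, salted: bool) -> float:
    """Work, in bits, to find *some* valid preimage among n_records stored
    digests. Unsalted: one guess is compared against every record at once,
    so the search shrinks by log2(n_records). Salted: each record must be
    attacked on its own, and the full search space remains."""
    if salted:
        return search_space_bits
    return search_space_bits - math.log2(n_records)


def derivations_per_guess(n_records: int, salted: bool) -> int:
    """Number of hash/KDF evaluations one candidate costs across the table."""
    return n_records if salted else 1


if __name__ == "__main__":
    rec = make_record(b"correct horse battery")  # constructed sample password
    print("verify ok:", verify(rec, b"correct horse battery"))
    print("verify bad:", verify(rec, b"wrong"))
    bits = card_search_space_bits()
    print("card search space bits:", round(bits, 2))
    print("unsalted, 10M records:", round(attack_bits(bits, 10_000_000, False), 2))
    print("salted, 10M records:", round(attack_bits(bits, 10_000_000, True), 2))
```

Two records for the same password get different derived keys because of the salt, so a table of 10 million salted hashes costs the attacker 10 million derivations per candidate instead of one; the iteration count then scales each of those derivations.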
...rant about water consumption of nukes...
Nuclear plants don't consume water, they need a cool sink to dump waste heat because of basic thermodynamics. This is true for any thermal plant ex. solar-thermal. As the ranter agrees, coal fired plants would use 25% less water because they operate at somewhat better efficiency.
A river is a convenient cold sink, and the large amount of water sucked in by the plant ensures the output temperature does not increase by more than a few degrees so as to not endanger the river ecosystem. If no large river or ocean is available, a pure cooling-tower approach can be used. A 1 GW-electric reactor with ~33% efficiency needs to dump 2GW of heat while running; water has a latent vaporisation heat of 0.6 KWh/Kg, 600KWh/t so you need to evaporate 10000 cubic meters of water per hour to cool a 1GWe reactor; that's about 3 cubic meters per second and completely manageable, aside from the high capital costs. 10% of Mississippi water is enough to cool six hundred 1GWe reactors.
Also, there's no contradiction to say that global warming affects water intake of nukes, while at the same time nukes are a global warming cure. Going 100% nuke is sustainable: global warming stops, water intake from river can continue, breeder fuel lasts for a millennia. Going 50% solar+wind+hydro and 50% coal (necessary for base load when the sun does not shine and wind does not blow) is unsustainable, does not stop global warming and any presumed effects on the rivers.
I'd get a good chuckle out of someone trying to trademark "Phonebook", it would point out how ridiculous trademarks are getting. If someone succeeded however, I'd probably cry too.
That would be almost like someone getting a trademark on the word 'face' in the field of 'Telecommunication services, namely, providing online chat rooms and electronic bulletin boards for transmission of messages among computer users'.
Also really helps with distribution which is an issue these days. It is a problem to upgrade the power gird and there are always distribution losses. A good way to mitigate that is more local generation, in particular in response to peak loads. If peak cooling and other loads are handled with local solar, that makes for a much more even load on the grid.
Sorry, but that makes no sense. Solar is in no way a supplier of peak power. It's output spikes widely (10:1) in a cloudy day. So you need to get that power from somewhere else, and have the infrastructure in place to get it.
What solar provides is intermittent power with a low $ value on a liberalised energy market. In order to meet the base-load demands of a data center you need to couple it with expensive hydro or pumped-storage installations, which are constrained to specific geographic locations. So renewables are a disturbance in the grid, and not a way to "even out" the load.
Well, if you buy the hardware today, you are locked-out from future advances, and you need to recover that sunken cost. Sure, someday we might harness the energy of flying pigs, and at that point we can have a chat on the economic viability of pigovoltaics. It's in no way foolhardy to pass on investing in something that's a money looser now and might never become viable, especially when we are running pretty close to a fundamental physical limit of pig buoyancy.
(did I mention some egotistical motives? Yes, I did)
Even in a purely purely egotistical approach, it should be clear that the PV cell's price is heavily subsided by the cheaply available fossil fuel, which is used intensively in mining and manufacturing. There's no way to "go solar" without a large electric storage, which will degrade much more quickly than 25 years. A technology which is borderline profitable now will become prohibitively expensive assuming a high oil price.
And how would you go about making HVAC more efficient?
How about, instead of making electricity at 10-15% efficiency and use it to run a 20-30% efficient refrigerator, switch the whole datacenter to absorption cooling which uses solar heat directly ?
This way, instead of an abysmal solar efficiently of 5% and large capital costs, you get 20% efficiency with some piping and thermal captors.
The sun doesn't shine brightly all the time and there are installation costs etc, so the payback time is about a multiple of that say 8-10 years?
I assume they are rated at direct incident light of 1000W/m^2; they have about 13% efficiency, and cost about 200$/m^2.
In United States you have quite a bit of sun, about 5KW/day/m^2. So you get 0.65KWh per day, on average, for every square meter of installation. You earn about 21$/year/m^2.
It takes 10 years pay it back ignoring the present money value. At more economically realistic 5% interest rate, the payback time is about 20 years, on par with the panel's life time. So much for "free energy". Without ignoring the setup costs and indirect costs from using the power company to regulate your supply when the sun does not shine, the payback time is right about never.
Strictly for the US south-west, solar is borderline profitable when done at the utility level, because they have huge economies of scale. For most of Europe, Canada, Rusia etc. it's a non-starter.
Solar power is a perfect match for data centers. Their power demand is basically constant
Especially if you built it on an asteroid with no clouds and with a side always facing the Sun. Cause you don't need those coal and nuclear plants generating base load, and those huge dams regulating peak load, like on Earth.
Assuming a good hashing scheme: the 15 digit card number (the 16th is the checksum) + 3 digit cvv2 + an expiration date somewhere in the next 3 years (36 values) gives about 64 bit of entropy. That's clearly within a botnet's capabilities to attack via bruteforce if it's a plain MD5 or so, and not a computationally expensive algo like bcrypt. Since there are 10 million stolen cards, assuming they didn't use a salt then you get a valid card number with a 41 bit attack which can be quickly performed on a single PC.
Also, what good is for Sony a hashed credit card number ? It would only be useful to detect previously used cards; for anything like a monthly subscription, you need reversible encryption or plaintext.
All in all, unless clear information is released, we can safely assume the hackers have the credit cards in plain format or they can easily get to plaintext.
Emissions per $production are the only sensible measurement. And the US is over 5.25 times good as China in that comparison.
So you are saying that a ton of corn ($300) or steel ($700) produced in a developing nation should have the same carbon footprint to a mobile phone ?
Further, you do realize that moving the Western populace from preindustrial conditions to current conditions was done without regard to carbon outputs and efficiency ? Given that carbon levels are cumulative, why should the average 3rd world country be taxed for doing the same today ?
you are saying nothing happened?
I'd say that's fairly accurate - nothing compared to the hype and panic at least. No one died from radiation sickness. There was a single worker who died after being hit by a crane, but that's an industrial accident and it's not correlated with the nuclear nature of the plant; if you hit a gas-powered plant, hydroelectric dam or huge wind farm with a 9.0 earthquake + tsunami and you can also expect casualties. As it turns out, it was much safer to be inside the nuclear plant than on the beach when the tsunami hit.
There were also two workers who received a dangerous radiation level (they recovered), and have a higher cancer risk with a few percentage higher than the average guy. Assuming they do die of cancer in the next 10-20 years (and that's fairly unlikely) we`re still looking exceptionally good compared with the tens of thousands of victims of the tsunami.
The bulk of the radiation was released as:
- airborne gases during the hydrogen explosions
- activated water, dumped into sea
The activated water quickly dilutes to background radiation level when dissolved in the vastness of the ocean. The lack of radioactive dust means that the exclusion zone is temporary and there will be little permanent soil or groundwater contamination, unlike Chernobyl. The bulk of radiation was released as Iodine-131, which halves its radiation output every 8 days. And that means a 10,000-fold reduction after 3 months. Which further means that once the exclusion zone is dropped (in about 6 months), there will probably be no significant danger in living near the plant (but that further depends on the radioactive Strontium and Cesium levels, which depend on the weather and soil chemistry, so it's a bit early to speculate).
Sorry, no mutants to see here, move along...
How do you sell someone a $60 game that's really worth it?
You don't. But instead of a market of 10 million wiiboxstation3, you have a market of 600 million mobile devices, so you can keep the exact same creative level, profit and overall game experience by selling it for $1.
In fact the $60 has nothing to do with the actual effort of making the game, and it's all about maximizing revenue on an item that has a marginal cost of $0 for each extra unit produced. So the $60 is the "sweet spot" that maximizes the profit (or minimizes loss) for that particular game, given that the production costs are already sunk.
The fact that the market drove the price down to $1 means that there's much higher competition, spurred by the low entry barrier in the mobile market (fewer resources, less detail, less graphic effort, less or no 3D modeling etc.).
I could see the perceived value of bragging. Be it ego, respect from other hackers (thus further access), or admiration from female hackettes (hey, I said 'perceived'), there could be some value an intelligent individual might see in advertising.
However, if you do go about advertising, some minimal common-sense is required:
- make it so that the reporter does not know or air your personal details; the police shouldn't be able to squeeze it out of him, since a reporter has the legal right to protect his sources in most countries
- make sure you don't directly admit any wrongdoing; say "- Here's a video where some guy I've met on IRC hacks into NASA servers - Some guy, huh? - Yup, I don't do that... it would be illegal - Ah.... I see! (big grin)"
- make sure you don't keep incriminating evidence lying around, and always expect "the raid"; decent computer hygiene, encryption, digital and physical shredding of anything that might connect you to advertised or past acts of hacking, etc.
Because legislators are morons and don't know the difference between stealing credit cards and hardening your kernel, the above doesn't apply only to criminals, but to any person that's somehow connected to the computer security field. The recent PS3 criminal accusations come to mind.
To which I could reply: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"
I'm a programmer BTW. Strangely enough, I believe the world would be much better off without informational fascism.
Likewise nobody should make big budget movies or try to sell their music?
Oh, you can try to do those things as much as you want. But don't base your business plan on governmental enforcement of artificial scarcity upon non-consenting individuals. The price of information is N dollars for the first copy, and zero dollars for all the rest. If you don't like that price structure, don't sell information. You need to find a buyer for the first copy; for example, you might sell in-game advertising on the virtual banners. But expect a ripped copy if your advertising is too annoying.
First and foremost, don't expect you are entitled to a government-sponsored backdoor on every computing device in the world - the only way property over information can be enforced.
how about me saying "this is like someone copying your personal information off your hard drive while your computer is in for repair"
It depends on what you have on that machine:
1. If it's your secret work for the last 3 years which was not intended for public consumption, tough luck. You are the master of your own destiny and if secrecy is your business, you should do it well.
2. If it's your personal details or photos, the perpetrator should be jailed if caught; any private individual has the right to privacy and intimate life - and that too is an inalienable right.
3. If it's your bank account or PayPal password, the perpetrator should be jailed. Money clearly is property, and hacking into various databases to dispossess you of your physical property is theft. I'm not saying you can't commit crimes through informational means, I'm saying information _itself_ can't be a crime.
The fact that no-one happens to have invented a way of magically cloning the latter without damaging the original isn't really relevant
That fact is entirely relevant. The human mind cannot begin to comprehend what the world would look like without scarcity of physical property. The ability to clone any object will have such far reaching implications that our current legal or philosophical system will no longer be relevant. Well, guess what, we have that ability right now in the informational domain. Insisting on treating information like property is equivalent to banning the physical replicator when it's invented on the grounds that it might violate "intellectual property".
Will any more games be written if copyright is abolished? Frankly, I don't care. The complete liberalization of information exchanges will have such far reaching effects in our society that worrying about games is like pondering the future sales of hair wigs on the brink of finding a cancer cure.
there is no inalienable right to download, store and copy copyrighted works. Sure, nature itself won't prevent you from doing it but that's not a standard to form a society by.
Quite the contrary, I have the inalienable right to anything nature allows me, for as long as I don't overstep some other individual's inalienable rights.
I will use my property as I see fit (circumvention, duplication) and I will assemble with like-minded individuals (internet broadcasting), which are clearly inalienable rights inscribed in the constitution of any free country. In doing so Crytek can claim their business plan was ruined; however, there's no inalienable right to have a working business plan. Ruining other people's businesses is essential for competition and a fact of life in capitalism.
I was pointing out that his ferocious attack against the leaker, be it an insider or not, was baseless. If GP sympathizes with Crytek he should lash out at Crytek for this obvious blunder, which is entirely their fault, not at some 3rd parties who were exercising their freedoms.
Saying this is Crytek's responsibility is like blaming someone for having their car stolen while it was being repaired at a garage.
Information cannot be stolen. Information can be duplicated, and secrets can be leaked. The fact that you conflate physical property with information shows you have no idea what property is.
Furthermore, property over information does not exist and cannot possibly coexist alongside property over physical objects. If I assert property over a certain pattern of letters or bits, then I clearly assert the right to randomly seize property or strip-search individuals on the street whom I suspect of hiding my pattern - how else would I be able to protect the property over my information? This symptom is clearly seen in today's consumer electronics, which no longer behave like property but rather like little living-room agents always communicating with their corporate overlords and conspiring against the owner's legitimate interests.
The only way there could be would be if whoever in the supply chain is responsible for this leak were to say, trip up and fall out of a third floor window into a skip full of broken glass and dogshit.
Please try to follow:
1. Crytek is a private company. They are free to use their property to do as they please; they can write code, they can barricade themselves in a bunker and otherwise do what they want to keep the secrets they want.
2. I, on the other hand, am also a private individual. I too assert my right to use my property as I see fit, including to store, transmit or otherwise manipulate data that was once unknown to me, and now isn't.
If Crytek lives and profits out of keeping secrets, which they are very much entitled to as a private association of private individuals, then they are solely responsible if said secrets become known. There are no imaginary strings that force me to use my property in such a way as to support the goals or business objectives of other private individuals. The right to use my property as I see fit for my goals is the cornerstone of freedom. Conversely, the confiscation of my freedoms by a handful of powerful entities is totalitarianism.
I have the inalienable right to download, store and copy the leaked copy using my physical property, regardless of what the copyright or anti-circumvention laws claim. If Crytek can find the individual that leaked said secrets, and has some form of legally binding contract with said individual that covers confidentiality, they are well entitled to damages under that contract. But by all means, don't hold me responsible when your business model fails because of your own ineptitude. Using your clout to draft laws against me is not only unjust, but a violation of my inalienable rights.
The Windows product might be worth the money and the effort. Free is not always better for the end-user; a lot of grief for the non-techie Linux user comes from the uncompromising philosophical posturing of not allowing for-profit software in the default install. Once you have a solid open foundation, software, be it closed or open source, should be allowed to compete on an equal basis; this is the best way to meet the needs of the user. Think Android.
The whole point is not to get lulled into a false sense of security when using a "long" password. The 37 char password "Dp+qnKOU52Lc)|37GPa1\c]YD}A+E;W-v8VCh)" has 244 bits of entropy while the 37 character sentence "The quick fox jumps over the lazy dog" can have as few as 20 bits for an attacker that has a "1 million famous phrases" list - which is sure to contain such a well known sentence.
Lastly, there have been numerous articles, and legal documents, showing the NSA/FBI/etc attempting to crack many different people's volumes, but being unable to. Don't see them as magic; they can't just crack anything they want.
I would expect such a capability to be reserved for national emergency situations, anti-terrorism threats etc. not for the run-of-the-mill paedophile or fraudster.
Let's analyse TrueCrypt for a second: the build installed on my computer offers by default to create an AES volume using RIPEMD-160 iterated 2000 times under PBKDF2 as the key derivation function. A single ATI Radeon can try about 1 million such keys per second (TFA; assume RIPEMD-160 ~ SHA1, they are close designs), without being optimised for such a task. It's not a stretch then to assume the NSA can build a dedicated cracking chip that can do 10 million keys per second, while costing between $10 and $30 including interconnects, cooling, power supply etc. This means a 10 to 30 million dollar NSA hardware cracker comprising one million such chips can try 10^13 TrueCrypt passwords per second, or 3 * 10^20 per year.
Thus, the NSA can crack within a year any TrueCrypt password with less than 68 bits of entropy, using a $10 to $30 million cracker!
Well then, 68 bits covers a perfectly random 10-character password, perfect 14-character alphanumerics, perfect 20-character numerics, and most user-generated English sentences shorter than 50 characters! I must admit I'm a bit surprised myself. If you had such a capability and were a secret spy agency, would you advertise?
It becomes critical that we develop, review and switch to memory-hard password derivation functions such as scrypt, which have a much wider security margin against hardware attacks. According to scrypt's author, a $10 million design attacking PBKDF2 would cost $210 billion to achieve the same performance against scrypt.
Given someone has a password under 6.25 (50 bits / 8) characters, it would be cracked. I would agree with that. That's an absurdly small password.
You are dead wrong when you assume a single password character means 8 bits of entropy. The best possible password that can be typed using a normal keyboard (94 printable characters, without keyboard gymnastics, euro-sign, etc.) has about 6.6 bits of entropy per character assuming the characters are uncorrelated and a high quality RNG is used as the source (huge assumptions). From the reference cited, 92% of passwords don't have any special characters. A lower-case + numbers password has only about 5 bits of entropy per character.
Worse yet, the vast majority of people will not use a truly random password, with a uniformly distributed character set. The examples provided as the longest passwords, and probably some of the best passwords in the list, "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7", have 4 lower-case words (12 bits of entropy each) and 4 numbers with 2 digits (7 bits of entropy each) for a total of 76 bits of entropy, and I'm being generous. That's just 2.8 bits of entropy per character! Real world passwords indeed.
Regarding your claim about a 400-bit entropy password, allow me to doubt it. You might have a 50-character passphrase, but if it's lowercase English text its entropy can be estimated as follows:
The first character is taken to have 4 bits of entropy, the next 7 characters are taken to have 2 bits of entropy each, the following 12 characters are taken to have 1.5 bits of entropy each, and subsequent characters are taken to have 1 bit of entropy each.
That gives you about 66 bits of entropy according to NIST. You might have a 400-bit passfile, but in that case you could also generate a 400 Kbyte passfile, it doesn't really matter. The whole idea of passwords is that they authenticate the person (something you know, and can realistically remember) and not the machine (something you have, or can easily copy).
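The entropy estimates used in the last few comments (the per-character bound for a random password, the NIST rule quoted above for user-chosen text, the "1 million famous phrases" list, and the 10^13 guesses per second cracker from the TrueCrypt comment) put into one estimator. This is an added example, not any commenter's code; the function names, and the guess rate taken as the page's hypothetical figure, are assumptions.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Entropy of a password whose characters are drawn uniformly at random from a
# set of the given size: an upper bound that user-chosen passwords never reach.
def random_password_bits(length, charset_size):
    return length * math.log2(charset_size)

# NIST SP 800-63 (Appendix A) rule for user-chosen text, as quoted above:
# 4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each
# for characters 9-20 and 1 bit for every character after the 20th.
def nist_user_chosen_bits(length):
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits

# A well-known sentence is worth only log2(size of the attacker's phrase list),
# however long it is.
def phrase_list_bits(list_size):
    return math.log2(list_size)

# Entropy a cracker exhausts in the given time at the given guess rate.
def crackable_bits(guesses_per_second, seconds):
    return math.log2(guesses_per_second * seconds)

# True if a cracker at this rate (default: the hypothetical 10^13 keys/s
# machine discussed above) finishes an exhaustive search within one year.
def crackable_within_year(bits, guesses_per_second=1e13):
    return bits <= crackable_bits(guesses_per_second, SECONDS_PER_YEAR)

if __name__ == "__main__":
    print("cracker covers %.1f bits per year" % crackable_bits(1e13, SECONDS_PER_YEAR))
    cases = [
        ("10 random printable characters (94-set)", random_password_bits(10, 94)),
        ("20 random digits", random_password_bits(20, 10)),
        ("37-char English sentence, NIST rule", nist_user_chosen_bits(37)),
        ("same sentence, on a 1M-phrase list", phrase_list_bits(10**6)),
        ("50-char English passphrase, NIST rule", nist_user_chosen_bits(50)),
    ]
    for label, bits in cases:
        print("%-42s %6.1f bits  crackable in a year: %s"
              % (label, bits, crackable_within_year(bits)))
```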
No scheme can add entropy to a password: that is actually an impossible feat, aside from multiple user passwords, or multi-factor auth, where one factor's authenticator is encrypted using another of the user's factors or passwords. The purpose of salting is to prevent pre-optimization of a brute force attempt.
Clearly the entropy of the password is constant regardless of the algorithm; however, a good key strengthening or key stretching algorithm can force the attacker to make more steps for a brute-force attack, just as if a longer key was used, hence their name. As Twylite explains below, your schemes add only a few bits of extra effort for the attacker.
The purpose of salting is well achieved with a straight Hash(password + salt) scheme, as well as using your scheme. So there's no need to bring Rainbow tables/dictionaries into discussion. You seem to operate under the impression that your scheme will improve resistance to online, non-precomputed brute-force attacks versus the straight Hash(password + salt), which it does not.
The point basically was, use a stronger key in the first place, rather than layering on key strengthening techniques.
And it's wrong. You might use a 256 byte passphrase, but the average PayPal user has 42 bits of entropy in his password. If you can stretch that to 60 - 70 bits using password strengthening techniques, it's a huge security improvement for your system.
You don't iterate a hash function. That's just cryptographic hand waving
That's exactly what common password strengthening algorithms like bcrypt or PBKDF2 do. They are carefully designed for the purpose of increasing brute-force computational cost and of course don't simply do MD5(MD5(MD5(....MD5(x)))).
HMAC is for message authentication codes.
That's what an encrypted password is: a MAC from the user that authenticates the salt using his password. In this instance however, since the attacker can't control the salt nor the password, using an HMAC will not buy more security. Guilty as charged of hand waving :)
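The key stretching point made across the last few replies (the entropy stays fixed, the per-guess cost multiplies, so c iterations are worth log2(c) extra bits, and a salt only blocks precomputation), shown with PBKDF2-HMAC-SHA256 from Python's standard library. This is an added example, not any commenter's code; the 42-bit baseline is the "average PayPal user" figure quoted above, and the function names are assumptions.

```python
import hashlib
import math
import os
import time

# Stretch a password with PBKDF2-HMAC-SHA256: each guess now costs the
# attacker `iterations` HMAC evaluations instead of one hash.
def stretched_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

# Stretching adds no entropy; it multiplies per-guess cost by `iterations`,
# which costs the attacker the same as log2(iterations) extra key bits.
def effective_bits(password_entropy_bits: float, iterations: int) -> float:
    return password_entropy_bits + math.log2(iterations)

# Smallest power-of-two iteration count that lifts a password of the given
# entropy to the target effective strength.
def iterations_for_target(password_entropy_bits: float, target_bits: float) -> int:
    return 2 ** max(0, math.ceil(target_bits - password_entropy_bits))

# Time one derivation on this host: a legitimate login pays this once per
# attempt, an attacker pays it once per guess (constructed password).
def seconds_per_guess(iterations: int, password: bytes = b"constructed-example") -> float:
    salt = os.urandom(16)
    start = time.perf_counter()
    stretched_hash(password, salt, iterations)
    return time.perf_counter() - start

# Same password, two users, two salts: two different stored values, so a table
# precomputed against one salt says nothing about the other.
def salted_values_differ(password: bytes, iterations: int = 1000) -> bool:
    first = stretched_hash(password, os.urandom(16), iterations)
    second = stretched_hash(password, os.urandom(16), iterations)
    return first != second

if __name__ == "__main__":
    base = 42.0
    for iterations in (1, 2000, 2**20):
        print("%8d iterations -> %5.1f effective bits, %.4f s per guess"
              % (iterations, effective_bits(base, iterations), seconds_per_guess(iterations)))
    print("iterations needed to reach 62 bits from %.0f: %d" % (base, iterations_for_target(base, 62)))
    print("same password, different salts, different hashes:", salted_values_differ(b"hunter2"))
```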