There's much truth in that. Not to be arrogantly American and jingoistic, but this country really is different, for better or worse
You think so? I've lived in the USA for one full year, and didn't notice anything particularly different, apart from having real seasons;) Perhaps that says more about the Americanisation of my home country (Australia) than anything else, but there it is.
I know no one who has ever wanted to leave the U.S. and live in any of those same countries.
I guess I'm imagining all of the many US citizens I know that have moved here then?;)
Of course, there's traffic in the other direction as well, but on the face of it your statement (that no person living in the USA wishes to relocate) is simply not correct.
It's nice to know that a tiny part of me just achieved a small measure of immortality on another planet in our solar system.
Tangential question - how long can a DVD be expected to last, even in "ideal" conditions? Or is this a special DVD made of materials that will degrade more slowly than ordinary discs?
We've actually put the entire continent into stealth mode, hoping that terrorists, US-style IP law lobbyists, RIAA, MPAA, SCO, etc will simply forget about us and just leave us alone!
Please *stop* talking about us, you're breaking our cover!!
Just a quick comment for those stuck with NTLM at work. I run a local NTLM proxy server so I can run whatever browser or HTTP tool I like on whatever OS I need. I just point my browser at the proxy and it just works.
Since you are authenticating with your user name and password, from your machine, and you are still actually going through the company web proxy just like IE would, there's absolutely no logical reason for the local "preventers of information services" to complain. At least, in my case, they haven't been able come up with an actual reason yet that hasn't been easy to dismiss. Not for want of trying, though...
I don't mean to imply that OSS people never innovate, just that I feel too much effort is put into cloning the latest MS or MacOS "innovations"
It would be nice if the real open source innovations were trumpeted as much as the latest window manager or Office clone or whatever.
Look at the Python programming language, for example. Now MS appear to be cannibalizing many of the good ideas from that, in the form of VB.NET (I think that's probably a good thing, BTW).
On the other hand, of course we need things like office productivity applications if we care about converting the desktop user (if you do, in fact, care), and it takes a lot of the grunt coding kind of effort. If people want to do that then fine, and I admire people who would take on such an inglorious and thankless task. But I'm a bit tired of hearing about that kind of thing instead of the real innovations that are occurring.
This system ensures that one password is unique amongst machines. Instead of having one password for many machines, you have one generator which generates one password unique to each machine
I think I understand now. This would at least protect you against password sniffing by a attacker with no "inside" information. They would only get the password for that one machine.
Enigma and Shark (ww2) both used time-generated seeds. Just feeding a pseudorandom number generator with time can be enough for password security
I'm not familiar with Enigma (apart from having heard of it). My expertise in such things extends to having implemented SSL on top of a colleague's C library of cryptographic primitives. I am reading "Handbook of Applied Cryptography" (Menezes, van Oorschot, Vanstone)... I'm just not up to the section on classical cyphers. I read almost all of "Applied Cryptography" by Schneier of couple of years ago, but found it fairly shallow, especially the coverage of RSA.
But yes, time is a useful seed - yet you can't store the resulting seed in the device if you're worried about losing the device itself.
It really is all about keeping the passphrase secret
Yes, I think that's the case. At least when dealing with attackers that may know the algorithm and the seed/key/machine name - as the passphrase is now the weak point again and it just can't be guessable.
Muscle response could allow repitition after just a few times. Write it down on a post-it note, login and logout till you can do it via memory, then burn the post-it note. People selecting easy passwords should be shot. Er, I guess I got to go give myself a good talking to
Yes, this is my prefered methodology too. A purely random password that uses uppercase, lowercase and digits to keep the search space large. And not written down anywhere.
However, my current emplyer has the policy of forcing password changes every month for almost every machine or server I have to access. If I did it properly, I would be going through this twice a week. Yet another case where "harsher" security rules can actually lessen security... I would bet that most people where I work just have English words concatenated in order to cope with this - or just write them down. If the password lasted longer we could encourage them to select good ones as the effort would be worth it. I just use a numerical suffix with my "good" password, but I'm always forgetting where I'm up to in the sequence.
I think I'll write something for my Palm that accepts my "good" password that I've memorized, and combines it with the date of the last forced change for a given machine or server, and runs both through a hash algorithm to produce the "real" password. And it'll be a good excuse to finally use Python on the Palm for something:)
One thing you are missing is the ease of changing the passphrases
I have to admit, I don't quite see that. Just having one password shared by all, and changing it when someone leaves is just as effective, isn't it? Given that they know the algorithm and all the keys (in this case, the machine names) this is in effect exactly what the method we're discussing reduces to, I think.
You could try to bruteforce passphrases, but considering how long those could be, you would most likely not succeed
The point I'm dancing around is that once the algorithm is known you're back to relying on the "unguessability" of the individual password and key.
I think this definitely would increase the difficulty of a dictionary attack for an individual who doesn't tell anyone what she's doing, but I suspect that once you try to make everyone in the organization do the same thing, you've got to expect that the algorithm and the key selection details will be leaked, and so you can't let the password be an easily guessed one. Which is right back to where we started - you need hard to guess passwords.
Sure, by adding another element (the key) you've increased the number of combinations that must be attempted, but if people are now selecting easy to guess passwords and keys, you might well be in a worse position.
As for the PDA/Cell stuff, they have them. Devices that maintain a private/public key generation sequence based on time (I'm not sure what algo they use) and display the random numbers for you on an LCD
Time? I hadn't thought of that. However, once the device is lost, you had better hope that the user selected a hard to guess password:) I'll have to have a look at these devices, though.
I think what you missed in my initial design that it does result in stronger passwords because you can share passwords amongst multiple people and if one of those people is no longer trusted a simple passphrase change will lock them out
Okay, I am definitely missing something here. Here's my reasoning: I can already set a common password to the same (hard to guess) string and just change it when someone leaves. If the person who left knows the algorithm and the key selection method (eg. machine names) I think this is effectively what you are doing anyhow.
Perhaps if you were to change change the algorithm as well when someone left...
I was just using that as an example though, I doubt I would actually do that in practice
It's an interesting idea. Then tension between "easy to remember" and "hard to guess" is what makes passwords such a weak point. If people could generate hard to guess passwords from easy to remember ones, it would be a useful process to get people to perform when faced with the eternal "select a new password" problem.
"Your philosophy intrigues me, and I wish to subscribe to your newsletter!" - H. J. Simpson.
However, I don't think it stands up. In the spirit of "more eyes makes it better", here's the problems I can see. I assume that someone is actually making an effort, first. That is, someone is specifically targeting you or your organization.
You pick a passphrase that you use for all of your systems. You then pick a unique seed for each system. Then, you do some quick mental math on it (pick an algo of your choice, just make it simple) and then you have the effective security of two passwords + unknown algorithm.
The problem is, an unknown algorithm isn't considered particularly effective. What if an employee leaves, or lets it slip somehow? What if the algorithm can be determined from analysis of sufficient samples? Given the (by definition) simple nature of the cipher, this appears to be a significant risk.
It will make all of your passwords invulnerable to dictionary attacks (unless a rare circumstance has your resulting password being "password" or something)
Given that all but the most casual of attackers will likely know the machine name and the algorithm, this might well make you *more* susceptible to dictionary attacks. It's a psychological problem - the user thinks "this password is encrypted, therefore I can just make it an English word", whereas under normal circumstances they wouldn't have done that.
For example, if you have a pass phrase of "MYBOXISSECURE" then you can use the box name as a seed, lets call the box "DEBIAN" and have the algorithm block the seed and then subtract, modulo 26
This is the biggest danger that I can see: the use of the machine name as the key. If by that you mean "DNS name" or part thereof, this appears to be pretty dangerous. Chances are an attacker would know that, right? Or that it's some easily guessed word itself. So now the attacker just runs every permutation of dictionary words, in addition to popular passwords and machine names through your algorithm.
It would probably be safer to pick something *not* available through the network. My employer has a serial number they attach to the side of the machine for tracking purposes. Using that would eliminate everyone without physical access to the machine for enough time to copy down this number.
It's a hack solution for the weak-password problem
Yes, I think it is;) I suspect it will defeat only the casual attacker. It might also lead, as I mentioned, to weaker security through a *false* sense of security. I've seen this recently - people thinking that converting an application-level password to base-64 when stored in the database and transmitted over the network was "better than nothing". I had to explain how this was completely ridiculous very, very patiently. And how it makes the problem worse, as other people now assume it's perfectly safe for anyone to see that base-64 password when implementing anything that involves the password.
This idea has got me thinking though... what if everyone in the organization had access to enough mobile computing power to do a better job on this (I'm thinking PDA here, but it could be a specialized device). You don't put the password in the device (as that make the device the vulnerable point), but instead it implements an algorithm that's strong enough that it doesn't matter if the attackers know what the algorithm is. That just leaves the password and the key, which still must be selected according to the rules of what makes a "good password". So DNS names are still right out, I think. I'm going to tentatively suggest that the key be derived from an skey-like system that runs on both the PDA and the machine. This way neither the human nor the PDA are useful on their own.
Unfortunately, if someone gets the PDA only the password is keeping them out, and that had better not be somethin
Re:I'm just waiting for the ...
on
Project Plex-Box
·
· Score: 1
And the resale value of a slightly used SEXBox would be dismal.
No. I will, but O'Reilly's not my problem. Addison-Wesley is:(
I haven't cracked a technical reference book in years.
It comes down to what your needs are. If you can find decent material online then more power to you. I find a lot of what's available on line to be entirely substandard or even entirely incorrect. There are exceptions, but in general this is to be expected as good authors expect to be paid for their work, and publishing actual books is the only realistic way to do that at the moment.
It's a shame, I agree, but that's the current situation.
I have read some introductions to new technologies in dead tree format, but you hardly need to haul those back and forth to work each day
I'm not exactly ferrying "EJBs in 21 days for Dummies" about, you know... yes, some books are "fire and forget", in that you read them once or twice. Others are constant companions;)
Others are frequently visited on a needs basis... when I need any volume of TCP/IP Illustrated, I *really* need it! I don't want to resort to some second rate webpage that purports to contains the same information - that is why I bought the book. Trouble is, I can't predict this, so I'm reduced to trying to guess what I'll need. And then there's the new books I'm reading... I end up with 3 or 4, minimum. And that's just non-fiction. I also need something to read on the bus! Stephenson (and others) should release his books in more commuter friendly editions, split into 3 books or something...
I have read some introductions to new technologies in dead tree format, but you hardly need to haul those back and forth to work each day
I'm afraid that there are no decent online alternatives to half the books I have need to refer to at the moment. I'm all for getting this stuff online, but it's just not possible (for me) to rely entirely on online content right now.
Get all of Steven's works online, and maybe that will change. In fact, get the entire Professional Computing Series online, and we'll see:)
Google is your friend here. It's absolutely so important to how I do my job now that I'm all for splitting dates into B.G and A.G.
Yes, I agree. But like I said, the quality of what is available on line is sometimes quite low, incomplete, or even incorrect or misleading.
To summarize, I wish we were living in a world where I could rely on online sources: but we just aren't!
Yes, if only we could come up with some way to display technical reference material on a computer screen! We could even incorporate a search function more powerful than an index or table of contents! If we got really fancy, we could allow for shared annotation and electronic "bookmarks" to important sections
Ah, sarcasm, the lowest form of wit... yes, I take your point. However, no one actually provides an online version of any of the books that I need to reference frequently that I'm aware of.
I *did* say that online books are the answer. The problem here is the publishers not doing it. Unless you're prepared to scan all of my books in for me, that is...
To me the big downside is that others may not always know how to find you
I can think of another. Who is going to move my technical books each day? Due to limited shelf space in my current cubicle, I only have a limited supply as it is. One shelf full, and an overflow stack on my desk. And even now, I often regret not having a certain book on hand when needed.
Going off-topic a bit, the solution is, of course, online books. I am tired of lugging 3 or 4 hefty books home every weekend! I've actually considering purchasing another copy of some of my most referenced books just to reduce this problem. Public transport just wasn't designed for carting books about, as I have discovered:(
It says something about the people proposing this scheme... I'm not sure what exactly, but I've observed that the smartest and most productive people (even in management) that I know have whole bookshelves (sometimes 2!) full of really useful reading material.
As far as verbosity goes - COBOL is actually less verbose than C, C++, or Java in a number of ways (and more so in others). I once wrote a complete interpreter with a variety of optimizations included from scratch in 400 lines of code. Would have been a lot more code in C, etc.
How would you go about this? I've written a fair few programming language interpreters, compilers, code generators and so forth, and the tiny little bit of COBOL isn't sufficient. I can't find anything helpful on the web so far. I might just need a pointer to the right sources.
Let's take a simple problem. Parsing and computing arithmetic expressions, that is, things like "1 + 2 * 3", or "(1 + 2) * 3", or "((1 * (2 + 3)) * 4", or 1 + 2 * 3 * 4", and so on. It's essential that it gets the operator precedence right, too. I can provide a grammar if this is too imprecise.
In every other language in which I've done this sort of thing, I'd write (or generate) a lexer, and then a parser (generated again perhaps) that builds an abstract syntax tree (AST) of objects that represent the expression. Then I'd simply walk the tree of objects generating code or computing the value of the expression.
Now, I'd ruled COBOL out for this kind of task as 1) the input is all fixed form, you define the structure of files up front, 2) you can't allocate more memory as you need it for complex structures like the AST, nor do you have pointers or references that are needed to connect it up correctly, and 3) you don't have local variables so you can't recursively walk the tree structure to produce the output. Okay, sure, you can use an explicit stack instead of recursion, but since COBOL only has fixed-length arrays, that's not really an option either.
Basically, I can't get past the lack of the ability to build arbitrary structures, ie. the lack of dynamic memory allocation and pointers/references. And the record-based nature of the input. How do I start writing a lexer for free form input? How would I read in just one character, or even one whole line if the length is not known up front?
Is it possible to outline this briefly, perhaps as psuedo-COBOL in some form? Or is the language you were interpreting not like this (ie free form text and with potentially infinite nesting) and therefore more tractable with COBOL?
Re:CORBA failure largely due to its awful C++ API
on
Software Fashion
·
· Score: 1
However, I've also had a bit of experience with the Java mapping. Let me tell you, the Java mapping is just beautiful. If you can find an excuse I'd recommend working with it a bit if for no other reason than to experience what a good CORBA mapping can be like
The Python mapping is also very good. In both these cases, the people really understood both the language and OOP.
I don't know what those who wrote the C++ mapping were thinking
It's a long and sordid story.
My first reaction to seeing the C++ mapping, as a fresh graduate, was that clearly it was written by C programmers who just didn't understand the whole "object orientation" thing yet.
In part, I was right. The C++ mapping was deliberately designed to preserve binary compatability as much as possible with the C mapping. Back in the early 90s this probably appeared to be necessary. I've never heard of anyone needing this *ever*, but that's the official reason.
When the mapping was standardized, there was the mapping we ended up with, and a competing alternative that was OO, intuitive and just about as good as the Java mapping. But, the C style "non-OO" mapping was perceived as "more efficient" for some reason, there were a lot of politics, the company who designed the OO mapping collapsed IIRC, and some large and influential vendors had already implemented the "non-OO" one.
So that's how we got here. I did go to the trouble of writing a code generator that was intended to "wrap" the standard C++ mapping code in a nice OO layer (and that used strings and vectors!). That was OK, but I underestimated the number of gotchas involved in the C++ mapping. Trying to encode every single silly arbitrary rule was a nightmare. Basically, I wouldn't try that ever again. But who cares, I've got the Python mappings and Fnorb, right?;)
Now, if you want to get some idea of what a good C++ mapping might look like, take a look at ICE from ZeroC
Disclaimer: I *don't* work for ZeroC, nor do I have any interest financial or otherwise in them. I have worked with some of their employees in the past.
ICE is basically CORBA redesigned from the ground up without the cruft, and with a decent C++ mapping. It's available for C++ and Java, and free for non-commercial use. It's being used as the underlying communications engine for a massively-multiplayer game, "Wish" by MutableRealms.
I've always thought these multiplayer online games would be an interesting field for people who know something about distributed systems, as the first generation of such games clearly didn't have much of a clue about how handle this aspect very well at all.
If you mean Fnorb, then sure, go ahead...what with it being an open source project and all. None of us are paid to work on it however, which is probably what you meant.
I use Fnorb, and therefore CORBA, in my actual job whenever it's applicable. Mostly to talk to C++ and Java objects from Python. As I said, SOAP can't cut it (I need asynchronous callbacks and proper object identity, for example), and I'm not going to use raw sockets and invent my own on-the-wire protocol and object model every single time!
There really isn't any viable alternative to CORBA that works right now.
Because the dipsticks I used to work with were hugely into silver-bullet thinking and CORBA was one of many things that were pushed as silver bullets, along with SGML and "push" technology
I think almost any technology is susceptible to being touted as a silver-bullet technology.
There's probably an axiom somewhere here: "Just because something is perceived by management as being a silver-bullet, doesn't alway make it intrinsically bad."
Enlighten me please - how does all the paraphernalia of J2EE not provide a solution where CORBA does?
J2EE is an infrastructure for implementing a certain kind of N-tier system. You hand over a lot of complexity to the "container", at the cost of flexibility.
CORBA is applicable to any distributed computing problem. J2EE reuses a lot of CORBA technology (IIOP, transaction spec, naming spec, etc) in the context of solving one type of problem, and so is able to relieve the programmer of a lot of the low-level details.
A simple example: all objects in J2EE must be "session", "entity", or "message-driven" beans. Since you restrict yourself to these usage patterns, the container can (potentially!) do a lot of the grunt-work (fail-over, redundancy, eviction of unused objects, etc) for you.
Re:What about CORBA?
on
Software Fashion
·
· Score: 4, Interesting
But missed CORBA! Surely it belongs in the Technology X != Silver Bullet category
However, if you believe CORBA was going to be a silver bullet, then you were mistaken. I've never heard anyone say such a thing. But then, I stay away from marketing people.
As far as I'm concerned, CORBA best solves the "this project has too many resources" problem
I think you actually discovered that "distributed systems are difficult".
What you need is a component infrastructure that builds on CORBA to make the slice of the generic distributed system problem that most people are (currently) interested in a simple problem. Luckily it exists, and it is called J2EE;)
As for me, J2EE *doesn't* address the kind of problems I'm interested in, so the *only* option is CORBA. (And please, don't talk to me about web services or SOAP... that stuff is years away from being useful to me)
So, I've scanned through most of the comments stating the programmers shouldn't be allowed to do GUIs, that this or that GUI sux, etc, etc.
So, what's an example of a good GUI? I can't think of one off the top of my head. Certainly not any browser (either IE or Mozilla), and they are probably the GUI programs I use the most. Example: trying to enter text into a form like this is one of the most painful computing related experiences ever. And all the browsers do it the same way (almost).
I've tried Visual Studio. Gave up in frustration. I tried Eclipse. Gave up in a rage. Word makes me want to set the "designer" on fire. I will not touch it again, ever, if I can possibly help it. And let's just not mention Excel, as I may just spontaneously combust.
So, I use my "windowing" system either on Windows or *nix simply to run multiple shells, Emacs, and some Python interactive sessions. And a browser window or two.
So, the challenge to all the "HCI experts" scoffing at the programmer's GUI design ability is simply this - where's this great GUI we're all supposed to be imitating, or gazing at in silent awe of the HCI expert's power? Is there even *one*? I'd certainly like to see it.
I can think of some individual *widgets* that are good in a particular domain, like displaying a file hierarchy as an expandable tree. But is there an entire non-trivial GUI-based tool that could be held up as a shining beacon of excellent design?
Perhaps the whole idea of trying to model every problem domain in the universe as a collection of scroll bars, radio buttons, check boxes and tabbed dialogs is just fundamentally wrong, and will never work?
It says "total price" for the first 100 kWh is 18.8 cents, then it says in the column header "cost per unit" after that in parentheses. So... which one is right?
I guess total != total, or something. So it's really 18.8 per kilowatt hour, otherwise the price cutoff here in this table is pointless.
If this is right, I'm never turning another light off ever. I can't help thinking that someone who worked on the Viking probe might know something I don't, though...;)
The answer is neither! It was an interpretation error. I read the answer from Python ("0.48") as 48 cents, not 0.48 of one cent, which it was, because I went and did something else for a bit before hitting "enter".
That will teach me to be switching between work and/. I should just pick one or the other.
But since I'm home now, it's Soul Calibur II time... and the point is well and truly made that leaving a light on when showering is effectively zero cost!
Okaaaay, it's late in the day here, but I fscked up here. Since the bulb is only watts, not kilowatts, it's 0.02c an hour to run it.
So, that's 48c a day to run to continously. Not far off in the first place... given the intervening time period for forgetfulness. Or am I completely wrong, and it's time to go home for the night?;)
Nowhere did I ever make any claim that could be even remotely construed to mean anything like that. Calm down, tiger, think with your head
Sorry. I was just wanting to know what you thought it would be, and answered hastily.
I looked at the site of my local electricity supplier, and it would be more like 20c an *hour* to run a 100 watt bulb, assuming that "kWh" is what I think it is (kilowatt hours). That's probably what the result was 5 years ago as well. I think I still have a case for not worrying about the damned shower... and definitely one against continuous nagging for leaving a light on for two whole minutes;)
Considering that the largest electrical service you can normally get to your home in the US is a 200-amp service, and that the cable that it comes on is nearly two inches in diameter, you can imagine what kind of cable you'd need for over a thousand amps. : )
I'm in Australia... I don't know the amperage here. It's 240 *volts* AC here. I did want to ask, isn't kilowatts the right thing to be concerned about WRT the melting point of the wire? I guess you're just assuming the voltage is constant, so you just talk in amps? I haven't thought about this since high school, clearly:)
Slashdot Mirror
Not what I said, is it?
/. lack of precision
/. response :)
So what's your point exactly, then? Were you *not* in fact implying that migration is one way, due to your experience?
Typical
Typical boring canned
There's much truth in that. Not to be arrogantly American and jingoistic, but this country really is different, for better or worse
;) Perhaps that says more about the Americanisation of my home country (Australia) than anything else, but there it is.
;)
You think so? I've lived in the USA for one full year, and didn't notice anything particularly different, apart from having real seasons
I know no one who has ever wanted to leave the U.S. and live in any of those same countries.
I guess I'm imagining all of the many US citizens I know that have moved here then?
Of course, there's traffic in the other direction as well, but on the face of it your statement (that no person living in the USA wishes to relocate) is simply not correct.
It's nice to know that a tiny part of me just achieved a small measure of immortality on another planet in our solar system.
Tangential question - how long can a DVD be expected to last, even in "ideal" conditions? Or is this a special DVD made of materials that will degrade more slowly than ordinary discs?
We've actually put the entire continent into stealth mode, hoping that terrorists, US-style IP law lobbyists, RIAA, MPAA, SCO, etc will simply forget about us and just leave us alone!
Please *stop* talking about us, you're breaking our cover!!
Just a quick comment for those stuck with NTLM at work. I run a local NTLM proxy server so I can run whatever browser or HTTP tool I like on whatever OS I need. I just point my browser at the proxy and it just works.
...
The proxy I use is written in Python, is small, and is really easy to install. NTLM Authorization Proxy Server.
Since you are authenticating with your user name and password, from your machine, and you are still actually going through the company web proxy just like IE would, there's absolutely no logical reason for the local "preventers of information services" to complain. At least, in my case, they haven't been able come up with an actual reason yet that hasn't been easy to dismiss. Not for want of trying, though
I don't mean to imply that OSS people never innovate, just that I feel too much effort is put into cloning the latest MS or MacOS "innovations"
It would be nice if the real open source innovations were trumpeted as much as the latest window manager or Office clone or whatever.
Look at the Python programming language, for example. Now MS appear to be cannibalizing many of the good ideas from that, in the form of VB.NET (I think that's probably a good thing, BTW).
On the other hand, of course we need things like office productivity applications if we care about converting the desktop user (if you do, in fact, care), and it takes a lot of the grunt coding kind of effort. If people want to do that then fine, and I admire people who would take on such an inglorious and thankless task. But I'm a bit tired of hearing about that kind of thing instead of the real innovations that are occurring.
This system ensures that one password is unique amongst machines. Instead of having one password for many machines, you have one generator which generates one password unique to each machine
... I'm just not up to the section on classical cyphers. I read almost all of "Applied Cryptography" by Schneier of couple of years ago, but found it fairly shallow, especially the coverage of RSA.
... I would bet that most people where I work just have English words concatenated in order to cope with this - or just write them down. If the password lasted longer we could encourage them to select good ones as the effort would be worth it. I just use a numerical suffix with my "good" password, but I'm always forgetting where I'm up to in the sequence.
:)
I think I understand now. This would at least protect you against password sniffing by a attacker with no "inside" information. They would only get the password for that one machine.
Enigma and Shark (ww2) both used time-generated seeds. Just feeding a pseudorandom number generator with time can be enough for password security
I'm not familiar with Enigma (apart from having heard of it). My expertise in such things extends to having implemented SSL on top of a colleague's C library of cryptographic primitives. I am reading "Handbook of Applied Cryptography" (Menezes, van Oorschot, Vanstone)
But yes, time is a useful seed - yet you can't store the resulting seed in the device if you're worried about losing the device itself.
It really is all about keeping the passphrase secret
Yes, I think that's the case. At least when dealing with attackers that may know the algorithm and the seed/key/machine name - as the passphrase is now the weak point again and it just can't be guessable.
Muscle response could allow repitition after just a few times. Write it down on a post-it note, login and logout till you can do it via memory, then burn the post-it note. People selecting easy passwords should be shot. Er, I guess I got to go give myself a good talking to
Yes, this is my prefered methodology too. A purely random password that uses uppercase, lowercase and digits to keep the search space large. And not written down anywhere.
However, my current emplyer has the policy of forcing password changes every month for almost every machine or server I have to access. If I did it properly, I would be going through this twice a week. Yet another case where "harsher" security rules can actually lessen security
I think I'll write something for my Palm that accepts my "good" password that I've memorized, and combines it with the date of the last forced change for a given machine or server, and runs both through a hash algorithm to produce the "real" password. And it'll be a good excuse to finally use Python on the Palm for something
One thing you are missing is the ease of changing the passphrases
:) I'll have to have a look at these devices, though.
...
I have to admit, I don't quite see that. Just having one password shared by all, and changing it when someone leaves is just as effective, isn't it? Given that they know the algorithm and all the keys (in this case, the machine names) this is in effect exactly what the method we're discussing reduces to, I think.
You could try to bruteforce passphrases, but considering how long those could be, you would most likely not succeed
The point I'm dancing around is that once the algorithm is known you're back to relying on the "unguessability" of the individual password and key.
I think this definitely would increase the difficulty of a dictionary attack for an individual who doesn't tell anyone what she's doing, but I suspect that once you try to make everyone in the organization do the same thing, you've got to expect that the algorithm and the key selection details will be leaked, and so you can't let the password be an easily guessed one. Which is right back to where we started - you need hard to guess passwords.
Sure, by adding another element (the key) you've increased the number of combinations that must be attempted, but if people are now selecting easy to guess passwords and keys, you might well be in a worse position.
As for the PDA/Cell stuff, they have them. Devices that maintain a private/public key generation sequence based on time (I'm not sure what algo they use) and display the random numbers for you on an LCD
Time? I hadn't thought of that. However, once the device is lost, you had better hope that the user selected a hard to guess password
I think what you missed in my initial design that it does result in stronger passwords because you can share passwords amongst multiple people and if one of those people is no longer trusted a simple passphrase change will lock them out
Okay, I am definitely missing something here. Here's my reasoning: I can already set a common password to the same (hard to guess) string and just change it when someone leaves. If the person who left knows the algorithm and the key selection method (eg. machine names) I think this is effectively what you are doing anyhow.
Perhaps if you were to change change the algorithm as well when someone left
I was just using that as an example though, I doubt I would actually do that in practice
It's an interesting idea. Then tension between "easy to remember" and "hard to guess" is what makes passwords such a weak point. If people could generate hard to guess passwords from easy to remember ones, it would be a useful process to get people to perform when faced with the eternal "select a new password" problem.
A good method: Easy mental ciphers
;) I suspect it will defeat only the casual attacker. It might also lead, as I mentioned, to weaker security through a *false* sense of security. I've seen this recently - people thinking that converting an application-level password to base-64 when stored in the database and transmitted over the network was "better than nothing". I had to explain how this was completely ridiculous very, very patiently. And how it makes the problem worse, as other people now assume it's perfectly safe for anyone to see that base-64 password when implementing anything that involves the password.
... what if everyone in the organization had access to enough mobile computing power to do a better job on this (I'm thinking PDA here, but it could be a specialized device). You don't put the password in the device (as that make the device the vulnerable point), but instead it implements an algorithm that's strong enough that it doesn't matter if the attackers know what the algorithm is. That just leaves the password and the key, which still must be selected according to the rules of what makes a "good password". So DNS names are still right out, I think. I'm going to tentatively suggest that the key be derived from an skey-like system that runs on both the PDA and the machine. This way neither the human nor the PDA are useful on their own.
"Your philosophy intrigues me, and I wish to subscribe to your newsletter!" - H. J. Simpson.
However, I don't think it stands up. In the spirit of "more eyes makes it better", here's the problems I can see. I assume that someone is actually making an effort, first. That is, someone is specifically targeting you or your organization.
You pick a passphrase that you use for all of your systems. You then pick a unique seed for each system. Then, you do some quick mental math on it (pick an algo of your choice, just make it simple) and then you have the effective security of two passwords + unknown algorithm.
The problem is, an unknown algorithm isn't considered particularly effective. What if an employee leaves, or lets it slip somehow? What if the algorithm can be determined from analysis of sufficient samples? Given the (by definition) simple nature of the cipher, this appears to be a significant risk.
It will make all of your passwords invulnerable to dictionary attacks (unless a rare circumstance has your resulting password being "password" or something)
Given that all but the most casual of attackers will likely know the machine name and the algorithm, this might well make you *more* susceptible to dictionary attacks. It's a psychological problem - the user thinks "this password is encrypted, therefore I can just make it an English word", whereas under normal circumstances they wouldn't have done that.
For example, if you have a pass phrase of "MYBOXISSECURE" then you can use the box name as a seed, lets call the box "DEBIAN" and have the algorithm block the seed and then subtract, modulo 26
This is the biggest danger that I can see: the use of the machine name as the key. If by that you mean "DNS name" or part thereof, this appears to be pretty dangerous. Chances are an attacker would know that, right? Or that it's some easily guessed word itself. So now the attacker just runs every permutation of dictionary words, in addition to popular passwords and machine names through your algorithm.
It would probably be safer to pick something *not* available through the network. My employer has a serial number they attach to the side of the machine for tracking purposes. Using that would eliminate everyone without physical access to the machine for enough time to copy down this number.
It's a hack solution for the weak-password problem
Yes, I think it is
This idea has got me thinking though
Unfortunately, if someone gets the PDA only the password is keeping them out, and that had better not be somethin
And the resale value of a slightly used SEXBox would be dismal.
Special Edition Xbox!!
If MS then put the abbreviated name on the box, they won't be able to keep up with the incredible demand!
Have you checked out O'Reilly's on-line library?
:(
... yes, some books are "fire and forget", in that you read them once or twice. Others are constant companions ;)
... I end up with 3 or 4, minimum. And that's just non-fiction. I also need something to read on the bus! Stephenson (and others) should release his books in more commuter friendly editions, split into 3 books or something ...
:)
No. I will, but O'Reilly's not my problem. Addison-Wesley is
I haven't cracked a technical reference book in years.
It comes down to what your needs are. If you can find decent material online then more power to you. I find a lot of what's available on line to be entirely substandard or even entirely incorrect. There are exceptions, but in general this is to be expected as good authors expect to be paid for their work, and publishing actual books is the only realistic way to do that at the moment.
It's a shame, I agree, but that's the current situation.
I have read some introductions to new technologies in dead tree format, but you hardly need to haul those back and forth to work each day
I'm not exactly ferrying "EJBs in 21 days for Dummies" about, you know
Others are frequently visited on a needs basis... when I need any volume of TCP/IP Illustrated, I *really* need it! I don't want to resort to some second rate webpage that purports to contains the same information - that is why I bought the book. Trouble is, I can't predict this, so I'm reduced to trying to guess what I'll need. And then there's the new books I'm reading
I have read some introductions to new technologies in dead tree format, but you hardly need to haul those back and forth to work each day
I'm afraid that there are no decent online alternatives to half the books I have need to refer to at the moment. I'm all for getting this stuff online, but it's just not possible (for me) to rely entirely on online content right now.
Get all of Steven's works online, and maybe that will change. In fact, get the entire Professional Computing Series online, and we'll see
Google is your friend here. It's absolutely so important to how I do my job now that I'm all for splitting dates into B.G and A.G.
Yes, I agree. But like I said, the quality of what is available on line is sometimes quite low, incomplete, or even incorrect or misleading.
To summarize, I wish we were living in a world where I could rely on online sources: but we just aren't!
Yes, if only we could come up with some way to display technical reference material on a computer screen! We could even incorporate a search function more powerful than an index or table of contents! If we got really fancy, we could allow for shared annotation and electronic "bookmarks" to important sections
... yes, I take your point. However, no one actually provides an online version of any of the books that I need to reference frequently that I'm aware of.
...
Ah, sarcasm, the lowest form of wit
I *did* say that online books are the answer. The problem here is the publishers not doing it. Unless you're prepared to scan all of my books in for me, that is
To me the big downside is that others may not always know how to find you
:(
... I'm not sure what exactly, but I've observed that the smartest and most productive people (even in management) that I know have whole bookshelves (sometimes 2!) full of really useful reading material.
I can think of another. Who is going to move my technical books each day? Due to limited shelf space in my current cubicle, I only have a limited supply as it is. One shelf full, and an overflow stack on my desk. And even now, I often regret not having a certain book on hand when needed.
Going off-topic a bit, the solution is, of course, online books. I am tired of lugging 3 or 4 hefty books home every weekend! I've actually considering purchasing another copy of some of my most referenced books just to reduce this problem. Public transport just wasn't designed for carting books about, as I have discovered
It says something about the people proposing this scheme
As far as verbosity goes - COBOL is actually less verbose than C, C++, or Java in a number of ways (and more so in others). I once wrote a complete interpreter with a variety of optimizations included from scratch in 400 lines of code. Would have been a lot more code in C, etc.
How would you go about this? I've written a fair few programming language interpreters, compilers, code generators and so forth, and the tiny little bit of COBOL isn't sufficient. I can't find anything helpful on the web so far. I might just need a pointer to the right sources.
Let's take a simple problem. Parsing and computing arithmetic expressions, that is, things like "1 + 2 * 3", or "(1 + 2) * 3", or "((1 * (2 + 3)) * 4", or 1 + 2 * 3 * 4", and so on. It's essential that it gets the operator precedence right, too. I can provide a grammar if this is too imprecise.
In every other language in which I've done this sort of thing, I'd write (or generate) a lexer, and then a parser (generated again perhaps) that builds an abstract syntax tree (AST) of objects that represent the expression. Then I'd simply walk the tree of objects generating code or computing the value of the expression.
Now, I'd ruled COBOL out for this kind of task as 1) the input is all fixed form, you define the structure of files up front, 2) you can't allocate more memory as you need it for complex structures like the AST, nor do you have pointers or references that are needed to connect it up correctly, and 3) you don't have local variables so you can't recursively walk the tree structure to produce the output. Okay, sure, you can use an explicit stack instead of recursion, but since COBOL only has fixed-length arrays, that's not really an option either.
Basically, I can't get past the lack of the ability to build arbitrary structures, ie. the lack of dynamic memory allocation and pointers/references. And the record-based nature of the input. How do I start writing a lexer for free form input? How would I read in just one character, or even one whole line if the length is not known up front?
Is it possible to outline this briefly, perhaps as psuedo-COBOL in some form? Or is the language you were interpreting not like this (ie free form text and with potentially infinite nesting) and therefore more tractable with COBOL?
However, I've also had a bit of experience with the Java mapping. Let me tell you, the Java mapping is just beautiful. If you can find an excuse I'd recommend working with it a bit if for no other reason than to experience what a good CORBA mapping can be like
;)
The Python mapping is also very good. In both these cases, the people really understood both the language and OOP.
I don't know what those who wrote the C++ mapping were thinking
It's a long and sordid story.
My first reaction to seeing the C++ mapping, as a fresh graduate, was that clearly it was written by C programmers who just didn't understand the whole "object orientation" thing yet.
In part, I was right. The C++ mapping was deliberately designed to preserve binary compatability as much as possible with the C mapping. Back in the early 90s this probably appeared to be necessary. I've never heard of anyone needing this *ever*, but that's the official reason.
When the mapping was standardized, there was the mapping we ended up with, and a competing alternative that was OO, intuitive and just about as good as the Java mapping. But, the C style "non-OO" mapping was perceived as "more efficient" for some reason, there were a lot of politics, the company who designed the OO mapping collapsed IIRC, and some large and influential vendors had already implemented the "non-OO" one.
So that's how we got here. I did go to the trouble of writing a code generator that was intended to "wrap" the standard C++ mapping code in a nice OO layer (and that used strings and vectors!). That was OK, but I underestimated the number of gotchas involved in the C++ mapping. Trying to encode every single silly arbitrary rule was a nightmare. Basically, I wouldn't try that ever again. But who cares, I've got the Python mappings and Fnorb, right?
Now, if you want to get some idea of what a good C++ mapping might look like, take a look at ICE from ZeroC
Disclaimer: I *don't* work for ZeroC, nor do I have any interest financial or otherwise in them. I have worked with some of their employees in the past.
ICE is basically CORBA redesigned from the ground up without the cruft, and with a decent C++ mapping. It's available for C++ and Java, and free for non-commercial use. It's being used as the underlying communications engine for a massively-multiplayer game, "Wish" by MutableRealms.
I've always thought these multiplayer online games would be an interesting field for people who know something about distributed systems, as the first generation of such games clearly didn't have much of a clue about how handle this aspect very well at all.
Can I come work for you guys?
...what with it being an open source project and all. None of us are paid to work on it however, which is probably what you meant.
If you mean Fnorb, then sure, go ahead
I use Fnorb, and therefore CORBA, in my actual job whenever it's applicable. Mostly to talk to C++ and Java objects from Python. As I said, SOAP can't cut it (I need asynchronous callbacks and proper object identity, for example), and I'm not going to use raw sockets and invent my own on-the-wire protocol and object model every single time!
There really isn't any viable alternative to CORBA that works right now.
Because the dipsticks I used to work with were hugely into silver-bullet thinking and CORBA was one of many things that were pushed as silver bullets, along with SGML and "push" technology
I think almost any technology is susceptible to being touted as a silver-bullet technology.
There's probably an axiom somewhere here: "Just because something is perceived by management as being a silver-bullet, doesn't alway make it intrinsically bad."
Enlighten me please - how does all the paraphernalia of J2EE not provide a solution where CORBA does?
J2EE is an infrastructure for implementing a certain kind of N-tier system. You hand over a lot of complexity to the "container", at the cost of flexibility.
CORBA is applicable to any distributed computing problem. J2EE reuses a lot of CORBA technology (IIOP, transaction spec, naming spec, etc) in the context of solving one type of problem, and so is able to relieve the programmer of a lot of the low-level details.
A simple example: all objects in J2EE must be "session", "entity", or "message-driven" beans. Since you restrict yourself to these usage patterns, the container can (potentially!) do a lot of the grunt-work (fail-over, redundancy, eviction of unused objects, etc) for you.
But missed CORBA! Surely it belongs in the Technology X != Silver Bullet category
.
;)
... that stuff is years away from being useful to me)
Disclaimer: I'm clearly bigotted
However, if you believe CORBA was going to be a silver bullet, then you were mistaken. I've never heard anyone say such a thing. But then, I stay away from marketing people.
As far as I'm concerned, CORBA best solves the "this project has too many resources" problem
I think you actually discovered that "distributed systems are difficult".
What you need is a component infrastructure that builds on CORBA to make the slice of the generic distributed system problem that most people are (currently) interested in a simple problem. Luckily it exists, and it is called J2EE
As for me, J2EE *doesn't* address the kind of problems I'm interested in, so the *only* option is CORBA. (And please, don't talk to me about web services or SOAP
So, I've scanned through most of the comments stating the programmers shouldn't be allowed to do GUIs, that this or that GUI sux, etc, etc.
So, what's an example of a good GUI? I can't think of one off the top of my head. Certainly not any browser (either IE or Mozilla), and they are probably the GUI programs I use the most. Example: trying to enter text into a form like this is one of the most painful computing related experiences ever. And all the browsers do it the same way (almost).
I've tried Visual Studio. Gave up in frustration. I tried Eclipse. Gave up in a rage. Word makes me want to set the "designer" on fire. I will not touch it again, ever, if I can possibly help it. And let's just not mention Excel, as I may just spontaneously combust.
So, I use my "windowing" system either on Windows or *nix simply to run multiple shells, Emacs, and some Python interactive sessions. And a browser window or two.
So, the challenge to all the "HCI experts" scoffing at the programmer's GUI design ability is simply this - where's this great GUI we're all supposed to be imitating, or gazing at in silent awe of the HCI expert's power? Is there even *one*? I'd certainly like to see it.
I can think of some individual *widgets* that are good in a particular domain, like displaying a file hierarchy as an expandable tree. But is there an entire non-trivial GUI-based tool that could be held up as a shining beacon of excellent design?
Perhaps the whole idea of trying to model every problem domain in the universe as a collection of scroll bars, radio buttons, check boxes and tabbed dialogs is just fundamentally wrong, and will never work?
The problem is, I can't interpret this table
... which one is right?
...
...
;)
It says "total price" for the first 100 kWh is 18.8 cents, then it says in the column header "cost per unit" after that in parentheses. So
I guess total != total, or something. So it's really 18.8 per kilowatt hour, otherwise the price cutoff here in this table is pointless.
So
>>> 18.8 / 1000 * 100 * 24 [enter]
45.120000000000005
45 cents! But wait, I've forgotten the GST
>>> (18.8+1.71) / 1000 * 100 * 24
49.224000000000004
Right. There it is. So I *will* turn lights off, but I still will not let anyone nag me about it
Before I fire up the 'cube, I'm worried now that it's too damned low.
... ;)
Here's the reasoning. It costs me 18.8 cents for 100 kilowatt hours. So, for a hundred watt light bulb (say), its:
$ python
>>> 18.8 / 100 / 1000 * 100 * 24 [enter]
0.45119999999999993
That's 18.8 / 100 kWh (for 1 kwh) / 1000 (back to watts) * 100 (wattage of light) * 24 hours.
If this is right, I'm never turning another light off ever. I can't help thinking that someone who worked on the Viking probe might know something I don't, though
I knew it was time to go home :(
/. I should just pick one or the other.
... and the point is well and truly made that leaving a light on when showering is effectively zero cost!
The answer is neither! It was an interpretation error. I read the answer from Python ("0.48") as 48 cents, not 0.48 of one cent, which it was, because I went and did something else for a bit before hitting "enter".
That will teach me to be switching between work and
But since I'm home now, it's Soul Calibur II time
I hope.
run a 100 watt bulb
... given the intervening time period for forgetfulness. Or am I completely wrong, and it's time to go home for the night? ;)
Okaaaay, it's late in the day here, but I fscked up here. Since the bulb is only watts, not kilowatts, it's 0.02c an hour to run it.
So, that's 48c a day to run to continously. Not far off in the first place
Nowhere did I ever make any claim that could be even remotely construed to mean anything like that. Calm down, tiger, think with your head
... and definitely one against continuous nagging for leaving a light on for two whole minutes ;)
... I don't know the amperage here. It's 240 *volts* AC here. I did want to ask, isn't kilowatts the right thing to be concerned about WRT the melting point of the wire? I guess you're just assuming the voltage is constant, so you just talk in amps? I haven't thought about this since high school, clearly :)
Sorry. I was just wanting to know what you thought it would be, and answered hastily.
I looked at the site of my local electricity supplier, and it would be more like 20c an *hour* to run a 100 watt bulb, assuming that "kWh" is what I think it is (kilowatt hours). That's probably what the result was 5 years ago as well. I think I still have a case for not worrying about the damned shower
Considering that the largest electrical service you can normally get to your home in the US is a 200-amp service, and that the cable that it comes on is nearly two inches in diameter, you can imagine what kind of cable you'd need for over a thousand amps. : )
I'm in Australia