I don't have any fun/funny password tales to share, but I can share a story about true password protection.
The year was 1999. I was working at a computer-related company, I won't call it a "startup" or a "dotcom" but it was similar. There were three sysadmins, and the owner didn't trust any one admin with the ability to log in as root by himself. So a compromise was reached.
Each of the three admins chose a password. The three passwords were combined into one monster, master, root password. In order to log in as root, all three admins needed to be present, to type their portion of the password in the correct order. Once all three admins typed in, a root login was achieved and whatever duty was necessary would be performed.
So, what if one of the 3 admins got hit by a bus on the way to work? There was a contingency plan. Each of the three of us entrusted our password to one of the other two. In the event of an emergency, assuming two of the three admins were present, the full password could be reconstructed. For example,
Admin A's password was apple, and he told that to Admin B
Admin B's password was blueberry, and he told that to Admin C
Admin C's password was cherry, and he told that to Admin A
So if Admin B got run over by a train, Admin A and Admin C could still log in as root (because Admin C knew Admin B's password part), change the root password, and do whatever needed to be done.
The benefit was that, unless there was some sort of conspiracy, no one admin could ever log in as root by himself and do anything crazy.
Let's say I have a single lock on the handle of my front door... with no dead bolt. Along comes someone and kicks the door open and proceeds to rob my house. While he's robbing my house he steals a cd that I borrowed from my friend. Are you saying that *I* should be arrested because I failed to install an adequate dead bolt on my front door and thus the robber stole a cd that didn't belong to me?
You're comparing apples to oranges. In fact, you're comparing apples to... zebras, or something not even closely related.
The first distinction is that in your example, your friend willingly loaned you the CD. I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.
The second problem with your analogy is that a CD is nothing like personal data. A CD is a vanity, something worth maybe $15, less now that it's used. Acxiom has been described as serving "most top credit card companies and retail banks." What do you think the credit card or bank details of a single person - much less however many people were affected by this breach - are worth? That $15 CD pales in comparison.
What's adequate? Let's say I did install a dead bolt but the robber was sophisticated enough to pick both locks? In this case I shouldn't be arrested because I had "adequate" security and was victimized by a "skilled" robber who had the proper knowledge that surpassed my own in lock technology?
Your analogy fails here as well. You, as a private citizen, do not have any liability for the stolen items. Your friend loaned you the CD, there was no business agreement surrounding that friendly exchange. Acxiom is a business, the rules are different.
Suppose you rent a storage facility at one of those mini-storage places. Their property is surrounded by a chainlink fence complete with razorwire. The gate requires a keycode to enter. Each bay is padlocked. Now let's say some joker breaks into the place, gets into your bay and steals everything you have stored there. Surely a fence with razorwire, key-coded facility access, and padlocks are "adequate" security... But you're damn sure that the mini-storage company would be liable for your loss, unless that was covered in your contract with them.
But, see, none of us have a contract with Acxiom.
Acxiom is liable, one way or another.
...is the mugshot of the guy responsible. Anyone want to start a pool on how many gallons of Bawls (and other ThinkGeek(TM) caffeinated products) this guy consumed in the 24 hours prior to his arrest??
Spammers don't care about keeping their customers happy, so attempting to use this to destroy their business by making their customers unhappy is doomed to failure.
I think the post you replied to, as well as its parent, were speaking of pay-per-click schemes. The original parent meant "customer" as in the person who hires the spammer, not the person who buys the products.
A fair portion of the spam I get seems to promote pay-per-click programs, especially the porn spam. Spammer signs up as an "affiliate" of a porn site, sends out ten million emails, might generate 10,000 hits, each of which are probably paying half a cent. He gets a check from the porn site owner (or its processing company) for 50 bucks.
Now suppose instead of generating 10,000 legitimate click-throughs from spam recipients, that mailing to 10 million addresses generated 5 million click-throughs from filterbots. The porn site operator sees some guy sending 5 million hits out of nowhere, and none of those hits are converting into signups. Do you think he's really going to cut the spammer a check for $25,000? No, he's going to boot the spammer out of his affiliate program, and the spammer isn't going to get paid.
The same holds true for the mainstream side. Let's say ABC WidgetCo hires a spammer to drive some sales. The spammer sends out 10 million emails promoting abcwidgetco.com. Filterbots happily fetch abcwidgetco.com 5 million times over the course of a day or two. ABC WidgetCo's website dies for a few hours due to the overwhelming load, and their hosting bill for the month skyrockets, yet none of that turned into sales. Do you think they're going to pay the spammer if they haven't already? Even if they prepaid, do you think they're ever going to hire a spammer again?
The idea is to make spamming either costly or at least unprofitable. Even if the spammer doesn't wind up paying out-of-pocket, he won't be able to make anything from pay-per-click or pay-per-hit models, either. Right now a lot of spammers probably slip under the radar of spam and cheat detection in these types of programs, but filterbots would make it obvious to the sponsors that they had a spammer on their hands.
The idea isn't to bring down or overload the hosts sending or relaying the spam. The idea is to hit the spamvertised website, the one being promoted inside the email message. There are two advantages to this:
1) The spamvertised site may suffer a Slashdot-like effect, making it unreachable to potential suckers clicking through on the spam
2) The spammer, or whoever's hosting them, is going to see his or her bandwidth bill jump
It's a dual-pronged approach, with both prongs aimed directly at the spammers' wallets. First you try to make them lose some orders, then you try to drive up their hosting costs. Sales go down while expenses go up. At some point, the break-even point is driven below the line of diminishing returns, and the cost of spamming rises from practically zero to something prohibitive.
I have to admit looping fetch/wget in a few cases where I was repeatedly and persistently spammed by some sites. They did invite me to visit, after all, and the spam didn't ask me to limit my browsing to 1 hit. I've daydreamed a few times about a distributed "spam spider" where thousands of people run a client which sits in the background, fetching spamvertised websites. The client would retrieve a fresh list of sites to visit every hour or so.
The only hole in the idea is finding a trusted, centralized moderator (or moderators) to control the list of spamvertised sites. The RBL model has shown repeatedly that the individuals in charge of such lists will occasionally use them to further a personal vendetta of some sort. But with the right person at the helm, someone who receives a lot of spam and can identify real spam from joe-jobs, it might just be possible to maintain a rolling database of sites promoted in spam.
For those of you who may not be aware, Fry's Electronics has been selling a Linux desktop PC loaded with ThizLinux for quite a while now. The question is, are they really selling it? The answer is a definitive no.
First of all, their sales staff has no idea how to run Windows, let alone Linux. In reality, I didn't expect anything less from that caliber of employee. What are you going to do? Let's put it this way... I live in Las Vegas and have been to that Fry's location on more than one occasion and stood by while a salesman, approached with questions from a customer, stuttered and spit trying to come up with answers. They usually just end up blurting to the customer that the machine is "just NOT Windows". Nice sales pitch.
To top that award winning sales pitch off, the customer is staring at a KDM login screen which has its default language set to Chinese. Don't get me wrong, Chinese is a fine language, but hardly appropriate sitting on display in the Las Vegas branch of Fry's Electronics. Not only did the whole Chinese thing confuse me, but the fact that it was running an obscure Linux distribution that nobody has ever heard of really did the trick. Check out their web site and tell me what you think. Where is the support? Even if you visit their 'English' site, it is a bit confusing to the average computer user.
To make things even worse, the distribution is old. It is running kernel 2.4.18 with KDE 2.2.2 as its default desktop, and their XFree86 version is 4.2.0. It isn't even the latest release of ThizLinux. This is software more apt (no pun intended) to be used on a server system... not on a consumer desktop. Why not use one of the better desktop distros such as Red Hat, SuSE, Mandrake, Libranet, or even (please forgive me for saying this but I have to) LindowsOS? They have better support and usability, are more appealing to the eye, and are far more likely to be accepted by end users than ThizLinux.
What really set me off was my visit to the Las Vegas store this evening. I was simply going to purchase a few peripherals and wandered by the lonely Linux PC in the corner. Sometimes the normally $299 unit goes on sale for around $100. Sure, it's a pretty cheaply built box, but would make a nice toy for such a low price. What caught my eye this time was the addition of a new placard placed squarely on top of the PC chassis. It read something like this:
This computer is running the Linux operating system. It is easily removed and can be replaced by Windows 98 or higher by formatting the hard drive and loading Windows. We will perform this service for you for a fee.
I found that completely unacceptable for two reasons:
They are immediately telling you that the machine is no good. Insinuating that it's in the best interest of the customer to remove the current operating system and install Windows is ridiculous. Even though the sign does not come right out and say "This OS is a piece of garbage", the sign conveys the message loud and clear.
They are offering to charge the customer more money to fix a product which they are selling as 'broken' to begin with. Nothing like wearing your soul on your sleeve. Actually, this way of thinking is pure Microsoft. Since they are selling a product they know is garbage, why sell it at all? To be quite honest, as a Linux user I frown upon the insinuation that my chosen OS is somehow inferior to Windows 98.
Maybe I shouldn't care... and in reality it isn't going to make a difference in my day whether they sell those boxes or not. It just bothers me that Linux is being portrayed this way to the general public. My message to the people who run Fry's Electronics (and any other outlet who may sell Linux PCs) is simple: If you are going to sell Linux boxes, please educate your staff on the subject, rather than allowing them to sound ignorant in front of your customers. It is an embarrassment to you as much as it is to the Linux community. Since you are selling Linux boxes, please make sure that they are set with a langua
Not monopolistic at all, but it sounds doomed to me, unless Robertson manages to sell a few major corporations on the technology.
This reminds me a great deal of the Nextel "walkie-talkie" service: extremely innovative and convenient as hell, but only if you're talking to another Nextel user, otherwise it's worthless. The "nationwide walkie-talkie" service that Nextel offers is only compatible with other Nextel users; you can't, for example, "walkie-talkie" to a Verizon cellphone user.
Two words come to mind when thinking of SIPphone: proprietary, incompatible. Unless it's adopted by a couple of major corps, it's never going to take off.
We invite all emerging and established digital artists, filmmakers, and storytellers to submit works in the following competitive categories: Animation, Short Subject, New Forms, and Gallery.
I guess this rules out my homemade pr0n movies. Unless, of course, they'd qualify for the "short subject" category...
--
Rate Naked People at FuckMeter! (NSFW)
For those who don't get the reference, and why it's funny... There used to be a TV game show in the US called "The Newlywed Game." It featured recently married couples and the idea was to see how well they really knew each other. The host would ask the men a question, and in order to get points, the women would have to guess how their husband answered. (And vice versa, women would get a question and the husbands would try to predict their wives' answers.)
Some of the questions were tame, e.g. "Ladies, what is your favorite type of seafood?" If a guy's wife answered "Shrimp" but he had predicted "Flounder" they didn't get a point. You get the idea.
Well, on one episode, the question for the ladies was: "What's the strangest place you've ever made whoopee?" (This was back in the '70s, you couldn't say "made love" or "had sex" on TV, so they would say "whoopee.") They were going for answers like "the kitchen table," or "the movie theater."
They got to one woman and she answers, "In the butt."
Hilarity ensued.
Re: Your Job Application
Position: Slashdot Editor
You're Hired
Sincerely,
CmdrTaco
On behalf of UndisclosedCompany.com, I hereby serve you with a termination notice. The NDA you signed upon commencement of employ with UndisclosedCompany clearly prohibits you from discussing the herbal habits of your fellow employees in public.
You have irreparably associated UndisclosedCompany's image with that of a bunch of neck-bearded stoned coders, and our company will be appearing at F'dCompany.com before the week is out.
Sincerely,
UndisclosedPHB
But of course! Their second first release will be called Anthony, instead of Opie... :)