I can see older, that is the natural tendency of people exposed to the world.
But educated? Where did you get those stats?
The hood, the barrio, the welfare office, and the homeless shelter of course, all bastions of hardcore conservative thought. Err...
The funny part is through massive grade inflation and job requirement inflation, the average "uneducated" HS grad from 50 years ago was far better educated than the average modern college grad.
GWB! Palin! Fox news! Global warming! All human caused changes are evil because they were human caused! There is a waiting list for Prius! Whole Foods reports a shortage of goat cheese! All savages are noble and cultural imperialism is eliminating them! Somewhere, someone is not being taxed! There exists at least one social engineering law which we have not enacted!
Wasn't really all that hard, was it? The half of you whom are cowering under your desk can come out now, I was just kidding about the goat cheese shortage.
TV viewing skews pretty strongly towards old. So its pretty much a synonym for "why am I assumed to be old", in other words its because the assumer is an idiot.
Something I don't get about the TV infotainment channels is well in excess of 50% of the time I tune in, all the networks are showing commercials, mostly for old people prescriptions. How? No bias from other channel schedules, such as switching to CNN during a star trek commercial break, because I simply sit down at the couch at a random time, turn on the tube and flip to CNN / MSNBC / FOX and over 50% of the time its a commercial. Is it really over 50% advertisements?
They could have rolled this out in search prefs and exposed it to a targeted slice of search users, I wonder why they didn't.
Smooth slow gradual rollout so as to not choke their processing servers? Thats how I would do it.
After the ten actual chrome users send enough "real data" to test the intake servers, they can run the import on that same data set one million times to emulate the 10 million FF users who would install this on the first day available. Or they could import the ten chrome users data ten million times to emulate what happens when 100 million FF users eventually use the extension.
How long will it take bloatware to include "browser bars" specifically designed to contaminate the results? If expertsexchange paid HP to add a browser bar that sent fake data to google claiming their domain is the best....
If you're limited to one extra spacebar, this is much funnier
rm -Rf/var/log/debug/*
Which explains why I don't particularly like subdirectories in/var/log, but whatever.
This is an epic fail at a higher level, as you're supposed to be using centralized logging, and whatever isn't being logged centrally is supposed to be maintained by logrotate, so unless your job is "hiding evidence" the actual fatal error was manually maintaining log files, not maintaining them the wrong way.
Most "dumb things that sudo tries to prevent" are in this general class of epic fail.
Every log, every config, every chmod, damn near every command needs to done as root
WRONG. Could not be wrong-er.
All of those are supposed to be done by an automated and/or centralized system.
rsyslog has copyright dates from 1995. sysklogd is older. Puppet has copyright dates from 2005 but that is like using a nuke as a flyswatter. This is not exactly cutting edge design.
If you're manually changing stuff by hand, either as root or by sudo, either its a bizarre emergency situation or you're doin it wrong...
If you can't deploy services to a new box using one line in a Puppet config you are so doing it wrong.
That tiny kernel is what separates the sudo using noobs from the oldtimers. The oldtimers have a "personal server" or a shared "swamp box" or a "dev server" with some coworkers where they F around, experiment with grep, and read usenet slashdot infopages and manpages.
The noobs are the ones whom log into the primary DNS server or the primary mail server to F around, read man pages, fool with grep on large files, read usenet, ssh into other boxes. Then they overload it, crash it, run it out of memory, wipe it, and the "solution" is to install sudo. Stupid.
The REAL solution is not to F around on a production box. Log in, do your root work as fast as possible, and log out, as fast as possible. The oldtimers know the only reason to log into the primary DNS server is to do things requiring logging in as root. Everytime you do something on a production box, you need to ask yourself, should I be doing this on a dev box instead?
The other side of the coin is oldtimers either use "Puppet" or a homemade reinvention like it. Other than disaster emergency situations, why the hell would I log in as root to individual boxes to install software or make config changes? I generally do not log into production boxes other than troubleshooting failures. You get puppet to the point where it works on a test box, have puppet deploy itself to another test box, apply it to one production box while carefully monitoring and testing, then have puppet deploy to the whole farm. Deployment involved both application and removal recipes.
I don't log in as root to add/remove users because of centralized AAA systems, so discussing how I "need sudo" to add users just shows ignorance of modern practice. I don't log in as root to look at logs because I have centralized logging systems so discussing how I "need sudo" to run dmesg and tail -f/var/log/syslog just shows ignorance of modern practice.
In ye olden days, back when Cthulhu was just a pup, I used CVS (which at that time was pretty cutting edge) and a small herd of shell script using that newfangled "bash shell" thing to emulate what you can now do in about two lines of Puppet. If you're allergic to Puppet or whatever, you can make a poor, inadequate, featureless, and inelegant clone of Puppet using git and some shell scripts in about a half hour.
Every time someone claims not to care about whether blind people can access their site, I remind them
of multi-million dollar judgments brought by trolly ADA lawyers? Even if "they never happen" the urban legend of them is strong enough to be effective.
The Chinese recently popped one about 540 miles up.
The soviet system from the 60s had a somewhat different strategy where it pretty much did the rendezvous and instead of docking, blew up. Something to think about with those automated, autodocking Progress resupply rockets to the ISS is that pretty is a peaceful application of an old ASAT design. Theoretically anyone whom feels like lauching a geosync sat (admittedly a pretty small and elite group) could send up a special care package that goes boom... This would probably end up semi-permanently ruining the geosync belt for all nations, probably not going to win them many christmas cards.
Sorta, for some definition of land line. Mostly they use fiber links, when they aren't microwave backhauling. Which is very good, because there is almost no aftermarket for "recycled" fiber.
On the other hand, a couple feet of copper telco cable, when euphemistically "recycled" is roughly equal to a couple days of a 3rd worlders income. All that unguarded copper just laying around... Installing POTS loop-start landlines is kind of a losing proposition in the 3rd world.
If you thought home grown meth heads were motivated to steal and recycle copper... Of course most 3rd world areas don't exactly have the rule of law, so they shoot on sight anyone suspected of stealing cables, making it primarily an organized crime operation.
1980 median income in 2004 dollars was $27,206. 2004 median income in (drumroll) 2004 dollars was $30,513. A pretty flat line.
I agree commodity, real estate, food, health insurance, all those prices for mandatory purchases have increased. That means discretionary income has collapsed over that interval, so game prices are a higher fraction of the entertainment dollar than ever before.
In 1980 my father may have gone to the mall with the equivalent of $100 in his pocket. I might only have $50 in my pocket now. Games should be dropping in price if they want to maintain volume.
What about using a cellular automate? A silly idea I just had yesterday. Take a grafical representation of the password, then "hash" it by running 100 generations of life through. Store the result as the hash. The salt would be an additional life colony so that after 100 generations you're not going to end up with a dead colony.
GoL isn't as good of a hash compared to a more traditional hash. First thing that comes to mind is some hashes can spread a single bit change faster than GoL's "speed of light" limitation. The "c" limit in GoL is that a glider etc cannot move faster than a cell per generation in any direction, but I think there are hashes where a single bit change can spread across the hash faster than one adjacent bit per complete hash function. One generation of MD5 beats 50 generation of GoL on a 100x100 board in terms of smearing that single bit across the result.
Also you can get into huge arguments but generally running a hash multiple times doesn't spread the bits much better than running it once.
Not being a security guru, why would you even give someone 10k or 100k attempts/second? I'd want to keep that number as low as feasibly possible, per account.
Attacker sql injected (or whatever) a "select * from passwordstable" and now have a local copy. Then on their local box, or cloud provider, or another victims box / cloud, they crack the passwords table using their own resources. You have no way to rate limit them other than making it computationally intensive. I think you're thinking of something like "fail2ban" on your locally installed app.
Why is this even a question? Use bcrypt, always. (Preferably using the $5$ or $6$ extensions.)
mysql only offers AES, DES, MD5, and SHA... So... for at least a certain subset of developers, thats what they're going to use.
I'm not saying they're correct to do so, I'm just explaining why they will not even consider your suggestion, because they have architectural problems, for them its not as simple as search and replace all calls to md5() with bcrypt().
Like TFA says, worry more about the passwords people choose. It doesn't matter if you use SHA-1, MD5, or an HMAC, if the idiot types "password" for his password, it's going to be discovered on the first loop of anyone's "common passwords" list.
Its best to go overboard and require a minimum of 15 characters, a mix of upper and lowercase, at least two non-consecutive numbers and at least two punctuation marks. And store then so they can't reuse their previous 20 passwords. That way the users will exclusively save the password in their unsecure browser, unsecure post it notes, or cut and paste from a text file, or the corporate standard database that being an excel spreadsheet. Thats how REAL security pros roll, or so I'm told.
Do other countries have conspiracy theorists with such depth and wide-reaching audiences that have radio or television programs?
Baghdad Bob was quite popular, you could say he had a monopoly, up until 2003 or so.
http://en.wikipedia.org/wiki/Muhammad_Saeed_al-Sahhaf
Viewing from the outside, he was actually pretty funny, and probably could have done very well in stand up comedy.
makes me want to take a shower, but please (not just with him)
Newbie programmer parenthesis mistake results in compiler mis-parsing:
makes me want to take a shower, but please, not just with him.
What's the name for that syndrome where smart people think they're dumber than they are and dumb people think they're smarter than they are?
Philosophy Class?
I can see older, that is the natural tendency of people exposed to the world.
But educated? Where did you get those stats?
The hood, the barrio, the welfare office, and the homeless shelter of course, all bastions of hardcore conservative thought. Err...
The funny part is through massive grade inflation and job requirement inflation, the average "uneducated" HS grad from 50 years ago was far better educated than the average modern college grad.
exploiting fear in liberals is difficult
GWB! Palin! Fox news! Global warming! All human caused changes are evil because they were human caused! There is a waiting list for Prius! Whole Foods reports a shortage of goat cheese! All savages are noble and cultural imperialism is eliminating them! Somewhere, someone is not being taxed! There exists at least one social engineering law which we have not enacted!
Wasn't really all that hard, was it? The half of you whom are cowering under your desk can come out now, I was just kidding about the goat cheese shortage.
why am i assumed to know who Glenn Beck is?
TV viewing skews pretty strongly towards old. So its pretty much a synonym for "why am I assumed to be old", in other words its because the assumer is an idiot.
Something I don't get about the TV infotainment channels is well in excess of 50% of the time I tune in, all the networks are showing commercials, mostly for old people prescriptions. How? No bias from other channel schedules, such as switching to CNN during a star trek commercial break, because I simply sit down at the couch at a random time, turn on the tube and flip to CNN / MSNBC / FOX and over 50% of the time its a commercial. Is it really over 50% advertisements?
They could have rolled this out in search prefs and exposed it to a targeted slice of search users, I wonder why they didn't.
Smooth slow gradual rollout so as to not choke their processing servers? Thats how I would do it.
After the ten actual chrome users send enough "real data" to test the intake servers, they can run the import on that same data set one million times to emulate the 10 million FF users who would install this on the first day available. Or they could import the ten chrome users data ten million times to emulate what happens when 100 million FF users eventually use the extension.
How long will it take bloatware to include "browser bars" specifically designed to contaminate the results? If expertsexchange paid HP to add a browser bar that sent fake data to google claiming their domain is the best ....
To know that after 5 years of uptime, changes, backups, and people playing with the system it still CAN reboot.
Thats why you reboot all the boxes during a weekly scheduled maintenance or local equivalent.
You don't just randomly reboot after every time you log in and change something or fix a problem.
Rebooting all the boxes, verifying proper operation, and fixing any problems is actually excellent training for the junior on the admin team.
rm -rf /var /log/debug*
If you're limited to one extra spacebar, this is much funnier
rm -Rf /var/log/debug /*
Which explains why I don't particularly like subdirectories in /var/log, but whatever.
This is an epic fail at a higher level, as you're supposed to be using centralized logging, and whatever isn't being logged centrally is supposed to be maintained by logrotate, so unless your job is "hiding evidence" the actual fatal error was manually maintaining log files, not maintaining them the wrong way.
Most "dumb things that sudo tries to prevent" are in this general class of epic fail.
Every log, every config, every chmod, damn near every command needs to done as root
WRONG. Could not be wrong-er.
All of those are supposed to be done by an automated and/or centralized system.
rsyslog has copyright dates from 1995. sysklogd is older. Puppet has copyright dates from 2005 but that is like using a nuke as a flyswatter. This is not exactly cutting edge design.
If you're manually changing stuff by hand, either as root or by sudo, either its a bizarre emergency situation or you're doin it wrong...
If you can't deploy services to a new box using one line in a Puppet config you are so doing it wrong.
why are you even logged
That tiny kernel is what separates the sudo using noobs from the oldtimers. The oldtimers have a "personal server" or a shared "swamp box" or a "dev server" with some coworkers where they F around, experiment with grep, and read usenet slashdot infopages and manpages.
The noobs are the ones whom log into the primary DNS server or the primary mail server to F around, read man pages, fool with grep on large files, read usenet, ssh into other boxes. Then they overload it, crash it, run it out of memory, wipe it, and the "solution" is to install sudo. Stupid.
The REAL solution is not to F around on a production box. Log in, do your root work as fast as possible, and log out, as fast as possible. The oldtimers know the only reason to log into the primary DNS server is to do things requiring logging in as root. Everytime you do something on a production box, you need to ask yourself, should I be doing this on a dev box instead?
The other side of the coin is oldtimers either use "Puppet" or a homemade reinvention like it. Other than disaster emergency situations, why the hell would I log in as root to individual boxes to install software or make config changes? I generally do not log into production boxes other than troubleshooting failures. You get puppet to the point where it works on a test box, have puppet deploy itself to another test box, apply it to one production box while carefully monitoring and testing, then have puppet deploy to the whole farm. Deployment involved both application and removal recipes.
I don't log in as root to add/remove users because of centralized AAA systems, so discussing how I "need sudo" to add users just shows ignorance of modern practice. I don't log in as root to look at logs because I have centralized logging systems so discussing how I "need sudo" to run dmesg and tail -f /var/log/syslog just shows ignorance of modern practice.
In ye olden days, back when Cthulhu was just a pup, I used CVS (which at that time was pretty cutting edge) and a small herd of shell script using that newfangled "bash shell" thing to emulate what you can now do in about two lines of Puppet. If you're allergic to Puppet or whatever, you can make a poor, inadequate, featureless, and inelegant clone of Puppet using git and some shell scripts in about a half hour.
Every time someone claims not to care about whether blind people can access their site, I remind them
of multi-million dollar judgments brought by trolly ADA lawyers? Even if "they never happen" the urban legend of them is strong enough to be effective.
vlm, agreed
Not satellites in geo synchronous orbits.
The US and Chinese can reach up to about 300 miles.
http://en.wikipedia.org/wiki/ASM-135_ASAT
The ancient ASM-135 topped out, optimistically, around 350 miles.
http://en.wikipedia.org/wiki/RIM-161_Standard_Missile_3
The SM3 has never been tried above 130 miles.
The Chinese recently popped one about 540 miles up.
The soviet system from the 60s had a somewhat different strategy where it pretty much did the rendezvous and instead of docking, blew up. Something to think about with those automated, autodocking Progress resupply rockets to the ISS is that pretty is a peaceful application of an old ASAT design. Theoretically anyone whom feels like lauching a geosync sat (admittedly a pretty small and elite group) could send up a special care package that goes boom... This would probably end up semi-permanently ruining the geosync belt for all nations, probably not going to win them many christmas cards.
If it gets to the point that a government has and uses a kill switch chances are they won't blink at having to shoot a satellite down.
Its harder to do that you'd think. If a countries greatest achievement is a giant pile of rocks, they're probably not going to be successful.
Spending a hundred million dollars as a business, without a credible cost-benefit analysis and proof of return on investment is just silly.
You make it sound as simple as the video game business.
Cell towers use land lines.
Sorta, for some definition of land line. Mostly they use fiber links, when they aren't microwave backhauling. Which is very good, because there is almost no aftermarket for "recycled" fiber.
On the other hand, a couple feet of copper telco cable, when euphemistically "recycled" is roughly equal to a couple days of a 3rd worlders income. All that unguarded copper just laying around... Installing POTS loop-start landlines is kind of a losing proposition in the 3rd world.
If you thought home grown meth heads were motivated to steal and recycle copper... Of course most 3rd world areas don't exactly have the rule of law, so they shoot on sight anyone suspected of stealing cables, making it primarily an organized crime operation.
So which terrorist won?
The one that said "they hate us for our freedoms"
What cost $15 in 1980 would cost $38.55 in 2009 thanx to inflation. http://www.westegg.com/inflation/
1980 median income in 2004 dollars was $27,206. 2004 median income in (drumroll) 2004 dollars was $30,513. A pretty flat line.
I agree commodity, real estate, food, health insurance, all those prices for mandatory purchases have increased.
That means discretionary income has collapsed over that interval, so game prices are a higher fraction of the entertainment dollar than ever before.
In 1980 my father may have gone to the mall with the equivalent of $100 in his pocket. I might only have $50 in my pocket now. Games should be dropping in price if they want to maintain volume.
They are "overpriced" yet the Wii is comparable or less than a new subsidized iPhone has cost
I think you're off by around an order of magnitude.
My (roughly) three year old Wii cost about $400.
Three years of iphone means $300 upfront, plus over $100 per month times 36 months in 3 years equals about $4000.
A three year old phone has been bounced around a lot and probably has a dead battery. On the other hand the Wii is running great...
A Wii is around one tenth the cost of an iphone.
Now my $186 dollar ipod touch thats two years old, now we have some competition. But not an iphone, no way.
Don't forget phase noise on both transmitter and receiver.
What about using a cellular automate?
A silly idea I just had yesterday.
Take a grafical representation of the password, then "hash" it by running 100 generations of life through. Store the result as the hash.
The salt would be an additional life colony so that after 100 generations you're not going to end up with a dead colony.
Oh, I can't patent the idea, I'm not the first one thinking of that. http://kestas.kuliukas.com/GameOfLife/
GoL isn't as good of a hash compared to a more traditional hash. First thing that comes to mind is some hashes can spread a single bit change faster than GoL's "speed of light" limitation. The "c" limit in GoL is that a glider etc cannot move faster than a cell per generation in any direction, but I think there are hashes where a single bit change can spread across the hash faster than one adjacent bit per complete hash function. One generation of MD5 beats 50 generation of GoL on a 100x100 board in terms of smearing that single bit across the result.
Also you can get into huge arguments but generally running a hash multiple times doesn't spread the bits much better than running it once.
Not being a security guru, why would you even give someone 10k or 100k attempts/second? I'd want to keep that number as low as feasibly possible, per account.
Attacker sql injected (or whatever) a "select * from passwordstable" and now have a local copy. Then on their local box, or cloud provider, or another victims box / cloud, they crack the passwords table using their own resources. You have no way to rate limit them other than making it computationally intensive. I think you're thinking of something like "fail2ban" on your locally installed app.
Why is this even a question? Use bcrypt, always. (Preferably using the $5$ or $6$ extensions.)
mysql only offers AES, DES, MD5, and SHA... So... for at least a certain subset of developers, thats what they're going to use.
I'm not saying they're correct to do so, I'm just explaining why they will not even consider your suggestion, because they have architectural problems, for them its not as simple as search and replace all calls to md5() with bcrypt().
Like TFA says, worry more about the passwords people choose. It doesn't matter if you use SHA-1, MD5, or an HMAC, if the idiot types "password" for his password, it's going to be discovered on the first loop of anyone's "common passwords" list.
Its best to go overboard and require a minimum of 15 characters, a mix of upper and lowercase, at least two non-consecutive numbers and at least two punctuation marks. And store then so they can't reuse their previous 20 passwords. That way the users will exclusively save the password in their unsecure browser, unsecure post it notes, or cut and paste from a text file, or the corporate standard database that being an excel spreadsheet. Thats how REAL security pros roll, or so I'm told.