The issue is pre-judging individuals and even worse, acting on that pre-judgment.
The problem is that the human brain is genetically programmed to make that pre-judgment. We put things into categories, and refine those categories. But it's impossible to not put things into categories. So pre-judging will happen, regardless of whether it "should".
You didn't refute any of my points, just insulted me and confused everyone with broken formatting. Your 30 second problem was invalid. I prove it, and you got mad.
I used one of those and they realitime reject passwords that don't match the attacked server. "I'm sorry, your password isn't strong enough, please try another", until it logs into the battle.net account, and then it takes it and tells you everything is ok.
More nefarious would be to have bizarre unpublished rules that require you take 10 tries to make a password, then try all the "failures" with the email to log into all the popular sites.
All you need is the email password, and you can compromise everything else, anyway.
Add that to conspiracy theories, and the cable cuts in the middle east were not from sloppy sailors, but US agents cutting the cable so a tap could be installed elsewhere undetected.
Because if you do actually cut the cable (with a boat anchor, near shore), then you can do whatever you want with it in the middle and nobody would notice.
I have no idea what I'm talking about here, but could the tap be applied while they're still laying the cable?
In practice, the tap would go in without a problem, but the diagnostics at either end would detect a problem with the cable and give an approximate location Then it's up to the operator whether they want to accept a known damaged cable, or pay to investigate the "damage" before going live. It's possible they'd look for a rebate from the cable manufacturer, and just light it up. But I've not seen anything indicating any cable was "lightly damaged" and put into service. The liklihood that "damage" would get worse and lead to failure would be too high.
I don't see your point. They publicize the collection before they start, and those areas can be avoided. I'm not trying to avoid the collection of my information tinfoil-hat style, I've already given it to the government willingly twice. I'm just pointing out that you are wrong. Nobody is currently, or proposing to do what you say, and those with a US passport are exempt from the lines of collection in the US.
You are FUDing things which haven't happened. That makes it seem like you are OK with everything else, as if you weren't, you'd have something "real" to complain about.
There is a high rate of Americans kidnapping their child
It's impossible to kidnap your kid, they are kidnapping their ex's kid, who they might share genetic code with.
What's funny is that when I left the US, the three of us had three different surnames on our passport, and nobody said a thing. We had all the extra paperwork to prove who the 3 year old belonged to, but nobody cared. Flew from Hawaii to Fiji, no questions asked. I guess one parent with a kid is suspicions, a married-looking couple with a kid can go wherever, even if not married and the kid isn't theirs (not the case for us, but for all anyone knew, it was).
Yeah, break into an optical network timed to the nanosecond without triggering any alarms? They (THE "they") can't even snoop a line without the operators finding out. A 2dB loss in power for a tap would be obvious. Well, unless they set up a machine that bent the fiber at 2 degrees per day, for 90 days. Most of the non-destructive ("hidden" or "secret" taps) pick up light leakage. But a 2-3 dB drop from a sudden bend for the tap, and the monitoring systems will set off alarms. Some can even locate the bend from dispersion and reflections (designed to find breaks, but sensitive enough to find the bends of a non-destructive tap). But bend it slowly over many days, and the "damage" will look like a problem with the line, perhaps a water incursion. Likely, before you start setting off power loss alarms, they'll re-set the alarm thresholds. Best if you had someone on the inside to report the actions in relation to the slow power loss. But blindly bending it over a 90 day period would likely get you a tap with nobody realizing it was a tap. But tap it in 10 seconds, and they'll have a "non-destructive tap alarm" go off. No really, some equipment has that built in.
But a destructive tap, like the parent suggests, will never go unnoticed.
Hm, haven't traveled through the UK. But I don't see anything to indicate that they take anything biometric upon entering. I'm due to go there next month, so I'll see what happens then.
yep, correct, the lease business model states that they sell at full consumer rates to the electric company, not at the producers rate ( which is cheaper )
The article didn't say that there was an unfavorable buy-back rate that discourages leasing. But they said leasing was "illegal". Also, everywhere I've lived, they bill based on net use 1-month. So if you take 400kWh from the grid, and sell back 399kWh in the month of June, you pay for 1 kWh. If you sold back 401kWh, you'd get a "refund" for 1 kWh. So the question of whether that 1 kWh is 0.12 or 0.08 isn't an issue.
Most lease-backs work with the lease paid from power savings, not from on-sold power sold at a profit. I spend $200 per month on electric, so cutting that in half and charging me $100 a month on a lease agreement is a break-even. It's a win if power goes up 3% per year for the life of the 10 year lease.
"Several [states] also have rules that specifically discourage homeowners from going solar. In addition to the bans and restrictions on leasing arrangements, some Southern states assess taxes and fees on solar equipment and generation that do not exist elsewhere."
That's not just lack of subsidies, that's active blocking of financing and technical options for solar.
Biometrics, plus a card, plus a PIN would be great. Only have to remember to keep your token on you, and a short numerical string. That's still better/easier than hard passwords for everything.
Biometrics are rarely even good. They are a 3-7 byte key based on a hash of something. Any more, and the repeatability starts to fail. So if you "hack" the system to be able to key in the keys directly, rather than going through the scanning hardware, you have a very good chance of guessing a "password".
Sometimes it seems like the sites make their password rules match banks. Then, if you can't find anything else that works, use your bank password. The site then has your email, name and bank password. They can try that combo on all the major bank sites, and could get access.
I'm surprised more black-hats don't set up "free" services with that intention.
It won't be long before you won't be able to buy a bunch of v4 addresses for them. Or maybe you will, but they'll be expensive enough to seriously impact your bottom line. Will an extra $5/mo on each customer's bill be enough to count as an inferior experience for them? What about $10/mo? $20/mo?
I just bought a/19. Buying (permanent for all time) for under $5 per IP. Eventually it'll cause a problem, but we are still 5+ years from that. There's almost a black market of IPs out there, but they are available and "easy" to get.
If you have v6, you can accept inbound connections on any of your computers without dealing with port forwarding/NAT.
You "can" do that with v4 now, if only you own a public range for your private network. Though, in practice, NAT was sold as a firewall, so abandoning NAT will make people think it's less secure. It also assumes you are giving out multiple public v6 addresses to end users, when I've not seen that in practice.
Who running dual stack gives out blocks of v6 to end users as part of the "standard" residential low-cost service? What sizes are the blocks?
And if I spoof my source IP to your valid user's IPs? Your DOS prevention will be worse than the DOS itself. Lockout all your actual users because one guy is attacking you.
So are *any* attacks performed live, rate limited? What are they called? Rate limiting is a *response* to brute/dictionary attacks being performed on live login servers. Obviously someone did it, or they wouldn't have shut down that vector. Security is very reactive, and seldom proactive.
If the attacker is performing the attack "offline" then you've already lost the security battle. That's the point. If you lose your password database, assume the passwords are all broken, no matter whether you have "must have 3.2 uppercase and 4.35 lowercase letters, 0.6 special characters and as many numbers as you like, so long as it doesn't start or end with a number" rules or let them use plain English sentences. A hashed " " is as meaningful as a hashed "a" so "cat dog run fast" is better than a very random 8-char password. http://xkcd.com/936/ Even if you know it's susceptible to a dictionary attack, it'll be better than most.
But the point is, once they have your hash, you've already screwed up your security. Especially if you don't then change all the passwords.
And if you read my above posts, you'll see that I believe dual stack uses resources that increases cost and complexity for the end users, and I don't want to subject them to an inferior service. I'll go v6 when v6 works. It doesn't yet. It's not about the users, it's about the content. The content (specifically Skype) isn't ready, so dual-stack won't "help" any user, and will cause increased problems/cost for users. There's nothing that v6 helps them do that they can't do on v4. But there's lots on v4 they can't do on v6.
v6 isn't ready. When it is, I'll look at it. What benefit does dual stack give that v4 doesn't? If you can't name a single one that isn't "religious", then I'll reconsider. Yes, I understand that "someday" it'll be good, but if I have to go out and buy a bunch of v4 addresses for them anyway, why shouldn't I just give them standard v4 Internet?
Take your bragging about how many books you had to read. I find it pretty hard to believe that you took anything meaningful from reading alot of quite difficult books.
You don't have to take much "meaningful" from a book to learn from it. You'll remember some of the general themes, but you'll also pass 100+ words you didn't know, and you'll solve them in context, so that you then know them, but don't even remember learning them. Reading is a good vocabulary lesson, even if there's nothing in Moby Dick worth learning.
The issue is pre-judging individuals and even worse, acting on that pre-judgment.
The problem is that the human brain is genetically programmed to make that pre-judgment. We put things into categories, and refine those categories. But it's impossible to not put things into categories. So pre-judging will happen, regardless of whether it "should".
You didn't refute any of my points, just insulted me and confused everyone with broken formatting. Your 30 second problem was invalid. I prove it, and you got mad.
I used one of those and they realitime reject passwords that don't match the attacked server. "I'm sorry, your password isn't strong enough, please try another", until it logs into the battle.net account, and then it takes it and tells you everything is ok.
More nefarious would be to have bizarre unpublished rules that require you take 10 tries to make a password, then try all the "failures" with the email to log into all the popular sites.
All you need is the email password, and you can compromise everything else, anyway.
Only happens as part of specific death methods. And unrelated to rigor.
Hence why it's all theoretical.
Add that to conspiracy theories, and the cable cuts in the middle east were not from sloppy sailors, but US agents cutting the cable so a tap could be installed elsewhere undetected.
Because if you do actually cut the cable (with a boat anchor, near shore), then you can do whatever you want with it in the middle and nobody would notice.
I have no idea what I'm talking about here, but could the tap be applied while they're still laying the cable?
In practice, the tap would go in without a problem, but the diagnostics at either end would detect a problem with the cable and give an approximate location Then it's up to the operator whether they want to accept a known damaged cable, or pay to investigate the "damage" before going live. It's possible they'd look for a rebate from the cable manufacturer, and just light it up. But I've not seen anything indicating any cable was "lightly damaged" and put into service. The liklihood that "damage" would get worse and lead to failure would be too high.
I don't see your point. They publicize the collection before they start, and those areas can be avoided. I'm not trying to avoid the collection of my information tinfoil-hat style, I've already given it to the government willingly twice. I'm just pointing out that you are wrong. Nobody is currently, or proposing to do what you say, and those with a US passport are exempt from the lines of collection in the US.
You are FUDing things which haven't happened. That makes it seem like you are OK with everything else, as if you weren't, you'd have something "real" to complain about.
There is a high rate of Americans kidnapping their child
It's impossible to kidnap your kid, they are kidnapping their ex's kid, who they might share genetic code with.
What's funny is that when I left the US, the three of us had three different surnames on our passport, and nobody said a thing. We had all the extra paperwork to prove who the 3 year old belonged to, but nobody cared. Flew from Hawaii to Fiji, no questions asked. I guess one parent with a kid is suspicions, a married-looking couple with a kid can go wherever, even if not married and the kid isn't theirs (not the case for us, but for all anyone knew, it was).
Yeah, break into an optical network timed to the nanosecond without triggering any alarms? They (THE "they") can't even snoop a line without the operators finding out. A 2dB loss in power for a tap would be obvious. Well, unless they set up a machine that bent the fiber at 2 degrees per day, for 90 days. Most of the non-destructive ("hidden" or "secret" taps) pick up light leakage. But a 2-3 dB drop from a sudden bend for the tap, and the monitoring systems will set off alarms. Some can even locate the bend from dispersion and reflections (designed to find breaks, but sensitive enough to find the bends of a non-destructive tap). But bend it slowly over many days, and the "damage" will look like a problem with the line, perhaps a water incursion. Likely, before you start setting off power loss alarms, they'll re-set the alarm thresholds. Best if you had someone on the inside to report the actions in relation to the slow power loss. But blindly bending it over a 90 day period would likely get you a tap with nobody realizing it was a tap. But tap it in 10 seconds, and they'll have a "non-destructive tap alarm" go off. No really, some equipment has that built in.
But a destructive tap, like the parent suggests, will never go unnoticed.
Hm, haven't traveled through the UK. But I don't see anything to indicate that they take anything biometric upon entering. I'm due to go there next month, so I'll see what happens then.
yep, correct, the lease business model states that they sell at full consumer rates to the electric company, not at the producers rate ( which is cheaper )
The article didn't say that there was an unfavorable buy-back rate that discourages leasing. But they said leasing was "illegal". Also, everywhere I've lived, they bill based on net use 1-month. So if you take 400kWh from the grid, and sell back 399kWh in the month of June, you pay for 1 kWh. If you sold back 401kWh, you'd get a "refund" for 1 kWh. So the question of whether that 1 kWh is 0.12 or 0.08 isn't an issue.
Most lease-backs work with the lease paid from power savings, not from on-sold power sold at a profit. I spend $200 per month on electric, so cutting that in half and charging me $100 a month on a lease agreement is a break-even. It's a win if power goes up 3% per year for the life of the 10 year lease.
"Several [states] also have rules that specifically discourage homeowners from going solar. In addition to the bans and restrictions on leasing arrangements, some Southern states assess taxes and fees on solar equipment and generation that do not exist elsewhere."
That's not just lack of subsidies, that's active blocking of financing and technical options for solar.
Yeah, that's when the muscles tighten up. There are no muscles in that organ.
That's why it's nice having a US passport. I don't have to get recorded if I visit/transit.
Biometrics, plus a card, plus a PIN would be great. Only have to remember to keep your token on you, and a short numerical string. That's still better/easier than hard passwords for everything.
Biometrics are rarely even good. They are a 3-7 byte key based on a hash of something. Any more, and the repeatability starts to fail. So if you "hack" the system to be able to key in the keys directly, rather than going through the scanning hardware, you have a very good chance of guessing a "password".
Sometimes it seems like the sites make their password rules match banks. Then, if you can't find anything else that works, use your bank password. The site then has your email, name and bank password. They can try that combo on all the major bank sites, and could get access.
I'm surprised more black-hats don't set up "free" services with that intention.
Yup. Because SQL injection attacks work in passwords, especially when you have a 4,000 old COBOL system.
It won't be long before you won't be able to buy a bunch of v4 addresses for them. Or maybe you will, but they'll be expensive enough to seriously impact your bottom line. Will an extra $5/mo on each customer's bill be enough to count as an inferior experience for them? What about $10/mo? $20/mo?
I just bought a /19. Buying (permanent for all time) for under $5 per IP. Eventually it'll cause a problem, but we are still 5+ years from that. There's almost a black market of IPs out there, but they are available and "easy" to get.
If you have v6, you can accept inbound connections on any of your computers without dealing with port forwarding/NAT.
You "can" do that with v4 now, if only you own a public range for your private network. Though, in practice, NAT was sold as a firewall, so abandoning NAT will make people think it's less secure. It also assumes you are giving out multiple public v6 addresses to end users, when I've not seen that in practice.
Who running dual stack gives out blocks of v6 to end users as part of the "standard" residential low-cost service? What sizes are the blocks?
And if I spoof my source IP to your valid user's IPs? Your DOS prevention will be worse than the DOS itself. Lockout all your actual users because one guy is attacking you.
So are *any* attacks performed live, rate limited? What are they called? Rate limiting is a *response* to brute/dictionary attacks being performed on live login servers. Obviously someone did it, or they wouldn't have shut down that vector. Security is very reactive, and seldom proactive.
If the attacker is performing the attack "offline" then you've already lost the security battle. That's the point. If you lose your password database, assume the passwords are all broken, no matter whether you have "must have 3.2 uppercase and 4.35 lowercase letters, 0.6 special characters and as many numbers as you like, so long as it doesn't start or end with a number" rules or let them use plain English sentences. A hashed " " is as meaningful as a hashed "a" so "cat dog run fast" is better than a very random 8-char password. http://xkcd.com/936/ Even if you know it's susceptible to a dictionary attack, it'll be better than most.
But the point is, once they have your hash, you've already screwed up your security. Especially if you don't then change all the passwords.
And if you read my above posts, you'll see that I believe dual stack uses resources that increases cost and complexity for the end users, and I don't want to subject them to an inferior service. I'll go v6 when v6 works. It doesn't yet. It's not about the users, it's about the content. The content (specifically Skype) isn't ready, so dual-stack won't "help" any user, and will cause increased problems/cost for users. There's nothing that v6 helps them do that they can't do on v4. But there's lots on v4 they can't do on v6.
v6 isn't ready. When it is, I'll look at it. What benefit does dual stack give that v4 doesn't? If you can't name a single one that isn't "religious", then I'll reconsider. Yes, I understand that "someday" it'll be good, but if I have to go out and buy a bunch of v4 addresses for them anyway, why shouldn't I just give them standard v4 Internet?
Take your bragging about how many books you had to read. I find it pretty hard to believe that you took anything meaningful from reading alot of quite difficult books.
You don't have to take much "meaningful" from a book to learn from it. You'll remember some of the general themes, but you'll also pass 100+ words you didn't know, and you'll solve them in context, so that you then know them, but don't even remember learning them. Reading is a good vocabulary lesson, even if there's nothing in Moby Dick worth learning.