The fully burdened cost of employing me is not $85k/year above what I make in salary. I mean seriously, I pay like $80/mo for health insurance that the company picks up a $350/mo tab on... that's like $4000. The cost of HR and payroll scales very well per-employee. My total compensation and amortized maintenance (cost of all the legal/payroll/HR stuff divided by employee base) is less than $10,000 above my salary.
You do realize network engineers in real companies, multi-billion-dollar companies, make $50k-$80k, which is around $25-$30/hr, right? Or do you still live in the fantasy world of $200k programmer salaries?
The British have one thing over America: They know how to say "Piss off!" in every situation imaginable. Americans just get all hot and whimper and then bend over. Violence is bad here, it's taught as "not the solution", and all aggression is looked down upon; we've forgotten how to push back, to shout at people, and to react to someone trying to kill us by throwing a brick at them instead of crying and ducking under a chair.
In America, it would be like, "ohgod, I uh, please don't call me, I don't want to talk about stuff like that it's uncomfortable!"
The thing is it makes sense in hundreds of contexts; when you put the keystone information in (i.e. "he's a con artist and is manipulating you"), only then does it tie together. Otherwise it's a bunch of stuff that can't forward-predict anything: we all know egomaniacs who act like this but aren't conning you.
Yes. More to the point, the totality of pertinent reports would set off alarms... but there would be a thousand other alarms with reports pertinent to a thousand other attacks that never materialized. How do you pick out the right one to respond to?
Saddam got executed as a response. I was talking about the imagined fantasy that anyone could have predicted the planes getting hijacked and hitting the tower in the first place.
Black swan
on
Losing Aaron
·
· Score: 5, Insightful
Bob knows that none of the "obvious signs" were really there, that everyone made them up to explain in hindsight what nobody saw coming. He knows he did exactly what he could have done, and he could have done more if he could predict the impossible-to-predict events of the future.
It's the same thing as 9/11. The FBI, CIA, the executive branch, everyone had all these documents about 3000 terrorist groups and hundreds if not thousands of operations and actions and movements. A lot of hot seats to check into. Then one of those hot seats inexplicably caught fire. Everyone looked back and shouted, "Oh my GOD it was so obvious! We should have known it was going to happen today! Look at the time line! 6 weeks ago, then a month, then just 12 days before the towers came down... it was screaming at us!!"... but, it wasn't.
Aaron's death came roughly the same way. When Aaron started doing what he was doing, someone could have predicted easily that somebody might not be amused. Nobody could predict it becoming an outright holy war against one person, nor could they predict that he'd just kill himself instead of having his life crushed and getting shoved into buttsex prison for 18 years per count for 200,000 counts of shit he didn't do wrong. It just happened. The big story of his life has a lead-in, but the really big surprise twists were a total surprise.
True, but as you say: the "password" is a generator seed, and the real access key is what's stored in plaintext. Also: this intermediate hash needs to be repeatable, so it can't really be salted (I can come up with a few over-engineered ways, like the AP sending back the salt in the handshake and you store the salt), so rainbow tables.... In any case, the actual authentication token is plaintext.
Most people are going to whoosh at the numbers, too. 33% of Democrats believe humans poofed into existence; 57% of Republicans think the same; 33% overall believe this way..33x +.57y =.33(x+y);.33x +.57y =.33x +.33y. The numbers given show that republicans don't exist.
Windows does the same thing. Does it automatically connect to Wifi when it boots?
We can store them in an exotic form of plaintext, like encrypted with the encryption key in/var, so you can use the encryption key to read the plaintext but we can claim it's "stored encrypted" even though this doesn't add security.
If the system stores an encryption key and a password, it's storing plaintext in an exotic format. If the system is capable of extracting the plaintext without user intervention, then it's storing plaintext in an exotic format. If it's OpenSSL encrypted, and the OpenSSL key is RIGHT THERE NEXT TO IT, it's in plaintext.
If you want the system to use a wifi connection as its primary--to boot and enable wifi, or to allow all users to enable wifi--the wifi connection must store the password in plaintext.
Think like this: You get a wire, plug in an RJ-45, and tell the system to enable that on boot. When you boot, you're online.
Now, if you use wifi, to do this, you have two options. The first is for a user to log in, connect to wifi, and store the password encrypted in keyring. The next user logs in (after the first logs off, or after a reboot) and, not knowing the password, can't use the network on that machine. The second option is to store that password in plaintext, accessible by a system level service (or, alternately, by all users). At boot, the system service enables the network connection; any user with access rights to enable or disable the network connection can send a message to the service to do so, and the service will read the password from disk.
In the second scenario, if you create an encryption key and encrypt the password, you need to store the key in plaintext. An attacker would get the key and use it to decrypt the password in the same way as he'd obtain the plaintext password, so technically you are still storing plaintext--just in a different format involving multiple files. It's not encrypted until it's separated from the key. An encrypted e-mail is encrypted because only the sender and recipient have the key--the sender usually generates a session key and encrypts that with a public key, so usually no longer has the key after sending it. A third party would have an encrypted blob and no key. If you encrypted the e-mail and stored a private key to decrypt it on the same system, protected by a password stored in a text file on the same system, then administrative access gives you full access to everything--essentially, the message is stored in plaintext. That's a stretch; but if your system fundamentally functions such that it must store some data, and stores that data and an encryption key "to encrypt it", you're storing plaintext--the "encrypted" data is never transported, and the key is just theater.
So this isn't an example of poor security; it's an example of "the only way to accomplish this particular goal".
No, not probability. Appeal to emotion. After the next attack, people will make stupid scared decisions. Right now he's threatening that another attack could come and you should be afraid NOW and let him save you, somehow.
Not really. What else did the CIA give bush? Briefings on 3000 other terrorist attacks just about to happen, from 250 other terrorist groups in 87 countries? All that intelligence is like an oil field and you're looking for that one quart of oil that's going to burn ultra-hot because of its unique composition. One day it ignites while you're sucking it out of the ground and the rig blows up, and people are like, "There were so many warning signs, the equipment was groaning, it was out of maintenance, some drills had failed, engineers on the team had warned that this could happen..." and what really happened was a piece of sulfated rock came up in the oil that day, and would have ignited a brand-new, inspected, perfectly functional rig anyway, and we've NEVER had a piece of sulfated rock cause a fire like that so nobody could have possibly predicted that could be an actual thing.
Worse, he's right: people don't understand what's happening and believe anything under stress. I could rant, but I'll just point at some barely coherent brown kid who sounds nutty but really knows what he's talking about. Try not to go too far out on this stuff, but... yeah, he has a point.
It may be accurate, but you'll never find a theoretically ideal rubber sheet.
The fully burdened cost of employing me is not $85k/year above what I make in salary. I mean seriously, I pay like $80/mo for health insurance that the company picks up a $350/mo tab on... that's like $4000. The cost of HR and payroll scales very well per-employee. My total compensation and amortized maintenance (cost of all the legal/payroll/HR stuff divided by employee base) is less than $10,000 above my salary.
You do realize network engineers in real companies, multi-billion-dollar companies, make $50k-$80k, which is around $25-$30/hr, right? Or do you still live in the fantasy world of $200k programmer salaries?
Done in one. "We're re-releasing a popular low-cost router, the immensely popular $50 FiftyBuxBox. The new FiftyBuxBoxDuo will cost $3000."
Rob, I think it would be more productive to talk about Clara.
The British have one thing over America: They know how to say "Piss off!" in every situation imaginable. Americans just get all hot and whimper and then bend over. Violence is bad here, it's taught as "not the solution", and all aggression is looked down upon; we've forgotten how to push back, to shout at people, and to react to someone trying to kill us by throwing a brick at them instead of crying and ducking under a chair.
In America, it would be like, "ohgod, I uh, please don't call me, I don't want to talk about stuff like that it's uncomfortable!"
The thing is it makes sense in hundreds of contexts; when you put the keystone information in (i.e. "he's a con artist and is manipulating you"), only then does it tie together. Otherwise it's a bunch of stuff that can't forward-predict anything: we all know egomaniacs who act like this but aren't conning you.
Yes. More to the point, the totality of pertinent reports would set off alarms... but there would be a thousand other alarms with reports pertinent to a thousand other attacks that never materialized. How do you pick out the right one to respond to?
Saddam got executed as a response. I was talking about the imagined fantasy that anyone could have predicted the planes getting hijacked and hitting the tower in the first place.
Bob knows that none of the "obvious signs" were really there, that everyone made them up to explain in hindsight what nobody saw coming. He knows he did exactly what he could have done, and he could have done more if he could predict the impossible-to-predict events of the future.
It's the same thing as 9/11. The FBI, CIA, the executive branch, everyone had all these documents about 3000 terrorist groups and hundreds if not thousands of operations and actions and movements. A lot of hot seats to check into. Then one of those hot seats inexplicably caught fire. Everyone looked back and shouted, "Oh my GOD it was so obvious! We should have known it was going to happen today! Look at the time line! 6 weeks ago, then a month, then just 12 days before the towers came down... it was screaming at us!!" ... but, it wasn't.
Aaron's death came roughly the same way. When Aaron started doing what he was doing, someone could have predicted easily that somebody might not be amused. Nobody could predict it becoming an outright holy war against one person, nor could they predict that he'd just kill himself instead of having his life crushed and getting shoved into buttsex prison for 18 years per count for 200,000 counts of shit he didn't do wrong. It just happened. The big story of his life has a lead-in, but the really big surprise twists were a total surprise.
I always use a shotgun when I'm fishing.
True, but as you say: the "password" is a generator seed, and the real access key is what's stored in plaintext. Also: this intermediate hash needs to be repeatable, so it can't really be salted (I can come up with a few over-engineered ways, like the AP sending back the salt in the handshake and you store the salt), so rainbow tables.... In any case, the actual authentication token is plaintext.
Yes. The poll shows there's no such thing as Republicans.
Most people are going to whoosh at the numbers, too. 33% of Democrats believe humans poofed into existence; 57% of Republicans think the same; 33% overall believe this way. .33x + .57y = .33(x+y); .33x + .57y = .33x + .33y. The numbers given show that republicans don't exist.
Windows does the same thing. Does it automatically connect to Wifi when it boots?
We can store them in an exotic form of plaintext, like encrypted with the encryption key in /var, so you can use the encryption key to read the plaintext but we can claim it's "stored encrypted" even though this doesn't add security.
Why Linux specifically? Windows also stores your WIfi password in plaintext.
Your argument is that the password should be rot13 or base64 encoded.
If the system stores an encryption key and a password, it's storing plaintext in an exotic format. If the system is capable of extracting the plaintext without user intervention, then it's storing plaintext in an exotic format. If it's OpenSSL encrypted, and the OpenSSL key is RIGHT THERE NEXT TO IT, it's in plaintext.
If you want the system to use a wifi connection as its primary--to boot and enable wifi, or to allow all users to enable wifi--the wifi connection must store the password in plaintext.
Think like this: You get a wire, plug in an RJ-45, and tell the system to enable that on boot. When you boot, you're online.
Now, if you use wifi, to do this, you have two options. The first is for a user to log in, connect to wifi, and store the password encrypted in keyring. The next user logs in (after the first logs off, or after a reboot) and, not knowing the password, can't use the network on that machine. The second option is to store that password in plaintext, accessible by a system level service (or, alternately, by all users). At boot, the system service enables the network connection; any user with access rights to enable or disable the network connection can send a message to the service to do so, and the service will read the password from disk.
In the second scenario, if you create an encryption key and encrypt the password, you need to store the key in plaintext. An attacker would get the key and use it to decrypt the password in the same way as he'd obtain the plaintext password, so technically you are still storing plaintext--just in a different format involving multiple files. It's not encrypted until it's separated from the key. An encrypted e-mail is encrypted because only the sender and recipient have the key--the sender usually generates a session key and encrypts that with a public key, so usually no longer has the key after sending it. A third party would have an encrypted blob and no key. If you encrypted the e-mail and stored a private key to decrypt it on the same system, protected by a password stored in a text file on the same system, then administrative access gives you full access to everything--essentially, the message is stored in plaintext. That's a stretch; but if your system fundamentally functions such that it must store some data, and stores that data and an encryption key "to encrypt it", you're storing plaintext--the "encrypted" data is never transported, and the key is just theater.
So this isn't an example of poor security; it's an example of "the only way to accomplish this particular goal".
It was always a lie.
No, not probability. Appeal to emotion. After the next attack, people will make stupid scared decisions. Right now he's threatening that another attack could come and you should be afraid NOW and let him save you, somehow.
Not really. What else did the CIA give bush? Briefings on 3000 other terrorist attacks just about to happen, from 250 other terrorist groups in 87 countries? All that intelligence is like an oil field and you're looking for that one quart of oil that's going to burn ultra-hot because of its unique composition. One day it ignites while you're sucking it out of the ground and the rig blows up, and people are like, "There were so many warning signs, the equipment was groaning, it was out of maintenance, some drills had failed, engineers on the team had warned that this could happen..." and what really happened was a piece of sulfated rock came up in the oil that day, and would have ignited a brand-new, inspected, perfectly functional rig anyway, and we've NEVER had a piece of sulfated rock cause a fire like that so nobody could have possibly predicted that could be an actual thing.
Eternal September?
Worse, he's right: people don't understand what's happening and believe anything under stress. I could rant, but I'll just point at some barely coherent brown kid who sounds nutty but really knows what he's talking about. Try not to go too far out on this stuff, but ... yeah, he has a point.
Is the NSA a good agency or a bad agency? Is it a matter of the power being too much, or the power being of a sort that should not be?