Slashdot Mirror


User: dexterpexter

dexterpexter's activity in the archive.

Stories: 0
Comments: 161

Comments · 161

  1. Re:Great news for those not in the top percentiles on Google and Yahoo Creating Brain Drain? · Score: 1

    I suppose you've never heard of software or information system security engineering, eh?

    They also hire people outside of the CS realm. They want thinkers, and if you get the right engineer, you get someone smart and creative, not just a code monkey. (Code monkeys can be obtained from people who don't have college degrees.)

    I suggest that you check this out.
    You might be surprised to see "Mechanical Manufacturing Engineer" and "Hardware Engineer."
    You might also note that not all of Google's innovations (and I know the connotation of this word leaves my statement open for debate) have been in the search engine game.

  2. Re:Sit over here, sonny. on After College, What Type of Jobs Should One Seek? · Score: 1

    Unless you have a Ph.D., any experience you have doing research is completely unmarketable.

    I disagree. Your undergraduate and masters research is probably the most important thing you need to market. My last job was achieved partially because the person hiring took a genuine interest in my research, and it created a great conversation-point on which to make the interview comfortable. But one experience does not a proof make, so I will try to add at least some reasoning to go along with my disagreeing:

    Any more, every college student graduates with a fancy-sounding degree along with thousands of other students, all of which probably have 4.0s and what-have-you. So what is to set them apart? It's that extra research that will make you stand out from the vanilla student (as well as your people and writing skills.) Also, most places seem to be wising up about the "I went to a prestigious school" qualification, and are becoming more interested in what sort of work you do. (Not that the prestigious school doesn't at least raise some eyebrows, but from my observations, those students are being increasingly weeded out from those who have some research experience with practical application, especially with corporate partners, to bring to the table. A person with a good research background from a prestigious school, don't get me wrong, has a definite advantage.)

    Besides, to the bean-counters, more is more.

  3. Re:No. on Robots to Help the Blind · Score: 1

    Actually, the horses are fitted with rubberized shoes, so their hard hooves are less of a concern when it comes to scratching and such. If allowed to traffic one area highly, it is likely their weight would become a concern and begin wearing the carpet, but probably no more than carts being pushed with heavy loads. Ideally, the horses wouldn't spend very long working back and forth on the carpet, but I can see where that is a concern. Then again, with the rubber shoes, this probably makes them less of a concern than the multitudes of 200 pound people who walk across the area constantly. *shrugs*

    Also, the guide horses are actually trained to spook in place 100% of the time. You will see similar (but to a lesser degree) with horses trained for riot situations. That doesn't stop them from being surprised, but their fight-or-flight reflexes are suppressed such that they are taught to spook-in-place.

    I personally think guide horses would be a wonderful idea, in addition to these store-limited guide robots. Then again, I worked on robots and show jumped when I was younger, so I am partial to both. :)

  4. Re:No. on Robots to Help the Blind · Score: 1

    Ahhh, yes. According to the guidehorse website (and this makes sense according to my understanding of the ADA):

    Under the Americans with Disabilities Act (ADA), privately owned businesses that serve the public, such as restaurants, hotels, retail stores, taxicabs, theaters, concert halls, and sports facilities, are prohibited from discriminating against individuals with disabilities. The ADA requires these businesses to allow people with disabilities to bring their service animals onto business premises in whatever areas customers are generally allowed.

    Guide horses qualify as service animals.

  5. Re:No. on Robots to Help the Blind · Score: 1

    I believe that, since they fall under the category of "service animal," they are permitted the same as any guide dog.

    This didn't seem to go through the first time, so I am posting it again. I do not know why it didn't show up. If it does again, then my apologies, and please disregard.

  6. Re:No. on Robots to Help the Blind · Score: 1

    I also want to tag onto my own post and explain that I was responding to the Slashdot article, not the posted article. The posted article clearly states:

    "People think we're trying to replace guide dogs, but we're not."

    Having RTFA, I must say that the application they are using these robots for is a neat one, as the robots could be used in addition to the guide dogs. It's not like the person is taking the robot home and trying to use it as a method to cross the street. These basically amount to smart shopping carts. For the application these bots were intended for, I am sure they will do a lovely job and it's a good idea.
    However, for the question the poster posed, that was answered in the article in that these were never meant to do that. These would not see a speeding car coming around the corner...the dog would.

  7. No. on Robots to Help the Blind · Score: 4, Informative

    No. As someone who was part of a team that worked on building autonomous robots (albeit for the I.G.V.C), I must say that, in my experience, the one thing that cannot be replaced (at least, not yet anyways) is instinct. (Neural Networking or no.) The dog offers companionship and thus a bond, which plays well with the dog's instincts in not just leading the person around and fetching things for them, but protecting them as well.

    If people are concerned with replacing guide dogs (as they have relatively short lives and take a long time to train), they should consider guide horses. You may think I am crazy, but this has been successfully tested and is becoming more popular.

    The horses live to be 25-40 years old, have binocular and monocular vision, and are very intelligent. They also have more instincts about safety than an algorithm, to date, can provide.

    However, the robots are a very neat idea.

  8. Re:Lies, Damn Lies and Statistics on Interest in CS as a Major Drops · Score: 1

    My university is not a public university. It is a private university.

    Yes, the program is rather small. However, one part of our program apparently turns down at least 1000 applicants. No, that is nothing compared to larger universities where there are 10,000 students in the CS program. Frankly, though, I didn't go to those universities because I was less impressed with their programs.

    Very few of the people in my program are local to Oklahoma. In fact, I would say only a couple of people from Oklahoma are in the program.

  9. Re:Lies, Damn Lies and Statistics on Interest in CS as a Major Drops · Score: 1

    Yes, I cannot comment on Ph.D. salaries as most people in the program I was speaking of generally stop at the MS-level, so take the Ph.D. factor out of those estimates. :) I wouldn't even be able to guess what a Ph.D. student from this particular program would make as I haven't the fortune of hearing any of those starting salaries.

    I apologize for not being more clear. :)

  10. A female perspective on Interest in CS as a Major Drops · Score: 2, Insightful

    Do you know what made me go on to do ME and EE as an undergrad, and CS and EE as a grad? (and no, I don't sleep. Sleep is for after degrees)

    Long, boring account:
    I have a strong background in studio art and interpreting literature. I also happened to be good with people. My father looked at me and said, "Okay. You're good with people, you like to write, and you're creative. Now, get good at math." He showed me how I could still keep my love of art and yet get into a field where I could have a real impact. He waited until late in college to really push the matter, but in hindsight he had been making sure I kept up in all areas since day one, even having me learn things like multiplication tables a year before my school would expect me to. I was never particularly great at math, though, because I had no real interest in it. Frankly, it is because reasons for being interested in it hadn't been planted in my head, as school rarely gave insight into the application of the base concepts I was learning, just that I should memorize them because one day in the distant future, for some unknown reason, it would be important. It wasn't until someone sat down and showed me, "Hey look what you can do with Laplace Transforms, differentiation, and Fourier series" that I thought, wow, this stuff is really useful.

    So, with the encouragement of my parents and my boyfriend, I took my creativity and skills with customers to engineering, whose primary enrollees sadly seem to lack in both. (And, speaking with those who hire in industry, it seems that they agree.) So far job offers have not been a problem, and unlike the other cookie-cutter memorize-math engineers, I can actually design and engineer something creative and useful, and can market it. (You can tell the difference between the creative engineers, and those who can spit back rote learning in order to solve a problem. It's always a pleasure to be in a team setting with the former, but the latter are oftentimes just as well being replaced by Google and a good modeling/simulation program, although I am sure I will be modded down for saying that.) No, I am not a whiz at math, although now having relevance to go with the concepts has certainly improved my math skills to the point that they aren't too worse off from your average engineering student. What I don't know, I can look up.

    It's not too late to grab those creative, "people-types":
    So, the last time my university had little munchkins running around Ooooing and Aahhhing at all of the career displays, and all of the engineering profs navigated their way over to the math and science club folks, I showed up and grabbed the artists and pulled them over to the robots and lasers, and showed them exactly where they fit in engineering. Then I told them that while they could take a billion classes in middle and high school in their favorite subjects, and breeze through them because they were already so good at it (I find many high school art classes are behind the real talent in the classroom, and only offer those kids an hour to draw, not an hour to learn something), why not jump into Advanced Placement calculus, chemistry, physics, etc. courses and work their tails off learning that material so they would have that side to market, and then their creativity to solidify the deal? Learning differential equations doesn't make you any less of an artist, nor does having that piece of paper claiming you're educated about art on the wall make you any more saleable if you're not any good. (I found places for my art without a single person asking for my art degree. That is not to say that I am a good artist, though, as I am admittedly quite mediocre, as many in the industry are.)

    Now, that isn't saying that people shouldn't go to college for Art or English majors, but if even a few jump ship (and lets face it, the arts or communications are what females are pointed toward from day one in many classrooms) and attract that component of which

  11. Real, tangible consequences? on Interest in CS as a Major Drops · Score: 2, Informative

    Some schools are doing just that. I know that my own school works hand-in-hand with industry to develop projects so that they get free labor, and we get real world experience. That is just inside the classroom. The number of outside-the-classroom research projects being cooperatively done with industry and/or government is amazing.

    And these aren't just programmers-for-hire projects, either. So far we have done an assessment of the compliance of a financial institution with federal regulations, an information system security engineering project where we designed an incident aggregation system, some digital forensics projects, and more.

    I am also curious why you seem to lower internships as not having real, tangible consequences. On a long-term internship I had in my undergraduate work, I was placed in an engineering department and had to develop projects that went to production. In fact, I had to redesign products, design new products, acquire the parts, schedule time for assembly, call the machinists to get things in order, set up testing procedures for these projects, and decide if the final product was ready for shipping to real customers in which real money was exchanged. When things went wrong, I was called in to face the CEO and explain what happened, where we were, and how the problem was going to be fixed.

    I never made anyone a cup of coffee, nor got the luxury of sitting there watching someone else do work while I played with equations. I was in the engineering department and was expected to be able to step up to the plate as the engineering staff was already short as it was. It is my hope that most of the hiring individuals realize that not all internships are fluffy.

    I think some of the "geniuses" might very well be in that pile of resumes that you go through. Hopefully, they are smart enough to be able to differentiate their real, tangible experience from the fluffy internships people assume when they see "intern."

  12. Re:Lies, Damn Lies and Statistics on Interest in CS as a Major Drops · Score: 1

    $60-70k for somebody out of grad school is not spectacular.

    While I don't disagree with what you said, I would like to note that this depends on your locale. In California, such a salary might seem quite low. In another state, that is easily enough to buy a large house and several acres.

    And thank-you. :)

  13. Re:Lies, Damn Lies and Statistics on Interest in CS as a Major Drops · Score: 2, Insightful

    That is interesting because at my university, the opposite is true. I think that the number of enrollees in the computer science department has seen a significant increase.

    Personally, I think a lot of it has to do with the perception of the quality of a program. Our CS program is seeing a drastic increase of the number of students enrolling, and one part of our program has a hefty waiting list. Right now, that part of the program has 100% placement and, I believe, the statistics I was told Friday was that each student was courting, on average, 2.5 offers. Most of the students receive offers in the $60k-70k range, which in my opinion, is spectacular for someone fresh out of grad school. I believe that the undergraduates are receiving offers in the $50k-60k range, although don't quote me on these figures as they are mere observation. I don't know what world other people live in, but that is good money for someone with limited experience. I must say, though, that because of the exclusivity of the program, it brings in some excellent, excellent students. Our EE department, however, which hasn't seen reworking in years, has barely enough freshmen to justify having courses. This is a big difference from four years ago. Now, I don't believe that the need for good EEs has gone down (as other university's trends suggest quite the opposite is true), but it's the general perception that the program has stagnated. If they rework the program and make it look impressive to prospective students, enrollment would likely increase again.

    I think part of the job-finding problem is one of personality. As I said, one part of our program (which typically has very outgoing, dedicated, social students) sees an average of 2.5 job offers per student. (I must also be fair that a HUGE part of this has to do with the program director who works tirelessly to get his students jobs.) However, I know someone who graduated from another part of another program who is barely getting above minimum wage. Placing the students in a room, the students from the one program outshine the other. Anymore, it's not a matter of being a sound programmer or being able to find bugs in code. You simply can't be the shove-a-pizza-box-under-the-door-and-I-will-spit-back-code sort of worker. The CS grads who are capable of handling customers, have a firm grasp of the hardware side of CS, can effectively market themselves and their projects to manager-types while still accomplishing their own security and feature goals, are the ones you see getting the jobs. You also see students here working very challenging internships and balancing many research projects, as opposed to specializing in one area (which might be obsolete.) Internships look impressive to employers.

    I think that too many people ran toward CS with dollar signs in their eyes, and CS produced a lot of mediocre coders which, frankly, can be outsourced. The truly successful can be a CS+ (a manager, a salesman, a marketer, a programmer, a designer, etc.) and it seems to be they who are snapped up first.
    I think another part of the problem is the "even at Brown" or "even at CM" or "even at MIT" mentality. A lot of employers (even I was once offered a Google job) are finding some of the best-kept-secret programs in the nation, and are hiring out of them. A lot of trouble students fall into is the "Hey look! I went to this school!" mentality when they should be telling employers, who are starting to wise up, "hey look at what I accomplished on this and that project in this team environment while taking on a leadership position and look at how much money I can make you." Once that goes into place, the school reputation can build on it.

    I could be wrong, though. That is just my observation. I just find it odd to hear this when I see the opposite happening here.

  14. Re:Show them Azureus's Copyright and License on BitTorrent Inherently Illegal? · Score: 1

    Hehe. Fair enough. And you are very much correct about the average joe being completely overwhelmed by the prospect of even turning on a Mac, let alone recovering data on it.

    As to the comment on the local PD, our local police department actually has a very well-developed cyber crime unit that works with the local information security group at the university. However, I don't know how well developed other units are. Just based on the articles I have read about their solving triple homicides based on digital evidence and what-not, and hearing about their use of iLook, EnCase, and all sorts of forensic tools, I would feel pretty confident in their ability to do a fair forensic analysis of a machine. As far as federal crimes go, it would be passed to the FBI, who have a very, very good team, who probably have a myriad of Mac tools. Again, extra info, but whatever. :)

    But my facetious meter wasn't on today. It's been a very, very long day. I apologize for the on-my-soap-box comments. hehe. I just hear that argument so much, it's almost a reflex-reaction. :)

    In any case, the point is moot. I doubt the university will invest time in searching the kid's machine, and certainly not for retrieving deleted files. I think his best course of action is to probably contact someone reasonable in their IS/IT department and explain the situation. Failing that, a more empty victory would be to do as I did and not use their network with his personal PC. I found the restrictive policies for dorm life disagreeable to what I found acceptable, and so I took my money elsewhere, and ended up with 3x the space, my own kitchen and bathroom, and am not paying much more in rent. :) The university tried insisting upon my living on campus, but I never did.

  15. Re:Show them Azureus's Copyright and License on BitTorrent Inherently Illegal? · Score: 1

    Nobody really knows how to do data recovery on a Mac anyhow.

    That is a myth.

    This isn't meant to be snitty, but is an honest suggestion. You should read-up on the progress digital forensics has made. You might want to start here.

    I will guarantee you that data recovery on a Mac is very doable.
    The question is whether someone wants to spend the money having a good forensics team do the analysis. In this case, it's doubtful that someone will want to spend the time and money over a few MP3s, but who knows. If you're breaking federal laws that lead to a large financial/asset/information loss, you might find that it suddenly becomes worth the government's time.

    However, I personally wouldn't mind that inaccurate statement being passed around. In fact, it's when the bad guys think they're being sneaky about something and become sloppy that they're the easiest to catch.

    But a Mac is certainly not the impenetrable beast that people make it out to be, cool as it may be. When they teach undergraduate college courses in how to do it, you know that the government can do it as well.

  16. They have the right if it was in the TOS on BitTorrent Inherently Illegal? · Score: 2, Interesting

    Which is probably what the parent poster implied in saying the "condition of using it." Many, many university TOSs stipulate this little gem and many, many students do not bother to read their school's policies. Lately, the courts have sided on the side of those who draft these contracts or policies, even the more ridiculous ones.

    This even shows up on occasion in rental agreements where people are silly enough to sign rights for the landlord to enter the premises without notice at any time. People don't read, and they sign. Seems like an unreasonable thing to put in a lease, but if people are willing to sign it, the courts generally uphold it. However, in the example I just gave, some states are stepping up to protect the citizens who sign these things by creating laws that say that even if you sign away that right, it's not legally binding. (In the case of entering the premises by a landlord. However, college dorms are treated differently than apartments--I don't know why--and I have yet to see a single "you can't sign away your rights to maintaining the privacy of your PC contents on a network" law.) I generally maintain the stance that someone should be accountable for what they agree to or sign when what they are agreeing to is posted in a clear, conspicuous manner. And yes, I read EULAs. However, I guess I can see the occasional reason for not forcing someone to abide by that agreement.
    I know of a symposium that sorta (meaning, unofficially) recently conducted an experiment where they gave out TOS for their wireless connections to people who were standing in long lines, and took note of who read it and who didn't. One iteration of the TOS had "You are not reading this" written into it. Almost no one (all college-aged students) actually read the agreement.

    I don't know if right-to-search is part of this school's particular policy, but it's something to consider.

  17. Actually... on Making Money Using Open Source Software? · Score: 1

    Actually, SuSe is sold in stores like Circuit City or Best Buy and, while I can't say that it's as profitable as the selling of support, people do buy that software. Red Hat has done the same. Mostly, you're buying pretty disks and the promise of support, but they're still selling their open source software and are fairly successful groups.

    Agreed, though, that companies like IBM have made more money using open source in their products, but just coupling your open source solution with a hardware platform does not completely negate the value of the open source software. I can think of tons of instances where this is true in the embedded community, where open sourcing the software is often necessary (since many embedded systems are used for development purposes), and the software is bought loaded on the hardware, but is hardware-specific. You might consider TiVo, for instance. In the case of TiVo, are you paying for the software, or just the hardware? In that case, I would say both, packaged. If you write TiVo for their code, since it uses GPL software, IIRC, they must send you the source. True, it's probably useless without their hardware, but I call that a sound business foundation, yes?

    I proposed an open source business model here that you might find interesting that, although it is debatable if it's true to the spirit of open source as accepted by the community, would theoretically make a perfectly valid, profitable business model.

  18. Re:Open source does not necessarily mean open to a on Making Money Using Open Source Software? · Score: 1

    Oh, definitely agreed, although it has always been presented to me as in line with "open source" in the manner in which I have described, when I have described it, and I have seen licenses (perhaps I exaggerated the amount in the parent post, although I am not sure since the influence of the GPL in "open" software development polarizes the community such that it's hard to really tell if there is more GPL or LGPL derivatives compared to those similar to the model I describe) which lean toward my description. I am unsure if this is really a misnomer, or if it's just that we have all come to accept the (very unrestrictive, IMO) GPL as the de facto standard for open sourcing. Regardless, it is the direction I would like to see most software companies go. Where they are unable to provide a feature, they can gain the financial benefit of someone else's hard work in making their product usable, and certainly make life easier for those who have to develop around third-party software. I find that it combines the progressive nature of the open source community and yet maintains the cut-throat corporate money-drone side as well.

    I really appreciate the GPL, but I also think it important to stress that the GPL (and BSD-licensing as well) is not the only open source license available for software, unless you use already-GPL code. (Although I was under the impression that you can add to the GPL by wrapping around it your own license, so long as it does not conflict with the GPL.)

    My mindset comes from a more restrictive open license (which indeed sounds and probably is conflicting and now that you mention it, might be a misnomer), especially in the case of situations like voting machines, etc. Now, while I don't want to necessarily spur a flamewar about voting machines, one of the issues has been where companies like Diebold (if I am confusing company names, please forgive me) have been unwilling to open the source for auditing purposes and many people do not want to completely open the source to anyone and everyone for one reason or another. However, there has been a (legitimate, I think) call for regulating this process and assuring that the software is reliable outside of in-company code reviews. Contrast this with forensics software which must, on some level, be open sourced for peer review for it to fall under the Federal Rules of Evidence. However, most forensics suites (I am not talking about live Linux CDs and such which, btw, are super-useful forensics tools) are not open source as in go-to-the-website-and-download-it. I suppose that was what I was thinking. The solution I suggest may be a viable alternative or compromise, falling in line with the forensics direction of doing things, only a little more protective of the voting machine companies' rights if you limit the "customer" to include the U.S. government or an "independent" auditing company, although there is a lot to be said about that.

    However, and I may be incorrect in thinking so, I was fairly sure that I heard in a conference years ago, concerning the GPL, by someone involved in that community, that alterations had to be made available on-request, but that your own licensing wrap could limit this to your customers, and I thought TiVo was offered as an example, but I could be mistaken. My point wasn't intended to necessarily be about the GPL as much as open source licensing in general, although I believe that the GPL has made for a very successful and wonderful model. If I am wrong about its restrict-ability, and I suppose that I should open up the newest version of the GPL and really pore over it, then I thank you for correcting me. Honestly, I am less familiar with the GPL specifically than I ought to be.

    In the end, though, I believe you are right, Sloppy. I am sure this will gain me no favors with the GPL-promoting community, but if I wrote something from-scratch, the model I described would probably be the direction I would go as far as licensing goes, especially if my software was boutique and industry-specific, since it would afford me the most profit with the most "free development" within the community it was intended, while offering the attribute of being open to those who need it (and pay for it.)

  19. Open source does not necessarily mean open to all on Making Money Using Open Source Software? · Score: 1

    One of the most misunderstood parts of Open Licensing is the idea of "free" (as in beer) versus "free" (as in open licensing to customers) versus "free" (as in, anyone can see it.)

    It is not necessarily true that an Open source product is free of charge.
    It is not necessarily true that an Open source product must be shared with anyone and everyone.

    In fact, open sourcing does not necessarily mean that you have to make the source open to everyone, and may only be shared with paying customers, despite that being against what one would naturally think.

    Many open source licenses maintain the open source nature to customers only. Depending on the license, you don't necessarily have to send the source to anyone and everyone, nor do you have to post it on a website. When a person becomes a customer, they can then gain the right to your source for their own development needs (as per your license), with whatever additional licensing wrapping you want to provide (be it that they cannot openly distribute code to anyone but their customers, or that they can only openly distribute their code, yours omitted, to their customers, or that they have to give you a % of earning for money made using part of your code) being up to you.

    What aspirations you have for your software will determine which open source license you use (or create.) A lot of what you will read is (with good intentions) incorrect because so many people assume that open source means both or either free (as in beer) and free (to everyone.) Many licenses take advantage of the fact that until you become a customer, they are not bound through licensing to you (and likewise, outside of applicable laws and copyright issues, you are not bound to their licenses either. Makes sense.) Using the software consents to licensing, which may require paying for that service. That is one way to both open source (making the customers happy and making your product extensible) and make money.

    To me, that's a great business model. Customers pay you for your hard work and they get to see the code so that they can tailor their own applications to it. It makes your product more extensible and marketable, offers your customer more options, and has the benefit of being profitable as well. You can then also sell support for your products and make money off of that as well.

  20. Some Resources on Making Money Using Open Source Software? · Score: 4, Informative

    Using Google search terms "make money using open source", I came up with the following:

    -101 Ways to Make Money off Open Source
    -How to make money with Open Source Software
    -Making an open source living
    -eWeek: How to Make Money Off Open Source

    I am not intending to be snitty in suggesting that you search Google; there were tons of other seemingly-good resources contained within it, and it might just be a case of different search terms. You might be able to team the information gained there with the advice of people here.

    Also, if you can gain access to the class papers from the Boston Embedded Systems conference, particularly those from Bill Gatliff in 2003, there were tons of developers there who lectured on this very thing, citing examples and explaining the ins and outs of open-source licensing. I thought Bill Gatliff did an excellent job, and you may be able to contact him through his website for some resources.

  21. Re:Biometrics on MS Employee Calls for No More Passwords · · Score: 2, Informative

    I apologize. I grabbed onto the parent poster's word retina and went with it. There is such a thing as a retina scanner, but it's actually Retina (with a capital R) scanner made by eEye. That is what one gets for trying to post something too quickly without putting much thought into it first...you mix words without even noticing. And, on the great Slashdot, once you hit "submit" you can't change it, and reposting it correctly will get marked redundant (and rightfully so...for nonrepudiation.)

    You are correct that it is iris scanning.

    Now, there isn't much I can say about your attitude about my simple mistake except that I have written papers regarding biometric systems (and I promise they had much more thought and care put into them than my quick Slashdot post) and I apologize because that really did make me look like an ass. (Cue the AC trolls making stupid ass comments)
    But I do think you were a bit harsh over a simple mistake. We can discuss this like professionals without having to be snitty. (Although admittedly...that was a pretty silly thing I wrote.)

    Also, one correction (or, I guess, addition?): not all eye-based "biometrics" systems (at least, that are sold as such) look at the actual physical metrics of the eye. I can promise you that a good part of them actually only take a single image (camera/image-based) and compare it with a stored image, much like the old facial systems did. With a high-resolution scan of the eye, these have been easily fooled. (They are also terrible as far as false negatives.)

    I find that the biggest problem with biometrics (and I am not against using them as a complementary authentication system) is getting the vendors to be honest about how their particular system works. (Frankly, though, in businesses you market everything as though it has gold legs on it, so I can't really blame them.) When their sales hype of "Ooooo, Biometric!" works, people don't give much ado to the fact that an image on a piece of paper or a fogged glass can work. These aren't Star Trek solutions, these are proven-in-the-lab red team analyses of these systems. Now, while mom and pop shops probably don't have to worry about someone following them to the bar to lift fingerprints, yes, there are "high-security" situations where espionage is a concern.

    I bid you good day.

  22. absolutely! on MS Employee Calls for No More Passwords · · Score: 5, Informative

    Yep. I first learned about it in my forensics coursework.

    For more information on this, this Google search produced some good sites explaining this.

    Also, in just conducting that search, I learned that 2000 and XP are apparently immune from this particular problem, according to this site.

    "With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.
    ...
    But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

    With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters."

  23. Re:I've been doing this for ages on MS Employee Calls for No More Passwords · · Score: 1

    That might be true for some systems, but

    The problem is that with Windows, your password is broken into 7-character segments, so your password is now:

    iswtfmt
    osadgaw
    d

    which would still be vulnerable to checking against hash tables, since it's simply seven alphanumeric characters.

    Also, for this particular example (if a Windows password) I would give L0phtcrack less than a day, and probably less than an hour to get that one.
    In the case of network based passwords, Cain & Abel would probably grab it in no-time.

  24. Re:Offer Void on pre-2000 MS operating systems. on MS Employee Calls for No More Passwords · · Score: 1

    Tagging on...

    Most of the systems only appear to support even that many. Most Windows systems actually then break the passwords up into 7-character segments, and then create a hash and store them. So, the greater-character-password support is still limited to 7-character segments. This means that the old hash table problem still applies because checking every 7-character possibility is a real-time option.

    The only added layer of security is that instead of having to break only one password, your 70 character "password" (or passphrase, to be exact) equates to ten 7-character passwords, which the hash tables will cover.

    I can't speak for newer Windows systems from experience, but I know this is true for "older" (non-XP) ones. However, last I heard (second-hand knowledge), this was still true.
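    The LM behaviour discussed in comments 22 through 24 (two independent 7-character halves, and the constant AAD3B435B51404EEAAD3B435B51404EE stored for 15+ character passwords) can be turned into a defensive audit check. The following is an added example, not code from any of the commenters; it assumes a pwdump-style export format (`user:rid:lmhash:nthash:::`), and the sample hashes are constructed, not taken from a real system.

```python
# Added example: audit a password-hash export for accounts that still have a
# crackable LM hash stored. Format assumed: pwdump-style "user:rid:lm:nt:::".
from dataclasses import dataclass

# LM hash of a null password; also what Windows stores when the password is
# 15+ characters. Each 16-hex-char half is the DES output for an empty half.
NULL_LM = "AAD3B435B51404EEAAD3B435B51404EE"
NULL_HALF = NULL_LM[:16]
HEX = set("0123456789ABCDEF")


@dataclass
class LMFinding:
    user: str
    status: str  # "no_lm", "short_7_or_less" or "lm_stored"


def classify_lm_hash(lm_hash: str) -> str:
    """Classify a 32-hex LM hash by what it reveals about the password."""
    lm = lm_hash.strip().upper()
    if len(lm) != 32 or not set(lm) <= HEX:
        raise ValueError(f"not a 32-hex LM hash: {lm_hash!r}")
    first, second = lm[:16], lm[16:]
    if first == NULL_HALF and second == NULL_HALF:
        return "no_lm"            # empty or 15+ chars: nothing to brute-force
    if second == NULL_HALF:
        return "short_7_or_less"  # second half is null: password <= 7 chars
    return "lm_stored"            # two independent 7-char halves to attack


def parse_pwdump_line(line: str):
    """Return (user, lm_hash) from one pwdump-style line."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    return parts[0], parts[2]


def audit_lm(lines):
    """Flag every account whose LM hash still gives an attacker a foothold."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        user, lm = parse_pwdump_line(line)
        findings.append(LMFinding(user, classify_lm_hash(lm)))
    return findings


# Constructed sample export (fake hashes, for demonstration only).
SAMPLE = [
    "# constructed sample, not real data",
    "longpass:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "shortpw:1002:0123456789abcdefAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "medium:1003:0123456789ABCDEFFEDCBA9876543210:0123456789ABCDEF0123456789ABCDEF:::",
]
```

Accounts reported as `lm_stored` or `short_7_or_less` are the ones to rotate (and the reason to disable LM hash storage where the platform allows it); `no_lm` accounts are protected by the 15+ character behaviour quoted above.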

  25. Re:Biometrics on MS Employee Calls for No More Passwords · · Score: 5, Informative

    Yes. Actually, I did a fair amount of research in biometrics and found that for most systems, you don't even need to make fake fingers or gloves. In fact, many biometric systems will work with simply a black and white photocopy of the person's fingerprint with a heated hand (your own) behind it while it's held up to the scanner. It depends on whether it is static-based or image-based. Same goes for retina scanners. Some systems can be fooled with a high-quality picture of an eye.

    Even worse, some fingerprint-based biometric sensors that were being touted as secure were able to be broken by simply blowing warm breath on the reader, much like when you go up to a cold, glassy window and fog it with your breath. The biometric sensors, for one reason or another, read the previous fingerprint.

    Again, it all depends on which system is in question, but my research found that most biometric systems were able to be broken, sans bloody, cut-off fingers or jelly replicas. Of course, they are touted as super-secure.

    That is why the fundamental rule for using biometrics for authentication is as follows:
    Biometrics aren't meant to replace passwords/passphrases. They are meant to be used as an added layer of security in addition to the password.

    (As a side note, if you wanted to do more than just get the copy of fingerprints, invite someone out for beer and french fries at the local bar and bring some scotch tape with you. When they are done and leave, take their greasy, fingerprint-covered glass and apply the scotch tape to it. You will lift the oily fingerprint. Depending on how the system works, you can now use watery ink to get a negative of the fingerprint. Print this onto the old boards they used to hand-make printed circuit boards, etch the board with chemicals, and come out with a fairly 3-D version of the fingerprint. Now, make your standard flat, thin jelly mold and, when set, wrap it on your finger. Voilà!)