Slashdot Mirror


User: museumpeace

museumpeace's activity in the archive.


Comments · 914

  1. maybe you don't get this but Dubya seems to on Blink · · Score: 1

    ...Superficial traits can be used to the advantage of an actor trying to project a particular characterization. Similarly, an authority figure can dress and behave in a particular fashion to influence subordinates. Warren G. Harding made overwhelmingly positive first impressions throughout his political career, although he is considered by historians to be one of the worst American presidents. Despite his consistently lackluster performance, his attractive bearing and appearance camouflaged his shortcomings...
    ok, that was a troll if you are from a red state but seriously...politics works the way it does because the "intuition" shit, so mystifying to nerds, is a pretty good model of behavior for the mythical average voter.

  2. Re:passwords.... on Are Often-Changed Long Passwords Really Secure? · · Score: 1

    yup, just finding out a few things about a person can make password fishing easy...a supposedly smart programmer in an old robotics gang I once worked with was totally in love with his Toyota Celica Supra....it only took 3 tries to guess his pswd. Now I happen to never use the same pswd twice but, based on how sloppy most people are, your scheme looks like a pretty nice substitute for working for a living.

  3. Re:RFID keys for cars, why not PC's? on Password Security Panned · · Score: 2, Informative

    it better be stronger than the 40 bit key used for current car keys...we just had a /. art on how kids at JHU built special cracking hardware that could recover the cryptokey for any of the millions of RFID tagged car keys. If you drop your keys and the bad guy picks 'em up, you are wide open even if he only has them for about 2 hours and then hands them back to you.

  4. Re:Most of our (.au) phone spam is from overseas on Outsourced Support, Now Outsourced Telemarketing? · · Score: 1

    So it was the economists that did it! Here in the US, we got it wrong. Reagan got a posse together, we rounded up all the regulatory busybodies we could find and we hung'em high. Now our phone companies either go broke, swindle investors [sometimes both] or jack up service fees at will and our airlines are all going bust. Maybe we can get dubya convinced that bin Laden is an economist.

  5. Re:can you elaborate? on Password Security Panned · · Score: 1

    I think that's the right interpretation...Schrage used the specific term "suspicion engine" but that word is actually a product name for software sold by IBM/Tivoli and from the little that IBM will say about it on their web site, it does not sound as evil as the possibility that is described in the rest of Schrage's mention of the suspicion engine:
    ...it needs to wean itself from passwords and PINs as the medium of authentication. We'd be far more secure with more layered approaches to authentication--"suspicion engines" on the lookout for deviant behaviors--and more subtle yet persistent ways of tracking and challenging online identities.
    It is precisely the layering that seems ripe for abuse because when we use a password, we use it at the UI, the only layer we as users can really see or control. Other "layers" in a client server model that don't immediately reject access at the log-on can only do their job by snooping on us and may do so without our knowledge. Admittedly, the article is suggesting more than it is describing or uncovering.

  6. Re:The One Ring! on 2.4GHz Wi-Fi Detector Ring Project · · Score: 2, Interesting

    from TFA: ...the prototype unit does not discriminate between other sources of 2.4GHz RF, eg. "leaky" microwave ovens,...
    So it will keep me from cooking my cojones along with my microwave popcorn...that sounds useful to me. If the Atmel could be programmed to drive a little active antenna tuning, maybe it would also double as a bug sweeper?
    Disclosure: I do wear a pocket protector.

  7. Re:The One Ring! on 2.4GHz Wi-Fi Detector Ring Project · · Score: 1

    You never heard of Mood Rings?

  8. Re:can you elaborate? on Password Security Panned · · Score: 1

    no, not the gummint, maybe your boss though. The easiest-to-find example that is ready to deploy, comes, surprise, surprise, from that blue company and is described as a service that the sysadmin but maybe not the user would be aware of. Now suppose a company was having problems due to its employees using IE and bringing down spyware infections or such like problems. The management might just stick one of those engines in the pipeline and configure the sig.nefarious file any way they please to keep users from doing what the company doesn't want done. Yes, it would mean that an unauthorized user hitting xxx sites would set off alarms but the other side of the coin is that a list of just what sites your boss wants you [not the unauthorized user] to stay away from. It's a bit more intrusive than domain blocking and not very far from maintaining per-user lists of what's naughty and what's nice.

  9. Tech Review Article on passwords on Are Often-Changed Long Passwords Really Secure? · · Score: 1

    Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess]. But the suggestion that system security admins and developers need to make deeper security mechanisms such as "suspicion engines" that compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.
    The timing of the art. is unfortunate as no one is going to be reading comments this late in the posting cycle.

  10. THE TRUTH COMES OUT on Open Source is Not a Career Path · · Score: 2, Interesting

    AFTER THE QUALITY GOES IN...

    After all, paying people to write software hasn't exactly given us bulletproof and easy to use products...why NOT have people write code because they like to.
    what am I saying? software is the only paycheck I ever had!

  11. Your bank asked you to change passwords? on Are Often-Changed Long Passwords Really Secure? · · Score: 1

    What a coincidence!
    Citi Bank and Sun Trust sent me dozens of emails to correct my account numbers/ SSN and passwords. They are SOOO security conscious! If I had accounts at those banks I'd sure be changing my password all the time.

    Seriously, consider my approach. I have all the same password challenges in spades: when you work with a $ecurity clarence, you can be shown the door for writing down a password...and yet there are typically MORE passwords involved in your work-a-day routines [stuff like you HAVE to have a max of 15 minute timeout on the screen saver and it must lock the screen.] My way, I only have to remember one MEMORABLE phrase and know the rules for each kind of password...my hash mechanism does the rest including periodic password change.
    NOTE: you DO NOT set your shell to save history, you EXIT your shell when you have gen'ed the PSWD and type, don't paste the PSWD unless you know how to ####^H^H^H^HEEEE^H^H^H^H0000 out the clipboard.

    Also, if you've gotten infected by a keylogger, they can see what you type but they don't have access to stdout so they still don't know your pswd until you type it in...they'd have to really break in and get your hasher app to know what the other passwords might be. But a user in that situation has already demonstrated a level of stupidity from which nothing will protect them and which earns them no sympathy from me.
    Don't trust the computer, don't trust your memory, don't trust your boss, never put it in writing.

  12. It's just common sense longer PSWD is safer on Are Often-Changed Long Passwords Really Secure? · · Score: 2, Interesting

    My company just upped the ante for anyone trying to guess one of our passwords...min of 10 characters of which at least one each of UPPER CASE, special, numeric and lowercase are required...It's hard to produce a memorable password under these conditions. I have about a dozen passwords to remember between the various OSes, LAN security, Mail, and then there is my firewall and systems at home.
    One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically selected rule [e.g. 12 chars, mixed case and numerics, no specials]. I wrote one of these generators in AWK since I have unix boxes at work and run a cygnus shell at home...it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
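
The scheme described in the comment above (and in the same poster's "consider my approach" comment), sketched as an added example that is not the poster's AWK script. The rule names, the PBKDF2 construction and the quarter tag are assumptions chosen for illustration.

```python
import hashlib
import string
from datetime import datetime, timezone

# Hypothetical rule table: name -> (length, character classes that must each appear).
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digit": string.digits, "special": "!#$%&*+-=?@^_"}
RULES = {"corp10": (10, ("upper", "lower", "digit", "special")),
         "alnum12": (12, ("upper", "lower", "digit"))}

def period_tag(when=None):
    """Calendar quarter in GMT/UTC, e.g. '2005Q1'. Pass `when` to rebuild a past password."""
    when = when or datetime.now(timezone.utc)
    return f"{when.year}Q{(when.month - 1) // 3 + 1}"

class ByteStream:
    """Deterministic byte source with unbiased draws (rejection sampling, no modulo bias)."""
    def __init__(self, phrase, salt):
        # Slow KDF on purpose: anyone who captures one generated password can
        # guess the memorised phrase offline, so each guess should be expensive.
        self.buf = hashlib.pbkdf2_hmac("sha512", phrase.encode(), salt.encode(), 200_000)
        self.pos = 0

    def below(self, n):
        limit = 256 - 256 % n
        while True:
            if self.pos == len(self.buf):      # ran dry: extend deterministically
                self.buf, self.pos = hashlib.sha512(self.buf).digest(), 0
            b = self.buf[self.pos]
            self.pos += 1
            if b < limit:
                return b % n

def derive_password(phrase, label, rule, when=None):
    length, required = RULES[rule]
    rng = ByteStream(phrase, f"{label}|{rule}|{period_tag(when)}")
    pool = "".join(CLASSES[c] for c in required)
    # One character from every required class, the rest from the whole pool...
    chars = [CLASSES[c][rng.below(len(CLASSES[c]))] for c in required]
    chars += [pool[rng.below(len(pool))] for _ in range(length - len(required))]
    # ...then a Fisher-Yates shuffle so the forced characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = rng.below(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

if __name__ == "__main__":
    # Constructed inputs; a real phrase would be read with getpass, never hard-coded.
    q1 = datetime(2005, 2, 15, tzinfo=timezone.utc)
    print(derive_password("open sesame", "mail", "corp10", q1))
```

Because the account label and the quarter are both part of the salt, each system gets an unrelated password and each rotation is reproducible from the phrase and a date alone.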

  13. Re:Page 2 reads... on U.S. Army Guide to Code Breaking · · Score: 1

    The very point I would have made...this stuff was declassified, [if it was ever classified] long ago. Its main significance in being published is only to tell us that the arms race between cryptographers and cryptanalysts has escalated so far beyond what is in the manual as to render it harmless.

  14. I just have one word for you all... on A Compact Guide To F/OSS Licensing · · Score: 1

    Black Duck

    Black Duck will have read this book and if you maybe sorta think you might want to read the book, you'd do well to hit their website and see what they do. IF you write commercial or licensed software and you hope to get some real mileage out of open source and not be SCO fodder, then a little time invested by somebody in your organization to know the ins and outs of mixing sources that come under various licenses is a prudent investment.

  15. I used to do that with nitric acid on Electrolytic Etching, For What A Dremel Can't Do · · Score: 3, Informative

    Works on brass too, but it's harder to get ahold of that stuff nowadays. Drano will probably work faster on Aluminum and not require electricity but you got to play with the concentrations or the process will heat up so fast it will melt your resist.

  16. Re:Peer Review on Free Scientific Journals · · Score: 1

    I'm probably missing your point. It seems to me that a scheme like that would mean that psychology journals could be all but given away and journals in high energy physics would cost around a million dollars a copy! Please refine/explain what you mean by "scientific journal is paying the researcher".

    Also, just how evil is it that the public pays to publish research results that the public paid for in the first place...what exceptions would there be [leaving DoD out of this for the moment] to the notion that publicly funded research is presumed to have some potential benefit to the tax paying public? And, having paid for salaries and equipment to get the research done, why not also pay to have the results disseminated? I put it this way to support one very important distinction: Tax money spent for research should be spent once, spent wisely and not to enrich anyone. Publication should simply be viewed as part of the research. The research is done to high standards with controls and validation steps and the publication should be done to high standards too, including readability and acceptance by review boards much as the research grants were reviewed and accepted. For this we don't even NEED scientific journals! The era when journal publication in a prestigious magazine like Science or Nature was how the public [that could even read such reportage] came to know the results of scientific work IS OVER! So what are these journals for? They are tokens that professors need in order to get tenure for one thing.

  17. Re:Do you old fortran programmers remember... on How Not to Write FORTRAN in Any Language · · Score: 1

    actually, if you tried the equivalent in Ada, you'd get your wrist slapped for the x[5] because Ada does array bounds checking. I don't know if it would raise the error at compile time but, as coded, the 5 is static so at least the info is present and a mechanism for checking....gawd I hate ada!

  18. Re:Free online review system? on Free Scientific Journals · · Score: 1

    Sounds crazy but I think something like that has been tried before and though "mob review" by completely random and unqualified commenters is a better description of the result, the scoring system salvages it from pure drivel and flame wars. One other thing: if the reviewers, ultimately a very qualified demographic, were subjected to advertising, those should be "viewers" before whom specialized advertisers [such as now pollute my Nature copies] would pay dearly to expose their copy...thus chipping in revenue to support a journal that offsets some of what is lost by not selling ridiculously expensive hardcopy to libraries.

  19. +Peer Review - Advertising - paper = online best on Free Scientific Journals · · Score: 1

    And /. subjects articles to MASSIVE though not noticeably rigorous mob review [though some /.ers are actually peers especially in the Developers, Books, BSD, Linux and IT sections.] and even though it's unevenly informed, the /. moderation is definitely an improvement over the take it or leave it one way flow of information in print journalism. The /. commenters don't get paid much [I'm still waiting for my check.] and are generally worth it but since their sheer numbers probably prop up /. ad revenue [if they make any?], I'd say there are even models where getting reviewed online could be cash positive for the publisher.
    I have been letting my journal subscriptions lapse and taking the [sometimes much cheaper] online-only format [Nature and SciAm at the moment] for reasons other than just cost: [1] my office is drowning in paper, magazines pile up everywhere and I am out of time for recycling and space for archiving. [2] I can search the downloaded forms of the journals. [3] I can burn two years worth to a single CD still searchable and immeasurably tidier than my paper pile.
    Peer Review is important. In Science News [a subscription I may keep], The articles summarize important journal articles and conference presentations [presumably already peer reviewed by the time they reach that stage] and then S.N authors hit their Rolodexes for [sometimes dissenting] assessments of the story from persons NOT involved in its publication but expert in the topic...With little time to read and new stuff flooding in, it's so valuable to not have that reader-at-the-mercy-of-the-author sensation you get with most news media treatments [and some industry-supported or advertising supported "journals"]
    Surely, the times [and the Globes and the Mirrors and the Chronicles] they are a changin'. I can't afford more than 3 or 4 subscriptions on my own and am just lucky to work where there is a world class technical library. If nothing else, the opening of the scientific publishing monopoly should be access for millions of readers and researchers who would otherwise have to sit out some of the great battles that now rage at the frontiers of knowledge.
    Did I say Massive? the meter has stuck at 17 comments all during my longwinded typing...well, here's 18...are the rest of you guys on the wrong site too?

  20. Re:forgotten lessons of Ada 83 or too young to kno on Coyotos, A New Security-focused OS & Language · · Score: 1

    Thanks. Informed perspective is what I always HOPE for in /. comments and once in a while I get it! I shouldn't complain about my job, but as a tax payer, I am aghast at what I am paid to rescue 10 year old algorithms from death by insupportability. I would LOVE to be translating the crypt full of Ada to some language that was not downright hostile to non-zero-based and range checked array indices [to mention one of several headaches they pay me to endure]. I am tempted to mention BitC to the Lab supervisor but they weren't the ones who chose to abandon Ada...the customer is always "right" about C++ :-(
    Personally, I jumped from C to Java and then got dragged back into C++ and lately have had to learn Ada PDQ...the weakness of my opinions about Ada has no end of great excuses. [Actually, I wish the world had stopped changing after we got DEC to ordain BLISS for systems programming but try and tell 10000 cowboy engineers what language they ought to use!]
    If anything, the years since the rise and fall of Ada have led to an attenuation of the extent to which humans can intervene (man-in-the-loop style or as human-monitored autonomous systems) in the operation of critical software. Consider for instance how much of our defense relies on space-borne platforms...if you have a bug or a lack of stability up there, you pray for a work-around. More than ever, we need tools that, at the very least, don't get in the way of making reliable systems.

  21. Do you old fortran programmers remember... on How Not to Write FORTRAN in Any Language · · Score: 1

    This bit of code...some compilers would let it go...and YOU'd have to figure out what the heck went wrong.

          integer i, n, sum

          sum = 1
          d0 18 i = 1, n
          sum = sum + i
          write(*,*) 'i =', i
          write(*,*) 'sum =', sum
       18 continue

    ..yup, not just an ugly language, but dangerous as a buzzsaw with no guards or kill switches.

  22. I'm kinda sad to hear this... on How a Venus Flytrap Snaps · · Score: 2, Interesting

    I used to imagine this was a plant with some way of mounting stimulus-response behavior akin to animals so I, complete biology nincompoop that I am, was expecting news of the discovery of an alternative to nerve tissue or some such thing. Now I hear it's mostly a mechanical trap. I hate having to constantly re-learn that nature is more clever than I am!

  23. Re:O/T: Your Sig on Oregon's Governor Backs Open Source Development · · Score: 1

    [giggling as I type]
    Good thing /. doesn't let us mod sigs; it's already a blog on the verge of utter chaos...though definitely some sigs are better than the comments they adorn.

  24. OK, so they moved. on Oregon's Governor Backs Open Source Development · · Score: 1

    across the Charles to Boston http://www.fsf.org/fsf/fsf.html Really, this is silly! You would only have to have a world capital of OSS if it were a business, or if it were run primarily by people with unhealthy needs for recognition, domination and money...that happens north of Portland or very near the Potomac. The coolest thing about the FSF website is the who's Gnus page...contributed software comes from all over the planet.

  25. Free Software Foundation was still in on Oregon's Governor Backs Open Source Development · · Score: 1

    Cambridge Mass. last time I checked. you gotta give it some weight. VA also has a lot of OSS projects within its borders.