I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.
Not really. Try storing on modern physical media a key of whatever length you like. Now try storing all the work you've ever done. I'm guessing they take up almost the exact same amount of space (and I'm not making commentary on how much work you've done!). The real utility comes in data transmission where bandwidth counts. I gaurantee you if you've got terabytes or petabytes of data on hand you're not encrypting all that, you're relying on physical security.
Any organization handling truly sensitive data doesn't have the luxury of using third party key management. As soon as you have to manage keys, the difficulty of encrypting data goes way up. For these applications, a six letter password isn't going to cut it. Security has little to nothing to do with encrypting data. You can just as easily lock the data in a safe. If you encrypt the data and lock the key in a safe, what's the difference? There is none. People often equate encrypted with secure and this is rarely, rarely the case.
Interesting that they picked OTP since you need a random source for all key generation. Anyway, this is overkill in the extreme. While generating good random numbers is tricky, it's perfectly possible with sources right here at home. If you want really good numbers, use something like thermal noise. If you want good numbers, use/dev/random. Either way it's a question of estimating the number of bits of entropy you have collected. That isn't straight-forward but it's perfectly possible. And a lot easier than trying to guarantee you get one bit of entropy per bit collected by carrying a radio telescope around with you.
Evaluate each one based on what's important to you. What language do you use? What platforms do you support? What libraries do you incorporate vs write yourself? I'm not sure there are shortcuts to answering any of these.
Ug, I know casio calls them "atomic" but on slashdot, please...these are simply watches that receive the VLF radio time signals transmitted by NIST from station WWVB near the US atomic clock in Boulder, Colorado. There's nothing atomic about them...other than the fact that they're made of atoms.
It's always bugged me that they call it quantum encryption since it's really classical encryption used in a quantum transmission role. I don't see anything "quantum" about the encryption itself. Of course, it probably sounds cooler that way...
I recommend you go with Linux over CE. I've had experience embedding both and I don't think there's much of a comparison. Linux may take more work in some cases but ultimately you can be assured it will do what you want. CE shifts with the Microsoft winds and there's no guarantee your hardware will be supported down the road. Now, that being said, if you're developing a PDA or other graphical device where user experience weighs in over flexibility of hardware, you may want to seriously consider CE. However, for 95% of embedded apps (higher?), I would go with Linux. If the linux community were to stop addressing the great variety of embedded devices that it currently does, there's more likely a bigger problem to deal with (armageddon, global extinction event, etc).
You made a huge inline claim without really ANY backup!
mmm...huge inline claim. Sounds like that could lead to memory thrashing. But seriously folks, if you took the time to actually read my post (you know, left to right, top to bottom), you'll see that I never made any such claim. There is simply nothing inherent in C# that will protect you from most classes of errors. Especially the really insidious ones that A.) You don't discover until it's too late and B.) Usually are the result of bad design, not bad language. At the end of the day, C#: Not that different from C++. The rules of logic still apply.
Easier = More Reliable? Er...perhaps. I've found more reliable means spending time doing good design and checking that you didn't f something up. Again, we're really not talking about whether a buffer overflows here; that can be accomplished with encapsulation and non-stupid design practice.
Ah, another true believer. I work heavily in both managed and unmanaged code (c/c++/c#) hybrid solutions. In my experience, a well designed C++ program is as stable as a well designed C# program. Who cares if it "crashes" if it doesn't do what you want? The worst program is one that seems to be working but is generating invalid results. Don't let anyone convince you that C# is going to provide more reliable execution. We use C# for its nice GUIs; C++ for cross-platform portability.
Don't kid yourself...I'm no marketing expert but I remember reading that "Don't squeeze the Charmin" was pretty much responsible for the success of a product in a market of exchangeable goods. Now, maybe processors aren't exchangeable, and maybe the average PC consumer is smarter (??). But either way, I think we can agree that you shouldn't wipe your ass with a processor...I mean, either way I think we can agree that in some cases it does matter.
And yet my own studies indicate there are fewer women on the internet dating sites.
Re:The cost of doing the right thing
on
Peter Quinn Resigns
·
· Score: 2, Insightful
News networks producing stories that seem to have been inaccurate (from the article) is a problem with government?
Sure. There's always going to be someone there to second guess, be it the media or someone else. It's the reponse to those opinions (usually made without even bothering to understand the issue) that causes the problem. Do you honestly think there wasn't some pressure put on this guy to leave? Pressure comes in many forms. They can say nothing to you at all while simultaneously conveying the fact that you have no future.
Re:The cost of doing the right thing
on
Peter Quinn Resigns
·
· Score: 3, Insightful
Well, that's nothing new. However, having worked in government for many years I can tell you it is a rare thing indeed for someone at this level to do anything other than what is needed to get by. What you would consider the easiest and most logical decision imaginable is not made. And it is not made because it is the harder thing to do as the right decision usually is.
Slashdot Mirror
The message never exists on the computer of either the sender or recepient? Other than when it does and you're reading it, right?
There's nothing wrong with ohio...except the snow, rain, and fraudulent voting of course.
Uh, apparently your reply is bogus. Sorry.
I don't think we really needed the 3rd grade scienst lesson.
but a spelling one would be nice.
I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.
Not really. Try storing on modern physical media a key of whatever length you like. Now try storing all the work you've ever done. I'm guessing they take up almost the exact same amount of space (and I'm not making commentary on how much work you've done!). The real utility comes in data transmission where bandwidth counts. I gaurantee you if you've got terabytes or petabytes of data on hand you're not encrypting all that, you're relying on physical security.
Any organization handling truly sensitive data doesn't have the luxury of using third party key management. As soon as you have to manage keys, the difficulty of encrypting data goes way up. For these applications, a six letter password isn't going to cut it. Security has little to nothing to do with encrypting data. You can just as easily lock the data in a safe. If you encrypt the data and lock the key in a safe, what's the difference? There is none. People often equate encrypted with secure and this is rarely, rarely the case.
Plain old video did kill the radio star.
Ah, good point. I stand corrected.
Interesting that they picked OTP since you need a random source for all key generation. Anyway, this is overkill in the extreme. While generating good random numbers is tricky, it's perfectly possible with sources right here at home. If you want really good numbers, use something like thermal noise. If you want good numbers, use /dev/random. Either way it's a question of estimating the number of bits of entropy you have collected. That isn't straight-forward but it's perfectly possible. And a lot easier than trying to guarantee you get one bit of entropy per bit collected by carrying a radio telescope around with you.
Intergalactic Public Key Infrastructure
Evaluate each one based on what's important to you. What language do you use? What platforms do you support? What libraries do you incorporate vs write yourself? I'm not sure there are shortcuts to answering any of these.
Ug, I know casio calls them "atomic" but on slashdot, please...these are simply watches that receive the VLF radio time signals transmitted by NIST from station WWVB near the US atomic clock in Boulder, Colorado. There's nothing atomic about them...other than the fact that they're made of atoms.
It's always bugged me that they call it quantum encryption since it's really classical encryption used in a quantum transmission role. I don't see anything "quantum" about the encryption itself. Of course, it probably sounds cooler that way...
It would appear not. At the very least, it is not included in SANE in either the internal or external backends. For that matter, no Planon scanner is.
I recommend you go with Linux over CE. I've had experience embedding both and I don't think there's much of a comparison. Linux may take more work in some cases but ultimately you can be assured it will do what you want. CE shifts with the Microsoft winds and there's no guarantee your hardware will be supported down the road. Now, that being said, if you're developing a PDA or other graphical device where user experience weighs in over flexibility of hardware, you may want to seriously consider CE. However, for 95% of embedded apps (higher?), I would go with Linux. If the linux community were to stop addressing the great variety of embedded devices that it currently does, there's more likely a bigger problem to deal with (armageddon, global extinction event, etc).
Easier = More Reliable? Er...perhaps. I've found more reliable means spending time doing good design and checking that you didn't f something up. Again, we're really not talking about whether a buffer overflows here; that can be accomplished with encapsulation and non-stupid design practice.
Ah, another true believer. I work heavily in both managed and unmanaged code (c/c++/c#) hybrid solutions. In my experience, a well designed C++ program is as stable as a well designed C# program. Who cares if it "crashes" if it doesn't do what you want? The worst program is one that seems to be working but is generating invalid results. Don't let anyone convince you that C# is going to provide more reliable execution. We use C# for its nice GUIs; C++ for cross-platform portability.
If they're not already using it, they should try this stuff.
Gleick's just jealous (but Wolfram is livid and Feynman is rolling over in his grave).
Don't kid yourself...I'm no marketing expert but I remember reading that "Don't squeeze the Charmin" was pretty much responsible for the success of a product in a market of exchangeable goods. Now, maybe processors aren't exchangeable, and maybe the average PC consumer is smarter (??). But either way, I think we can agree that you shouldn't wipe your ass with a processor...I mean, either way I think we can agree that in some cases it does matter.
And yet my own studies indicate there are fewer women on the internet dating sites.
Sure. There's always going to be someone there to second guess, be it the media or someone else. It's the reponse to those opinions (usually made without even bothering to understand the issue) that causes the problem. Do you honestly think there wasn't some pressure put on this guy to leave? Pressure comes in many forms. They can say nothing to you at all while simultaneously conveying the fact that you have no future.
Well, that's nothing new. However, having worked in government for many years I can tell you it is a rare thing indeed for someone at this level to do anything other than what is needed to get by. What you would consider the easiest and most logical decision imaginable is not made. And it is not made because it is the harder thing to do as the right decision usually is.