What choice do they have? It could take 4hrs to verify someone is on such a drug. It ended well so this is hardly a controversy.
How many flights have you arrived for where a 4-hour delay wouldn't have caused huge problems for you?
With most airlines I know, you lose your flight if you don't get through security on time, and if you can't pay for a much more expensive ticket on the next flight then you might lose your entire holiday.
Is it possible to get surgery or laser-work which just replaces your fingerprints with abusive messages directed towards anyone scanning them?
probably a wheelchair
Well yeah, and the wheelchair doesn't go through x-ray nor does the person in it, plus you don't queue for security -- probably the quickest/easiest way to get airside short of wearing a police uniform.
ah, the good old "tell us everything that would be useful for blackmailing you and we'll write it all down" method that the RAF use for doing security clearance... just trust us with all your embarrassing secrets - what could possibly go wrong?
Correct me if I am wrong, and do not mean any ill will towards the winner of this contest, but doesn't it make more sense to just hire someone from the island to do it? It would either be quicker, cheaper, or possibly both.
I think they're doing that already -- giving GPS devices to people in developing countries to help make free maps. e.g. see http://foundation.openstreetmap.org/gpstogo/
If you think that is ironic, then note that the story poster is worried about his ability to get a job if he dies in a bus accident.
maybe he could work as a voter in Florida?
Passwords do need to be written down, and stored in "escrow". I put the list of passwords in an envelope, lick-seal it, sign and date the seam, and then seal it again with clear packing tape. Give it to the boss to put in his safe.
Yes, it's easy to open, but you'd know whether someone tried to tamper with it.
well, the person with access to the safe would know whether someone tried to tamper with it...
otherwise known as D.I.Y. DRONES...
Don't sue your potential customers.
According to the article, there is no 'potential customer' here, just a 'STFU' from your friendly competitor who has a monopoly in the OS market and used that to force a monopoly in the word-processor market.
if they're forcing the population of switzerland to pay to support your competitor's business ideas, why would you not sue them to challenge that?
Completely wrong. The law isn't mathematics, and doesn't need to be 100% provably correct. To be admissible the device only has to be accurate to within a set of standards
So according to your theory, witness statements are unchallengeable if the witness meets a certain set of minimum requirements?
sorry, but I think that theory is rubbish. Witnesses can be cross-examined and if their testimony is found to contain any errors then they're considered tainted.
Why should cross-examination be any less stringent when the witnesses code their opinions as embedded C++ within a breathalyser?
I would think that if half your accounts get attacked in a few hours, it might be a good idea to just go ahead and cut the wire to the outside world until you get control of the situation.
the PP was talking about password guesses, i.e. someone who can't break into your account nonetheless preventing you from logging in just by guessing 3 times.
so you're willing to prevent a legit user from working because someone who knows their account name (clearly exposed in email addresses etc) made 3 anonymous connections per 3 days to your network?
Mod parent up as one of the few who understands how forced password changes are generally bad for security.
thanks. just an amateur at security, but apparently the professionals can make-up arguments which baffle me... ;)
anyway, the "time since compromised" thing - surely once an account's password is guessed, that's it -- security is failed?
so if you change passwords every 10 seconds, the hacker doesn't give a fig since he already has a login token valid for 15 or 30 minutes which allows him to download everything accessible by the person with the weak password
what exactly are password-expiry people hoping to gain by shutting-off access 30 days later? Do they think the compromised account didn't have permissions to install an app which will compromise the next password? (remembering that security didn't detect this compromise, hence why they're relying on the password expiry as their only way to lock-out crackers who are already in their network)
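The point made in the comments above about a login token surviving a password change, as an added example (not code from any poster): a token-based login where rotating the password does not evict an attacker who already holds a valid 30-minute token, alongside one common remedy, a per-account "credential generation" counter embedded in the token and checked on every request. The account store, the user `bob`, and the passwords are constructed for the demo; a real store would hold a salted hash rather than the plaintext shown here.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # server-side HMAC key for signing tokens (demo only)
TOKEN_TTL = 30 * 60       # 30-minute tokens, as in the comment above

# Constructed demo account store: user -> {"pw": ..., "gen": n}.
# "gen" is bumped on every password change; plaintext "pw" is for the demo only.
ACCOUNTS = {"bob": {"pw": "winter2008", "gen": 0}}


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, password: str, now: int, bind_generation: bool):
    """Return a signed bearer token, or None on bad credentials."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["pw"], password):
        return None
    # Without generation binding the token carries no link to the credential
    # it was issued against, so a later password change cannot invalidate it.
    gen = acct["gen"] if bind_generation else 0
    payload = f"{user}|{gen}|{now + TOKEN_TTL}"
    return payload + "|" + _sign(payload)


def check_token(token: str, now: int, bind_generation: bool) -> bool:
    """Validate signature, expiry and (optionally) credential generation."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    user, gen, exp, sig = parts
    if not hmac.compare_digest(_sign(f"{user}|{gen}|{exp}"), sig):
        return False
    if int(exp) < now:
        return False
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    # The remedy: a token minted under an older generation is dead as soon
    # as the password changes, whatever its nominal expiry says.
    if bind_generation and int(gen) != acct["gen"]:
        return False
    return True


def change_password(user: str, new_pw: str) -> None:
    ACCOUNTS[user]["pw"] = new_pw
    ACCOUNTS[user]["gen"] += 1


def attacker_still_in(bind_generation: bool) -> bool:
    """Attacker guesses the weak password, gets a token; the password is
    changed 10 seconds later. Does the attacker's token still work?"""
    ACCOUNTS["bob"] = {"pw": "winter2008", "gen": 0}   # reset for each run
    t0 = 1_000_000
    stolen = issue_token("bob", "winter2008", t0, bind_generation)
    change_password("bob", "new-long-random-passphrase")
    return check_token(stolen, t0 + 10, bind_generation)


if __name__ == "__main__":
    print("naive tokens, attacker still in:", attacker_still_in(False))  # True
    print("generation-bound tokens, attacker still in:", attacker_still_in(True))  # False
```

Expiring passwords on a schedule does nothing for the first case; only tying issued sessions to the credential they were minted against (or explicitly revoking sessions on a password change) closes the window the comment describes.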
"Their taste for another rewarding beverage -- sugar water -- was unaffected."
research sponsored by coke?
And, for the expert users out there, it's just more fun to buy a computer with Linux already on it and not have to pay the Microsoft tax.
I thought we paid that tax EVEN IF we bought a Linux laptop.
Well you could buy a macbook from EmperorLinux and only pay for the Mac OS X license to use Linux ;)
or just get an Asus eee - for £156 there's not much room to hide the cost of an unused Windows license!
In the UK, try: http://www.efficientpc.co.uk/
don't bother with Dell - once you've found a machine that you want, there's no way they're going to put linux on it unless you request an offline quote that means you get no discounts and can't do easy comparisons between different configurations. Or unless you go through their "linux portal" that makes everything more expensive.
Oh, and Dell will only sell you the most expensive possible version of the most expensive linux distribution unless you get one of their "toy" pink laptops from the 'home' section. (and who knows, they might give money to Microsoft on your behalf anyway)
It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually.
With password changes, you get the password even quicker, because there are only a very small number of sequences that people can think-up once per month, compared with a larger number of unique passwords that they can think-up just once.
It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.
Yes, this does allow for DoS attacks. So what?
so they can prevent everyone from logging-in. would that not cause a problem to your login system?
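The lockout argument running through the comments above (three anonymous failures lock the account, so anyone who knows a username can lock its owner out), as an added example that is not from any poster: a naive per-account lockout next to a throttle keyed on (source, user) that slows a guesser down without handing him a denial-of-service button. The user `alice`, her password, the addresses and the thresholds are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed demo credential store: username -> (salt, pbkdf2 digest).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False   # demo shortcut; a real check hashes anyway to avoid a timing oracle
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


class LockoutLogin:
    """The policy defended above: on the 3rd failure the account is locked,
    no matter where the attempts came from."""
    MAX_FAILURES = 3

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user: str, password: str, source: str) -> str:
        if user in self.locked:
            return "locked"
        if password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
        return "bad-password"


class ThrottledLogin:
    """Alternative: cap failures per (source, user) inside a sliding window.
    The guesser is held to a few tries per window per address; the real
    user coming from another address is never locked out."""
    WINDOW = 900          # seconds
    MAX_PER_WINDOW = 5

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.attempts = defaultdict(list)   # (source, user) -> failure timestamps

    def login(self, user: str, password: str, source: str) -> str:
        now = self.clock()
        key = (source, user)
        recent = [t for t in self.attempts[key] if now - t < self.WINDOW]
        self.attempts[key] = recent
        if len(recent) >= self.MAX_PER_WINDOW:
            return "throttled"
        if password_ok(user, password):
            self.attempts[key] = []
            return "ok"
        recent.append(now)
        return "bad-password"


def demo() -> dict:
    """Three anonymous guesses from 198.51.100.7, then alice logs in from
    her own machine at 192.0.2.10 with the right password."""
    lock, thr = LockoutLogin(), ThrottledLogin()
    for i in range(3):
        lock.login("alice", f"guess{i}", "198.51.100.7")
        thr.login("alice", f"guess{i}", "198.51.100.7")
    return {
        "lockout": lock.login("alice", "correct horse battery staple", "192.0.2.10"),
        "throttle": thr.login("alice", "correct horse battery staple", "192.0.2.10"),
    }


if __name__ == "__main__":
    print(demo())   # {'lockout': 'locked', 'throttle': 'ok'}
```

The throttle still has a weakness worth knowing: an attacker who shares the victim's source address (same NAT, same proxy) can hit the per-source cap, so production systems usually pair it with a per-account alert and a step-up check rather than a hard lock.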
80% of the code in business fits this description
how much of that code is given police powers to arrest someone?
Perhaps they're coded inelegantly or poorly, but do they actually spit out inaccurate numbers?
Irrelevant - the test is: do they always spit-out provably correct numbers?
As others have mentioned, XKCD explains much better why IDS seems wrong...
the modern treatment of "illegal enemy combatant" by the US has been immoral. But, it allows for the summary execution of saboteurs, spies, etc. during times of war.
It sounds very similar to the Commando Order, which might be a problem because that was illegal - and people were tried as war criminals for summarily executing saboteurs and spies (e.g. Wikipedia mentions Alfred Jodl, who was hanged for behaving as we seem to be encouraging Americans to behave)
I dunno...do you really think they'd have addressed things like "only 11 out of hundreds" of facilities having intrusion detection measures unless somebody did this?
To me, that seems an odd sort of thing to mention. Having an IDS rather assumes that hackers have free access to the network and that the "security" is limited to chasing them down.
Surely a system with correct security doesn't need IDS, because there would be nothing to detect?!? i.e. a secure system only allows actions which it knows are correct, whereas an IDS detects the system allowing actions which it knows are incorrect.
And you may notice that you missed my point. Not that I particularly agree with my point; the new prisons will not house nearly enough people to make any sizeable dent in the unemployment figures. For that, we have to employ them in local government.
Or let the government pay them to work at McDonald's
Am I the only one who has no idea who or what Phorm is?
For everyone else like me, a quick google search tells me that it is a company that makes advertising software that borders on spyware.
They became famous for illegally wiretapping the internet connections of BT broadband customers and using the information thus gleaned to decide which adverts to serve to whom.
I wonder if they'll adopt the same strategy in other countries?
I certainly haven't seen any advertisements yet about "Tele2 - the company that brings small bills and big privacy".
The UK just decided that ISPs should record all internet traffic and store it for a specified period in case the government wants to dip in for a snoop...
so don't trust anyone in the UK, although exit-nodes here should be okay if they only store IP and timestamp.