Slashdot Mirror


User: Anrego

Anrego's activity in the archive.

Stories: 0
Comments: 2,089

Comments · 2,089

  1. Re:Silly on Swallowing Your Password · · Score: 1

    Yes, but how do you validate that the public key I send you is actually my public key? You have to already have it or it has to be stored somewhere that the other party trusts, bringing us right back to our original problem.

    PKI lets two parties communicate securely without having ever spoken, and it lets one party validate that something was actually sent by another party _if they have the other party's public key and can trust it_.

    Biometrics doesn't add anything useful to this equation that I see. Sure you can use some biometric information as a private key and generate a public key, but what does that give you over using some random number to generate a public key. It still comes down to the party at the other end having that public key and being reasonably sure it's yours.

  2. Re: Silly on Swallowing Your Password · · Score: 1

    Sure, but how do they apply to confirming an identity and not a capability?

    Maybe I'm too thick to get it, but I can't see how say, a bank, can validate that you are who you say you are without at least knowing _something_ about you that you can then verify through whatever means.

  3. Re:Silly on Swallowing Your Password · · Score: 1

    Right, but there has to be a public key involved at some point.

  4. Re:Silly on Swallowing Your Password · · Score: 1

    meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place

    As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.

    There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.

  5. Re:Silly on Swallowing Your Password · · Score: 1

    I can kinda see the appeal of an implanted device, but yeah, there's no reason such a system couldn't be a fob you carry around with you (or somewhat unfortunately more likely, baked into your phone).

  6. Re:Silly on Swallowing Your Password · · Score: 1

    Assuming it was based on current public key encryption, even if broken an attacker would still need to harvest private keys from users to make use of it. That's gonna require special equipment (portable reader of some kind) and time.

    Sure, damage would be done, but it wouldn't be the apocalypse. I suspect you'd see less impact than you do with current CC theft. AES being broken would be a far bigger deal on the internet where it would be much easier to apply the attack in a widespread manner.

  7. Silly on Swallowing Your Password · · Score: 5, Insightful

    The problem with this, and biometrics in general, is that there is only one you.

    You can't revoke your "vein pattern" any more than you can revoke your fingerprint. Using your same biometric information for everything has the same pitfalls as using the same password for everything, and you are just one sketchy gas station away from someone getting a copy.

    If you are going to implant something, why not implant a challenge/response system with a public/private key and strong cryptography, like you know, we've been doing on the internet with a good amount of success. A random very large number is just as good as any biometric information, and at least you can change it.

  8. Re:FreedomBox on Why the Journey To IPv6 Is Still the Road Less Traveled · · Score: 1

    Privacy isn't of great concern to many. It's not even an issue of comprehension. There are people who understand the privacy implications of things like facebook, but still happily participate because the social aspects are more appealing to them.

    Social media in general has caught on because a great many people _want_ to share everything about themselves to everyone. Sites like what you linked to do a fairly poor job of convincing such people because they:

    - Tend to focus on unrelatable things (like oppression in other countries, or oppression of people at home they can't personally relate to).
    - Are written from an opposite viewpoint where privacy is just automatically an important thing that everyone should want. If social media has shown us anything, it's not to many people. The FSF is at the forefront of this too. When you write a blathering piece where you just assume your position from the beginning, people who don't already agree just roll their eyes, and the only ones you convince are those who already agreed.
    - Not the case here, but often times focus on rare events where some shared information is used against them.

    Very least, going as far as running a server at home, even one that's basically a pre-configured appliance, is a fairly extreme step for most non-geeks to take unless you can make a really compelling argument that doesn't involve dystopian futures and acid mines.

  9. Re:IPv6 and Rust: overhyped and unwanted! on Why the Journey To IPv6 Is Still the Road Less Traveled · · Score: 1

    I get that NAT isn't a firewall, but I think it makes a nice second layer.

    Let's say I'm using shorewall, and for whatever reason I break my config and don't notice.

    Consider: (big bad internet) -- (broken shorewall + nat) -- (internal boxes)

    Suddenly you can't get to anything I was forwarding (which I'll probably notice) and yes there are probably effective attacks to get at my internal boxes through the nat, but at least it's not wide open as I imagine it would be in a configuration without nat.

  10. Re:IPv6 and Rust: overhyped and unwanted! on Why the Journey To IPv6 Is Still the Road Less Traveled · · Score: 1

    It's compelling arguments like that which will surely convince people to give a shit about ipv6.

  11. Re:IPv6 and Rust: overhyped and unwanted! on Why the Journey To IPv6 Is Still the Road Less Traveled · · Score: 1

    I doubt they'll go this route, but what would make sense to me would be to give customers the option to request a direct connection.

    Between cell phones and people who have no interest in running a server (even unintentionally), there's probably only a small portion of people out there who really need a direct connection, and there are probably plenty of IPs to support them if you put everyone else on CGN.

  12. Re:IPv6 and Rust: overhyped and unwanted! on Why the Journey To IPv6 Is Still the Road Less Traveled · · Score: 1

    As someone who's not really a networking guy, this!

    I like the extra layer NAT provides. It's no substitute for a firewall of course, but having your internal boxes not publicly addressable at all adds an extra layer of warm and fuzzy.

    Is this attitude wrong? Probably. But it is also pervasive.

  13. Re:These days... on Reddit CEO Ellen Pao Bans Salary Negotiations To Equalize Pay For Men, Women · · Score: 4, Insightful

    I feel like it exists for a few main reasons:

    - People have different priorities. Some are all about the money, some want the retirement contribution, some want equity, some want vacation, etc. People also proportionally value these things differently. How much do you value an extra week of vacation to say, more retirement contribution or more salary? Negotiation solves this problem.

    - As has been said, the employer and candidate have two directly opposing goals. The employer wants to pay the least they can while not feeling like you'll get a higher paying opportunity a few weeks later, and the employee wants the most money.

    - Negotiation keeps things competitive. If every company stopped allowing negotiations, it would either become a race to the bottom or the top (I'm actually not even sure which, but the cynic in me thinks bottom).

    Ultimately, I think this whole thing is stupid. I'm a guy, but I have to imagine this is patronizing as all hell to women. Isn't this the kind of shit feminists have been fighting forever?

  14. Re:And yet, no one understands Git. on 10 Years of Git: An Interview With Linus Torvalds · · Score: 1

    I made a post about this above, but yeah, that describes my current relationship with git, and is one of the reasons I don't enjoy using it.

    I feel like I truly know svn, I understand what it does and am very comfortable with how it works. Part of that is just having used it for a long time, but I do feel like git is much harder to wrap your head around.

    With git I feel like I'm just following a bunch of recipes that I know work (or seem to work), and that's really not a good way to go about anything. Every time I try and get my head around the guts of git, I feel like it's been made intentionally screwy, and most git users I've talked to seem to just operate on the same recipe set I do. It just feels icky.

  15. Re:And yet, no one understands Git. on 10 Years of Git: An Interview With Linus Torvalds · · Score: 3, Interesting

    As someone mostly in the "I dun get it" crowd, I'll say the problem for me is that I feel like while I can use it, I don't have a great deal of understanding as to what it's actually doing outside of the basics. I feel like I'm following a bunch of recipes that I know work.

    With svn (which admittedly I've used for many years and on sizable projects vs git which I've used for months and on small stuff), I feel like I have a really good grasp of the whole thing. Sure there are some subtle bits I don't know because I've never needed, but I know the important bits, and I feel like from that I can solve just about any problem I run into by understanding what svn is trying to do and why it's not working.

    I get that at least some of this is just inexperience, but I think even with experience, git seems far more complex and nuanced than svn, which has a relatively consistent way of working and seems to have a much smaller set of features. I feel like I got comfortable with svn way faster, and at that point I was only mildly familiar with version control in general.

    I know I'm gonna get flamed for this, but just wanted to provide some insight into the mind of someone who hasn't jumped on the git bandwagon yet.

  16. Re:Radio Time sync? on Internet of Things Endangered By Inaccurate Network Time, Says NIST · · Score: 2

    There's also GPS, for which receivers are very cheap and which provides very accurate time.

    This article is nonsense. Assuming IoT ever becomes an actual thing, the vast majority of devices won't need any better than the "good enough" that NTP provides. Those that do will probably manage their own time using accurate clocks and GPS.

    Time synchronization rarely matters. Usually you need an accurate clock (i.e. exactly 100hz) way more than you need your time to be within 0.100ms of someone else's time.

  17. Re:DICE OWNS SLASHDOT, disclaimer needed! on Do Tech Companies Ask For Way Too Much From Job Candidates? · · Score: 1

    We used to at least get a disclaimer, even if it was just an article _about_ something geeknet owned.

    Slipping their own garbage in the mix with things a user might have actually submitted is pretty shitty, and the campaign id in the URL is just obscene.

  18. Re:Fuck Off Dice on Do Tech Companies Ask For Way Too Much From Job Candidates? · · Score: 2

    I think using slashdot to promote their own trash articles is a bit sketchy.

    Take a look at Nerval's Lobster's user page. The account exists for the sole purpose of posting dice.com garbage. There is no way actual users submit this crap. The URL even has a campaign id in it so they can track the success of their shit posting.

    This kind of behaviour makes me want to be defiant in the least significant and most petty way possible... so I took slashdot off my adblock whitelist.

  19. Re:And plan on Do Tech Companies Ask For Way Too Much From Job Candidates? · · Score: 1

    I'm actually just now at the "oh shit, I really gotta figure out how money works" stage in my life.

    I managed to save enough for a decent down payment on a house by dumping cash into a savings account for a bunch of years, and I have RRSPs because it was a checkbox and a form when I joined the company. I'm pretty good about living within my means (no debt aside from the mortgage), but I don't know shit about investing and if the "retirement calculator" on our company's group retirement page is any indication, I ought to learn soon.

    Will definitely look into that book...

  20. Re:Interesting, Given Age on Do Tech Companies Ask For Way Too Much From Job Candidates? · · Score: 3, Interesting

    This really does scare me.

    The only options I really see (for myself at least) are:

    - management, which as you mentioned isn't for everyone
    - self employment / consulting
    - develop a niche skillset in a long term industry (aerospace, defense, medical, etc.. some company that will keep you around until you retire because you speak the language, can talk to the customer, and have legitimately valuable experience in some niche area).

    Personally I'm banking on 3, with 2 as a fallback.

  21. Re:Conversly on Do Tech Companies Ask For Way Too Much From Job Candidates? · · Score: 2

    Agree.

    If the resume is going to be read by a human and not keyword filtering software, I think a decent programmer only needs to list the things he is specifically skilled in. I'm going to presume someone with 5 or 6 years experience knows a handful of scripting languages, knows what version control is, can do basic database stuff, can use a bug tracker, etc.

  22. Re:All it means is on Do Tech Companies Ask For Way Too Much From Job Candidates? · · Score: 5, Insightful

    Indeed.

    Most decent companies, HR is just a first hurdle. Make sure you specifically use all the key words in the job description exactly as they appear (don't use networking if they asked for TCP/IP .. say TCP/IP), use phrases like "I've been involved with x and similar technologies for <number of years they want>" when x is something that has only existed for a year, etc. The project manager/team lead who ultimately interviews you probably has the same level of respect for the HR technical evaluation as you do.

  23. Re:Funny thing... on Listen To a Microsoft Support Scam As It Happened · · Score: 1

    I've tried to keep them on the line and waste their time, but they figure it out pretty fast and just hang up (although once I did get a bit of profanity, so I was kinda proud of that).

  24. Re:No lyrics. on Musician Releases Album of Music To Code By · · Score: 1

    I like Marillion. I find the vocals are a bit jagged, but the guitar is definitely good. Haven't heard of the other two. Will throw them on the pile o` stuff to listen to.

  25. Re:music, etc on Musician Releases Album of Music To Code By · · Score: 1

    Have been wondering this myself. The recent site instability, frequent downtime, and sudden "everything looks like shit" layout changes seem to imply that either:

    a) they've given up trying to get us to swallow beta and are opting to fuck up the "normal" version of the site
    b) they're trying to encourage people to switch by making the "normal" version of the site even shittier than beta