Slashdot Mirror


User: GroovinWithMrBloe

GroovinWithMrBloe's activity in the archive.

Stories
0
Comments
40

Comments · 40

  1. Re:Similar to PinPlus on Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind · · Score: 1

    It's a bit more than 7 squares. See a demo here (the java applet): http://pluspin.com/demo/newsoftheworld - and obviously you can configure it to enforce a minimum pattern complexity if so required.

  2. Similar to PinPlus on Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind · · Score: 1

    I've looked at these guys before, http://www.pinplus.net/content/pin-nutshell Basically you remember a pattern, and then to log in you are presented with a large grid of letters/numbers from which you type the letters/numbers corresponding to your pattern. So you never reveal your pattern at any point; keyloggers/screenscrapers never have access to it. Even if someone did get a screengrab, there are multiple instances of each letter/number in the grid, so you can't tell which position in the grid the user was referring to.
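
The scheme as the commenter describes it, simulated as an added example (editor's code, not PinPlus's own implementation). The 30-cell grid holding three copies of each digit and the four-cell pattern are assumed sizes; the page does not give the real product's dimensions. One screengrab plus one keylog leaves 3^4 = 81 patterns consistent with what was typed, which is the property claimed above. The caveat a practitioner wants is the second half: an attacker who records several logins can intersect the candidate cells for each pattern position, and the pattern falls out after a handful of sessions.

```python
import random

SYMBOLS = "0123456789"
COPIES = 3                      # every symbol appears this many times in each grid (assumed)
CELLS = len(SYMBOLS) * COPIES   # 30-cell grid; the real product's grid size is not stated on the page


def make_grid(rng):
    """Fresh challenge grid: COPIES of every symbol, positions shuffled."""
    grid = list(SYMBOLS) * COPIES
    rng.shuffle(grid)
    return grid


def response(grid, pattern):
    """What the user types: the symbols currently shown at the secret pattern cells."""
    return "".join(grid[cell] for cell in pattern)


def verify(grid, pattern, typed):
    """Server-side check; the pattern itself never crosses the wire."""
    return typed == response(grid, pattern)


def candidates_from_capture(grid, typed):
    """Attacker view from ONE screengrab + keylog: for each pattern position, every
    cell that showed the typed symbol. The true cell is always among them."""
    return [{i for i, s in enumerate(grid) if s == sym} for sym in typed]


def count_consistent(cands):
    """How many distinct patterns explain the captured evidence."""
    n = 1
    for s in cands:
        n *= len(s)
    return n


def intersect_captures(captures):
    """Intersect the per-position candidate sets over several captured logins."""
    cands = None
    for grid, typed in captures:
        sets = candidates_from_capture(grid, typed)
        cands = sets if cands is None else [a & b for a, b in zip(cands, sets)]
    return cands


def sessions_to_recover(pattern, rng, max_sessions=20):
    """Attacker who records every login until each position has a single candidate.
    Returns (sessions used, candidate sets)."""
    captures = []
    cands = None
    for k in range(1, max_sessions + 1):
        grid = make_grid(rng)
        captures.append((grid, response(grid, pattern)))
        cands = intersect_captures(captures)
        if all(len(s) == 1 for s in cands):
            return k, cands
    return max_sessions, cands


def attack_demo(seed=7, secret=(0, 7, 14, 21)):
    """Constructed run: fixed seed, four-cell secret pattern (cells chosen arbitrarily)."""
    rng = random.Random(seed)
    grid = make_grid(rng)
    typed = response(grid, secret)
    one_capture = count_consistent(candidates_from_capture(grid, typed))
    k, cands = sessions_to_recover(secret, random.Random(seed))
    recovered = [next(iter(s)) if len(s) == 1 else None for s in cands]
    return verify(grid, secret, typed), one_capture, k, recovered


if __name__ == "__main__":
    ok, one_capture, k, recovered = attack_demo()
    print("login accepted:", ok)
    print("patterns consistent with one capture:", one_capture)
    print("sessions until the pattern is unique:", k, "recovered:", recovered)
```

The single-capture figure is exactly what the comment promises; the convergence after a few sessions is why schemes of this kind must limit how many challenges an observer can collect (rate limits, one-time use, or pairing with a second factor) rather than relying on the grid ambiguity alone.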

  3. GBP not UKP on UK Taxpayers' Money Getting Wasted On IT Spending · · Score: 1

    500 UKP computer.
    2450 UKP extra costs incurred by dealing with the UK government's self-serving bureaucracy.
    50 UKP delivery.

    It's GBP - for Pound Sterling. Admittedly not as intuitive as one would first think (Great Britain Pounds? No).

  4. Re:Facebook/Twitter Login? on Microsoft Social Media Site Accidentally Revealed · · Score: 1

    Don't forget, Microsoft has also invested in Facebook.

  5. Slap anyone that sets a root password on Vodafone Femtocells Rooted, Secret Keys Exposed · · Score: 1

    In embedded devices like these, there is no reason to use a root password. The devices should be locked down completely with a process to update them with signed firmware.

    If they need some form of remote access, they should at the very least use SSH PKI.
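
An added example of what "SSH PKI" for remote access means in sshd terms (editor's code, not anything from Vodafone or the femtocell firmware): a weak configuration beside a hardened one, plus a small audit that reads the file the way sshd does. Both configuration texts are constructed; the check covers only the keywords relevant to a keys-only posture and stops at the first Match block, which it does not model.

```python
WEAK_CONFIG = """\
# constructed: what an embedded device should NOT ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: key-based admin access only, no interactive root password
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""

# OpenSSH defaults for the keywords audited below (current releases).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# PermitRootLogin values that never accept a root password.
SAFE_ROOT = {"no", "prohibit-password", "without-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Read keyword/value pairs the way sshd does: the FIRST value given for a
    keyword wins and later duplicates are silently ignored, keywords are
    case-insensitive, '#' starts a comment, 'Key=value' is accepted.
    Conditional Match blocks are out of scope here, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:
            parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return findings as strings; an empty list means keys-only access."""
    parsed = parse_sshd_config(text)
    # ChallengeResponseAuthentication is the pre-8.7 name of KbdInteractiveAuthentication.
    if "challengeresponseauthentication" in parsed:
        parsed.setdefault("kbdinteractiveauthentication", parsed["challengeresponseauthentication"])
    cfg = dict(DEFAULTS)
    cfg.update(parsed)
    findings = []
    if cfg["permitrootlogin"].lower() not in SAFE_ROOT:
        findings.append("PermitRootLogin %s: root may log in with a password" % cfg["permitrootlogin"])
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication %s: password logins accepted" % cfg["passwordauthentication"])
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication %s: PAM/keyboard-interactive can still prompt for a password"
                        % cfg["kbdinteractiveauthentication"])
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication %s: key login disabled" % cfg["pubkeyauthentication"])
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_sshd_config(cfg) or ["ok"])
```

The first-value-wins rule is the usual trap: an operator who appends `PasswordAuthentication no` below a vendor default of `yes` has changed nothing, and the audit above reports that correctly.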

  6. The person has a job on Ask Slashdot: Living Without Internet At-Home Access? · · Score: 1

    I think he's actually unemployed and out of money and needs to save his $$$

    The summary suggests otherwise: "I'll also still have access to the internet at my office"

  7. Examples of pedestrian islands on Roundabout Revolution Sweeping US · · Score: 1

    Example: http://maps.google.co.uk/maps?ll=-36.79191,174.771398&spn=0.001697,0.003484&sll=51.629526,-0.175223&sspn=0.021045,0.055747&t=h&z=19

    See the two roundabouts? They each have pedestrian islands on each side road.

    The roads themselves aren't high volume, but rather than having to come to a complete stop at each intersection and look, or install traffic lights and wait until the cycle goes green, you can basically drive straight through and only check a single direction as you go. You don't need to check for oncoming traffic, nor do you need to check for traffic turning into your path, as it's a single flow. It greatly reduces the number of potential points cars can crash into each other.

  8. Re:Pedestrian problems? on Roundabout Revolution Sweeping US · · Score: 1

    Pedestrians either have pedestrian crossings or pedestrian islands provided along each ingress/egress road. With ped crossings, obviously cars give way to peds immediately, and there is no distraction because at that point you are still on a normal road. With the islands, the pedestrian moves into the middle first when it's safe, then onto the next side. Pedestrians don't walk onto the roundabout itself.

    Roundabouts are used in low and medium volume traffic situations, where it is quite easy to find a safe gap to walk across a road. It does mean a bit more walking for someone trying to walk 'straight' through the roundabout, as you'll have to deviate slightly down a side road then walk back up again. But as mentioned, since there isn't normally much traffic, you don't normally need to walk far. It's normally quicker than waiting for a traffic light.

  9. Re:poor test on Finding Fault With Qantas' RFID Baggage Tracking System · · Score: 1

    What Qantas has here is closer to the difference between self-checkouts in supermarkets - designed to handle only small loads - and the regular supermarket operator who can handle all volumes of goods. Yes, your floating point operation will work, sir, as long as you use the correct registers.

  10. No fatal JET crash is correct however on Finding Fault With Qantas' RFID Baggage Tracking System · · Score: 1

    First off, QANTAS had a fatal crash in 1951.

    You are of course correct, they have had fatal crashes in the past. But none with jet engines. I.e. nothing in the modern era. I'd prefer we had a rolling scale approach that reflects the average working life of modern planes, e.g. in the last 20 years has the airline had a fatal crash?

  11. Link to actual legislation? on Confusion Surrounds UK Cookie Guidelines · · Score: 1

    Does anyone have a link to the actual legislation? So we can read and see for ourselves what the law states.

  12. Re:torrent on Atari Loses Copyright Suit Against RapidShare · · Score: 1

    Easy to stop

    - Don't allow zip files with passwords (or any other compression format)
    - Inspect individual files in compressed archives for checksum matches (i.e. lolcat.jpg not matched, but game.exe is, so is README.txt, etc...) and if enough of the individual files match known checksums, flag it for human inspection.
    - Check all files to identify what filetype they are - jpg/zip/gz/tar/etc... if the file type is not known, disallow it. Yes I'm sure someone will invent a zip file format with a JPG header.

    - Perhaps for 'identity verified' customers (users who you have confirmed their phone/address somehow, e.g. TXT postal letter activation code) you lift the restrictions on no encrypted files, and also allow files of unknown type.

    - Video and Audio are harder to detect than other lossless filetypes, as the user can modify it easily to change its checksum without destroying the content. There are some fingerprinting algorithms that aren't affected by such changes, but they're typically a lot more specific to the given filetype and I imagine quite intensive to run compared to a typical SHA/MD5 checksum.
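
The first three rules above (reject encrypted archives, hash the members of an archive against a known set, identify files by content rather than extension) as an added example in Python (editor's code, not anything RapidShare runs). All sample files, the "known" hash set, the 50% flagging threshold and the 64 MiB member limit are constructed for the example. It also covers the "zip file with a JPG header" the commenter predicts: zip readers locate the archive from its end, so a zip glued behind a JPEG header is still a readable zip and is inspected as one.

```python
import hashlib
import io
import zipfile

MAX_MEMBER = 64 * 1024 * 1024   # do not decompress members larger than this (zip-bomb guard, assumed limit)

# Constructed sample content. KNOWN_HASHES stands in for checksums of files a
# rights holder has registered: here the game binary and its README.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed jpeg body, not a real image " * 4
GAME_EXE = b"MZ" + b"constructed game binary " * 8
README = b"Constructed README for the game\n"
KNOWN_HASHES = {hashlib.sha256(GAME_EXE).hexdigest(), hashlib.sha256(README).hexdigest()}


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_ZIP = build_zip({"lolcat.jpg": FAKE_JPEG, "game.exe": GAME_EXE, "README.txt": README})
JPEG_POLYGLOT = FAKE_JPEG + SAMPLE_ZIP   # a zip hiding behind a JPEG header


def mark_encrypted(zip_bytes):
    """Stand-in for a password-protected zip: set the 'encrypted' general-purpose
    flag bit in every central-directory entry. Python's zipfile cannot write real
    encrypted archives, but it reads this flag from exactly these headers."""
    buf = bytearray(zip_bytes)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        buf[pos + 8] |= 0x01
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)


MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"), (b"PK\x03\x04", "zip"),
         (b"\x1f\x8b", "gzip"), (b"MZ", "exe"), (b"%PDF", "pdf"), (b"\x7fELF", "elf")]


def sniff_type(data):
    """Identify a file by its leading bytes, never by its extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def inspect_upload(data, known_hashes, verified_user=False, threshold=0.5):
    """Apply the comment's rules. Returns (decision, reason) with decision one of
    "allow", "flag" (queue for human inspection) or "reject"."""
    kind = sniff_type(data)
    if zipfile.is_zipfile(io.BytesIO(data)):   # trusts the end-of-central-directory record, not the first bytes
        kind = "zip"
    if kind is None:
        return ("allow", "unknown type, verified user") if verified_user else ("reject", "unknown file type")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
            if any(i.flag_bits & 0x1 for i in members):
                return ("allow", "encrypted archive, verified user") if verified_user else ("reject", "encrypted archive")
            matched = [i.filename for i in members
                       if i.file_size <= MAX_MEMBER
                       and hashlib.sha256(zf.read(i)).hexdigest() in known_hashes]
            if members and len(matched) / len(members) >= threshold:
                return ("flag", "%d of %d members match known files: %s"
                        % (len(matched), len(members), ", ".join(matched)))
            return ("allow", "archive of %d members, %d known" % (len(members), len(matched)))
    if hashlib.sha256(data).hexdigest() in known_hashes:
        return ("flag", "whole file matches a known checksum")
    return ("allow", kind)


if __name__ == "__main__":
    for label, blob in (("plain zip", SAMPLE_ZIP), ("encrypted zip", mark_encrypted(SAMPLE_ZIP)),
                        ("jpeg+zip polyglot", JPEG_POLYGLOT), ("jpeg", FAKE_JPEG), ("unknown blob", b"\x00\x01\x02")):
        print("%-18s -> %s" % (label, inspect_upload(blob, KNOWN_HASHES)))
```

The member-size guard matters because hashing means decompressing every member, which is exactly what a zip bomb is built to exploit; members over the limit are simply not counted as matches here, so a human still sees them only if the rest of the archive trips the threshold.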

  13. Re:The key that can be extracted on Canon's Image Verification System Cracked · · Score: 1

    *whoosh* That was his point.

  14. Re:What the hell on FCC To Allow Texting To 911 · · Score: 1

    Let's have a larger number for dedicated silent calls. 999 111 999. A lot harder to accidentally put in. Publicity of it will make sure people who *need* silent calls will use it (and those who don't are Darwins). All calls to 999 111 999 would be followed up, and pranksters would be severely fined / jailed on the first offense.

  15. Re:A couple questions about passwords on Analysis of 32 Million Breached Passwords · · Score: 1

    For 'online' systems which lock accounts after a small number of tries, it would *seem* like an 8 digit alphanum password (which isn't one of the trivial ones discussed earlier) would be sufficient, wouldn't it?

    More than likely it would be fine. I guess I was commenting more on your question of brute force attacks being relevant in the days where you get X tries then the account is locked. If you choose even a moderately sane password (i.e. no sequential numbers, no keyboard sequences, no common words) then you'll be a lot safer than most people.

    But attackers these days are more interested in *any* account, not a specific account. So brute force hacking has shifted from brute forcing passwords to brute forcing usernames. Imagine trying tonnes of common usernames (johnsmith@gmail.com) against the top 3 most common passwords. You're bound to strike gold soon enough. Attackers will most likely have access to large email databases of legitimate addresses to use in their attempts. Sites allowing / encouraging / requiring you to use your email as your username these days only make such attacks easier.

  16. Re:A couple questions about passwords on Analysis of 32 Million Breached Passwords · · Score: 1

    One thing to think about - If you try to brute-force a username, yes, you probably will lock out that account for a period of time. But what if you try the same password against random usernames? There are over 200,000 users with the password 123456. All you need to do is guess the username for one. Most websites don't detect and block against this sort of attack.
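
The attack the two comments above describe (one password against many usernames) is what is now called password spraying, and the reason per-account lockout misses it is that no single account ever crosses its failure threshold. An added example of the detection logic (editor's code, not from any site mentioned on the page) run over a constructed authentication log: it flags a source that fails against many distinct usernames inside a window while staying under the per-account limit, contrasts that with the classic single-account brute force that lockout already covers, and lists successful logins from a flagged source, which are the accounts most likely compromised. The log format, addresses, usernames and thresholds are all made up for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: 203.0.113.5 sprays one password across accounts (and hits 'susan'),
# 198.51.100.9 hammers 'alice', 192.0.2.20 is a user who mistyped once.
AUTH_LOG = """\
2010-01-22T10:00:01 auth FAIL user=johnsmith src=203.0.113.5
2010-01-22T10:00:03 auth FAIL user=alice src=198.51.100.9
2010-01-22T10:00:09 auth FAIL user=jsmith src=203.0.113.5
2010-01-22T10:00:15 auth FAIL user=alice src=198.51.100.9
2010-01-22T10:00:20 auth FAIL user=mary src=203.0.113.5
2010-01-22T10:00:27 auth FAIL user=alice src=198.51.100.9
2010-01-22T10:00:31 auth FAIL user=bob src=192.0.2.20
2010-01-22T10:00:34 auth FAIL user=alice src=198.51.100.9
2010-01-22T10:00:40 auth FAIL user=admin src=203.0.113.5
2010-01-22T10:00:44 auth OK user=bob src=192.0.2.20
2010-01-22T10:00:46 auth FAIL user=alice src=198.51.100.9
2010-01-22T10:00:52 auth FAIL user=david src=203.0.113.5
2010-01-22T10:01:03 auth OK user=susan src=203.0.113.5
2010-01-22T10:01:10 auth FAIL user=peter src=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # unparseable lines deserve their own counter in production
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Password spraying: one source fails against MANY distinct usernames inside
    the window while each account sees too few failures to trip its own lockout.
    Returns {src: time first flagged}."""
    recent = defaultdict(deque)          # src -> FAIL events inside the window
    flagged = {}
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        per_user = Counter(e["user"] for e in q)
        if (ev["src"] not in flagged and len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user):
            flagged[ev["src"]] = ev["ts"]
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), max_failures=5):
    """The pattern per-account lockout is built for: many failures against ONE
    username from one source. Returns {(src, user): time first flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        key = (ev["src"], ev["user"])
        q = recent[key]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if key not in flagged and len(q) >= max_failures:
            flagged[key] = ev["ts"]
    return flagged


def logins_after_spray(events, sprayers):
    """Successful logins from a flagged source after it was flagged: the accounts
    the spray actually opened, which is what the responder needs first."""
    return [(ev["user"], ev["src"]) for ev in events
            if ev["result"] == "OK" and ev["src"] in sprayers and ev["ts"] >= sprayers[ev["src"]]]


if __name__ == "__main__":
    events = parse_events(AUTH_LOG.splitlines())
    sprayers = detect_spray(events)
    print("spraying sources:", sprayers)
    print("single-account brute force:", detect_brute_force(events))
    print("likely compromised:", logins_after_spray(events, sprayers))
```

Sprayers rotate source addresses, so in practice the same logic is also run keyed on the password-failure reason or on the global count of distinct usernames failing per minute, not only per source.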

  17. Re:Password strength vs. how often you change it on Analysis of 32 Million Breached Passwords · · Score: 1

    One thing some companies do, is require X of Y characteristics. i.e. Your password must be at least 8 characters long, and contain at least 3 out of the following 4: {lowercase letter, uppercase letter, number, special character}.

    So your keyspace is far larger than: Must have a lowercase, uppercase, digit and special character. I think it's a nice compromise - but of course as this report shows, a hacker would still probably target [a-z0-9]{8}.

    What would be interesting is if the change-password form predetermined the password requirements for this particular password, and these requirements were randomised each time the user wants to change the password. E.g. one time it may require a password of at least 8 characters, the next time it might require it to be 10 characters. One time it may require digits, another time it may require special characters. So an attacker in this case couldn't rely on a large populace having simple passwords of the bare minimum length, as the system forces some variance in those minimums. Sure, it'll probably piss off users even more... (And I'm the first to admit I'd be pissed off by such an approach too).
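
The "3 of 4 classes" rule and the keyspace comparison in the comment above, worked through as an added example (editor's code, not any company's policy checker). The inclusion-exclusion count is the general version: it works for any set of character classes, any length and any "at least k classes" threshold, and a brute-force enumeration over a toy alphabet is included to check the formula. The 32-character special set (string.punctuation) is an assumption; the comment does not define it.

```python
import string
from itertools import combinations, product

CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32, assumed set
}


def classes_present(password, classes=CLASSES):
    return {name for name, chars in classes.items() if any(c in chars for c in password)}


def satisfies_policy(password, min_len=8, min_classes=3, classes=CLASSES):
    """'At least min_len characters and at least min_classes of the classes.'"""
    return len(password) >= min_len and len(classes_present(password, classes)) >= min_classes


def count_exact(present, sizes, n):
    """Length-n strings drawn only from the classes in `present` that use EVERY
    one of them at least once: inclusion-exclusion over the classes left out."""
    present = tuple(present)
    total = 0
    for k in range(len(present) + 1):
        for sub in combinations(present, k):
            alphabet = sum(sizes[name] for name in sub)
            total += (-1) ** (len(present) - k) * alphabet ** n
    return total


def count_passwords(n, min_classes, sizes):
    """Length-n strings over the union of all classes that contain at least
    min_classes distinct classes. Each string is counted once, under the exact
    set of classes it uses."""
    names = tuple(sizes)
    return sum(count_exact(sub, sizes, n)
               for k in range(min_classes, len(names) + 1)
               for sub in combinations(names, k))


def brute_force_count(n, min_classes, classes):
    """Same quantity by enumeration; only feasible for toy alphabets, used to check the formula."""
    alphabet = "".join(classes.values())
    return sum(1 for p in product(alphabet, repeat=n)
               if len(classes_present("".join(p), classes)) >= min_classes)


def compare_policies(n=8, classes=CLASSES):
    sizes = {name: len(chars) for name, chars in classes.items()}
    all_chars = sum(sizes.values())
    return {
        "any_8_chars": all_chars ** n,
        "at_least_3_of_4": count_passwords(n, 3, sizes),
        "all_4_required": count_passwords(n, 4, sizes),
        "lowercase_digits_only": (sizes["lower"] + sizes["digit"]) ** n,   # the [a-z0-9]{8} space attackers try first
    }


if __name__ == "__main__":
    d = compare_policies()
    for name, value in d.items():
        print("%-22s %.3e  (%.1f%% of all 8-char strings)" % (name, value, 100.0 * value / d["any_8_chars"]))
    print("3-of-4 is %.2fx the size of 4-of-4" % (d["at_least_3_of_4"] / d["all_4_required"]))
```

The numbers show the comment's point and its limit at once: requiring only 3 of 4 classes admits noticeably more strings than demanding all four, but an attacker who knows most users pick from [a-z0-9] still searches 36^8 candidates, a small slice of either policy's keyspace, so the policy widens the theoretical space far more than the practical one.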

  18. Re:Confidentiality Integrity Availability. on Most Security Products Fail To Perform · · Score: 1

    I've been involved in certifying a firewall to meet ICSA requirements. Let me say that it can only be a good thing to take into account what certifications the product has before using it. This includes FOSS and commercial.

    While it's nice that you can review the source of FOSS tools, that gives you no guarantee that the tools are configured appropriately and securely. If you are in an organisation that requires a verifiable degree of security (or as management sees it: level of risk) then using certified products is a no-brainer. No one claims a certified product is absolutely secure, and you should never base a purchase decision purely on the 'does it have a shiny certification logo on the carton?', but when using a certified product you can at least say that X, Y & Z situations are covered. This is especially important in the situation of a breach, where the integrity of logging is important. You don't want your boss screaming at you because the timestamps were wrong or inconsistent, that some data was not logged, etc...

    If you are interested, take a look at the criteria for certification for firewalls - http://www.icsalabs.com/technology-program/firewalls/modular-firewall-certification-criteria-version-41

    There are a lot of FOSS based products, including the one I worked on, that are ICSA certified. You can have your cake and eat it.

  19. Casualty does not always imply fatal on Meteorite Destroys Warehouse In Auckland, NZ · · Score: 1

    Casualty is a term not limited to describing dead people; it also covers wounded people. reference.com definitions of casualty.

    Anyway, I was among the tens of thousands of people who witnessed the 'streak of light' shortly after 10pm, from the Auckland Domain where the annual Christmas in the Park concert had just finished. The streak lasted less than what felt like 10 seconds, made no discernible noise, and looked about as bright as a nearby firework (of which there were heaps 5 minutes prior at the end of the concert).

    In fact, at the time I only half thought it was a 'shooting star' as it could've been part of the fireworks. The show had finished, and people were packing up, so I wondered if it was something for the kids (Ooh, hey kids, look, Santa has flown away). But after reading this article, it must have been the same meteorite. Very cool!

  20. Re:Indeed. on Too Easy For Bank Accounts To Spring a Leak · · Score: 1

    It would suck if you went away for 3 months on holiday and came back to discover your only avenue of correction expired a month back.

    Or if someone intercepted your mail and gave you false statements.

    I'm shocked that just because someone fails to find an error within an incredibly short timeframe, that it is effectively cleaned and validated.

  21. Re:ever fill out a tax form? on Real-World 3G Monthly Cost With Taxes and Fees? · · Score: 2, Informative

    I'm always amazed at the complexities of the tax system in the US (and many other countries).

    In NZ, the only sales tax we have is a 12.5% GST (Goods and Services Tax). That's it. It doesn't vary from postcode to postcode, and it's included in the price tag of the product, so there's no need to figure out the cash-in-hand price.

    There are some petrol excises/taxes, but they're transparent to the user (i.e. built into the price of the petrol) and not deductible.

    It's good to be a small country, with no hassles over which state collects the tax, etc...

    Australia really botched up adopting GST several years back. They looked at the NZ model, but decided to make exceptions, which are just outright painful. Tax cooked chicken but not raw? But don't tax cold cooked chicken? Yikes! GST Food Guide.

  22. Multiple Programs is the focus on Inside Intel's $20M Multicore Research Program · · Score: 1

    There does not yet exist an application that people use that really needs multiple cores.

    People need to stop thinking 'I don't have a program that uses 16 cores (16 real threads), so I don't need a 16 core system.'

    Chances are you have at least 16 programs running, and each of those runs in a thread. User applications aren't the only things that need CPU time. That's only scratching the surface.

    People are not creating multicore systems with the idea that a single program will use all the cores. Some programs will be more multithreaded than others, but that's not the point.

    With multiple cores, you give the user the feeling of a more responsive system (due in some part, I'd imagine, to the CPU scheduler having far more real threads to work with than a single core system). Resource allocation of CPU time becomes more generous/less taxing for the OS.

    The end result is that your MP3 player will run happily along in the background doing its thing, while your file download manager is downloading many files off the net, and the user is sitting down writing his word document, which has real-time spell checking that doesn't pause while it scans the large document. Oh, and Gmail is running on your web browser. Your IM client of choice is somewhere around there too.

    All these programs have multiple threads (I won't even bother mentioning the plethora of operating system/system utilities and services and their threads).

    Imagine splitting the CPU cycles of 1 core for all these tasks, and sharing them fairly, against splitting the cycles of 2..4..16 cores.

  23. Compare Piracy Margins against other Albums on Name-Your-Cost Radiohead Album Pirated More Than Purchased · · Score: 1

    The article is a bit lacking in information. So, even if the album is being pirated more than purchased, how does that ratio compare to other album releases? Does it show a big/small/non-existent change? Or a negative change (i.e. people pirate more because they know it's free anyway, which I doubt, but hey). For all we know, most albums could be pirated double, triple, etc... more times than the Radiohead one is.

    The buzz generated by the band's pay-what-you-want publicity stunt may also boost sales. Radiohead's previous album sold only 300,000 copies in the first week--about one-sixth the number of copies of In Rainbows now in circulation. While it's a bit unfair to compare album sales of the same artist over time and try to link the increases purely to price, you could say that even if it didn't decrease piracy, it certainly increased Radiohead's piggy bank!

  24. Re:DVD service next? on Google Vows to Increase Gmail Limit · · Score: 1

    There are companies that do this already (MailGuard in Australia, http://www.mailguard.com.au/ we sell their services to our clients), burn a DVD archive of all your email and send it to you on a monthly basis. Great for companies that have strong archival and record keeping requirements/laws. It's actually quite a sensible thing to do, plus there's nothing technical that you need to do (at least for how MailGuard does it).

  25. Re:At retail... on Apple Now Selling Better Than One Laptop In Six · · Score: 2, Informative

    1. I have some cheap usb hardware (wireless network dongle, bluetooth, etc). No drivers for mac. (I've spent hours searching mailing lists)
    Why? All Macs these days come with Wifi (b/g/n) and Bluetooth 2.

    2. I want to adjust mouse acceleration. I can't figure out how without buying an expensive 3rd party app.

    Just up your overall mouse speed.

    3. I want to be able to launch my apps with one or two-key keyboard shortcuts. I can't figure this one out either.

    Use Quicksilver. http://quicksilver.blacktree.com/

    4. My scrollbar in firefox doesn't work right. Is this normal?

    This isn't normal. It works fine with my machine and all my workmates.

    5. Many open source apps that I love don't have standard maintained OS X distributions (gvim, pidgin, etc). I could try compiling myself, or I've found older versions that other people have built for them, but that's rather a step backwards instead of forwards.

    Try Fink Commander. http://finkcommander.sourceforge.net/

    Hope this stuff helps!