Slashdot Mirror


User: thethibs

thethibs's activity in the archive.

Stories: 0
Comments: 778

Comments · 778

  1. Re:Gesture + facial recognition on Researchers Hack Biometric Faces · · Score: 1

    The "little you know" is germane here. No biometric is sufficiently repeatable to be used as a key. You need to compare what you read against a reference or database of references and return a confidence factor regarding similarities.

    That's why the FBI fingerprint service returns the fifteen best matches for a human to deal with. If none of these fit one of your suspects, you can ask for more "matches". The MATCH FOUND with one mug shot on the screen is pure Hollywood.

    When the challenge is "does this face match (with some given confidence) the reference image of the laptop's owner?" things are a little simpler. Unfortunately, the "given confidence" part makes it almost useless if you don't want to be routinely locked out of your own laptop. I don't know what it is for faces, but the acceptable level for fingerprints makes them worth less than two extra characters in your password.

  2. But it's really cool. on Researchers Hack Biometric Faces · · Score: 1

    This is a perfect example of what Bruce calls "security theater". Anyone who watches TV has seen that the most secret places use biometrics--fingers, hands, eyes, faces (the only thing untried is butts)-- as the ultimate super-secure access control.

    If you believe Hollywood, having this high-tech security on one's laptop is not only super secure but it's super cool! Lenovo et al know exactly what they are doing and who their client is.

  3. You expect us to be surprised? on Researchers Hack Biometric Faces · · Score: 2, Interesting

    Of course they broke it. "Biometric Authentication" is an oxymoron. The correct phrase is "Biometric Identification". A face or a finger is a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

    No Id and no authentication is "public". Id but no authentication is "public, but stupid about it".

  4. Not to worry (too much) on CRTC Mulls Canadian Content On the Internet · · Score: 1

    Given that the CRTC hasn't gone on a hiring binge in the last little while, it's certain that the "ideas" will come from the same gang that are responsible for Canada's current dysfunctional regulatory environment. Whatever they propose will be ambiguous where it's not unintelligible, won't do what they say they want it to do, and it will be gamed by the same big players that make Canada's cable and cell services the most expensive in the free world.

    I don't know what they can do to wreck the Internet, but Canadians have learned not to underestimate their creativity.

  5. When you wish upon a star .... on Earth-Like Planets In Our Neighborhood · · Score: 1

    Obviously, these guys are part of the generation that grew up believing that if you want something badly enough, someone will provide it.

    It's disappointing to see otherwise intelligent scientists make so much of so little.

  6. Pedantic? on Microsoft and Red Hat Team Up On Virtualization · · Score: 1

    "Pedantic" doesn't mean what you think it means. The agreement isn't pedantic but this post is pedantic.

  7. The real agenda on Spiraling Skyscraper Farms For a Future Manhattan · · Score: 1

    The Dystopian part is a weak attempt at irony. What they are really planning is a Utopia wherein all those troublesome redneck farmers are gone. They've become right-thinking (or is that left-thinking?) city people, as farming jobs are replaced by urban food-manufacturing jobs.

  8. Why not float? on February 13th, UNIX Time Will Reach 1234567890 · · Score: 1

    Is there a reason no one has the intellect to go to floating point time?

    When I first started playing with Java, one of the things I found appallingly silly was its handling of time. If you are going to set a new standard, it should at least be useful. The thing is too coarse to time internal events, but you can describe the age of the universe with millisecond precision.

    Am I the only one who finds the fingerprints of an amateur all over this?

  9. No source for factoid on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    Microsoft told journalists at last year's Professional Developers Conference that 70% of Windows users have between eight and 15 windows open at any one time.

    I went looking for this. All I found was blogs and online articles repeating this factoid but no attribution whatsoever. One of the early bloggers, maybe Twit Zero, had it as one of a list of "things I learned at the PDC". My bet is he "learned" this on a bar stool.

  10. Enough razzle dazzle already! on Who Owns Application Delivery Meta-Data In the Cloud? · · Score: 2, Insightful

    The Cloud is aptly named. I've read TFA and several levels of links from there and I'm no more informed than when I woke up this morning.

    "Portability" is a concept, not a thing, so these folk need to explain what it is they want to port. "Metadata" isn't an answer. Metadata is data about data, so what data about what data about which phenomena are they talking about?

    The other thing I'd like to know is, in what way is "the Cloud" distinct from a distributed server architecture, or what was once called a network application framework?

  11. Re:It's not about IP ...or u Pee on Canadian Labour Congress Considers Reversal On IP Policy · · Score: 1

    Speak for yourself, Darlin'.

    The agenda isn't secret--It's been open since at least Lester B. (Nobel Prize-Winning Twit) Pearson.

    Moreover, there's no plan to change anything about the US. Our left-wing NGOs have their hands full just changing Canada and turning it into a colony of the United Nations. Among other problems, the Albertans and Outer Ontarians refuse to cooperate, and an attempt to disarm the population seems to have failed.

  12. It's not about IP on Canadian Labour Congress Considers Reversal On IP Policy · · Score: 1

    The CLC is a major component of Canada's socialist axis. They don't give a damn about IP, but they can be depended on to support anything that involves more regulation, the more invasive the better.

    What it's really about is what Greenpeace calls "moving the needle". It's about getting people adjusted to having the government regulating the most trivial aspects of our lives. When a sufficient level of docility has been reached, an authoritarian socialist state can safely be established.

    What gets my attention is the Swedes. The most obvious characteristic of the Swedes that might explain their tolerance of socialism is "how nice they are".

    They say the same thing about Canadians. That scares me.

  13. Re:Evolution in Action on Utah Mulls a Database of Bar Customers · · Score: 1

    Quebecois and Albertans are very different people but they live in identical political contexts. Except for right turn on red, if you can behave legally in one, that same behaviour will keep you out of trouble in the other.

    The same can't be said of very many pairs of states. Consider how many different sets of laws I would have to be familiar with if I travelled around the US with a handgun, a girl, or a hash pipe.

  14. Re:Evolution in Action on Utah Mulls a Database of Bar Customers · · Score: 1

    Actually, Quebec, Nunavut and Newfoundland are politically identical: left-wing, strong central governments, and living on subsidies.

  15. Evolution in Action on Utah Mulls a Database of Bar Customers · · Score: 2, Interesting

    From a Canadian viewpoint, one of the fascinating things about the U.S. is that, in many ways, it's composed of a few dozen political experiments, all going on at once. Each succeeds to the extent that people choose to live in a particular state and thrive there.

    Utah is not New York. They could be on different planets, and yet they are both populated by people who call themselves Americans. The opportunities for comparative anthropology are immense.

  16. Re:Intense? on Microsoft Caves, Will Change UAC In Windows 7 · · Score: 2, Informative

    Dilbert?! Is that you?

  17. Re:I had a little glimmer of hope on Microsoft Caves, Will Change UAC In Windows 7 · · Score: 2, Insightful

    proper user account permissions (a la UNIX)

    You mean "me, us, anybody" permissions? Windows account security is both more sophisticated and more granular. The problem is not with user account permissions, but with the out-of-the-box defaults. On this one, Microsoft can't win. If they do something that's appropriate for the average home user (a breed of cat most of /. can't even imagine), power users and tech writers get all over their case.

    In the enterprise environment, the degree of user lockdown is easily adjusted on a per-user basis and runas (Windows' sudo -u) is available for exceptions.

  18. Re:healthy distrust on The Case For Supporting and Using Mono · · Score: 1

    Second, as the gatekeepers of .net and C#

    Gee. I was quite certain that ECMA was the gatekeeper: ISO/IEC 23270 (C#), ISO/IEC 23271 (CLI) and ISO/IEC 23272 (CLI TR).

    Then again, I lost my tinfoil hat on the bus coming home today.

  19. Re:Eh? on Scientists Create Compound With a Single Element · · Score: 1

    Done. It's called a Bose-Einstein Condensate.

  20. Re:Changing passwords on Hackers Clone Passports In Driveby RFID Heist · · Score: 1

    This opens up a cascade of conditional probabilities.

    What's the appropriate strategy? Should I assume that my password is compromised "by methods other", distinguishable from magic, the day after I change it, and choose my password change interval to match my anxieties about how long someone might have access to whatever the password protects?

    What's the probability that "methods other" will compromise my password within N days? Are we looking at a Poisson distribution or normal? Given that it's compromised, what's the probability it will be used without being detected for M days?

    As you can see, this is all very confusing and how do I know that a month is a good time between changes? It could be woefully inadequate or grossly pessimistic.

  21. Changing passwords on Hackers Clone Passports In Driveby RFID Heist · · Score: 1

    For example, computers could be much more secure if people change their passwords every month

    Really? What happens on day 32 that I need to change my password to prevent? What threat cannot be realized in a month, but can be realized in two?

    The idea behind changing passwords is to have a new password before the current one can be broken by a determined attacker. The current reality is that a weak password can be broken in hours, and a strong password can't be broken in anyone's lifetime.

    Changing passwords monthly (or daily for that matter) is not effective if you use weak passwords and it's not needed if you use strong passwords.

  22. Proof of concept is enough on Hackers Clone Passports In Driveby RFID Heist · · Score: 2, Insightful

    Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport

    Perhaps he wanted to avoid going to jail? This is a case where it's sufficient to show that a forgery is possible, without breaking the law and actually doing it.

  23. Re:Accountability...err, the piecework model on Monster.com Data Stolen, Won't Email Users · · Score: 1

    A line of code is the software equivalent of a moving part. A product with a high LOC can be likened to a Rube Goldberg device. Only an idiot would pay on an LOC basis. You want programmers to minimize LOC to utility ratio.

    A fixed price for a correct product is as far from LOC piecework as buying a car is from buying the parts individually.

    A line of code is not a product. A correct line of code is not a product. At the lowest level, a bunch of code with an unambiguous specification and a thoroughly tested API is a product. If it's provably correct by construction (EWD340, EWD1036), it's a superior product.

    As to your last complaint, competent, honest architecture followed by fixed-price development contracts eliminate scope creep.

    If the use cases are well-defined, dollars per use case, invoiced after each increment, is a good approach. It has the added advantage that the customer gets something usable with each invoice.

  24. Re:Define 'correct' on Monster.com Data Stolen, Won't Email Users · · Score: 1

    Granted. That's what IT architects are for. Unfortunately, very few projects have them, so programmers are expected to fill the role; one for which they are poorly qualified.

    The other problem is that most software projects are staffed, costed and scheduled before the product is designed--before anyone knows what needs to be built. Other than in the Aquarian atmosphere of an Agile project, failure is inevitable.

  25. Re:Accountability on Monster.com Data Stolen, Won't Email Users · · Score: 4, Interesting

    Actually, it was IBM and CS academics that did that. OS360 was released with a long error list and assurance that this was normal for a product of that size. It was this era that produced factors like one error per so many LOC, where "so many" ranged from ten to a thousand depending on the source.

    This was long before Microsoft existed and it didn't need much pushing. It was so self-serving that the software industry never argued against it. It also came just in time to meet a huge increase in demand for programmers that could only be met by lowering the bar for entry--so for most of the new crop of programmers, the predictions were accurate.

    The sad idea of calling programmers "software engineers" in the hope that a new name would make them more diligent has clearly not worked. Since most are paid by the hour without reference to quality or results, it's unlikely that anything will ever work in this environment.

    What's needed is a change in the business model that links payment to a finished, correct product. ISVs working on fixed-price contracts and firmware developers have very low error rates.