You misunderstand the point at which the paradigm is shifting. This is not a matter of physical contact, this is a matter of confidence threshold.
Also if you experience incidents like that more than once every 6 years, you should reconsider your allegiance to taco bell and/or indian buffets.
This applies to computer vs computer situations. Once you put a human in the mix, it's a whole different situation because the frame of reference is different.
You can't predict what you don't understand. That's why a chess computer that uses past human games to make decisions would be, in my opinion, a pretty nasty opponent.
That's not the same, that's like those blackjack simulators that nobody ever got rich with.
The point of big data is to spot trends in actual events, not compute simulation results. Especially if the simulation is performed with the same algorithm working both sides.
I always wondered, why does it become ever more pressing as we get closer to home? As my ass lands on the toilet it seems it couldn't have waited even one more second before exploding.
It's a manifestation of enantiodromia. In layman's terms, the sudden availability of the toilet causes a paradigm shift as the quest is now fulfilled; the subject decathects from his need for restraint, but cognitive dissonance (or more accurately: an availability heuristic bias) usually misleads him into discarding the crossing of the motivational inflection point and into falsely believing that he couldn't have waited longer.
I would be curious to see how an algorithm based on millions of actual games fares against a pure mathematical model. "Based on your interest in taking queens with a pawn, you might be interested in taking a bishop with your rook".
Duh. What you suggest shows a serious lack of experience because in many situations this can't be implemented, full stop. As an example, if one does not have access to single sign-on, it's basically impossible not to use passwords that are stored somewhere if more than one system must interact, unless they all support certificate authentication, which is not frequent. And in complex systems there's not always some dude waiting in front of a computer, ready to punch in a password to let a scheduled job run.
So until you have a better understanding of how things work in medium or large organizations (aka: real life), my advice is not to tell people that their implementation is faulty, or you will just show your inexperience. It's a good thing to know "best practices", but what will make you competent is being able to understand the concept of "right" practice. Until then you just sound like someone who spent time memorizing test material, which is of limited value.
The one thing I'm surprised they don't support is Twitter login.
Have you tried it? It's horrible compared to the other providers. In my experience, ease of use of the authentication api is the following:
1) LinkedIn
2) Google+
3) Facebook
4) Windows Live
5) Yahoo
6) AWS Cognito
[...]
2147483647) Twitter
There are other players, like Mozilla Persona, Path, etc. but I haven't tried them.
Don't get fooled by the "small shop" illusion. Look at GW Pharmaceuticals, which has a market cap of 1.3 billion.
https://www.google.com/finance...
This is big business. If you have Netflix look at the documentaries there's a bunch of them (Green rush, etc.).
This is a fascinating study because it shows that soft skills are rewarded better than hard skills in elementary school. This is almost unavoidable as teachers, themselves products of social science programs, have a strong bias toward process as opposed to results.
Unfortunately, this leads to students that are ill-equipped to face the highly competitive western business culture. Already we can see the damage: an increasing number of people who can't cope with reality without the help of big pharma (SSRI, benzodiazepine, opioids, cannabis, etc).
It is unfortunate that we are getting closer and closer to something similar to the "perfect society" in Demolition Man. See:
https://www.youtube.com/watch?...
Wrong. Between hashing and clear text there's a whole lot of encryption options.
There are situations where it's perfectly valid to store passwords in an encrypted format (as opposed to a hash). As an example, a lot of people use Keepass to store their billions of uid/pwd, and this is completely acceptable (as long as the master password is decent). There are also situations where systems integration must be performed without single sign-on. There are database connection strings, stored in config files. And plenty of other non-WTF situations where the password is reversible.
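The distinction the comment above draws, shown as code (an added example, not the commenter's code or any particular product's): a password a user types to prove identity is stored as a slow, salted one-way hash and only ever verified, while a credential a scheduled job must hand to another system (a database connection string, a Keepass entry) has to be recoverable, so it is encrypted under a master key that lives somewhere other than the config file. The reversible path uses HMAC-SHA256 as a counter-mode keystream with an encrypt-then-MAC tag so it runs on the Python standard library alone; in production you would put AES-GCM from a real library in its place, the structure stays the same. The environment variable name `APP_MASTER_KEY_HEX` and the connection string values are made up for the example.

```python
"""Hash what you only need to verify; encrypt what you must hand back."""
import hashlib
import hmac
import os
import secrets

# ---- 1. User passwords: one-way, slow, salted -----------------------------
# Tune n so one hash costs ~100 ms on your hardware; 2**14 is a modest default.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<digest>'; a fresh salt per password defeats
    precomputed tables and hides which users share a password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    The original password is never recoverable from `stored`."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# ---- 2. Service credentials: reversible, under a key kept elsewhere --------
def _derive(master_key: bytes):
    """Separate encryption and MAC keys from one master key."""
    enc_key = hashlib.sha256(b"enc" + master_key).digest()
    mac_key = hashlib.sha256(b"mac" + master_key).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_credential(master_key: bytes, plaintext: str) -> bytes:
    """Blob layout: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    enc_key, mac_key = _derive(master_key)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_credential(master_key: bytes, blob: bytes) -> str:
    """Verify the tag before touching the ciphertext; a wrong master key or a
    modified config file fails here instead of yielding garbage."""
    enc_key, mac_key = _derive(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential blob tampered with or wrong master key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()


if __name__ == "__main__":
    # Interactive login: we can check the password, never get it back.
    stored = hash_password("correct horse battery staple")
    assert verify_password("correct horse battery staple", stored)
    assert not verify_password("Tr0ub4dor&3", stored)

    # Scheduled job: must present the real password to the DB, so the config
    # file holds ciphertext and the master key comes from the environment
    # (hypothetical variable name; a random key is used if it is unset).
    master = bytes.fromhex(os.environ.get("APP_MASTER_KEY_HEX", secrets.token_hex(32)))
    blob = encrypt_credential(master, "Server=db01;User=svc_report;Password=hunter2")  # constructed sample
    print(decrypt_credential(master, blob))
```

The check a practitioner wants from the second path is the tag verification: an attacker who can edit the config file but not read the master key cannot flip bits in the stored connection string, and a rotated master key fails loudly rather than silently producing a wrong password.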
Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.
I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? Isp? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and login with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly logging in using one or the other (resetting the password each time), and of course they complain about losing their settings.
So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.
So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to log in without using the FB login button, trying instead to log in with their email address and a password (which is probably their FB email and password anyways). Fewer people called to complain about forgotten passwords, instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.
So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
But still there was a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to make mistakes.
So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.
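The one-time code "matched to the specific browser session" from the post above, written out as an added example (not the commenter's code). The security properties a practitioner would insist on are all in the redeem path: the code is generated with `secrets`, stored only as an HMAC under a server secret, bound to the session that asked for it (so a code that lands in the wrong inbox or is forwarded is useless elsewhere), single use, time limited, and capped at a few guesses so six digits cannot be brute-forced. Delivery by email or SMS is reduced to a callback; the class, the session ids and the addresses are made up for the example, and the clock is injectable so expiry can be exercised without waiting.

```python
"""One-time login code bound to the requesting browser session."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a reset code sitting in an inbox for days is useless
MAX_ATTEMPTS = 5             # 6 digits is only safe if guessing is rate-limited


class OneTimeCodeStore:
    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock
        self._pending = {}   # session_id -> {account, mac, expires, attempts}

    def _mac(self, session_id: str, account: str, code: str) -> bytes:
        # The MAC covers session and account, so the stored value is only
        # meaningful for that (session, account) pair.
        msg = f"{session_id}|{account}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, session_id: str, account: str, send_code) -> None:
        """Generate a code for `account`, remember only its MAC, deliver it.
        Re-issuing for the same session silently invalidates the old code,
        which is what the user who asked twice actually expects."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {
            "account": account,
            "mac": self._mac(session_id, account, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        send_code(account, code)   # email or SMS; the channel is out of scope here

    def redeem(self, session_id: str, code: str) -> bool:
        """True exactly once, for the right code, in the right session, in time."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False                      # other browser, or nothing issued
        if self._clock() > rec["expires"]:
            del self._pending[session_id]     # stale: make the user ask again
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[session_id]     # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(rec["mac"], self._mac(session_id, rec["account"], code))
        if ok:
            del self._pending[session_id]     # single use
        return ok


def demo() -> dict:
    """Walk the failure modes with a fake clock and a captured delivery hook."""
    sent = {}
    now = [1_000_000.0]
    store = OneTimeCodeStore(secrets.token_bytes(32), clock=lambda: now[0])
    deliver = lambda account, code: sent.__setitem__(account, code)

    store.issue("sess-A", "alice@example.com", deliver)   # constructed session/account
    code = sent["alice@example.com"]
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "other_session": store.redeem("sess-B", code),   # right code, wrong browser
        "wrong_code": store.redeem("sess-A", wrong),
        "right_code": store.redeem("sess-A", code),
        "replay": store.redeem("sess-A", code),          # already consumed
    }
    store.issue("sess-A", "alice@example.com", deliver)
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.redeem("sess-A", sent["alice@example.com"])
    return results


if __name__ == "__main__":
    print(demo())
```

Because the store keys on the session rather than on the email address, a user who asks for a code from one browser and then opens the email on their phone gets "invalid code" rather than a login; that is the trade-off the post describes, and it is the right one, since the alternative is that anyone who can read the inbox can log in.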
Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.
Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.
I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.
The answer from the Facebook guy is pretty good:
"It's valuable feedback," Gheller said. "We can do better -- I'm very grateful he took the time in his grief to write the blog post."
It's like when the clerk at the convenience store looks at the nudie mags and large bag of cheetos that you are buying and tells you "have a nice evening" on your way out. You know there's more to it than a polite goodbye but you can't prove it.
I am looking at pictures of dead babies now.
this would make a nice t-shirt or bumper sticker.
On a positive note, having been in the Army National Guard for over 25 years (including overseas deployments), I have worked with both the Navy and the Air Force. I cannot speak specifically to the "historical antagonism" the gf mentioned, but I can say that overall, everybody I worked with generally wanted to do a good job without deference to service branch.
It's always like that. People on the ground and people in the top slots always cooperate, it's somewhere in the middle of the food chain that backstabbing and cheap politics occur. Be it intelligence services, law enforcement agencies, or departments within a large company, people who are close to the value stream or to strategy always work together while people in middle management or execution planning positions tend to focus on their small kingdom.
Look at the French. They have FOUR services (the 4th one is the Gendarmerie, which is basically the police outside big cities). And in most cities the firefighters are part of the army too.
And yet, this huge military organization works smoothly, with optimally managed funds and not a single instance of inter-services snafu. It's a terrific model that any army should follow.
Just kidding.
They expect the pilot to use his iPhone... Can't wait to see that insurgent instagram feed.
This is not a technology problem, this is military politics. Basically the USAF brass doesn't want to do air-ground missions, they want to do air combat and stealth bombing because it's a lot cooler and less dangerous (for the pilots) since there's basically no serious opposition. So they sabotage every aspect of their capabilities that would allow them to do air-ground missions, like pillaging the A-10 supply chain or doing this kind of cheap stunt with the F-35, hoping that drone technology will be mature soon enough to do the dirty jobs.
Anyone who has worked on large IT projects has seen this kind of thing. The big cheese and the overpaid consultants focus on the cool but useless features that look good in PowerPoint presentations and during board meetings (like a fancy iPad-optimized dashboard or an accountant-customizable expense approval workflow that will never be used) while the really important parts like integration or bulk updates, which will be used on an hourly basis, are neglected and downplayed because they are not sexy and will be a nightmare to operate.
When you're dealing with a multimillion record table, this saves minutes and power per query.
What database are you using? Sqlite? OpenOffice Base?
1) var x = how many Likes someone is getting
2) var y = how often people bitch about that person in private messages
3) Ratio of Candy Crush ads for that person = y/x
There, FB now has a sufficient explanation.
You speak like the hybrid cylon pilots in Galactica.
Have you been to Wyoming?
this time it's to hide their own collusion, racketeering, bribery and likely other violations of federal law.
I wonder if the other inmates will appreciate her opinion that piracy is stealing when she's in the state pen
No, they will be too busy wondering how she ended up in the state pen for violation of federal law.
It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.
The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.
Why can't I load up, say, a Mastercard app on my phone, login, tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?
Because that would be immensely tedious and annoying. Look at how the TSA has made the process of taking an airplane a fucking pain in the ass... Intrusive security is not an acceptable solution.
The problem is not the credit card transaction. The problem is how companies store information they don't need out of convenience and laziness.