Slashdot Mirror


User: skelly33

skelly33's activity in the archive.

Stories: 0
Comments: 376

Comments · 376

  1. Re:Hah! Take that, my bank! on Hotmail No Longer Accepts Long Passwords, Shortens Them For You · · Score: 1

    While it sounds stupid, they could have been storing multiple hashes for every password all along. Like if they had a minimum password length of 8, they could store N hashes to get every variation from 8 to N+7 password lengths. When you create the account, log in, or change the password, they could regenerate the entire hash set at any time. They could have been preempting this move for years, and collected statistics on accounts with > 16 length passwords (I bet there are not that many, comparatively). A little advance planning here and they would not have ever had to store the plain text password.

  2. Re:still a lot of energy on Warp Drive Might Be Less Impossible Than Previously Thought · · Score: 1

    It didn't say it was the size of a football, it said it was the shape of one. Wouldn't be much of a "ship" if all it could carry was an ant colony.

  3. If my calculations are correct... on Warp Drive Might Be Less Impossible Than Previously Thought · · Score: 3, Funny

    The final shape should actually end up looking not like a toroid, but a disc, or... "flying saucer" if you will. The absolute first thing we should do with them though is send them back in time and play mind tricks on generations past, otherwise we'll miss many decades of inspiration on Hollywood films which ultimately serve to desensitize the populace towards first contact.

  4. Re:Sigh. on QR Codes As Anti-Forgery On Currency Could Infect Banks · · Score: 1

    And what if the salt was more than two characters whose bits were distributed throughout the hash, and changed with every one? It would be pretty tough to spot, I think. Ultimately you're right - any crypto is subject to eventual cracking, but what's critical is the ability to add a microscopic fingerprint on the bill that counterfeiters cannot do at this point in combination with it. I think over the long term, the U.S. Treasury is simply going to have to set up a moving target, continually changing the face of the dollar with one trick after the next to keep counterfeiters on a rotating obsolescence plan. The more elusive the trick, the longer it will take them to replicate the capability. In this case, the micro printing with specialized ink AND a cryptographic model would all need to be figured out - that will take time.

  5. Re:Sigh. on QR Codes As Anti-Forgery On Currency Could Infect Banks · · Score: 1

    What article are you referring to exactly? The Engadget summary says nothing about reading the codes and sending them to URLs. The press release linked to it also says nothing of the kind. It wouldn't even make any sense to do this unless, for example, you expect every vending machine on the planet to be internet connected. If a bill-handling machine can read in a bill, optically/magnetically/otherwise read the plain text face serial number or the metal strip inserted, and micro-optically read and decipher this QR code and get a match, it can be used to accept or reject the bill that was inserted. Think ATM, change machine, parking pay stations, toll booths, etc. None of those things need the internet, or a URL, to get a useful function out of such a system, so it doesn't make sense to include a URL. I see nothing of what you suggest the article is proposing in either location. (Have they since been edited out of shame?)

  6. Re:Sigh. on QR Codes As Anti-Forgery On Currency Could Infect Banks · · Score: 1

    Cute trick, I like it :^)

  7. Re:I totally agree. But... on QR Codes As Anti-Forgery On Currency Could Infect Banks · · Score: 2

    It would be super amazing to own a smartphone with an infrared laser illuminated microscope.

    I'm baffled by all the comments about the security concerns on this. Barcode scanners have been reading UPC codes at PC-based cash registers operated by high school dropouts for decades, and nobody has yet been able to craft a magic barcode that can crash the system. The argument is asinine. It is not that hard to establish a standard and write some firmware with strict adherence to that standard that will reject anything that is nonsense. Seriously, does nobody understand how things work any more?

    Here, let's invent a specification and a bill sorter that uses it, it'll be fun. The QR code will implement a cipher using 6-bit characters supporting an input character set of [A-Z0-9] with an exact string length 11 characters, or 66 bits. This is sufficient to encode the serial number on the $5 bill in my pocket right now. The cipher will put out the exact same number of bits, and the "QR style code" will encode exactly those bits, no more, no less (for extra credit, we can add some checksum / error correction bits). When a scanner picks up the code, it will check the bit length and verify that it is 66 bits, then it will reverse the cipher and compare it to the plain text serial number on the front of the bill. If the 66-bit strings match, the sorter will drop the bill in the "accepted bin", else it will be diverted to the "inspection bin".

    Now you go ahead and think up a scheme by which you can crash and/or infect my scanner. Any firmware developer worth their salt would be able to see you coming a mile away in such a simple system.
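
An added example, not part of the comment above and not code from any real currency system: the bill-sorter check from comment 7 in C, rejecting any scan that is not exactly 66 clean bits decoding to [A-Z0-9]. The comment does not specify the cipher, so `TOY_KEY` is a constructed per-symbol XOR stand-in, and the names `encode_code` and `sort_bill` and the serial `MB12345678A` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SERIAL_LEN 11                 /* characters in the face serial */
#define CODE_BITS  (SERIAL_LEN * 6)   /* 66 bits, one scanned module per bit */
enum bin { BIN_ACCEPTED, BIN_INSPECTION };
static const char ALPHABET[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
/* Constructed stand-in for the unspecified cipher: XOR per 6-bit symbol. Not secure. */
static const uint8_t TOY_KEY[SERIAL_LEN] = {21, 7, 50, 33, 12, 63, 5, 44, 18, 29, 9};

/* Printer side: 11-character serial -> 66 modules. Returns 0, or -1 on bad input. */
int encode_code(const char *serial, uint8_t out[CODE_BITS])
{
    if (serial == NULL || strlen(serial) != SERIAL_LEN) return -1;
    for (size_t i = 0; i < SERIAL_LEN; i++) {
        const char *p = strchr(ALPHABET, serial[i]);
        if (p == NULL) return -1;                 /* character outside [A-Z0-9] */
        uint8_t sym = (uint8_t)((p - ALPHABET) ^ TOY_KEY[i]);
        for (int b = 0; b < 6; b++)
            out[i * 6 + b] = (sym >> (5 - b)) & 1u;
    }
    return 0;
}

/* Scanner side: fixed-size buffers only; every malformed input is diverted. */
enum bin sort_bill(const uint8_t *modules, size_t n_modules, const char *face_serial)
{
    char decoded[SERIAL_LEN];
    if (modules == NULL || face_serial == NULL) return BIN_INSPECTION;
    if (n_modules != CODE_BITS) return BIN_INSPECTION;        /* exactly 66 bits */
    if (strlen(face_serial) != SERIAL_LEN) return BIN_INSPECTION;
    for (size_t i = 0; i < SERIAL_LEN; i++) {
        uint8_t sym = 0;
        for (int b = 0; b < 6; b++) {
            uint8_t m = modules[i * 6 + b];
            if (m > 1) return BIN_INSPECTION;                 /* not a clean 0/1 module */
            sym = (uint8_t)((sym << 1) | m);
        }
        sym ^= TOY_KEY[i];                                    /* reverse the toy cipher */
        if (sym >= sizeof ALPHABET - 1) return BIN_INSPECTION; /* outside [A-Z0-9] */
        decoded[i] = ALPHABET[sym];
    }
    return memcmp(decoded, face_serial, SERIAL_LEN) == 0 ? BIN_ACCEPTED : BIN_INSPECTION;
}

int main(void)
{
    uint8_t code[CODE_BITS];
    if (encode_code("MB12345678A", code) != 0) return 1;      /* constructed serial */
    return sort_bill(code, CODE_BITS, "MB12345678A") == BIN_ACCEPTED ? 0 : 1;
}
```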

  8. Re:Sigh. on QR Codes As Anti-Forgery On Currency Could Infect Banks · · Score: 1

    That doesn't make sense. You don't want a piece of paper with a serial number plus a certificate that validates itself, "trust me, I'm so legit!" You encode minimal information onto the paper and validate externally just as the GP suggested. It can be compared to SSL certificates - unless it has that externally verifiable data source (the CA) then the validation is not accepted.

  9. Career Advancement on Ask Slashdot: How Much Is a Fun Job Worth? · · Score: 2

    When faced with a choice like this, I have always chosen the path that would further advance my career, usually in combination with better pay. It is not that important to me to have fun at work or enjoy it - work is work... I'm not here to screw around, make friends, waste time, or engage in office drama. There are only so many years we have as top-earning grunts to plan for retirement, etc. and I don't plan to waste those on some whimsical notion that I should be having fun all the time. In other words, for me, it is a business decision, not an emotional one. Good luck!

  10. Re:Give them away on Ask Slashdot: What To Do With Found Calculators? · · Score: 0

    That's OK - nobody knows what a "fuck twad" is anyway. If one can't express themselves without insulting someone else and/or resorting to profanity for lack of any appropriate alternative, then it is likely that one hasn't much to contribute after all. Have a great day!

  11. Re:You think this is a Game? on GoDaddy Goes Down, Anonymous Claims Responsibility · · Score: 2

    It affects sites whose *DNS* is hosted by GoDaddy. That would make any site hosted by GoDaddy fair game... as well as any site that uses their DNS Manager, but hosts off-site.

  12. Re:Who instead of Go Daddy? on GoDaddy Goes Down, Anonymous Claims Responsibility · · Score: 2

    I second that - their customer service sucks, flat out. Our webmaster passed away and with her went the master password for our corporate account at Dreamhost. A seemingly trivial matter for someone in customer service to handle, but after 8 months of trying they still have not successfully recovered access to the account. They have *never* received a return phone call or email back from Dreamhost support people. That includes even looking up Dreamhost employees on their own site's staff directory, including the CEO himself via LinkedIn, sending emails directly to staff members, developers, IT folks, anyone we could find in the company to urge *someone* to return a damn phone call or email. Nothing. The best part was the phone number listed on their website that appeared to go to one guy's cell phone voicemail. Utter BS. I'm not going to promote GoDaddy hosting, but there are far better companies out there to deal with than Dreamhost. Don't just pick the first one you see advertising over 20 million suckers paying them every month...

  13. Re:The problem with comments... on Comments On Code Comments? · · Score: 1

    By your logic, the API doc should instead simply read:

    function addNumbers(num1, num2)

    ... which has the same problem - the function name itself bears no reflection on what the code actually does. What you have described is not a problem limited to comments; it's just plain sloppy work.

  14. Re:So fast it outran the Link ! on The World's First Supercavitating Boat? · · Score: 4, Interesting

    So a couple years ago I was recollecting to a friend who is in the U.S. Coast Guard about a science program I had seen on TV about a new boat the CG was experimenting with which used hydrofoils to lift the main hull clear of the water when the boat was at speed. I asked him whatever happened to that program as it looked super interesting and promising for high speed water craft. He said they were abandoned because they would routinely be cruising along and strike a submerged log floating in the water which would rip one or more of the hydrofoil skis off, and that would be the end of that boat. It happened *all* the time.

    This vehicle appears to me that it would suffer the same problem - strike something submerged just below the surface and one of those pontoons becomes damaged or separated and down goes your boat.

    A regular boat hull has the advantage of coming up to an obstacle at speed like that and skipping right over the top of it, no harm, no foul, (albeit with a horrible sound within). At least the CG ships had a regular hull + the hydrofoil skis so that if there was a problem of that sort, it just sank back down to the regular hull. For the design proposed, it doesn't look like the craft would even float without the two pontoons, so those guys would be farkt. I suggest not buying it.

  15. Excuses on Kaspersky Says Lack of Digital Voting Will Be Democracy's Downfall · · Score: 4, Insightful

    I say stop making excuses for and pandering to "young people". If they can't integrate with the "real world" IRL then they can just starve to death in their pathetic little digital corners. There are plenty of things in life that require one to get off one's own ass - voting is one of them.

  16. Anthony & Asprin on Ask Slashdot: Best Science-Fiction/Fantasy For Kids? · · Score: 1

    Probably not a name you see recommended often, but I recall his books being rather light and airy, adventuresome, lots of humor infused - if the kid is not a die-hard who takes sci-fi too seriously, he might enjoy just about anything from Piers Anthony.

    Also Robert Asprin wrote a number of stories that were comical in nature with his whole Myth series. Pick up any one and run with it - they're fun!

    Also, I second the nomination for Jules Verne reading from above.

  17. Re:Impressive on NASA and Astrobotic Investigating Ice Hunting Mission to the Moon · · Score: 1

    I agree that it would be a great localized resource to leverage, however I think it would be foolish to use it as rocket fuel. Fuel cell where what goes in comes right back out again? Ok, no problem. But burning it up in a rocket means it goes away and never comes back - and rockets can burn an awful lot of fuel real quick. I, for one, vote no on rocket fuel.

  18. Re:short answer: no on Do Data Center Audits Mean Anything? · · Score: 2

    My understanding is that SAS-70 is entirely self-defined. The point of the certification is to validate that your company has established operational processes and procedures for itself, and that the processes and procedures established are adhered to.

    Nothing about SAS-70 requires any measure of quality or completeness. When the business claims, "yes, we have a disaster recovery plan. yes, we have a business continuity plan. yes, we have a backup, fault tolerance, order handling, fulfillment, budgeting, auditing, security process, etc." being SAS-70 compliant implies that those claims were audited by an independent third party and found to be true statements. It does not mean that any one of those plans is worth a hill of beans, but at least they're there.

    That said, while I am actively involved in such planning for my company, we do not pay for certification because we are selective about who we give our money to. This is just to say that passing SAS70 certification (AC parent) is thoroughly unrelated to the state of sin that the operational systems are in.

  19. Re:You need variety on NYC To Open 1st High School Dedicated To Software · · Score: 1

    Hi. Did you RTFA?

    "Unlike traditional vocational schools, this new school will have a rigorous academic component and will prepare students for college."

    I read this as a declaration that computer science will be integrated with Math, English, Science, etc. It wouldn't be college prep without. So what's to object?

  20. yes on NYC To Open 1st High School Dedicated To Software · · Score: 1

    Would you want to go (or have gone) to such a school? Would you want your kids to attend?

    Yes, and maybe. I would want my kids to focus on what they have a natural propensity for, not necessarily to follow in my footsteps.

    When I went to high school the programming class and the advanced programming class were both based on Borland Pascal, and taught by the piano teacher who dabbled in programming computer-generated music as a hobby. Each class I challenged the course at the beginning of the semester and found that I was able to pass the course requirements without dragging out the rest of the year. This freed me up to be able to research whatever I wanted and also help my classmates. When I discovered that I was able to pre-compile inline assembly code into my Pascal programs and gain very low level control over the system (I started experimenting with SVGA hardware control, and fast triangle rendering for 3D graphics - nothing amazing by today's standards, but this was in the early 90's). When I began to ask the instructor about the significance of various assembly language instructions and he cluelessly speculated that they might be some form of C, I realized that I had just exhausted his usefulness. Sadly I had no Internet, BBS'es were largely beyond my reach, and the most impactful thing I discovered was the Simtel CDROM which came packed with sample source code - thank God for 90's Shareware.

    I would have very much enjoyed having more knowledgeable resources and guidance at my disposal. As it was I was resource limited to what I could reverse engineer on my own, or save up my allowance to purchase the absolute most important books I could find at the local book store. This was back at a time when computers were still relatively simple. Windows 3.0 was a novelty. DOS Extenders and protected mode programming were just emerging. Hackers like me could build their own 16 bit ISA bus boards and expand the physical capabilities of their own computers. And information flow was at a trickle.

    I believe today's blooming Computer Science majors face new hurdles and have even greater need of wisdom in the field. You can't just hack the PC bus from a simple pin-out diagram. There are now 25 layers of abstraction designed specifically to keep you from understanding what goes on in the hardware layer. Some software developers don't even know what a hard drive looks like. A school with an emphasis on computing systems would be ideal for hungry minds, although, I imagine, the same could be said of any profession.

  21. FoodForThePoor.org on Ask Slashdot: Most Efficient, Worthwhile Charity? · · Score: 1

    There are a couple like this that I've heard of. Their commitment is to get as much traction as possible out of every dollar by minimizing administrative costs, etc. This one claims upward of 96% going to feed the hungry around the world: http://www.foodforthepoor.org/

  22. Re:Actual Size on NASA To Demonstrate Largest-Ever Solar Sail in Space · · Score: 1

    /. summary must be wrong. Gizmag itself states in the caption, "this one will be the largest ever flown, spanning a whopping 15,543 square feet, or 1,444 square meters."

    I was gonna say - roughly 20x20 feet never sounded so exciting before!

  23. Suspect on New Legislation Would Punish Mishandling of Private Data · · Score: 1

    The article mentions that they would have very specific requirements for the method by which data is protected. Not having seen the specifics, if they get too specific, I would be rather suspicious of the law becoming a barrier to future improvements - what they think of today as being "the right way" to do it doesn't mean it's the ONLY way and could end up being prohibitive based on the architecture of the system in question. I'm just sayin...

  24. MTBF Question on IBM Building 120PB Cluster Out of 200,000 Hard Disks · · Score: 1

    Just curious if anyone has experience managing large, mechanical disk arrays, if you installed an array of such a size using identical hard drives and bringing everything online relatively at the same time, would there be an increased likelihood of ALL the drives dying at roughly the same time? Could failure statistics bite you with enough simultaneous failures to negate redundancy?

  25. Re:Timeless BS on The Post-Idea World · · Score: 1

    I don't know about your forefathers, but mine are not imaginary. I think.

    Anyway, I don't think profitability is necessarily even the right thing to attribute the rise/fall of innovation. What is more alarming to me is the general feeling that the walls are closing in on us with respect to legal barriers to accomplishment. The U.S. in particular has adopted an increasing mentality of "you can't do that", and is reinforced by extended copyright, asinine patent, and punitive damages to anyone who so much as moves in a direction that someone else has already thought of. How many viable businesses, processes, and potential jobs are sitting locked away in the patent system right now just waiting for someone to get their act together? How come I can't dig a hole in my yard without the county demanding cash for a permit or they put me out on the street?

    We have paralyzed ourselves, and I'm sure this same dysfunction is spreading...