> I switched away when they made the up and down arrow keys...
Didn't notice that yet. What's putting me on the verge of switching is Google's phasing out (or appearance thereof) of any kind of "hard" searching. Unfortunately, I haven't found any good alternatives with better "hard" search capability.
> Who fucking cares?
I agree with the title but for a totally different reason, namely, that no official connected with the NSA who would have reviewed any such "concerns", who has also commented about the affair (and there have been several, already), has said that they would have done anything whatsoever (possibly except, of course, something about that suspicious/PIA Snowden character).
Wow, the whole first comment thread and no pro-NSA anti-Snowden posters. What happened, did the NSA budget for Slashdot dry up? Or is this a sign that even the NSA has given up on Slashdot and has moved on to other alternatives?
> and loaded Ubuntu on VirtualBox for my Linux stuff
"My Linux stuff"? If you were loading Linux as a native OS in the first place, what "other stuff" were you planning on doing with the laptop? Was the original plan to run Windows in a VM?
Ah, from other posts I guess you were planning on dual-booting... sorry, please ignore...
> With the amount of troubleshooting and driver research I had to do I could have
> purchased 10 copies of Windows 7.
Or, simply, a computer with Linux already installed, from the various vendors who sell such devices...
It's a tribute to how far Linux has come that you originally thought you didn't have to do that. Or, possibly, it shows a considerable amount of personal hubris. Without knowing you personally, I can't really tell...
Thank you for the anecdotal report. At least from your other comments I see that you're not like that poster years ago who kept on whining about Ubuntu not installing on a second internal hard drive and erasing his files (the details have, wonderfully, been erased from my mind).
It's a pity that there is no way to evaluate how significant your report is versus the question at hand. What percentage of experienced Windows users burn 20 hours trying to get Windows to work exactly the way they want (or work at all)? What percentage of Linux users? How dependent is this on the particular user (I know that I personally burn up lots of time being pedantic about any OS I use)?
It's no longer called "Epiphany". In what seems like an epiphany, the GNOME developers decided that it's much, much, easier to search for help for a browser called "Web". Great idea, there, guys. Was this intentional, to prevent intelligible bug reports from less sophisticated users?
One wonders whether they actually "eat their own dog food", or if they do, if they understand that the average user of GNOME isn't a GNOME developer.
What with all kinds of inter-country intelligence sharing deals being reality, it could very well be that whatever information the Germans dug up was actually wanted by, for example, the NSA, but obviously couldn't be directly obtained by them legally.
> We're getting spam here because someone, somehow, got our Active Directory mailing list out of Outlook Web Access. I know all of your admin accounts.
Well, well, sounds like both of us are in big trouble because of Microsoft, and not even because of the problem you originally complained about. :-)
Anyway, thanks for the interesting discussion. As someone whose job doesn't include having to worry about Microsoft's idiocies... I wish you the best of luck!
> The first part is that the network log-in source can be grouped as an infinite number of terminals--lots of connections--so a per-connection rate limit is useless; thus all network service log-in (caveat: Active Directory handles console log-ins... over network) must be grouped as one thing to be effective.
OK, I agree that your argument here is OK, if the 1-2 second delay is an artificial one generated by the OS (and the OS doesn't sufficiently limit the number of active connections). If the 1-2 second delay comes from actual computational overhead of the authentication process (e.g., PBKDF2), then your argument still fails.
> I can lock you out of your server by constantly trying to log into your server, so you can't apply patches anymore. Then I hack it on Tuesday.
Well, if I understand correctly, the lock-out is on a per-account basis, so you'd have to know the usernames of all my admin accounts, so this seems to me to not be very likely to succeed if I have heard about the attack ahead of time (thanks to your post)...
> There's this link that references USB-HID specifically at 750 characters per second. I can't find other references to USB HID rates, and the HID protocol is semi-flexible (i.e. it's really fucking hard to implement NKRO on HID, since HID keyboard protocol specifies 6KRO in boot mode; but you're free to implement an alternate HID protocol once your keyboard's out of boot mode).
Thanks for the hint to look at the USB-HID standard (1.1) in which even high-speed devices are limited to 64KB/s. That's interesting info. Does the USB hardware + operating system on most computers actually enforce that?
> OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole
> 1-2 second delay is an expected human-facing turn-around: this actually happens on most modern systems. I pointed it out and then theorized eliminating that rate limit entirely, instead relying on the limits of the HID keyboard protocol at 750 characters per second, which is the faster measurement and thus can be taken as a worst case.
You don't actually seem to be addressing my argument here; perhaps you misunderstood? It's clear to me what you did; my argument was that doing what you did made no sense given the "1-2 second delay" you state, and, given that datum, your characterizing Windows as "retarded" for not distinguishing between 750 char/s and the much faster network was illogical.
> Your naivety about the average entropy in a typical 8 character password is striking.
> We're talking about theoretical password complexity here, not dictionary attacks.
Yes, I am capable of reverse engineering your math. You err, though. "We're talking about..."? No, you're talking about...
I'm not quite getting this. You dismiss the possibility that weak passwords are used, so that hardware password attacks are dismissable, but at the same time address the problem that these same non-weak passwords aren't strong enough to withstand network password attacks without lock-outs? Yes, I suppose there are some real-life situations in which that's true, but why would you rag on Microsoft for trying (in what I agree is not a reasonable way) to cover other possible situations (and, given their user base, much more probable ones)?
> The IRS will know who you are when you bought your bitcoin from a regulated exchange.
OK... I suppose so (still doesn't address the "multiplicity of jurisdictions" problem), but that is a quite different scenario than that posed by the poster I replied to, who wanted bitcoin "criminalized and shut down" via legislation.
Your comment was already covered by, for example, this poster.
> Aside from all the obvious shit like "how do you get in there unnoticed?"
Did you miss the "on a public computer" part of my post? Never heard of social engineering?
> Even without a 1-2 second turn-around for testing a password, keyboards can only enter 750 characters per second.
Where did this "750 characters per second" come from? Is this a limit built into Windows? USB 2.0 runs at 35 MB/s, according to Wikipedia.
OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole --- if the password check itself is the limiting factor, even for the "slow" keyboard, it makes no sense to make a distinction between password attempts from the keyboard and those from the network, so it would be silly to call Windows "retarded" for doing so.
> That's less than 100 password attempts per second for 8 character passwords,
> or 10^12 seconds to try them all. 800,000 years!
Your naivety about the average entropy in a typical 8 character password is striking.
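The rate arithmetic argued over in this exchange, worked through as an added example (my code, not anything a poster wrote). It takes the thread's own figures (750 characters per second, 8-character passwords, a 1-2 second check per attempt) and shows two things the numbers alone hide: once the per-attempt check delay is in, a keyboard and a single network connection end up at almost the same attempt rate, and the exhaust time collapses when the password's effective entropy is well below the full 95^8 keyspace. The 30-bit entropy figure and the 1000-connection network case are assumptions for illustration, not numbers from the thread.

```python
# Figures taken from the thread above.
HID_CHARS_PER_SEC = 750.0     # keystroke rate claimed for a USB HID keyboard
PASSWORD_LEN = 8
CHECK_DELAY_SEC = 1.5         # midpoint of the "1-2 second turn-around" per attempt

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyboard_attempts_per_sec(chars_per_sec=HID_CHARS_PER_SEC,
                              length=PASSWORD_LEN, check_delay=0.0):
    """Attempts/s for an attacker feeding guesses through a keyboard interface.

    Each attempt costs `length` characters plus one Enter keystroke, then
    whatever per-attempt delay the login manager imposes.
    """
    typing_time = (length + 1) / chars_per_sec
    return 1.0 / (typing_time + check_delay)


def full_keyspace(alphabet_size, length=PASSWORD_LEN):
    """Number of candidates if every character is chosen uniformly."""
    return alphabet_size ** length


def entropy_keyspace(bits):
    """Effective number of candidates for a password with `bits` of entropy."""
    return 2 ** bits


def exhaust_years(space, attempts_per_sec):
    """Years to try every candidate at the given rate (expected hit: half this)."""
    return space / attempts_per_sec / SECONDS_PER_YEAR


def scenario_table():
    """Rows of (label, attempts/s, years to exhaust 95^8, years for 30-bit entropy).

    30 bits is an ASSUMED effective entropy for a typical user-chosen
    8-character password; the 1000-connection case is likewise assumed.
    """
    rates = [
        ("keyboard, no check delay",
         keyboard_attempts_per_sec()),
        ("keyboard, 1.5 s check delay",
         keyboard_attempts_per_sec(check_delay=CHECK_DELAY_SEC)),
        ("network, 1.5 s check delay, 1 connection",
         1.0 / CHECK_DELAY_SEC),
        ("network, 1.5 s check delay, 1000 connections",
         1000.0 / CHECK_DELAY_SEC),
    ]
    return [(label, rate,
             exhaust_years(full_keyspace(95), rate),
             exhaust_years(entropy_keyspace(30), rate))
            for label, rate in rates]


if __name__ == "__main__":
    for label, rate, y_full, y_30 in scenario_table():
        print(f"{label:46s} {rate:9.2f} att/s   "
              f"95^8: {y_full:10.3g} y   30-bit: {y_30:8.3g} y")
```

Nine keystrokes per attempt at 750 chars/s gives about 83 attempts per second, which is where the "less than 100" figure comes from; adding the 1.5 s check drops both the keyboard and a single network connection to roughly 0.66 attempts per second, so at that point the transport no longer matters and only connection count does.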
> Windows does stupid shit like lock the local console if you set up rate-limit log-in...when logging in through the Microsoft log-in manager. That's retarded. A person is sitting at that console, and can't enter passwords fast enough; it should NEVER BE LOCKED.
You have limited imagination, what about an attack on a public computer via replacing its keyboard with one which includes a CPU + password cracking program?
So Windows isn't quite as retarded as you think; it's just retarded in that it doesn't rate-limit the two kinds of logins separately (i.e., still very retarded).
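The three throttling schemes argued over in this thread (a per-connection limit that many connections defeat, a per-account lockout that needs the username and can be turned into a denial of service against a known admin, and a single global bucket that also locks the console user out) made concrete as a toy simulation. This is an added example, my code and not any poster's; the policy names, the threshold of 5, and the usernames and passwords are constructed for the demonstration.

```python
from collections import defaultdict


class AuthGateway:
    """Toy login front end that counts failures under one of three policies.

    policy:
      'per_connection' - failures counted per source (IP/connection)
      'per_account'    - failures counted per username (account lockout)
      'global'         - every failure, console included, in one bucket
    """

    def __init__(self, policy, threshold=5, correct=None):
        if policy not in ('per_connection', 'per_account', 'global'):
            raise ValueError(policy)
        self.policy = policy
        self.threshold = threshold
        self.correct = correct or {}      # username -> password (constructed data)
        self.failures = defaultdict(int)
        self.locked = set()

    def _bucket(self, source, username):
        if self.policy == 'per_connection':
            return ('conn', source)
        if self.policy == 'per_account':
            return ('acct', username)
        return ('all',)

    def attempt(self, source, username, password):
        """Returns 'ok', 'fail' or 'locked'."""
        bucket = self._bucket(source, username)
        if bucket in self.locked:
            return 'locked'
        if self.correct.get(username) == password:
            return 'ok'
        self.failures[bucket] += 1
        if self.failures[bucket] >= self.threshold:
            self.locked.add(bucket)
        return 'fail'


def guesses_accepted(policy, sources, username, guesses, threshold=5):
    """Count wrong guesses against `username` that still get checked.

    Guesses are spread round-robin over `sources`, modelling an attacker
    with many connections (or a botnet) behind a per-connection limit.
    """
    gw = AuthGateway(policy, threshold, correct={username: 'correct-horse'})
    accepted = 0
    for i, guess in enumerate(guesses):
        if gw.attempt(sources[i % len(sources)], username, guess) == 'locked':
            break
        accepted += 1
    return accepted


def lockout_dos(policy, threshold=5):
    """Attacker who knows the name 'admin' burns `threshold` wrong guesses from
    distinct sources; then the real admin, and a second admin whose username
    the attacker does not know, log in from the console with correct passwords.
    Returns the two console results."""
    gw = AuthGateway(policy, threshold,
                     correct={'admin': 'Adm1n-pw', 'ops-jane': 'J4ne-pw'})
    for i in range(threshold):
        gw.attempt(f'10.0.0.{i}', 'admin', 'wrong')
    return (gw.attempt('console', 'admin', 'Adm1n-pw'),
            gw.attempt('console', 'ops-jane', 'J4ne-pw'))


if __name__ == "__main__":
    many_sources = [f'10.0.{i // 256}.{i % 256}' for i in range(100)]
    for policy in ('per_connection', 'per_account', 'global'):
        n = guesses_accepted(policy, many_sources, 'admin', ['x'] * 100)
        print(f"{policy:15s} guesses checked from 100 sources: {n:3d}  "
              f"console after lockout attack: {lockout_dos(policy)}")
```

Per-connection limiting never locks because each of the 100 sources stays under the threshold, which is the point about "an infinite number of terminals". Per-account lockout stops the guessing at the threshold but hands the attacker a denial of service against any account whose name he knows, while the account whose name he does not know is untouched. A global bucket stops the guessing too, but also turns away the person at the console, which is the behaviour complained about above.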
I think nowadays that one can assume that 1400 random infections (for the botnet in question) on the net would include most countries. Even more so for the larger botnets which exist. So my suspicion is that this tactic has limited utility, possibly so limited that it is no longer worthwhile ("Damn, I forgot to turn off the geoblocking before my unexpected trip to Peru!").
No, I won't bite on the Ponzi flamebait. But <sarc>I'm sure Satoshi is quaking in his boots</sarc>.
Er, reality check?
Your "little bit of legislation" is only going to affect people in your little bit of jurisdiction.
Except for someone who actually is stupid enough to directly declare he has bitcoin, it is trivial to conceal it, and trade/spend it outside problematic jurisdictions.
Are you one of those who also believe that we just have to pass stricter laws and piracy will disappear?
I always thought that he should have made it a $5.38 wrench, instead...
"issue | Snowden" ? What does the "issue" command output to stdout, Polonium-210?
People have already forgotten that the high-temperature superconductors were discovered, not by the power industry, but by IBM.
Might be good, certainly wasn't very funny... or does it need Javascript?
Anyway, 1336 was much funnier...
Didn't you forget some kind of reference to "my eyes"?
They would have been sued for infringement by the rightsholders to Asterix.
I kid you not... this is actually why we now have linux-laptops.net rather than the original mobilix.org (or mobilix.net, I don't remember anymore)...
Did you just pirate yourself? How on-topic!
> Whether or not a physical object was stolen is useless in 2014.
Ah, so the first-sale doctrine applies to all those legal downloads I have? Terrific!
> That's called a movie plot security threat, and it's not a concern.
Do you always start out your arguments by "poisoning the well"? BTW, the person who coined "movie plot security threat" doesn't exactly agree with you.