Slashdot Mirror


User: Geoffrey.landis

Geoffrey.landis's activity in the archive.

Stories: 0
Comments: 3,161

Comments · 3,161

  1. Re:Well, sure, if you have precognition on The Economics of Perfect Software · · Score: 1

    It's not hard.

    Bug Report:

    "If I do X, Y, then Z, and sometime in the next 5 seconds do A, B,C, followed by ctrl-shift-A, I get an error message."

    That's not the bug. That's a symptom of the bug. The bug itself will be something like a race condition, or a temporary variable that is not deleted after use. If it's triggered by sequence A, B, C-- and you don't actually know what the bug is-- then why do you think you know what else will trigger the bug?

    ...It's not a difficult process to figure out how much a bug affects your user

    Sure... if you can predict everything that your users are ever going to do with your software, now and in the future.

  2. Well, sure, if you have precognition on The Economics of Perfect Software · · Score: 4, Insightful

    Well, sure, except that this assumes that you are PERFECT in your ability to predict the effect of a bug. And if you're not, that bug that you think will only happen in some situation that's vastly improbable will, in fact, actually hit at exactly the WORST possible time, because maybe that key sequence gets used in some extremely important operation that you hadn't realized your software was going to be used for. Or maybe that bug is ALSO triggered by some different sequence that you weren't quite prescient enough to realize would be common.

  3. Re:Good article! on Users Rejecting Security Advice Considered Rational · · Score: 1

    Uh, so paraphrasing what you just said: not only does nobody know how many attacks are frustrated by strong passwords, nobody knows whether strong passwords frustrate any attacks at all. But maybe they will be needed in 2016.

    No wonder the security people don't tell that to the users: they'd be lynched.

  4. Because our time is not of value [Re:It's obvious] on Users Rejecting Security Advice Considered Rational · · Score: 1

    If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.

    Good, that's what I want. A strong password, written on a card that the user keeps in their wallet or pocketbook along with their other valuables.

    Since the standard demands that the password be used to exit screensaver, and screensaver must activate in fifteen minutes of disuse, keeping passwords written down in the wallet wastes too much time. Expect passwords to be on a post-it note posted to the screen, or written in pencil on the keyboard.

    ...People aren't afraid of strong passwords, they're afraid of having to memorize and recall strong passwords.

    Users aren't "afraid" of anything of the sort. They are, however, massively pissed off by "security" measures that have no rational claim to thwart attacks in the real world, but which waste hours of user time as if user time had no value whatsoever. Guess what: changing my password from an eight character alphabetic password to twelve characters mixing upper, lower, numbers, and symbols is not going to thwart even one phishing attack ever.

    The referenced article suggested that system admins should treat user time as if it's worth 2.6 billion dollars an hour. (200 million users, times $13/hour). Current system administrators treat it as if it is free.

  5. Re:Go, go LED on Toshiba Ends Incandescent Bulb Production After 120 Years · · Score: 1

    CFLs last about 5 years, so I get 4 years of pure savings. Assuming I had to replace each bulb about once every 5 years, in 20 years I'd have an average of 16 years of savings.

    I have to say, I haven't verified that five year lifetime for CFLs in my own home. I have a whole drawer of failed or burned-out CFL bulbs that I have to take over to recycling one of these days when I find the free time. It may be a quality control issue-- I suppose it may depend on manufacturer. (Also, the big wear on CFL bulbs is done in the on/off cycling-- the CFL bulbs that I have in fixtures that are continuously or near-continuously on have been behaving superbly.)

    Cheapest LED bulbs that I've gotten are a couple of strings of Christmas lights, at five dollars for five watts of LED lighting. I'm tempted to just buy a bunch of these, and string them all over the house for lighting.

  6. Go, go LED on Toshiba Ends Incandescent Bulb Production After 120 Years · · Score: 4, Interesting

    Excellent! Glad to see that they're moving into LED lighting; I love LED lights. I've been testing out several of the early model LED lights in my house, and they have been working great-- low power requirement, long life. And the technology has been getting better very rapidly.

    (And, unlike incandescent and CFLs, they're not particularly fragile).

  7. Good article! on Users Rejecting Security Advice Considered Rational · · Score: 4, Interesting

    I have to say, the linked article is the best article on security that I have ever read; and, for that matter, just about the first one that ever considers the radical concept that the user's time is of value.

    "Third, the claimed benefits are not based on evidence: we have a real scarcity of data on the frequency and severity of attacks."

    This is a very good point. What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords, to one which is one of 1E20 possible passwords? How much safer do they get if you then say they have to have a symbol as well?

    When they make me jump through hoops, I'd like to know what exactly I'm gaining.

  8. Re:It's obvious on Users Rejecting Security Advice Considered Rational · · Score: 3, Insightful

    And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply?

    I would reply that requiring passwords to be changed frequently provides little or no fail-safe against compromised accounts.

    Once they've installed the malware on your machine, it doesn't matter that you changed the locks.

    However, frequent mandatory password changes, along with a requirement for impossible-to-remember passwords, will pretty much ensure that users will write their passwords down. If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.

  9. Real keyboard wanted! on 6 Smartphone Keyboards Compared · · Score: 1

    I prefer not to have a keyboard on my smartphone because typing on a tiny keyboard, whether physical or not, is an enormous pain in the ass

    Yes-- complete agreement here.

    What I really want is a full-size keyboard as a detachable accessory. When I'm using the phone as just a phone, or for most simple browsing, I don't need to carry a keyboard around, but when I do need one, I'd like a full-sized one, not the little toys.

    (It doesn't have to have all the useless keys that clutter up most computer keyboards these days-- just the old QWERTY ones.)

  10. Re:Same old snake oil on 50% Efficiency Boost From New Fuel Injection System · · Score: 1

    So pretty much I just have to sit back and wait for the major automakers to offer these cars?

    I'm afraid you read the article backwards. Repeating the critical point here: "The company ...plans to manufacture its system itself, rather than licensing the technology. It plans to build its first factory in 2013".

    You can't "sit back and wait for the major automakers to offer these cars" because the major carmakers are not going to offer these cars, because they are not planning to license the technology to major carmakers.

    Sounds like the fresh country rube is insulated from the snake oil salesman by the car manufacturers who apparently are prepared to buy into it.

    To the contrary, not only do we have no reason to think that the major car makers "are prepared to buy into it," in fact the car manufacturers are not even being offered it.

    ...
    If you have a citation of high pressure transonic combustion in the 1970s, I'd love to read about it.

    Well, I have no idea of whether this is legit or a scam (not enough info), but one characteristic of scams is that they constantly change the names of their companies and of the technologies being peddled, so as to not get caught. There's a reason they call them "fly by night." So the fact that the particular phrase doesn't have citations dating from 1970s does not mean that it's not a scam dating to the 1970s. The names change, even when the scams don't.

  11. Re:I'm sceptical on 50% Efficiency Boost From New Fuel Injection System · · Score: 1

    When measuring in l/100km, I can get zero (the fuel line is closed)

    Huh? If the fuel line is closed, the car is not going to get zero liters per 100 km, because it's not going to get 100 km. It will get 0/0 l/100km, which is undefined.

    and I can never go to infinity.

    It's trivial to get infinity as the fuel consumption per 100 km: just turn on the engine, but stay parked.

    When measuring in mpg, the value approaches infinity as the consumption approaches zero and I can never get zero mpg.

    Again: zero miles per gallon is easy. On the other hand, infinite miles per gallon is only possible if you stretch your definitions of the measurement. ("my car gets infinite miles per gallon because I only run it downhill!")

  12. Re:Really? on Why Wikipedia Articles Vary So Much In Quality · · Score: 1

    Yes, the article seems to be just stating the obvious.

    "casual contributor" is defined, apparently, as somebody who adds text, but not citations or links. An "A" quality article is defined as one, among other things, incorporating a lot of citations and links. Surprise, the casual contributors mostly contribute to articles that aren't "A" quality!

  13. Re:Make error messages that are useful on How Do You Get Users To Read Error Messages? · · Score: 1

    Problem is if the password doesn't fit the required format this should have been caught when the password was changed.

    Yeah, ya think?

  14. Re:This is a sore subject with me because it's tru on How Do You Get Users To Read Error Messages? · · Score: 0

    You were walking the user through the process, and you never asked them what's on the screen?

  15. Make error messages that are useful on How Do You Get Users To Read Error Messages? · · Score: 3, Insightful

    Number one answer would be to make error messages that are actually useful.

    Here's an error I got recently. It's a pretty common error in our SAP* system: "Error Code: -1 Error Desciption: Code: K/101. Error occurred in derivation rule. See long text." (Please note that there is no long text.)

    Here's another recent error message I encountered. Is this helpful?
    "You have either entered an invalid Member ID, an invalid PIN, or your User Account is locked. Please validate that you are entering the correct member ID and PIN and try to log in again."
    Translation: when you did the mandatory password change (required every 90 days), you entered a password that contained the } character. Although the rules say you must include symbol characters, we didn't mean that symbol character.

    And dozens of other equally useless ones.

    --
    *"SAP" is not actually an acronym. It is the word used to describe the customers who have been persuaded to buy this software.

  16. Re:Saves Energy? on IBM Claims Breakthrough Energy-Efficient Algorithm · · Score: 1

    The word "energy efficiency" now gets appended to anything. The story really isn't about energy efficiency, that's just a buzzword.

    Of course, if you do anything faster or more efficiently, if doing it uses energy, then doing it more efficiently uses less energy. Paint it green!

  17. Re:Falcon Punch on Falcon 9 Prepares For High Stakes Launch · · Score: 4, Insightful

    Sooo... the launch of this Falcon rocket is like a punch in the face to the old Constellation program ?

    Not exactly; the Falcon-9 was actually being funded by the old program. The idea was to fund multiple developments, not just one-- the COTS (Space-X and Orbital) to develop new cargo launch vehicles to station, and the Ares to develop exploration vehicles.

  18. What didn't happen on Suspension of Disbelief · · Score: 1

    The tag of "rant" is correct. "Rambling" would have been correct, too.

    I do note that a lot of the "evidence" put forth here is actually simply assertions:

    ... because if you put 10 judges in separate rooms and ask them how they would rule on the case, you could get 10 different, mutually contradictory answers.

    That's an amusing argument; suggesting that your argument is correct because, if something that didn't happen would have happened, it would have proved it.

    Repeated many times, e.g.,

    ... If different judges had been randomly assigned to J.S.'s case and Evans's case, then it might have been J.S. who won and Evans who lost.

  19. Re:old news... on Interstellar Hydrogen Prevents Light-Speed Travel? · · Score: 1

    Actually, that's a different one. (Some similarities, though).

  20. Re:Same ol' same ol' on Interstellar Hydrogen Prevents Light-Speed Travel? · · Score: 0

    Remember the times "scientists" claimed it would be deadly to go more than 20mph in a car because the air would get too thin around you and you would suffocate? Good times..

    No, I don't.

  21. Re:old news... on Interstellar Hydrogen Prevents Light-Speed Travel? · · Score: 4, Informative

    They already figured this out nearly a hundred years ago.

    In fact, erosion by interstellar matter (both hydrogen and dust) was a major plot element in Arthur C. Clarke's 1986 novel The Songs of Distant Earth.

    A while back, at the old 1994 Planetary Society conference on Interstellar Flight, I had a paper proposing a plasma erosion shield to protect an interstellar spacecraft-- I ought to dig that one up and put it on the web somewhere, but New Scientist ought to know about it, since they mentioned it in an article back in 1995.

  22. Re:Uhm.... on Anti Terror Honor System · · Score: 1

    I read news, and I also do read humor, but I agree, I like it when they're correctly labelled as to which is which.

  23. The Constellation cancellation situation on Obama's Space Plan — a Conservative Argument · · Score: 2, Funny

    Phrasing it more succinctly:
    The situation with Constellation cancellation is consternation.

  24. Re:Extended? on Shuttle Endeavour Blasts Off For Space Station · · Score: 2, Informative

    Now that the return to the moon has been cancelled, I wonder if NASA will extend Shuttle missions beyond this year?

    Extremely unlikely; Congress zeroed out the money to do that, and so the parts simply aren't in the pipeline and the facilities to prepare for flights beyond 2010 have shut down. If they wanted to keep the shuttle flying, they needed to have kept that option open (with funding) several years ago.

    If they do extend shuttle flights it will only take a few years to blow up the ones they have left....

    It may be modded funny right now, but it's also correct. If an orbiter is destroyed every 50 flights, and they launch ten times per year

    I don't think any of these assumptions are correct. It was about a hundred flights between the first shuttle loss and the second, so it's hard to justify an estimated loss rate much higher than about one in a hundred (and if the Columbia problem is indeed understood and mitigated, less.) And they've never had a flight rate of ten per year before, so it's unlikely that they would increase the flight rate when the program is cancelled.

  25. Right, except that you have it backwards on Authors' Amazon Awareness · · Score: 1

    That would, indeed, be restraint of trade, which is illegal. As it happens, though, you've got the situation exactly backwards: that's not what Macmillan is trying to do; it's what Amazon is trying to do.

    Here's a quote from Charlie Stross' blog (discussing the terms Amazon wants):

    the devil is in the small print; to get the 30% rate, you have to agree that Amazon is a publisher, license your rights to Amazon to publish through the Kindle platform, guarantee that you will not allow other ebook editions to sell for less than the Kindle price, and let Amazon set that price, with a ceiling of $9.99. In other words, Amazon choose how much to pay you, while using your books to undercut any possible rivals (including the paper editions you still sell).

    Amazon (not Macmillan) is the one who wants to prevent you from selling to others at a lower price.