The infrastructure to range issue is absolutely a very important consideration when evaluating whether the car is right for you today.
But my point was rather that the real improvement needs to come from the infrastructure side rather then the car. The car itself has, perhaps not great, but adequate range.
Because in the big scheme of things the internet isn't much more grandiose than a fancy telephone answering system like what any large corporation has.
When I'm on hold with AT&T I'm not in telespace. I don't have a virtual telepresence at AT&T. When my call is eventually connected to some fine chap in India I don't marvel that the two us are meeting in some virtual non-corporeal tele-reality.
Its also just as ubiquitous and just as democratic. Anyone can talk to anyone from anywhere, instantly.
I'm not looking to mock you, I'm just pointing out the logical flaw.
I remember BBS systems; and telneting into the university, and the rules back then were all perfectly rational without imagining being in some new space. The server was there. I was here. I communicated with the server. The laws that applied at the server applied at the server. The laws that applied where i was apply where I was.
The problem specifically addressed in the article is the idea that this isn't adequate, that cyberspace is 'somewhere else' where laws either don't go, don't apply, or need to be brought, or need to be fought off. The reality is the law applies and has always applied where the servers are, and where the participants are.
Some complexity arises due to instances where the law at the server and client but legally it really doesn't need to be more complicated then how we think about phone call.
Overnight charges before a short trip are unreasonable
Meh, my Porsche has a rated range of about 350 miles. That's really not all that much further than the Tesla S. And according to what I average, with my driving style its closer to 317.
Yet, I don't worry much about making "short trips" of a couple hundred miles even if the tank is only half full when I set out, for the simple reason that I am really rarely more than a couple dozen miles from a place to fill up, and there is pretty much always a gas station before any large stretches of highway.
That is really all the issue here with the Tesla. Its not the range so much that is a problem, but the availability of places to refill. If I can quick charge a Tesla S for 200 miles pretty much anywhere then I'll never have to do an overnight charge to get the 265 absolute max.
I'm not sure how ubiquitous fast-charge stations are for the tesla or electric cars in general in new york... or anywhere else for that matter. But if they can get even a good fraction of the penetration that regular gas stations have, the tesla's range is already good enough for most people. And its only going to get better.
The problem is that Microsoft had the manufacturers use an implentation that's hard to use for non-Microsoft OS's.
How so? Any hardware vendor that wishes to release linux preinstalled hardware will have no difficulty whatsoever.
The only part that is 'harder' is taking windows pre-installed hardware and converting it to another operating system. And that is ENTIRELY THE POINT OF SECURE BOOT -- that there is something preventing arbitrary unknown software booting up with the PC... whether a rootkit, or the neighbor kid 'hacker' with a live thumbdrive etc. Now, sure, switching operating systems on a computer that shipped with Windows requires the owner either disable the lock, or re-key the system to run something else.
But how is that 'evil'? That's the reasonable price of increased security.
The FSF proposed a fair implementation, but Microsoft said no.
Which FSF proposal are you referring to specifically? The one where they wanted systems to be shipped with secureboot off and then users could turn it on? Resulting in piles of confused users, and users who left it off and needlessly reduced their own security? Yeah, that would have been great.
That alone proves what their goal is.
Even without knowing exactly what you are talking about, it proves nothing. There is nothing about the current secureboot implementation that is overly discriminatory against alternative operating systems.
An honest person is honest because he is honest. He doesn't need anything to keep him honest.
Maybe. But we're talking about regular people not saints.
There's an awful lot of regular people who used napster, kazaa, and so forth. As those got shot down, a lot of them switched to convenient legal alternatives spotify, itunes, etc.
You can call them all dishonest people if you want. But the "old canard" about keeping honest people honest is really meant to apply to people like that. Most of us count them as honest people because they aren't exactly sociopaths and criminals with no regard for their fellow man... but if they can download something for free, nobody is visibly harmed, and its effortless then they will.
Make it just a little bit hard though, and they'll take the easier legitimate option.
he comparison assumes that you already have a server on hand. An accurate comparison would be if you were starting from scratch with nothing on hand.
Why would that be a more accurate comparison? He did have a server on hand. Many of us do. Many of our 'last desktops' are perfectly suited to be home servers. Mine is a Q6600 core 2 quad with 8GB of ram doing double duty as home server and htpc. I've got an E8400 core2duo with 8GB that I installed XenServer onto over the weekend just to fool around with. Lots of us have PCs to use as servers lying around.
Also, the comparison assumes you only need one IP address. With a VPS, you typically can get extra IP addresses for no additional charge.
I can't really see why anyone would need more than one IP address on it, especially since it's at home, and you have ready access to the console if there is an issue.
And lets not forget that servers need maintenance.
True enough. But lets not overstate the case either. I haven't done any hardware maintenance on either of my home servers in years. And running software updates from time to time is hardly a big commitment.
3 years ago I did have a server die, and it took around 6 hours and $100 in parts to resolve it.
Drives gotta get replaced probably at least once a year if you have any real kind of traffic on your site.
Say what now!?
That said the comparison was still pretty flawed. It didn't talk about what the bandwidth requirements were like at all. Maybe it fits comfortably into what he gets from his ISP particularly upstream, but I'm skeptical and it's something that should have been discussed.
And comparing the electrical usage as his sole cost center compared to effectively leasing hardware and service and concluding that raw electricity is cheaper is almost self evident to the point of not needing analysis.
Can I keep a server turned on for less money then it costs someone else to keep a server turned on while turning a profit, paying for advertising, replacing hardware, providing phone support, bandwidth, etc, etc, etc.
It's healthier for society to accept that people change than to let everyone reenact 1984 every time they get nervous.
I can control what I do. I can't control whether or not 'society will accept that I've changed'.
As long as that remains true (and I don't see it changing anytime) only a fool will 'rely on society to accept...' anything, if they have any choice in the matter.
So what's the correct solution, other than solutions that pose a substantial entry barrier to non-malicious students and hobbyists?
Ok.
An operating system control system that allows the user to define app profiles that dictate what hosts it can connect to, what parts of the filesystem can be read / written, etc, etc. is the first part.
The 2nd part is letting e.g. antivirus / antimalware / new-category-of-security-solution providers hook into that system, so that end users can simply subscribe to app profiles from a 3rd party provider they trust to externalize the burden of auditing and creating the profiles.
Several fans of game consoles and Apple consumer electronics would claim that some individual hardware owners can't be trusted not to disable security to see dancing animals, and taking control away from them is in their own good.
I'm sure you would even agree that this is true for some individual hardware owners, perhaps even most of them.
But the solution is not to take it away from them per se, but rather to easily enable them to delegate it to a 3rd party they trust.
The problem with, say, Apple, is that it asserts it is that trusted 3rd party and gives users no reasonable way to take control back from Apple and either exercise their own security or delegate to a different 3rd party -they- do trust.
Contrast that with Antivirus software for example. We select it, install it, and put some faith in its ability to identify malware while trusting it not to exceed that mandate. If it sees an infected file come in it quarantines it. The 'unsophisticated user' typically accepts the antivirus companies assessment of the file and moves on. Few will challenge the antivirus software and seek to disable it and restore the file from quarantine.
However, if the antivirus software were to start blocking things it really has no business blocking and which doesn't represent what the customers want from it they are free to uninstall it and switch to something else.
I can't recall what my brother was using, but one day a few months ago it up and blocked him from going to the pirate bay. He uninstalled it and uses something else now. This is pretty much ideal... we have an established a norm that one should have antivirus, but it is ultimately up to us, and we can change antivirus providers at will.
The reason viruses are such a problem is that blacklisting simply can't work, and "detecting malicious activity" is HARD. A white listing approach would in some environments be a lot more effective. And I've seen deployed in practice with excellent results in corporate environments.
Add some spaces in there first of all, then throw in some punctuation, preferably bad punctuation and grammar.
In other words: take a very easy to remember password and cram it full of junk that makes it just as hard to remember as a classical password.
If you want more security than is offered by 4 words, use more words. The security gained by mangling the the words with misspellings and symbols is no better than simply adding another word or two. And adding words is easier then remembering where you jammed symbles in which words were capitalized, which were mis-spelled and precisely how you mis-spelled them, etc.
That said, I agree that using a larger dictionary is good. Throw in urbandictionary.com and brand names and place names.
Then once you've had a randomized password generated from all that, sure if you know French or Portuguese or Dutch or whatever throw in a foreign word as well. If your a mathematician or doctor or whatever throw in a formulas or other domain jargon that you'll find easy to remember.
By dictionary I postulate an electronic edition of a dictionary with the ability to spit out random words.
In fact, most dictionary websites already have the ability to do this, but I have no idea how truly random the randomizer is.
But one can easily imagine that it would not be difficult for them to create a suitable properly randomized passphrase generator if they were so inclined.
If I ask somebody for four random words it is unlikely they'll consult a dictionary, and it is also unlikely that they'll do anything involving true randomness. That means that the set of possible words being selected from is less than the entire English vocabulary, and some words are more likely to be chosen than others.
This is true, but its also true of 'traditional' passwords. Unless they use a password generator they aren't likely to be generating particularly 'randomized' passwords either.
And if we allow for them to be using a password generator then we can allow for the passphrase users to use a suitablly randomized one as well.
Mine's an early 2010 mbp. 13". upgraded cpu and ram; its got whatever nvidia solution was available for it. Although the 13" was a bit weaker performance-wise than the larger ones to start with. But I value the portability and knew that going in.
Even so, it rarely heats up in regular OSX at all, except when running games.
But the fans kick on pretty much as soon as I start a VM.
Its not bad if I'm at a desk, with an external keyboard / mouse etc. The performance is acceptable. The fan noise isn't excessive. But I bought the 13" portable to be portable so the heat and battery life issues are a real problem -- it gets uncomfortably hot to have on my lap and enough heat is radiating upwards that even the trackpad gets just warm enough to be noticeable and mildly uncomfortable.
"steaming pile of crap" might be an overstatement; but i envisioned myself being able to fiddle around in linux while on the couch and its just not quite acceptable for that. Or to have win7 idling in the background so i can check things with various win browsers... and I can do that, i just don't leave windows idling between doing it.
I'll have to try Win 8 on it, thanks. I've got 8 on my HTPC so far, so that's where most of my real world hands-on with it has been, but if it runs in parallels better that would be a very nice bonus.
If you don't know what kind of a password someone uses,
That's an assumption we hadn't agreed on in advance.:)
There are many scenarios where you know what form someone's password takes. And there are many different password strategies, so even if you don't know an individuals strategy, trying common / probable ones first vs just treating it as a mindless brute force attack does work better on average.
Bottom line: most people don't use randomly generated strings. So working based on strategies is productive.
Never mind that when doing exhaustive searches, keeping track of all those special cases you might have tried, at some point will slow you down a lot. There's a point where the memory bandwidth demands for keeping track start exceeding any gains from limiting your search space. Trees quickly start suffering from cache locality issues:)
This is a fair point but there are strategies to address it. The simplest is to just allow yourself to retry passwords you already tried without worrying about it on later less specialized passes. If you can get more passwords faster it may be a fair trade off that the worst case running time is increased.
It also depends on the situation situations, hackers attacking a stolen database they won't be doing an exhaustive search anyway... rarely do they need to get into someone particulars account, rather they just want to get into anyone's accounts, or as many accounts as possible.
Throwing a botnet to work trying a million passwords at each of a million accounts will yield much more fruit than throwing that botnet towards trying a trillion passwords on one account... and possibly still not be anywhere near cracking it.
Yes, because people want what they ordered within a few days of ordering it. They do not want to make insurance claims even if they eventually get made whole.
So getting it to the customer right the first time has value.
Nope. Mangling it with symbols moves it into the symbol-by-symbol exhaustive search category
Nope. Mangling it with symbols is just mangling it with symbols.
Words + symbols does not transform the words into symbols.
Sure you assume that symbol frequencies are shaped in a certain way, so you can still do a tad better than fully exhaustive search where you start with all zeroes and go up, but it's really no worse than a similarly long bunch of random symbols with a certain distribution of individual symbols and maybe symbol pairs.
If you run the math on that claim that shaping symbol frequencies (and orderings) to put "words" ahead in the search you will find that the "tad better" is exactly the amount better that you'd get if you just considered it to be words + symbols in the first place.
When you are brute force searching spaces that big and accounting for letter arrangements, then something even like:
I have that, well parallels instead of vmware, but same difference.
Honestly, it is not the best of both worlds, its steaming pile of crap. The Windows 7 VM runs ok, as does linux, not awesome just ok.
Meanwhile the laptop heats up and the fans come on the battery drains while you watch just having a VM open idling, never mind really doing anything in it.
I've switched to using RDP back to my windows desktop PC for most of of my windows needs. Runs well, and the macbook doesn't melt from trying to pretend its a workstation instead of a little power efficient laptop.
All that said, seriously, I'd just get windows 8. Spend half an hour or so configuring it properly... e.g. map.jpg to use the desktop picture viewer instead of the metro app etc. Clean all the crap out of the start screen and really there is no big deal about 8.
Wouldn't some deliberate misspellings be sufficient for most of us? Such as "stapple" above? Try "Korrekt", and/or "batery".
Deliberate misspellings are great; in the sense that they dramatically increase the dictionary size.
But then you have to remember the specific misspellings you made. And the attacker would simply compensate by including all the common mispellings, leetspeak, lolcat spelling, etc to his attack dictionary:
so instead of just password: he'll also try p4assw0rd, p455w0rd,... passwerd, passwurd...
This adds' complexity and therefore adds security, but its harder to remember exactly what leetspeak or whatever you applied and exactly how you applied than it is to just add another word or two.
As always, if you want more security its generally easier to just add more words.
I don't know how password crackers work, but aren't they going to give up after hitting my bank account more than a few dozen/hundred tries, and move on to the next?
Typically they find a weakly protected password database online somewhere some random blog or forum or maybe something little higher profile like the Playstation network... , they download it, and then attack it directly. Allowing them to try millions, even billions of attacks on all and any account in it using clusters of computers, GPUs, and whatever else they have at their disposal for parallel computing.
Then once they find a password; they'll take that and the user name / email address and shotgun it into any other site they can find to see if it works there too. Did you use the same password for Playstation as you did for your bank? Ooops. They're in.
If you were clever and did something like my psn password is psn_whatever then that's a bit of a defense, but if they happen to notice they'll just fix it up... psn_xyz is for PSN... so try bmo_xyz for Bank of Montreal, hsbc_xyz for HSBC...
The point is they rarely actually hit the bank's online web portal more than a few times. The big attacks take place offline on stolen databases.
Oh, I agree completely.
The infrastructure to range issue is absolutely a very important consideration when evaluating whether the car is right for you today.
But my point was rather that the real improvement needs to come from the infrastructure side rather then the car. The car itself has, perhaps not great, but adequate range.
And why not?
Because in the big scheme of things the internet isn't much more grandiose than a fancy telephone answering system like what any large corporation has.
When I'm on hold with AT&T I'm not in telespace. I don't have a virtual telepresence at AT&T. When my call is eventually connected to some fine chap in India I don't marvel that the two us are meeting in some virtual non-corporeal tele-reality.
Its also just as ubiquitous and just as democratic. Anyone can talk to anyone from anywhere, instantly.
I'm not looking to mock you, I'm just pointing out the logical flaw.
I remember BBS systems; and telneting into the university, and the rules back then were all perfectly rational without imagining being in some new space. The server was there. I was here. I communicated with the server. The laws that applied at the server applied at the server. The laws that applied where i was apply where I was.
The problem specifically addressed in the article is the idea that this isn't adequate, that cyberspace is 'somewhere else' where laws either don't go, don't apply, or need to be brought, or need to be fought off. The reality is the law applies and has always applied where the servers are, and where the participants are.
Some complexity arises due to instances where the law at the server and client but legally it really doesn't need to be more complicated then how we think about phone call.
Overnight charges before a short trip are unreasonable
Meh, my Porsche has a rated range of about 350 miles. That's really not all that much further than the Tesla S. And according to what I average, with my driving style its closer to 317.
Yet, I don't worry much about making "short trips" of a couple hundred miles even if the tank is only half full when I set out, for the simple reason that I am really rarely more than a couple dozen miles from a place to fill up, and there is pretty much always a gas station before any large stretches of highway.
That is really all the issue here with the Tesla. Its not the range so much that is a problem, but the availability of places to refill. If I can quick charge a Tesla S for 200 miles pretty much anywhere then I'll never have to do an overnight charge to get the 265 absolute max.
I'm not sure how ubiquitous fast-charge stations are for the tesla or electric cars in general in new york... or anywhere else for that matter. But if they can get even a good fraction of the penetration that regular gas stations have, the tesla's range is already good enough for most people. And its only going to get better.
- Jhon, from The Los Angeles, The California, The U.S.
Jhon, from the city of angels, the state of california, the united states of america
The problem is that Microsoft had the manufacturers use an implentation that's hard to use for non-Microsoft OS's.
How so? Any hardware vendor that wishes to release linux preinstalled hardware will have no difficulty whatsoever.
The only part that is 'harder' is taking windows pre-installed hardware and converting it to another operating system. And that is ENTIRELY THE POINT OF SECURE BOOT -- that there is something preventing arbitrary unknown software booting up with the PC... whether a rootkit, or the neighbor kid 'hacker' with a live thumbdrive etc. Now, sure, switching operating systems on a computer that shipped with Windows requires the owner either disable the lock, or re-key the system to run something else.
But how is that 'evil'? That's the reasonable price of increased security.
The FSF proposed a fair implementation, but Microsoft said no.
Which FSF proposal are you referring to specifically? The one where they wanted systems to be shipped with secureboot off and then users could turn it on? Resulting in piles of confused users, and users who left it off and needlessly reduced their own security? Yeah, that would have been great.
That alone proves what their goal is.
Even without knowing exactly what you are talking about, it proves nothing. There is nothing about the current secureboot implementation that is overly discriminatory against alternative operating systems.
http://en.wikipedia.org/wiki/Billion
Yeah, i agree its beyond stupid that we ended up with two different definitions of billion in wide use.
An honest person is honest because he is honest. He doesn't need anything to keep him honest.
Maybe. But we're talking about regular people not saints.
There's an awful lot of regular people who used napster, kazaa, and so forth. As those got shot down, a lot of them switched to convenient legal alternatives spotify, itunes, etc.
You can call them all dishonest people if you want. But the "old canard" about keeping honest people honest is really meant to apply to people like that. Most of us count them as honest people because they aren't exactly sociopaths and criminals with no regard for their fellow man... but if they can download something for free, nobody is visibly harmed, and its effortless then they will.
Make it just a little bit hard though, and they'll take the easier legitimate option.
he comparison assumes that you already have a server on hand. An accurate comparison would be if you were starting from scratch with nothing on hand.
Why would that be a more accurate comparison? He did have a server on hand. Many of us do. Many of our 'last desktops' are perfectly suited to be home servers. Mine is a Q6600 core 2 quad with 8GB of ram doing double duty as home server and htpc. I've got an E8400 core2duo with 8GB that I installed XenServer onto over the weekend just to fool around with. Lots of us have PCs to use as servers lying around.
Also, the comparison assumes you only need one IP address. With a VPS, you typically can get extra IP addresses for no additional charge.
I can't really see why anyone would need more than one IP address on it, especially since it's at home, and you have ready access to the console if there is an issue.
And lets not forget that servers need maintenance.
True enough. But lets not overstate the case either. I haven't done any hardware maintenance on either of my home servers in years. And running software updates from time to time is hardly a big commitment.
3 years ago I did have a server die, and it took around 6 hours and $100 in parts to resolve it.
Drives gotta get replaced probably at least once a year if you have any real kind of traffic on your site.
Say what now!?
That said the comparison was still pretty flawed. It didn't talk about what the bandwidth requirements were like at all. Maybe it fits comfortably into what he gets from his ISP particularly upstream, but I'm skeptical and it's something that should have been discussed.
And comparing the electrical usage as his sole cost center compared to effectively leasing hardware and service and concluding that raw electricity is cheaper is almost self evident to the point of not needing analysis.
Can I keep a server turned on for less money then it costs someone else to keep a server turned on while turning a profit, paying for advertising, replacing hardware, providing phone support, bandwidth, etc, etc, etc.
Gee I wonder.
It's healthier for society to accept that people change than to let everyone reenact 1984 every time they get nervous.
I can control what I do. I can't control whether or not 'society will accept that I've changed'.
As long as that remains true (and I don't see it changing anytime) only a fool will 'rely on society to accept...' anything, if they have any choice in the matter.
So what's the correct solution, other than solutions that pose a substantial entry barrier to non-malicious students and hobbyists?
Ok.
An operating system control system that allows the user to define app profiles that dictate what hosts it can connect to, what parts of the filesystem can be read / written, etc, etc. is the first part.
The 2nd part is letting e.g. antivirus / antimalware / new-category-of-security-solution providers hook into that system, so that end users can simply subscribe to app profiles from a 3rd party provider they trust to externalize the burden of auditing and creating the profiles.
my impression of these 'capabilities' protections is that they are not nearly specific enough to be of much use in practice.
I download a cloud contact sync program and it asks for permission to connect to the internet, and permission to scan my contacts.
So then it sends my contacts to a 3rd party spam outfit.
It asks for the ability to send/read sms because it has a feature to send contacts to other app users via sms. Cool.
So it sends copies of all my sms messages to a 3rd party. And sends sms advertising spam from my phone.
Its fundamentally broken idea in my opinion.
Several fans of game consoles and Apple consumer electronics would claim that some individual hardware owners can't be trusted not to disable security to see dancing animals, and taking control away from them is in their own good.
I'm sure you would even agree that this is true for some individual hardware owners, perhaps even most of them.
But the solution is not to take it away from them per se, but rather to easily enable them to delegate it to a 3rd party they trust.
The problem with, say, Apple, is that it asserts it is that trusted 3rd party and gives users no reasonable way to take control back from Apple and either exercise their own security or delegate to a different 3rd party -they- do trust.
Contrast that with Antivirus software for example. We select it, install it, and put some faith in its ability to identify malware while trusting it not to exceed that mandate. If it sees an infected file come in it quarantines it. The 'unsophisticated user' typically accepts the antivirus companies assessment of the file and moves on. Few will challenge the antivirus software and seek to disable it and restore the file from quarantine.
However, if the antivirus software were to start blocking things it really has no business blocking and which doesn't represent what the customers want from it they are free to uninstall it and switch to something else.
I can't recall what my brother was using, but one day a few months ago it up and blocked him from going to the pirate bay. He uninstalled it and uses something else now. This is pretty much ideal... we have an established a norm that one should have antivirus, but it is ultimately up to us, and we can change antivirus providers at will.
The reason viruses are such a problem is that blacklisting simply can't work, and "detecting malicious activity" is HARD. A white listing approach would in some environments be a lot more effective. And I've seen deployed in practice with excellent results in corporate environments.
I hate fuckers who make software designed to prevent computer users from using their computer.
What they are developing is really not fundamentally different from something like SELinux.
DRM is only evil because someone who is not the computer owner is unilaterally dictating what you can do with it.
Secureboot, SE Linux, and this stuff from bit9 are all tools that enable the owner of the computer to dictate what software is allowed to run on it.
Why shouldn't the owner decide that flash shall not have access to the internet? Or that flash shall not run. period.
The only time any of this is evil is when the owner isn't in control.
Add some spaces in there first of all, then throw in some punctuation, preferably bad punctuation and grammar.
In other words: take a very easy to remember password and cram it full of junk that makes it just as hard to remember as a classical password.
If you want more security than is offered by 4 words, use more words. The security gained by mangling the the words with misspellings and symbols is no better than simply adding another word or two. And adding words is easier then remembering where you jammed symbles in which words were capitalized, which were mis-spelled and precisely how you mis-spelled them, etc.
That said, I agree that using a larger dictionary is good. Throw in urbandictionary.com and brand names and place names.
Then once you've had a randomized password generated from all that, sure if you know French or Portuguese or Dutch or whatever throw in a foreign word as well. If your a mathematician or doctor or whatever throw in a formulas or other domain jargon that you'll find easy to remember.
I use Parallels every workday with XP, not Windows 7
I appreciate the data point that you've got XP running without issue; but its not exactly evidence that I've done something wrong with Windows 7.
Windows 7 x64 and Windows XP are not exactly the same thing.
Yes, IF it is RANDOMLY chosen from a DICTIONARY
By dictionary I postulate an electronic edition of a dictionary with the ability to spit out random words.
In fact, most dictionary websites already have the ability to do this, but I have no idea how truly random the randomizer is.
But one can easily imagine that it would not be difficult for them to create a suitable properly randomized passphrase generator if they were so inclined.
If I ask somebody for four random words it is unlikely they'll consult a dictionary, and it is also unlikely that they'll do anything involving true randomness. That means that the set of possible words being selected from is less than the entire English vocabulary, and some words are more likely to be chosen than others.
This is true, but its also true of 'traditional' passwords. Unless they use a password generator they aren't likely to be generating particularly 'randomized' passwords either.
And if we allow for them to be using a password generator then we can allow for the passphrase users to use a suitablly randomized one as well.
Mine's an early 2010 mbp. 13". upgraded cpu and ram; its got whatever nvidia solution was available for it. Although the 13" was a bit weaker performance-wise than the larger ones to start with. But I value the portability and knew that going in.
Even so, it rarely heats up in regular OSX at all, except when running games.
But the fans kick on pretty much as soon as I start a VM.
Its not bad if I'm at a desk, with an external keyboard / mouse etc. The performance is acceptable. The fan noise isn't excessive. But I bought the 13" portable to be portable so the heat and battery life issues are a real problem -- it gets uncomfortably hot to have on my lap and enough heat is radiating upwards that even the trackpad gets just warm enough to be noticeable and mildly uncomfortable.
"steaming pile of crap" might be an overstatement; but i envisioned myself being able to fiddle around in linux while on the couch and its just not quite acceptable for that. Or to have win7 idling in the background so i can check things with various win browsers ... and I can do that, i just don't leave windows idling between doing it.
I'll have to try Win 8 on it, thanks. I've got 8 on my HTPC so far, so that's where most of my real world hands-on with it has been, but if it runs in parallels better that would be a very nice bonus.
If you don't know what kind of a password someone uses,
That's an assumption we hadn't agreed on in advance. :)
There are many scenarios where you know what form someone's password takes. And there are many different password strategies, so even if you don't know an individuals strategy, trying common / probable ones first vs just treating it as a mindless brute force attack does work better on average.
Bottom line: most people don't use randomly generated strings. So working based on strategies is productive.
Never mind that when doing exhaustive searches, keeping track of all those special cases you might have tried, at some point will slow you down a lot. There's a point where the memory bandwidth demands for keeping track start exceeding any gains from limiting your search space. Trees quickly start suffering from cache locality issues :)
This is a fair point but there are strategies to address it. The simplest is to just allow yourself to retry passwords you already tried without worrying about it on later less specialized passes. If you can get more passwords faster it may be a fair trade off that the worst case running time is increased.
It also depends on the situation situations, hackers attacking a stolen database they won't be doing an exhaustive search anyway... rarely do they need to get into someone particulars account, rather they just want to get into anyone's accounts, or as many accounts as possible.
Throwing a botnet to work trying a million passwords at each of a million accounts will yield much more fruit than throwing that botnet towards trying a trillion passwords on one account... and possibly still not be anywhere near cracking it.
It is different in different locations - just ask the crew of the ISS
That's why we have standard gravity
http://en.wikipedia.org/wiki/Standard_gravity
and even a (non-SI) unit for it, the g
Yes, because people want what they ordered within a few days of ordering it. They do not want to make insurance claims even if they eventually get made whole.
So getting it to the customer right the first time has value.
Nope. Mangling it with symbols moves it into the symbol-by-symbol exhaustive search category
Nope. Mangling it with symbols is just mangling it with symbols.
Words + symbols does not transform the words into symbols.
Sure you assume that symbol frequencies are shaped in a certain way, so you can still do a tad better than fully exhaustive search where you start with all zeroes and go up, but it's really no worse than a similarly long bunch of random symbols with a certain distribution of individual symbols and maybe symbol pairs.
If you run the math on that claim that shaping symbol frequencies (and orderings) to put "words" ahead in the search you will find that the "tad better" is exactly the amount better that you'd get if you just considered it to be words + symbols in the first place.
When you are brute force searching spaces that big and accounting for letter arrangements, then something even like:
p!a$s%s~w*o$r#d
will fall out LONG before a truly random string.
I have that, well parallels instead of vmware, but same difference.
Honestly, it is not the best of both worlds, its steaming pile of crap. The Windows 7 VM runs ok, as does linux, not awesome just ok.
Meanwhile the laptop heats up and the fans come on the battery drains while you watch just having a VM open idling, never mind really doing anything in it.
I've switched to using RDP back to my windows desktop PC for most of of my windows needs. Runs well, and the macbook doesn't melt from trying to pretend its a workstation instead of a little power efficient laptop.
All that said, seriously, I'd just get windows 8. Spend half an hour or so configuring it properly ... e.g. map .jpg to use the desktop picture viewer instead of the metro app etc. Clean all the crap out of the start screen and really there is no big deal about 8.
An NFC enabled phone would be ideal. Store passwords on the phone.
Meanwhile police around the country are facing an epidemic of cell phone thefts.
everything is stored in one place that you always have access to.
Well, you have access to it unless it was stolen.
Or you dropped and it now its broken. ...
Or the battery is dead.
Or
Wouldn't some deliberate misspellings be sufficient for most of us? Such as "stapple" above? Try "Korrekt", and/or "batery".
Deliberate misspellings are great; in the sense that they dramatically increase the dictionary size.
But then you have to remember the specific misspellings you made. And the attacker would simply compensate by including all the common mispellings, leetspeak, lolcat spelling, etc to his attack dictionary:
so instead of just password: ... passwerd, passwurd...
he'll also try p4assw0rd, p455w0rd,
This adds' complexity and therefore adds security, but its harder to remember exactly what leetspeak or whatever you applied and exactly how you applied than it is to just add another word or two.
As always, if you want more security its generally easier to just add more words.
I don't know how password crackers work, but aren't they going to give up after hitting my bank account more than a few dozen/hundred tries, and move on to the next?
Typically they find a weakly protected password database online somewhere some random blog or forum or maybe something little higher profile like the Playstation network ... , they download it, and then attack it directly. Allowing them to try millions, even billions of attacks on all and any account in it using clusters of computers, GPUs, and whatever else they have at their disposal for parallel computing.
Then once they find a password; they'll take that and the user name / email address and shotgun it into any other site they can find to see if it works there too. Did you use the same password for Playstation as you did for your bank? Ooops. They're in.
If you were clever and did something like my psn password is psn_whatever then that's a bit of a defense, but if they happen to notice they'll just fix it up... psn_xyz is for PSN... so try bmo_xyz for Bank of Montreal, hsbc_xyz for HSBC...
The point is they rarely actually hit the bank's online web portal more than a few times. The big attacks take place offline on stolen databases.