Now, the NSA can do whatever they want, because they're completely A: outside of the USA B: totally foreign SIGINT
This is correct but also wrong.
For example, one thing the NSA can't do now is simply get a court to order the company to bend over, hand over the data, and then stick a gag order on it so the company isn't allowed to even resist.
By moving it outside the company, yes the NSA is now free to target them without restraint, but they are also free to talk about any attacks, and they are free to actively resist the NSA.
Also:
then they would be *safer* here in the USA where the NSA is not allowed to spy on them, because it's A: in the USA (FBI territory, right?)
Not really.
B: whoever it is would need a warrant.
Which they can get, from a secret court, that rubber stamps warrants. And they can also broadly interpret various legislation (Patriot Act, etc) to grant them all sorts of privileges to collect data without a warrant...
And again, if they have a warrant, with a silence gag on it, you cannot resist. In any other country, the NSA can attack you all they like - but you can defend yourself. They don't get to just order you around.
An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".
That's fair, but it's also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other hardware (e.g. smartphone/tablet/etc..)
It's not a practical solution if it doesn't actually exist.
Although there might be a market for such a device.
It also still requires you to memorize a password (even an easy one) for each situation. I have well over 100 passwords; and could not remember them all even if they were "easy" -- some I don't use for over a year at a time, unless I relied on a system -- and relying on a system breaks down as soon as a site is compromised as I would then need to come up with a new password that deviates from the "system".
I would suggest that perhaps a combination of the two is the holy-grail. Password safe-like functionality for the majority of relatively unimportant passwords, and then some dedicated hardware for a smaller subset of important passwords.
The only problem left is that we can't compute hashes in our head, but there are hardware answers to that.
At which point using a password safe(s) on a trusted device is basically the same thing. Except more convenient. Since you can have as many safes as you want, with an arbitrary number of records in them, protected by passwords as is suitable to the class of passwords in them. It's less data entry on average to retrieve a password, and it eliminates having to worry about which sites you need a 123!@# tacked on the end, and which sites don't, etc.
Decent password safes also let you securely store notes, usernames, urls, and so forth... which is often just as important and just as difficult to remember as the actual password.
You can concatenate a strong password system with their weak requirements, and the result is still strong.
But this requires I memorize "their weak requirements" for each site as this is not usually disclosed on the usual login page?!
And it still doesn't address the fact that if they get compromised I have to CHANGE my password.
If I'm using a 'system' to generate passwords, then I can't use that system for this site anymore, because the password the system generates for the site is compromised.
You could also use a system to vary the passwords. [... describes system loosely...]
The problem I have with systems like this is:
One site won't let you have punctuation... another site requires it. One site says your password is too short. Another says it's too long. A site that was happy with your "system" password gets hacked and you have to change it.... and these exceptions build up over time rendering the system an exercise in futility.
Then eventually you get fed up with the exceptions, devise a new system and start all over again...
But if you miss any sites when you switch over you have to retain your old system as well.
This sort of all defeats the purpose of a system.
So I have a loose system for the passwords I need daily. And a password app for everything else.
One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).
And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
I had a similar system for a while. The problem? One of the sites that had one of my passwords got hacked. Then I had to change it for every other site in that "category" which was a lot of sites, and I'm sure even now that I've missed some. Plus now I have to remember a new password; but still the old one for any sites I missed...
Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.
Because if some rinky-dink forum I use gets hacked I don't want to have to change my p/w on 40 other sites.
I still use passwords I can remember on sites I log into daily, but my utilities, random stores I rarely shop at, etc all have random strings in a password manager.
When some jackass on the Internet disagrees with reality, I'll go with reality
I'm not saying it didn't actually happen. I'm saying had you challenged it, they would legally have HAD to give you more time. Of course, if you didn't challenge it and just said ok, then it's ok. It's like the police demanding to search your car... if you say "ok"... then they can.
Well it did work just fine for me. So "doesn't always work" is probably accurate.
They changed the charge after I got there to one I wasn't prepared to disprove (but was no more valid).
Yeah that seems pretty dubious. But if they had actually pulled that on me I'd have responded that I'll need time to prepare a new defense against these new charges; and time to consult my lawyer.
There's no way they can charge you with a new offense AT YOUR TRIAL and then prosecute you for it immediately like that.
I got a ticket when I crashed a motorbike because the cop that responded thought I deserved punishment for his trouble of showing up. Speeding (30 in a 55,
Speeding is more than just exceeding the posted limit. Driving too fast to maintain safe control of the vehicle is illegal. You lost control of your vehicle. That the issue was your own inexperience more than the weather or the condition of the road doesn't really matter.
with lots of witnesses), and passing in a no-passing zone, because I crossed the center line when I crashed.
Crossing the center line (when not part of a legal passing maneuver) is also illegal.
You can of course legitimately argue that those aren't the best offenses to charge you under; and you might even be right. But face facts -- you were driving and you crashed and you were 100% responsible for the crash -- it's pretty hard to do that and not run afoul of the motor vehicle acts in some way.
so he flat made-up tickets unrelated to what I actually did
I think the tickets, while perhaps not ideal, were reasonable choices.
to make sure I got punished for bothering him on a Saturday Afternoon.
Perhaps; perhaps not. I don't know what happened, what the damage / injury level was. It certainly could have been him just being a dick -- or it could be that he felt you were a legitimate danger to yourself and to the public and wanted to send you that message.
At this moment, as rare as it might be it does happen,
Do you have actual stats on the frequency? Context is important after all. After all, people fall down and die in bathtubs more often than your scenario happens -- and it's the reason you need a gun. But what have you done to make your bathtub safe?
don't you have the right to defend yourself with the finest armament of your choice?"
Why? Because your life *might* at some point be at risk? Therefore you should, nay, MUST have the means to kill people via point-and-click in your closet? Maybe it's not-reasonable, but I'm not convinced by your argument that it's the only reasonable conclusion.
And not just you, a fine upstanding responsible adult, (that's you right?) but every American should have this option; no matter how stupid or irresponsible they prove themselves to be, and they shouldn't have to take any sort of firearms training or competency test to show they have any idea how to use one either. They should even be allowed to have one if they are clinically depressed, or taking anti-psychotics, or if they are habitual drug users etc without any sort of evaluation at all.
I own guns to protect myself from a crazed psychotic individual"
Maybe if you didn't let crazed psychotics have guns in the first place (see above) you wouldn't need to defend yourself against them with guns as often.
or government.
Wait, was it the government breaking down your closet door? No? I didn't think so. Someone mentioned dictators becoming president for life etc earlier -- have the rebels in the civil wars and rebellions that followed ever shown much difficulty getting their hands on small arms when it came time to fight? Large armaments sure - it's hard to get surface to air missiles, but pistols and rifles and such? They flow like water. Why do you think you need one in your closet in advance, just in case "of the government"?
The problem with phones is that you can lose them or break them or have them stolen. I agree that it's a good place to start, though.
How is that "not a problem" with a bracelet? Perhaps the bracelets are slightly less likely to be lost or stolen. Then again, I've found a lot more lost bracelets in the last 10 years than lost phones... and if they are valuable for identity theft, stealing them might well become a real thing.
Basic geometry dictates that any regular polygon can be inscribed in a circle.
The radius of the circle will be the distance from the center of the polygon to any point. And the diameter double that.
It's pretty self evident (and easily proven) that a regular polygon with an even number of sides will have pairs of parallel sides opposite each other.
It's pretty self evident (and easily proven) that these pairs of opposite sides form parallel chords.
Bisect the polygon through the centers of a pair of chords.
The length from the center of the circle to the center of a chord is necessarily less than the radius. (Because the chord is inside the circle.)
Therefore the length of the polygon from point to opposite point through the center is the diameter.
The length of the polygon from chord-center to chord center is less.
So it's clear you can rotate the polygon to align the chord centers of the cover with the points on the hole. Rotate the cover upright so that looking down, you are now fitting a line that is less than the distance between two points between two points.
That's because almost everyone in court for speeding is guilty and hoping for a reduced sentence or guilty and an idiot.
Yup plus
- guilty, but is protesting the system by showing up. (if they are going to steal $200+ from me via a speed trap, I'm going to at least force them to lose a percentage of that to paying a judge, and police officer, etc to formally take it from me. Especially when it was a BS speed trap on a stretch of road where the flow of traffic is always higher than the posted limit.)
- guilty, but hoping the police officer doesn't attend to win a default judgement. Hey, if you've got nowhere else to be that day, why not try for a free pass on a ticket.
- guilty, but the police officer screwed up the ticket. I've won on prima facie cases before.... well not won... in actual fact the police at the very last second asked that the case be dismissed. (So they too are playing the "hope I don't show up in court to win a default judgement game"; because they knew damned well they'd have lost their case the moment I opened my mouth.)
- actually not guilty; it happens. Especially with speed camera based systems, where the ticket was issued by mail.
or maybe have special contacts that doesn't pass any light from behind them but reflects what you want and be able to pass as someone else
Uh... no.
A rigid non-moving pattern, either complete, or just a partial overlay would be pretty trivially detectable by equipment programmed to look for it. (or monitored by a human being).
The iris is much more alive and dynamic than a fingerprint. That said, sure, I guess an iris scanner, made by the lowest bidder, with no eye towards security despite being a security device could fail spectacularly; and be just as happy with a random marble or contact lens as an actual iris.
With a PPI value, anyone can figure out if it will benefit them at their viewing distance, and based on that viewing distance, what resolution is their 'sweet spot'.
True enough.
The resolution value without the PPI is meaningless.
If you have the resolution value; and the screen dimensions you've got PPI, if you want it. Or you can add viewing distance and go straight for PPD.
PPI is, at best, an intermediate calculation step that really doesn't need to be used. I suppose it's somewhat useful to save you some calculation effort to find your sweet spot; but the truly educated don't need it and calculate it themselves. And the general consumer should really just be given PPD at standard viewing distances; with a caveat that human eyes get 400 PPD or 900PPD... or whatever the number is scientifically valid...
8k resolution is 7680x4320. At 32" that's only 275 PPI. My OnePlus One phone is 400 PPI, and even an iPhone manages 325 PPI. It's not actually that extreme for the largest monitor you would reasonably want on a typical desk.
PPI is a meaningless stat. An inch 11 feet away (my TV) is not the same as an inch 3' away (my PC monitors), is not the same as an inch 12" away (roughly where I usually hold my phone.)
Pixels per degree (of field of view) is what matters. This is why a phone needs hundreds of PPI while a movie theatre 40 feet away needs a fraction of that to look just as good. The human eye only has so many receptors after all.
There is some debate on just how many pixels per degree the human eye can discern, and things like moire patterns and aliasing show that humans can detect "artifacts" in motion even when the actual resolution is sufficient for a still image. But whatever we come to agree the maximums of human eyesight are, it will be the case that we will need more PPI in a phone than a monitor, and in a monitor than a TV.
Like I said, I think long term 8k and beyond is going to happen and desirable. But today, the price premium and performance hit to driving that many pixels just isn't justifiable.
For games, just run at 1/2 or even 1/4 (full HD) of the native resolution and there are no scaling issues.
Thanks, although that's a use case for something that needs extremely high resolution it's not a use case for that high of a resolution on an iMac screen. Unless I sit 1.5 inches from it.
Ok, that's fair. Although the bitcoin attack amounted not to reading any data, but rather deducing the key over watching several iterations of it being used to encrypt. So they were able to get some insight into what the key must be by watching how the hashing algorithm operated using it.
Neat stuff.
A theoretical similar attack might be to watch a browser use its https session key to grab the key, and then allow a malicious user to decrypt the https stream (assuming they had a separate means to capture / record that...) and that would be pretty bad.
I was already on board with this being fixed, and it seems that preventing browser javascript from having access to high resolution timers is a "quick fix" until something better comes along.
Oh I know it can be done; but thanks for providing the proper name, acronym, and citation.
Thus with a big enough incentive (such as getting access to your bank account) the danger is real.
But that's what I'm not seeing. The cache usage fingerprinting, at worst, knows when I visit my bank*
But it can't steal my bank account number or password. Whether my password is 1-2-3-4 or 4-3-2-1 is not going to be discernible from a cache timing side channel attack. They won't get my bank account number either.
At worst they might be able to guess how many characters it is.* (And only if I type it... which I don't... I use a password safe, and copy/paste it. So maybe they can detect a copy/paste event.... )
But the practical security risk is pretty minuscule. They can't get access to my bank account... some random website "striking the jackpot" now knows that somebody on the internet uses bank X with a password of 11 characters.
I could have told you that.
How do they get access to my bank account with that?
I could literally log onto Amazon, add a credit card to my account, and have this side channel attack running the whole time... and at WORST... some malicious website now knows that a person at my IP address... wait for it... has a VISA credit card. I can live with that.
What is the real risk here?
* Note, this attack is bad enough that YES, we ABSOLUTELY should be looking to close the holes, and disrupt or block the side channel to make this impossible in the future. But what is a real practical attack that could really actually harm me from this?
I suspect this is the old "set up a webgl context, read back a framebuffer, maybe you will see some old shit in the framebuffer" attack that Microsoft used to attack WebGL back in the day.
No. That's not it I don't think. (And the guard for that is trivial; zero the memory in all allocations.)
(Although a user process shouldn't even be able to read "someone else's cache"; it should only be able to read from the cache something cached from its own process/address space so all it should be able to see is its own old shit.)
From my skim of the attack; I think it's using high resolution timers plus carefully crafted memory usage to force the cache to flush/reload etc to detect "fingerprints" for certain types of activity... e.g. I could see how maybe one could craft a "signature" for what Chrome looks like when loading a particular web page. Or a signature for Outlook starting up... etc.
And then you could watch for that sequence of cache event / timings (ie watch for the "signature" and discover with high reliability when that event happened.)
But I fail to see how this translates into being able to log keystrokes, steal encryption keys, steal data, or anything else.
It seems to me roughly the equivalent of monitoring the energy draw of a home and being able to determine when the fridge, stove, vacuum, TV, or microwave, or hair dryer, are being turned on and off... provided you know what make and model of each they have. And then based on durations and so forth you can make educated guesses whether they heated some soup or are roasting a turkey, or whether it's the short haired mother or the long haired daughter who is drying her hair...
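Added example (not part of the original comments, and not code from the research being discussed): a JavaScript model of why coarsening the timer, the "quick fix" mentioned above, removes the cached/uncached distinction from a single timed access. The latencies, jitter and timer resolutions are constructed values rather than measurements, and `makeClock` and `classificationAccuracy` are hypothetical helpers.

```javascript
// Constructed model values: NOT measurements from a real CPU or browser.
const HIT_NS = 80;      // assumed duration of an access served from cache
const MISS_NS = 300;    // assumed duration of an access that goes to memory
const JITTER_NS = 20;   // assumed +/- noise on each access
const THRESHOLD_NS = (HIT_NS + MISS_NS) / 2;

// Small deterministic PRNG (mulberry32) so every run gives the same numbers.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// A clock that only ever reports multiples of its resolution, which is
// what a clamped timer looks like to the script reading it.
function makeClock(resolutionNs) {
  return (trueNs) => Math.floor(trueNs / resolutionNs) * resolutionNs;
}

// Time one access with the coarsened clock, guess "cached" or "uncached"
// from the reading, and return the fraction of guesses that were right.
// Half the trials are hits and half are misses, so 0.5 means the timer
// tells the observer nothing.
function classificationAccuracy(resolutionNs, trials = 20000, seed = 1) {
  const rand = mulberry32(seed);
  const now = makeClock(resolutionNs);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isMiss = i % 2 === 1;
    const start = rand() * 1e9; // access begins at an arbitrary moment
    const duration =
      (isMiss ? MISS_NS : HIT_NS) + (rand() * 2 - 1) * JITTER_NS;
    const measured = now(start + duration) - now(start);
    const guessMiss = measured > THRESHOLD_NS;
    if (guessMiss === isMiss) correct++;
  }
  return correct / trials;
}

// Constructed resolutions: 1 ns (fine-grained), 5 us and 100 us (clamped).
for (const res of [1, 5000, 100000]) {
  console.log(`${res} ns timer -> accuracy ${classificationAccuracy(res)}`);
}
```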
lol :)
But in all truth it is illegal for a repossessor to go into a private building, or enclosed locked area without permission from the owner of the property.
There are lots of problems with this:
Arbitrage between different markets for one.
There is a lack of transparency inherent in using a random generator. If it gets manipulated it would be very difficult to detect or audit that the times selected were in fact random.
The idea of a guarantee of at least 6 hours; or any other sort of timing guarantee allows for statistical optimization of timing trades etc.
Keeping the book secret is another requirement you have, but it is impractical, and is difficult to audit or enforce. Large brokerages inherently know what orders are placed through them, and may have means to spy on competing brokerages for advantage. So even if the book is "secret" large players will need to have a good idea what is in it, just to track their own customers' trades.
It's not practical.
Why not take orders in real time, but only execute them each hour on the hour?
Here's a counter scenario. Suppose you put in a sell order for companyX for 20,000 shares @ Y$.
Y$ is say $1 above the trading activity over the last hour, and a nickel over the average price for the last month. Over the last three months it's traded within a 2$ band. Long story short this is a pretty reasonable trade. You're looking to unload a position at just above market rates... and over the next week odds are you will succeed.
20 minutes after you place it, word hits the street that the company's landed a huge patent or whatever, and the value of the company is going to go through the roof.
You're sitting there with 40 minutes on a sell that somebody else is going to come along and just scoop. You'd cancel if you could, right... why does someone else get to lock in a buy based on information that came out after you posted the sale. How is that fair.
On the other hand, if you ARE allowed to cancel, then traders can spam the market with a zillion trades, and then cancel the ones they don't want at the last second, millisecond, microsecond....
A somewhat real time market is good. I think. A 1 second resolution is my preference. That eliminates a lot of HFT crap without the issues described above.
A 0.01 cent fee (tax) per trade listed, whether it closes or not also gets rid of a bunch of bogus manipulative crap.
Or simply making it such that every trade must be individually entered and confirmed by a human being responsible for the trade.
"Access without authorization" is best defined as, well, access without authorization.
Intent is frequently considered in the prosecution of crime. And evidence of intent can and should dramatically change the sentencing.
If I come home and find a note that my lock is weak pasted to my fridge, and my home otherwise undisturbed that's one thing. (And the perpetrator should be caught and punished.)
But if I come home and find you busily listing all my stuff on craigslist, while you arrange it all at the door for people to come pick up... Even if a sale hasn't actually been completed and nothing is actually missing yet.
It's still something else entirely, and we both know it.
and they have even anecdote to boot.
I'm with you. My kids are vaccinated. I'm not an antivaxxer. I recognize the science is valid.
However, what about the anecdotes? I even have one myself.
One of our friends' daughters went in for a vaccination shot, reacted badly to it (high fever, seizures, rushed to hospital...). She was around 3, she was communicative (limited vocabulary and speech), walking, made eye contact, etc... came home from the hospital - massive regression to earlier state, and subsequently diagnosed as autism.
You can show me as many studies as you like. But the anecdote still sits there. I know the little girl. It happened.
The vaccination event in that child's case clearly seems to have triggered the onset of autism.
And that deserves an explanation. And a better one than "You're a crazy loon, we have a study that shows your reality didn't happen."
So I don't know. Maybe the studies aren't big enough. Can they catch a 1 in 100,000 event? Or 1 in 1 million? Maybe the risk is that small. Or maybe the child would have developed autism anyway so the vaccine as a trigger event was just that and triggered something today that would have happened anyway next month or next week or the next time the kid caught a cold so the overall autism rates aren't affected; and all the vaccine did was move the onset date to "today" instead of "some other day".
I just don't know. I believe the science. I think the benefits of vaccination are clear, and the studies show pretty clearly that autism is not a significant risk. However, I also believe the anecdotes -- not enough to let them change my behaviour with respect to vaccination, but enough that I think we haven't laid this issue to rest yet, and think it does need to be explained properly.
For 4X there is a simple AI strategy that would incredibly piss off players: Borg diplomacy. At the first turn all AI players do a distributed roll of dice to select the borg player. Every other bot transfers all his resources to the borg or does everything for the borg to win.
One of the constraints for any interesting solution is that the AIs not prioritize beating the human player over the other AIs; and that the AIs are each playing to win themselves.
Now, the NSA can do whatever they want, because they're completely
A: outside of the USA
B: totally foreign SIGINT
This is correct but also wrong.
For example, one thing the NSA can't do now is simply get a court to order the company to bend over, hand over the data, and then stick a gag order on it so the company isn't allowed to even resist.
By moving it outside the company, yes the NSA is now free to target them without restraint, but they are also free to talk about any attacks, and they are free to actively resist the NSA.
Also:
then they would be *safer* here in the USA where the NSA is not allowed to spy on them, because it's
A: in the USA (FBI territory, right?)
Not really.
B: whoever it is would need a warrant.
Which they can get, from a secret court, that rubber stamps warrants. And they can also broadly interpret various legislation (Patriot Act, etc.) to grant them all sorts of privileges to collect data without a warrant...
And again, if they have a warrant, with a silence gag on it, you cannot resist. In any other country, the NSA can attack you all they like - but you can defend yourself. They don't get to just order you around.
An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".
That's fair, but it's also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc.)
It's not a practical solution if it doesn't actually exist.
Although there might be a market for such a device.
It also still requires you to memorize a password (even an easy one) for each situation. I have well over 100 passwords; and could not remember them all even if they were "easy" -- some I don't use for over a year at a time, unless I relied on a system -- and relying on a system breaks down as soon as a site is compromised as I would then need to come up with a new password that deviates from the "system".
I would suggest that perhaps a combination of the two is the holy-grail. Password safe-like functionality for the majority of relatively unimportant passwords, and then some dedicated hardware for a smaller subset of important passwords.
I read your link.
The only problem left is that we can't compute hashes in our head, but there are hardware answers to that.
At which point using a password safe(s) on a trusted device is basically the same thing. Except more convenient. Since you can have as many safes as you want, with an arbitrary number of records in them, protected by passwords as is suitable to the class of passwords in them. It's less data entry on average to retrieve a password, and it eliminates having to worry about which sites you need a 123!@# tacked on the end, and which sites don't, etc.
Decent password safes also let you securely store notes, usernames, urls, and so forth... which is often just as important and just as difficult to remember as the actual password.
You can concatenate a strong password system with their weak requirements, and the result is still strong.
But this requires I memorize "their weak requirements" for each site as this is not usually disclosed on the usual login page?!
And it still doesn't address the fact that if they get compromised I have to CHANGE my password.
If I'm using a 'system' to generate passwords, then I can't use that system for this site anymore, because the password the system generates for the site is compromised.
You could also use a system to vary the passwords.
[... describes system loosely...]
The problem I have with systems like this is:
One site won't let you have punctuation... another site requires it. One site says your password is too short. Another says it's too long. A site that was happy with your "system" password gets hacked and you have to change it.... and these exceptions build up over time rendering the system an exercise in futility.
Then eventually you get fed up with the exceptions, devise a new system and start all over again...
But if you miss any sites when you switch over you have to retain your old system as well.
This sort of all defeats the purpose of a system.
So I have a loose system for the passwords I need daily. And a password app for everything else.
One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).
And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
I had a similar system for a while. The problem? One of the sites that had one of my passwords got hacked. Then I had to change it for every other site in that "category" which was a lot of sites, and I'm sure even now that I've missed some. Plus now I have to remember a new password; but still the old one for any sites I missed...
Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.
Because if some rinky-dink forum I use gets hacked I don't want to have to change my p/w on 40 other sites.
I still use passwords I can remember on sites I log into daily, but my utilities, random stores I rarely shop at, etc all have random strings in a password manager.
When some jackass on the Internet disagrees with reality, I'll go with reality
I'm not saying it didn't actually happen. I'm saying had you challenged it, they would legally have HAD to give you more time. Of course, if you didn't challenge it and just said ok, then it's ok. It's like the police demanding to search your car... if you say "ok"... then they can.
Doesn't work.
Well it did work just fine for me. So "doesn't always work" is probably accurate.
They changed the charge after I got there to one I wasn't prepared to disprove (but was no more valid).
Yeah that seems pretty dubious. But if they had actually pulled that on me I'd have responded that I'll need time to prepare a new defense against these new charges; and time to consult my lawyer.
There's no way they can charge you with a new offense AT YOUR TRIAL and then prosecute you for it immediately like that.
I got a ticket when I crashed a motorbike because the cop that responded thought I deserved punishment for his trouble of showing up. Speeding (30 in a 55,
Speeding is more than just exceeding the posted limit. Driving too fast to maintain safe control of the vehicle is illegal. You lost control of your vehicle. That the issue was your own inexperience more than the weather or the condition of the road doesn't really matter.
with lots of witnesses), and passing in a no-passing zone, because I crossed the center line when I crashed.
Crossing the center line (when not part of a legal passing maneuver) is also illegal.
You can of course legitimately argue that those aren't the best offenses to charge you under; and you might even be right. But face facts -- you were driving and you crashed and you were 100% responsible for the crash -- it's pretty hard to do that and not run afoul of the motor vehicle acts in some way.
so he flat made-up tickets unrelated to what I actually did
I think the tickets, while perhaps not ideal, were reasonable choices.
to make sure I got punished for bothering him on a Saturday Afternoon.
Perhaps; perhaps not. I don't know what happened, what the damage / injury level was. It certainly could have been him just being a dick -- or it could be that he felt you were a legitimate danger to yourself and to the public and wanted to send you that message.
At this moment, as rare as it might be it does happen,
Do you have actual stats on the frequency? Context is important after all. After all, people fall down and die in bathtubs more often than your scenario happens -- and it's the reason you need a gun. But what have you done to make your bathtub safe?
don't you have the right to defend yourself with the finest armament of your choice?"
Why? Because your life *might* at some point be at risk? Therefore you should, nay, MUST have the means to kill people via point-and-click in your closet? Maybe it's not-reasonable, but I'm not convinced by your argument that it's the only reasonable conclusion.
And not just you, a fine upstanding responsible adult, (that's you right?) but every American should have this option; no matter how stupid or irresponsible they prove themselves to be, and they shouldn't have to take any sort of firearms training or competency test to show they have any idea how to use one either. They should even be allowed to have one if they are clinically depressed, or taking anti-psychotics, or if they are habitual drug users etc. without any sort of evaluation at all.
I own guns to protect myself from a crazed psychotic individual"
Maybe if you didn't let crazed psychotics have guns in the first place (see above) you wouldn't need to defend yourself against them with guns as often.
or government.
Wait, was it the government breaking down your closet door? No? I didn't think so. Someone mentioned dictators becoming president for life etc. earlier -- have the rebels in the civil wars and rebellions that followed ever shown much difficulty getting their hands on small arms when it came time to fight? Large armaments sure - it's hard to get surface to air missiles, but pistols and rifles and such? They flow like water. Why do you think you need one in your closet in advance, just in case "of the government"?
The problem with phones is that you can lose them or break them or have them stolen. I agree that it's a good place to start, though.
How is that "not a problem" with a bracelet? Perhaps the bracelets are slightly less likely to be lost or stolen. Then again, I've found a lot more lost bracelets in the last 10 years than lost phones... and if they are valuable for identity theft, stealing them might well become a real thing.
Basic geometry dictates that any regular polygon can be inscribed in a circle.
The radius of the circle will be the distance from the center of the polygon to any point. And the diameter double that.
It's pretty self evident (and easily proven) that a regular polygon with an even number of sides will have pairs of parallel sides opposite each other.
It's pretty self evident (and easily proven) that these pairs of opposite sides form parallel chords.
Bisect the polygon through the centers of a pair of chords.
The length from the center of the circle to the center of a chord is necessarily less than the radius. (Because the chord is inside the circle.)
Therefore the length of the polygon from point to opposite point through the center is the diameter.
The length of the polygon from chord-center to chord center is less.
So it's clear you can rotate the polygon to align the chord centers of the cover with the points on the hole. Rotate the cover upright so that looking down, you are now fitting a line that is less than the distance between two points between two points.
The cover will drop into the hole.*
* assuming it's not too thick
Q.E.D.
That's because almost everyone in court for speeding is guilty and hoping for a reduced sentence or guilty and an idiot.
Yup plus
- guilty, but is protesting the system by showing up. (If they are going to steal $200+ from me via a speed trap, I'm going to at least force them to lose a percentage of that to paying a judge, and police officer, etc. to formally take it from me. Especially when it was a BS speed trap on a stretch of road where the flow of traffic is always higher than the posted limit.)
- guilty, but hoping the police officer doesn't attend to win a default judgement. Hey, if you've got nowhere else to be that day, why not try for a free pass on a ticket.
- guilty, but the police officer screwed up the ticket. I've won on prima facie cases before. ... well not won... in actual fact the police at the very last second asked that the case be dismissed. (So they too are playing the "hope I don't show up in court to win a default judgement game"; because they knew damned well they'd have lost their case the moment I opened my mouth.)
- actually not guilty; it happens. Especially with speed camera based systems, where the ticket was issued by mail.
or maybe have special contacts that don't pass any light from behind them but reflect what you want and be able to pass as someone else
Uh... no.
A rigid non-moving pattern, either complete, or just a partial overlay would be pretty trivially detectable by equipment programmed to look for it. (or monitored by a human being).
https://www.youtube.com/watch?...
The iris is much more alive and dynamic than a fingerprint. That said, sure, I guess an iris scanner, made by the lowest bidder, with no eye towards security despite being a security device could fail spectacularly; and be just as happy with a random marble or contact lens as an actual iris.
With a PPI value, anyone can figure out if it will benefit them at their viewing distance, and based on that viewing distance, what resolution is their 'sweet spot'.
True enough.
The resolution value without the PPI is meaningless.
If you have the resolution value; and the screen dimensions you've got PPI, if you want it. Or you can add viewing distance and go straight for PPD.
PPI is, at best, an intermediate calculation step that really doesn't need to be used. I suppose it's somewhat useful to save you some calculation effort to find your sweet spot; but the truly educated don't need it and calculate it themselves. And the general consumer should really just be given PPD at standard viewing distances; with a caveat that human eyes get 400 PPD or 900 PPD... or whatever the number is scientifically valid...
8k resolution is 7680x4320. At 32" that's only 275 PPI. My OnePlus One phone is 400 PPI, and even an iPhone manages 325 PPI. It's not actually that extreme for the largest monitor you would reasonably want on a typical desk.
PPI is a meaningless stat. An inch 11 feet away (my TV) is not the same as an inch 3' away (my PC monitors), is not the same as an inch 12" away (roughly where I usually hold my phone.)
Pixels per degree (of field of view) is what matters. This is why a phone needs hundreds of PPI while a movie theatre 40 feet away needs a fraction of that to look just as good. The human eye only has so many receptors after all.
There is some debate on just how many pixels per degree the human eye can discern, and things like moire patterns and aliasing show that humans can detect "artifacts" in motion even when the actual resolution is sufficient for a still image. But whatever we come to agree the maximums of human eyesight are, it will be the case that we will need more PPI in a phone than a monitor, and in a monitor than a TV.
Like I said, I think long term 8k and beyond is going to happen and desirable. But today, the price premium and performance hit to driving that many pixels just isn't justifiable.
For games, just run at 1/2 or even 1/4 (full HD) of the native resolution and there are no scaling issues.
Rather defeating the point of the investment.
Thanks, although that's a use case for something that needs extremely high resolution, it's not a use case for that high of a resolution on an imac screen. Unless I sit 1.5 inches from it.