Store the sha1 hash of the password. Then, when the user inputs "open sesame", compare sha1("open sesame") to the stored hash. If they're the same, assume the user input the right password.
(Other cryptographic hash functions will do, and you probably want to add salt, but that's the basic idea.)
Well yes, true, that's the basic idea. But as you probably also know, if you really want a secure system there's a lot more to it than just storing a hash along with a salt.
You'll now need to protect the storage where you keep your hashes, to prevent the evildoer from overwriting your hash with a value of his own choosing.
You'll also need to protect the code accessing the storage, as well as every piece of code along the path, to ensure that the evildoer doesn't shortcut the authentication.
It doesn't exactly make your life any easier that we're talking about Windows 95 here. All jokes aside, I sincerely doubt that this would even be possible without a complete rewrite of the OS.
But yes, if you are on a system that gives you all that you need for free without adding to the complexity of your code then by all means, go for the secure solution.
For instance, the windows 95 screen saver password (at most 14 characters) was stored in the registry, xor'ed with a fixed key of length 14. Probably a const char screen_saver_xor_pad[14] = [...], "safely" hidden away in some undisclosed source code. Security by obscurity.
Storing passwords securely is anything but trivial, and in almost all other situations I'd suggest a slightly more advanced approach. In this case however I'd say that the simple XOR does the job quite well: It ensures that an evildoer glancing over your shoulder while you browse your registry won't be able to snoop your password, as memorizing a sequence of 28 semi-random hexadecimal digits is quite a lot harder than memorizing say 'Open Sesame'. Yes, it's hopelessly insecure if the evildoer gains access to your box, but in that case losing your screen saver password should be the least of your worries.
A significant part of the job of designing secure systems is identifying when it's necessary to roll in the big cannons.
I'm not too sure that we disagree on anything at all here. I just thought it interesting that you brought up an example where security through obscurity was plenty sufficient.
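The two approaches the thread contrasts, as an added Python example that is not code from any of the posts or from Windows 95: a fixed-pad XOR store (the 14-byte pad below is a constructed placeholder, not the real screen-saver key) beside a salted, iterated hash verified with a constant-time compare. It also shows why the XOR scheme is obscurity rather than security: one known password/stored-value pair gives back the pad, which then decodes every other value stored under it, and equal passwords always produce equal blobs.

```python
"""Added example for this thread (not code from any post or from Windows 95):
fixed-pad XOR obfuscation next to a salted, iterated password hash."""
import hashlib
import hmac
import os

# Constructed 14-byte pad standing in for the hypothetical
# `const char screen_saver_xor_pad[14]` from the thread; not the real key.
XOR_PAD = bytes.fromhex("3a7f1c55e2099bd4406c17f8a1b3")

PBKDF2_ITERATIONS = 100_000


def xor_obfuscate(password: str) -> bytes:
    """Store a password of at most 14 ASCII characters XOR'ed with the fixed pad."""
    data = password.encode("ascii")
    if len(data) > len(XOR_PAD):
        raise ValueError("password longer than the 14-byte pad")
    return bytes(p ^ k for p, k in zip(data, XOR_PAD))


def xor_deobfuscate(blob: bytes, pad: bytes = XOR_PAD) -> str:
    """XOR is its own inverse: applying the pad again yields the password."""
    return bytes(c ^ k for c, k in zip(blob, pad)).decode("ascii")


def recover_pad(known_password: str, stored_blob: bytes) -> bytes:
    """Why this is obscurity, not security: one known password/blob pair
    yields the pad (up to the password's length), and that pad decodes every
    other value stored under it.  Two users with the same password also get
    identical blobs, since nothing per-user goes into the computation."""
    return bytes(p ^ c for p, c in zip(known_password.encode("ascii"), stored_blob))


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, iterated hash: a fresh random salt per password means equal
    passwords hash differently and precomputed tables don't apply."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time (hmac.compare_digest), so the
    comparison does not leak how many leading bytes matched."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    blob = xor_obfuscate("open sesame")
    print("xor blob:", blob.hex())  # 22 hex digits that look random over a shoulder
    pad = recover_pad("open sesame", blob)
    print("pad recovered from one known pair:", pad == XOR_PAD[: len(pad)])
    print("decodes another user's blob:", xor_deobfuscate(xor_obfuscate("hunter2"), pad))
    salt, digest = hash_password("open sesame")
    print("salted hash verifies:", verify_password("open sesame", salt, digest))
    print("wrong password rejected:", verify_password("Open Sesame", salt, digest))
```

The shoulder-surfing case the post describes is exactly what the XOR blob handles: it hides the text from a glance. Everything else in the thread (protecting the storage and the code path) applies equally to both schemes, which is why the hash only pays off on a system that can actually enforce that protection.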
[...] modern and useful layers of abstraction and code checking that were already in Java (typed delegates, generic types, garbage collection, etc)
I'm not trying to start a war here, but Java delegates?
Also Java's Generics by Type Erasure are nothing more than compiler-inserted typecasts - I imagine Sun wanted to maintain compatibility with existing JREs - whereas C#/CLI generics are the real thing.
Java is still there.
True, and Java will probably be around longer than any of us, but while C# seems to be alive and thriving (LINQ, lambda-expressions, inferred types), it looks to me as if Java has lost much of its momentum.
Mininova and other websites took over as the leading Torrent hubs.
Just to correct an all too common misunderstanding, Mininova really cannot be compared to The Pirate Bay.
Mininova is nothing more than an index.
Mininova does not operate a tracker.
The majority (if not all) of the torrent files found at Mininova would be pretty useless if the Pirate Bay servers weren't around to do the heavy lifting.
The torrent network really isn't as decentralized as most people seem to think; torrent traffic would take a major hit if the servers at TPB were shut down... at least for a while.
Why would people hate Microsoft for making available a free release candidate of their new OS that can be used with no restriction for the next 11 months?
Do you honestly believe that it's to cater for the needs of home users that XP is still around?
Home users aren't the ones causing Microsoft to worry about the adoption of Windows 7. Most home users don't even pay much attention to the operating system. They'll use whatever comes with the Dell they got, as long as it allows them to surf the web, write the occasional document in Word and load music to their iPod - things that work well on Vista.
Enterprises however, who hold several million worth of internally developed business critical software - code that relies on all the cracks and crooked ends of XP; these are the ones causing sleepless nights at Redmond.
I wouldn't be surprised if these are the same people who complain, "Why does Microsoft spend all its effort on making Windows 'look cool'? They should spend all their efforts on making technical improvements and just stop making visual improvements."
And with Calc, that's exactly what happened: Massive technical improvements. No visual improvement. And nobody noticed. In fact, the complaints just keep coming. "Look at Calc, same as it always was."
The innards of Calc - the arithmetic engine - were completely thrown away and rewritten from scratch. The standard IEEE floating point library was replaced with an arbitrary-precision arithmetic library. This was done after people kept writing ha-ha articles about how Calc couldn't do decimal arithmetic correctly, that for example computing 10.21 - 10.2 resulted in 0.0100000000000016.
Just for the record, most of the IRC bots out there are based on either the SDBot or the Agobot/Phatbot code base.
Both source bundles are actually released under the GPL, though of course it really doesn't make any sense once you think about it.
Getting hold of the source doesn't require much effort. Just Google for phatbot+agobot+rapidshare and the first hit will give you 23.5MB of source code, documentation, and build tools.
I've never bothered to take a look at the SDBot source, but the Agobot source bundle packs quite a lot of punch, including among other things: the required IRC client and command interpreter, code for harvesting information from the host, packet sniffing, for orchestrating a DDoS attack, for acting as a web-proxy, and an already large collection of target exploits. The design is straightforward and I'd say that most people with a bit of coding experience would be able to add the new exploit.
It's probably a fact, but while the programmer in me is having a hard time accepting this I'm not entirely convinced that it's a sad fact.
Users are rarely idiots. It may well be that the bells-and-whistles version, despite all its flaws, cracks and leaks, will fit their needs better than the trimmed down version.
To be fair, the cheap stab at Microsoft was added by the submitter or the editor, in an attempt to stir up the pot a bit.
Other than that, yes, your assessment is spot on.
While the reduction in network throughput is real and verifiable, there's really no reason to believe that it should be related to DRM in any way - the throttling sets in when playing back uninfected media as well.
But don't take my word for it, Mark Russinovich shed a bit of light on things in a posting on his blog.
There ya go, myth verified.
A link to unfounded speculation here on slashdot hardly qualifies as proof now does it? No, in fact you ended up confirming what you set out to refute ;-)
I doubt they ever will. ISO is about a lot more than just the OOXML. Consider the number of standards a company like IBM needs to deal with on a daily basis. Giving up their rights to influence what goes into said standards because of one failed process wouldn't make any sense from a business point of view.
What do you call all that stuff that runs on top of the Linux kernel?
Exactly that, "stuff that runs on top of the kernel". There's no such thing as an operating system without a kernel (and no posting of links to Wikipedia will change that).
RMS may have accomplished much of what he set out to do, but creating an operating system isn't among his achievements (and probably never will be, HURD failed and now the gap has been filled by Linux).
Then your Firefox installation has somehow gotten borked.
On a fully patched XP system with Firefox 3.0.11 set as the default browser Explorer launches FF as it should.
Actually, I just checked on a second system, same thing. So, it's at most a 33% lie ;-)
Actually that's what you're getting. Explorer != IE.
If you type a URL in the address bar of Explorer, it'll launch your default browser, and not IE as the GPP wrongly claims.
Only if you've set IE as your default browser.
...and we've already discussed it here at least once: http://tech.slashdot.org/article.pl?sid=09/02/01/2143218
Actually most people already do.
Perhaps you've been hanging around here for too long, Mr 130905 ;-)
You really must be new around here... ;-)
-1 Clueless
I guess you didn't bother to read past the fourth paragraph?
And somehow managed to miss this nugget:
Right!
This is actually not the first time Calculator has received an update, but of course when you change the insides, nobody notices:
So, in this case I'd say that McAfee are spot on.
Priceless!
What evidence? Seriously, I'm curious.
You've probably got the article "The Final Hours of Half-Life 2" in mind; it was posted on GameSpot back in November 2004. Gabe Newell tells about his encounter with DaGuy on page 21, "I'm Getting My Crowbar".
The 25-page article covers quite a bit of ground. Slightly dated perhaps, but still a great read.
Sorry for straying off-topic, but no. Dictionaries document languages; they do not define any.
No, they've threatened to do so, but as of yet haven't resigned.
"Don't trust anyone under 25" -- John Holmes
Sorry, but I don't think the word innovative means what you think it means:
> Apple is doing something innovative in comparison to what Intellisync is doing. It's obvious, but also different.
Different perhaps, but don't mistake being different for being innovative.
> I haven't seen it anywhere in any OS or operating environment, and in that case it is innovation.
Again no. Don't mistake not done before for innovative either.
> Obvious, but innovative.
You deliver the fatal blow, yet somehow fail to notice your kill... If it's obvious, then it definitely does not qualify as being an innovation.