Comment Re:Well now (Score 2) 747

Yes, because a check fraud conviction with a judicially applied condition of not using the Internet except under approval of the court appointed authority is such an uncommon offense against free speech that I've seen and heard it described as "a routine condition". When one is convicted of a crime, one loses certain rights. That's completely consistent with the 14th amendment, deprivation of liberty with due process.

Comment Re:No (Score 2, Insightful) 729

I've come face to face with the "pre-union" results of education. Students who didn't perform were socially promoted, stuck in the back of the class because they knew they couldn't flunk the student out and didn't want to deal with them for another year. Better to just hand them off to the next teacher.

The result is adults who cannot read even now in their 60s or older. Any math beyond making change? Impossible.

Their education level was so rudimentary that a modern fifth grader is expected to know more reading, more math, more history (except for the parts these older adults lived through).

Yes, I've also met many highly educated people in their sixties, seventies and eighties, but I also have known personally enough who were socially promoted or encouraged to stop learning and then drop out without even being able to read to know that the problems you describe in education are hardly new.

The problems you describe aren't new, aren't unique to the era of union teachers, unless you're saying they existed back before WWII through today.

Comment Re:I might be a hardass, but (Score 2) 729

Actually, doing lots of problems is the right way to study math, no matter how much or little aptitude the student has. It doesn't matter if it is elementary school arithmetic, or high school calculus. I've heard so many stories of math students even at the college level coming in not understanding even the basics of not only the math they should know, but how to study the material. The real galling thing? Is when the student who does not turn in their homework begs the instructor to let them pass, despite doing very poorly on their tests.

And no, it's not in any way bad for a student to study for a couple hours a day over the summer. I might suggest a bit of variety in the week, say twice a week math, leaving other subjects for the other weekdays. Maybe a little history that isn't the pilgrims and civil war, or music (theory or performance).

I hear music teachers bemoan every summer how every student immediately puts down their instrument for three months and refuses to touch it. When they come back, they've lost a lot of their ability and their practice ability. The teachers know about taking a break, and often offer fun pieces in different areas, or suggest a lighter practice schedule. There's a difference between taking a bit of a break and turning off the brain.

Comment Re:4 day school week (Score 1) 729

The four day week has interesting implications. Currently, our culture says that students should spend no more than 180 days in school per year. Accounting for 104 weekend days, 14 break days (using the federal holidays for a number, as that is one of the most generous in the US), you have 67 days off. That's incredibly generous.

If one took your four day week, that means 210 days, leaving 30 days for breaks scattered through the year. Quite generous, and if distributed evenly, would result in no longer a school year (still averaging 180 days), but avoiding the extra long break which is the real problem I've heard many a teacher complain about.

Comment Re:No 2 factor please (Score 1) 99

Even RSA admits no one should use a 4 digit PIN. The reason the PIN is acceptable in length is the only way to test a PIN is valid or not is to use it with the code to enter a passcode on an authentication site. If you are allowing over a thousand bad guesses, you're doing something else wrong. The PIN is used to modify the 8 digit token displayed on the screen and then that result is what is entered. Hardware tokens still have you enter PIN and token manually in some cases (not all hardware tokens work this way), but the packet is in theory encrypted. You do make them authenticate over an encrypted channel, right?

Yes, someone might compromise the device with the software token, but that in theory should be hard. That's why people tell you to keep that bit better protected than most. Is it perfect? Of course not. We're breaking all six (5+1) rules of computer security (first being, don't have a computer). The point of this stronger authentication is never perfect security. Of course, no matter what authentication you use, if you actively compromise their source device completely, you'll get through it. It is to complicate the attack significantly.

In my job, whenever people say security must be cumbersome, I'm asked to go in and teach them that for the level of security appropriate to where I work, we can almost always find a clean solution. Good security, properly done, is done by professionals in a manner to hide most of it from the user so the user thinks it invisible.

Always keep your threat model in mind. Are you trying to protect against selected 3-6 letter government agencies with datacenters full of true supercomputers? Or are you trying to protect against a lesser threat?

Comment Re:No 2 factor please (Score 1) 99

The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case. As I understand, the software somehow binds itself to some kind of machine identifier on installation, and that is used in device setup, making migration difficult if not impossible. Maybe it is using a hostID to modify the generated number. Not necessarily impossible to fake, but raising the difficulty level.

We as security geeks are a bit two faced about authentication. We want good authentication services, we don't want a central authentication repository that can invade our privacy by knowing everywhere we authenticate. We want google to authenticate us with more than a simple password, we don't want to give google too much data about ourselves. We don't want to give a dedicated authentication service information about who we are authenticating to.

The solution that most comes to mind is a kerberos style approach where you create a ticket that anyone can validate readily, but they don't need to talk to the central repository to do so. You do need to talk to the central repository to create said ticket though, which would make availability crucial. Of course there are problems with this approach, but one has to start somewhere with tossing ideas out.

The old "security must be cumbersome" theory is one I'm constantly fighting in my job. My standard counterexamples are centralized security logs vs managing per system local logs, SSH keys vs local passwords. Even how we do SecurID is a lot simpler than local passwords for me.
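The Kerberos-style idea floated above, a ticket that a service can validate on its own while only ticket creation needs the central repository, can be sketched in a few dozen lines. This is an added example, not code from the thread or from any Kerberos implementation: the issuer shares one long-term key with each service, stamps each ticket with a MAC under that service's key, and the service checks the tag and lifetime locally. The ticket format, field names, lifetime and service names are all constructed. As in real Kerberos, the issuer still learns which service a ticket is for, which is exactly the privacy tension the comment raises.

```python
# Added example (not from the Slashdot thread): a Kerberos-style ticket that a
# service validates locally with its own key, so the central issuer is only
# contacted when tickets are created. Names and formats are constructed.
import base64
import binascii
import hashlib
import hmac
import json
import os


class TicketIssuer:
    """The central repository: shares one long-term key with each service."""

    def __init__(self) -> None:
        self.service_keys: dict[str, bytes] = {}

    def register_service(self, name: str) -> bytes:
        key = os.urandom(32)
        self.service_keys[name] = key
        return key  # delivered to the service out of band at registration

    def issue(self, user: str, service: str, now: int, lifetime: int = 300) -> str:
        """Only the issuer can mint tickets, so it must be reachable for this step."""
        body = {"user": user, "service": service, "iat": now, "exp": now + lifetime}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.service_keys[service], payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)


class Service:
    """A relying service: validates tickets offline with its own key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key

    def validate(self, ticket: str, now: int) -> tuple[bool, str]:
        """Return (accepted, user-or-reason) without any call to the issuer."""
        try:
            payload_b64, tag_b64 = ticket.split(".")
            payload = _unb64(payload_b64)
            tag = _unb64(tag_b64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"  # forged, tampered, or minted under another service's key
        body = json.loads(payload)
        if body.get("service") != self.name:
            return False, "wrong service"  # defence in depth if a key were ever shared
        if not body["iat"] <= now < body["exp"]:
            return False, "expired"
        return True, body["user"]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


if __name__ == "__main__":
    issuer = TicketIssuer()
    mail = Service("mail", issuer.register_service("mail"))
    t = 1_700_000_000
    ticket = issuer.issue("alice", "mail", t)
    print(mail.validate(ticket, t + 10))   # accepted, no issuer contact needed
    print(mail.validate(ticket, t + 400))  # expired
```

The availability concern the comment mentions shows up directly: `issue()` needs the issuer online, `validate()` never does. The short lifetime is what bounds the damage of a stolen ticket, since the service has no revocation channel back to the issuer in this design.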

Comment Re:No 2 factor please (Score 1) 99

Every factor could theoretically be reduced to something you "know", except it isn't something you know, because you can't key it in manually. Even a hardware token is really "something you know" in the strictest sense, the seed. But that's not what is generally meant by security folks when they speak of multi-factor.

The Google authenticator app last I saw only worked on android devices. Not everyone has a fancy cell phone. Some of us make do with a regular computer or laptop.

I think Google is trying to do mostly the right thing, but is falling down in implementation. Personally, I'm a fan of public key authentication of the client rather than just the server. Sometimes, older ideas really are good. We don't need brand new ones, just realizing how to reapply the old ones.

Comment Re:No 2 factor please (Score 1) 99

I've used real multi-factor auth in the form of SecurID. It isn't cumbersome. Doing it right doesn't have to be a PITA. If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

Currently, I use the mobile SecurID app because my work phone I can treat like my physical factor. The fact that I can't copy that to another phone and have it "just work" suggests that it was done right here. (I'm not on the SecurID support team).

We aren't trying to protect national secrets here. Always keep in mind your threat model when designing your security. The real failure of Google's design is it presumes everyone has a mobile phone supporting SMS that they are willing to use regularly.

Comment Re:I disagree (Score 2) 550

The first exit interview I did was used by HR to write the requirements to hire my replacement. I was hired as a very junior SA, but did intermediate SA work, and the shop could no longer survive on a brand new SA. (I was the most senior SA technical skills wise in the division).

In my case, the manager blew it and forgot to tell HR I was leaving until I went down to turn in my badge. This was typical for him. HR was rather upset I was leaving because I gave them support on their computers and printers, so they knew who I was.

Two weeks later, I saw two job requests at my old job, both for people of at least intermediate skills, to replace me. A month after that, I was told by former coworkers that my boss (who was a major reason I was leaving) had been forcibly transferred out of the department.

My answer to why I was leaving was not a lie, but it was not the whole truth either. I emphasized a positive about why I was leaving rather than a negative. "I'm moving to a position with more opportunity for growth and a significant salary increase" (both true). I raised concerns over the level of employee the company was hiring not as a statement of incompetence of $boss (though true) but as a statement of the complexity of the job when I left.

Comment Re:Mixed feelings (Score 1) 694

When I checked them out a few months ago, I didn't see more than one movie in three that had any captioning. It was simply awful. Things I read around that time said that Netflix had added some content, but chose not to continue aggressively adding closed captioning. I then dropped the service entirely. That was one of my selection criteria to decide if I'd go for more than the free trial.
