Comment Re:After skimming, reading and confusion. (Score 1) 55

I have different concerns with that article.

"Security is not a property of a technical system," she noted in her talk at the Hack in the Box conference in Amsterdam. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users."

No. "Security" does not exist. You can be MORE secure than X or you can be LESS secure than X but you cannot achieve "security".

For me, being MORE secure means that fewer people can successfully attack you (or that the attack requires more of them to work together).

Saitta realized that a lot of what we know in the security world can't be effectively used if someone in the real world is targeted by a determined adversary.

No. That is getting back to the MORE secure or LESS secure. If the attacker has to drop armed forces onto your office building then you are MORE secure than if they exploited a 0-day on your web site.

We shouldn't work on assumptions or go by intuition - we should set aside our egos, and consult with the end users - learn about their goals and adversaries.

I'd say that 99.9+% of them have no idea who their adversaries are. Other than "that asshole Bob" or "the Chinese".

In the case of high-risk users, usable security is a must.

Is there ever a case where unusable security is a must?

As she vividly put it: if you're on a rooftop, trying to get a connection and successfully send out an encrypted message because your life or freedom - or that of others - depends on it, and you know that there are snipers waiting to take a shot at you - there is simply zero room for using a tool as complex as PGP.

Choose the right tool for the job AND LEARN HOW TO USE IT PRIOR TO THE EMERGENCY.

And if her example is, literally, snipers on the rooftops then whoever did the computer security did a fucking great job. This is an example of a win, not a failure.

Comment Re:Absence?! (Score 1) 595

Let me quote part of that RFC for you.

By default, generate a set of addresses from the same (randomized) interface identifier, one address for each prefix for which a global address has been generated via stateless address autoconfiguration.

Parsing that shouldn't be a problem for anyone with a CCNA or equivalent experience. But there are going to be problems when the average user is trying to set up his home router.

Fat fingers.

...and I don't think we should design the internet with the most basic web surfing home user in mind.

But that is where the most problems will be.

IPv6 will support everyone's needs. IPv4 supports only the most trivial.

It is not whether it will support X or not. It is how much expertise it takes to get such support configured AND maintain the same level of security available with IPv4.

With a current home router and IPv4 + "NAT" the average home user can handle everything they know about today. Without having to learn anything new.

Comment Re:Absence?! (Score 2, Insightful) 595

The IPs I'm leaving in web server logs are also throw-away addresses - read up on RFC-4961.

You may be referencing the wrong RFC. That is more about port numbers than different IP addresses. The IP address of your machine should still be showing up in /.'s logs.

Without NAT, you're still hitting the stateful firewall and default deny rule at the edge of my network... Most home routers should default to this sort of behaviour.

Either that breaks most of the functionality of IPv6 or it entails a lot more effort and expertise on the part of the home user.

None of this crap with forwarding port 80 to one box and then... Oh, I need another web server... Hmm. 8080? Other random / arbitrarily selected ports? That sucks! It's broken.

So your hypothetical home user has a single IP address and runs multiple web servers. And you feel that "Most home routers" should default to supporting that?

The difference is, I can open up as many ports as I need with no limitations.

While I can manage as many ports AS I NEED without problems. Even with more than 1,000 users at a single site.

Which is why IPv6 has been so slow to be implemented. You either lose the benefits in order to get the same level of security you had with IPv4 or you lose that level of security for features that the average person is not demanding today.

Comment Re:Absence?! (Score 4, Interesting) 595

My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

Somewhere between 0 and approximately 18,446,744,073,709,551.

But, as always, the issue isn't hiding and hoping that no one finds you. The issue is how do you protect your systems and networks from people who (in the worst case scenario) already know what your IP address is?

With NAT they are attacking a single firewall.

With all of your systems directly accessible to the Internet, the crackers can attack any and all of them.

Getting your IP address can be as simple as putting up a web server with some stupid content and having /. link to it.

Comment A != B (Score 2) 535

... are just ornamental and serve no other purpose?

You added the "and serve no other purpose" onto the original statement:

Nothing except the ornamental bits.

Everything you listed DOES serve another purpose.

BUT none of them affect the operation of the weapon. I spent 7 years in the Army and I can shoot a weapon with a carrying handle as effectively as one without a carrying handle.

Comment Re:Managers (Score 1) 583

If you perform enough miracles enough times when THEIR decisions have caused (predictable) problems they will start to believe that THEY are the ones performing miracles.

At which point the problems will pile on.

Be ready to leave before that point. If there are certifications, collect them and keep them current.

Try to interview at least once every quarter. Even if you do not intend to leave your job.

Comment Re:How about non-BGA? (Score 1) 24

OK, then give us a QFP version with fewer pins.

I mean, Rockchip offers a competing range of SoCs in LQFP176, up to quad core, and they're huge sellers. Too bad that the Chinese companies typically won't talk to anyone.

Freescale would be smart to follow suit. If they did, they'd become a standard, quickly. I'd be happy to trade having gobs of GPIOs for cheaper and easier assembly.

Comment How about non-BGA? (Score 1) 24

It's great that Freescale is making a version of the ultralite that's easier to manufacture - but it'd be even better if they had a non-BGA version. BGA means "ball grid array", and it's one of the more difficult components in terms of electronics assembly.

Some companies charge a 3x premium if there are any BGAs at all. Having a version that has the pins on the side (QFP), even if it was huge, or had less functionality, would allow for easier prototyping and assembly.

There'd be a market for it.

Comment No, the problem is the software (Score 1) 327

Actually, PowerPoint is so horrendously clunky and limited that even if you want to make a compelling presentation, it works against you. In short, the only thing that you can do easily is to use bullet points.

PowerPoint still cannot do what the long dead Persuasion could do, and do efficiently.

I'd love a decent alternative to PowerPoint, but it really doesn't exist.

Comment Re:Who's saying it is a warp drive? (Score 1) 416

I've seen several gushing articles -- things I saw linked to on Twitter, glanced at, thought "Yeah right" and didn't give a thought to bookmarking -- claiming that there was some kind of space-time warping effect detected in the Em-drive.

It is difficult to know where along the chain of articles-quoting-articles that "WARP DRIVE!" got added to "reactionless thruster."

Comment Re:The good news is... (Score 4, Insightful) 211

I doubt it. It's too easy NOT to be.

Just realize that you are NOT smarter than the people reporting to you. You just happened to get stuck in that management slot.

Next, learn that just because you've been TALKING since you were 2 does not mean that you are a master at COMMUNICATION. Take classes. Read books. LEARN to communicate.

Now you can give rapid feedback to your people. Instead of the once-a-year review, aim for an every-two-weeks review. That way you will remember all the reasons why the main project was delayed. Remember your new communication skills.

Finally, decide whether you're going to fuck your people in order to make other managers look good or whether you're going to help your people get the skills to move up and onward.

Comment Re:Talk about blaming the messenger (Score 5, Insightful) 230

He's part of the "system". Therefore, his view is that anyone who isn't directly supporting the "system" is opposing it. Which means you're opposing him and the "good" work that he is doing. You are friendly to the "terrorists".

"Terrorists" in this case being defined as anyone Mark Rowley does not agree with.

Personally, I think that there are far more corrupt cops and corrupt politicians and so on who would abuse their authority than there are terrorists who can attack us.
