Comment Re:Derp (Score 1) 168

We're getting spam here because someone, somehow, got our Active Directory mailing list out of Outlook Web Access. I know all of your admin accounts.

Well, well, sounds like both of us are in big trouble because of Microsoft, and not even because of the problem you originally complained about. :-)

Anyway, thanks for the interesting discussion. As someone whose job doesn't include having to worry about Microsoft's idiocies... I wish you the best of luck!

Comment Re:Derp (Score 1) 168

The first part is that the network log-in source can be grouped as an infinite number of terminals--lots of connections--so a per-connection rate limit is useless; thus all network service log-in (caveat: Active Directory handles console log-ins... over network) must be grouped as one thing to be effective.

OK, I agree that your argument here is OK, if the 1-2 second delay is an artificial one generated by the OS (and the OS doesn't sufficiently limit the number of active connections). If the 1-2 second delay comes from actual computational overhead of the authentication process (e.g., PBKDF2), then your argument still fails.

I can lock you out of your server by constantly trying to log into your server, so you can't apply patches anymore. Then I hack it on Tuesday.

Well, if I understand correctly, the lock-out is on a per-account basis, so you'd have to know the usernames of all my admin accounts, so this seems to me to not be very likely to succeed if I have heard about the attack ahead of time (thanks to your post)...
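The three throttling policies argued over in this comment (a per-connection limit that many connections defeat, a per-account lockout that an attacker can turn into a denial of service against known admin accounts, and an aggregate limit on all network log-ins), as an added example that is not part of the original thread and models no real product. The window sizes, connection counts and attempt caps are assumptions chosen for illustration:

```python
"""Login-throttling policies compared on constructed traffic.

Added example for the discussion above; not code from the Slashdot thread,
Windows or Active Directory. All limits and traffic shapes are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    per_conn_max: Optional[int] = None      # attempts allowed per connection per window
    per_account_lock: Optional[int] = None  # consecutive failures before the account locks
    aggregate_max: Optional[int] = None     # attempts allowed from all network sources per window


@dataclass
class LoginGate:
    """One throttling window; counters are never reset, so it models a single window."""
    policy: Policy
    _conn: dict = field(default_factory=lambda: defaultdict(int))
    _acct_fail: dict = field(default_factory=lambda: defaultdict(int))
    _aggregate: int = 0
    evaluated: int = 0  # attempts that actually reached the credential check

    def attempt(self, conn_id: str, account: str, password_ok: bool) -> str:
        p = self.policy
        # Account lockout applies even when the password is right: that is the DoS.
        if p.per_account_lock is not None and self._acct_fail[account] >= p.per_account_lock:
            return "locked"
        if p.per_conn_max is not None and self._conn[conn_id] >= p.per_conn_max:
            return "throttled"
        if p.aggregate_max is not None and self._aggregate >= p.aggregate_max:
            return "throttled"
        self._conn[conn_id] += 1
        self._aggregate += 1
        self.evaluated += 1
        if password_ok:
            self._acct_fail[account] = 0
            return "success"
        self._acct_fail[account] += 1
        return "failure"


def spray(policy: Policy, n_conns: int, per_conn: int, account: str = "admin") -> int:
    """Attacker spreads wrong guesses over n_conns connections.

    Returns how many guesses reached the credential check in one window.
    """
    gate = LoginGate(policy)
    for c in range(n_conns):
        for _ in range(per_conn):
            gate.attempt(f"conn{c}", account, password_ok=False)
    return gate.evaluated


def lockout_dos(policy: Policy, account: str = "admin", attacker_guesses: int = 20) -> str:
    """Attacker burns wrong guesses at a known admin account from fresh connections,
    then the real admin logs in with the correct password. Returns the admin's result."""
    gate = LoginGate(policy)
    for i in range(attacker_guesses):
        gate.attempt(f"attacker{i}", account, password_ok=False)
    return gate.attempt("admin-console", account, password_ok=True)


if __name__ == "__main__":
    # Constructed traffic: 1000 connections, 5 guesses each, one window.
    print("per-connection cap 5:   ", spray(Policy(per_conn_max=5), 1000, 5), "guesses evaluated")
    print("aggregate cap 50:       ", spray(Policy(aggregate_max=50), 1000, 5), "guesses evaluated")
    print("per-account lock 5:     ", lockout_dos(Policy(per_account_lock=5)))
    print("aggregate cap 50 (DoS?):", lockout_dos(Policy(aggregate_max=50)))
```

The per-connection cap lets all 5000 guesses through because the attacker simply opens more connections, the aggregate cap holds the window to 50 regardless of connection count, and the per-account lockout returns "locked" to the legitimate admin after the attacker's guesses, which is exactly the "can't apply patches anymore" scenario. The aggregate policy slows the attacker and the admin equally in a flood, so a real deployment would still want a separate console path or an allow-listed management source.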

Comment Re:Derp (Score 1) 168

There's this link that references USB-HID specifically at 750 characters per second. I can't find other references to USB HID rates, and the HID protocol is semi-flexible (i.e. it's really fucking hard to implement NKRO on HID, since HID keyboard protocol specifies 6KRO in boot mode; but you're free to implement an alternate HID protocol once your keyboard's out of boot mode).

Thanks for the hint to look at the USB-HID standard (1.1) in which even high-speed devices are limited to 64KB/s. That's interesting info. Does the USB hardware + operating system on most computers actually enforce that?

OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole

1-2 second delay is an expected human-facing turn-around: this actually happens on most modern systems. I pointed it out and then theorized eliminating that rate limit entirely, instead relying on the limits of the HID keyboard protocol at 750 characters per second, which is the faster measurement and thus can be taken as a worst case.

You don't actually seem to be addressing my argument here, perhaps you misunderstood? It's clear to me what you did, my argument was that doing what you did made no sense given the "1-2 second delay" you state, and given that datum, your characterizing Windows as "retarded" for not distinguishing between 750 char/s and the much faster network, was illogical.

Your naivety about the average entropy in a typical 8 character password is striking.

We're talking about theoretical password complexity here, not dictionary attacks.

Yes, I am capable of reverse engineering your math. You err, though. "We're talking about..."? No, you're talking about...

I'm not quite getting this. You dismiss the possibility that weak passwords are used, so that hardware password attacks are dismissable, but at the same time address the problem that these same non-weak passwords aren't strong enough to withstand network password attacks without lock-outs? Yes, I suppose there are some real-life situations in which that's true, but why would you rag on Microsoft for trying (in what I agree is not a reasonable way) to cover other possible situations (and, given their user base, much more probable ones)?

Comment Re:Translation (Score 1) 121

> The IRS will know who you are when you bought your bitcoin from a regulated exchange.

OK... I suppose so (still doesn't address the "multiplicity of jurisdictions" problem), but that is a quite different scenario than that posed by the poster I replied to, who wanted bitcoin "criminalized and shut down" via legislation.

Your comment was already covered by, for example, this poster.

Comment Re:Derp (Score 1) 168

> That's called a movie plot security threat, and it's not a concern.

Do you always start out your arguments by "poisoning the well"? BTW, the person who coined "movie plot security threat" doesn't exactly agree with you.

> Aside from all the obvious shit like "how do you get in there unnoticed?"

Did you miss the "on a public computer" part of my post? Never heard of social engineering?

> Even without a 1-2 second turn-around for testing a password, keyboards can only enter 750 characters per second.

Where did this "750 characters per second" come from? Is this a limit built into Windows? USB 2.0 runs at 35 MB/s, according to Wikipedia.

OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole --- if the password check itself is the limiting factor, even for the "slow" keyboard, it makes no sense to make a distinction between password attempts from the keyboard and those from the network, so it would be silly to call Windows "retarded" for doing so.

> That's less than 100 password attempts per second for 8 character passwords,
> or 10^12 seconds to try them all. 800,000 years!

Your naivety about the average entropy in a typical 8 character password is striking.
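The arithmetic behind this exchange, as an added example that is not part of the original thread: how many guesses per second a keyboard channel at the quoted 750 characters per second allows, what the 1-2 second check turnaround does to that, how a network attacker with parallel connections compares, and how the answer changes between the full 8-character printable-ASCII keyspace and a realistic entropy estimate for user-chosen passwords. The 750 char/s figure is taken from the thread; the 1.5 s check time, the 1000 parallel connections, and the 18-bit figure (the old NIST SP 800-63 Appendix A estimate for an 8-character user-chosen password without composition rules) are assumptions used for illustration:

```python
"""Guess-rate and time-to-exhaust model for the keyboard vs. network argument.

Added example; not from the Slashdot thread. Channel rates and entropy
figures other than the thread's own 750 char/s are assumptions.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # space through '~'


def keyboard_attempts_per_second(chars_per_second: float = 750.0,
                                 password_len: int = 8,
                                 check_seconds: float = 0.0) -> float:
    """Guesses/s through a keyboard: each guess is the password plus Enter,
    typed serially, followed by the OS's check turnaround."""
    chars_per_attempt = password_len + 1
    return 1.0 / (chars_per_attempt / chars_per_second + check_seconds)


def network_attempts_per_second(parallel_connections: int,
                                check_seconds: float) -> float:
    """Guesses/s over the network with no aggregate limit: every connection
    waits out the check turnaround independently, so the rate scales with connections."""
    return parallel_connections / check_seconds


def seconds_to_exhaust(keyspace: float, attempts_per_second: float) -> float:
    return keyspace / attempts_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def summary(check_seconds: float = 1.5, parallel_connections: int = 1000,
            realistic_bits: float = 18.0) -> dict:
    """Time to exhaust the keyspace under several channel/entropy assumptions.
    realistic_bits is an assumption, not a measurement."""
    full_space = PRINTABLE_ASCII ** 8           # 8 printable ASCII chars, ~52.6 bits
    realistic_space = 2 ** realistic_bits
    kb_nocheck = keyboard_attempts_per_second()
    kb_check = keyboard_attempts_per_second(check_seconds=check_seconds)
    net = network_attempts_per_second(parallel_connections, check_seconds)
    return {
        "full_keyspace_bits": math.log2(full_space),
        "keyboard_guesses_per_s_no_check": kb_nocheck,
        "keyboard_guesses_per_s_with_check": kb_check,
        "network_guesses_per_s": net,
        "keyboard_full_keyspace_years": years(seconds_to_exhaust(full_space, kb_nocheck)),
        "keyboard_realistic_seconds": seconds_to_exhaust(realistic_space, kb_nocheck),
        "network_realistic_seconds": seconds_to_exhaust(realistic_space, net),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:40s} {value:,.2f}")
```

With no check delay the keyboard channel delivers about 83 guesses per second (under 100, as the quoted post says), which needs on the order of millions of years against the full 95^8 keyspace but under an hour against an 18-bit user-chosen password. A 1.5 s check turnaround drops the keyboard to well under one guess per second, while 1000 parallel network connections facing the same turnaround still manage hundreds of guesses per second, which is why the per-source argument in the thread matters more for the network side than for the console.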

Comment Re:Derp (Score 1) 168

Windows does stupid shit like lock the local console if you set up rate-limit log-in...when logging in through the Microsoft log-in manager. That's retarded. A person is sitting at that console, and can't enter passwords fast enough; it should NEVER BE LOCKED.

You have limited imagination; what about an attack on a public computer via replacing its keyboard with one which includes a CPU + password cracking program?

So Windows isn't quite as retarded as you think; it's just retarded in that it doesn't rate-limit the two kinds of logins separately (i.e., still very retarded).

Comment Re:Derp (Score 1) 168

I think nowadays that one can assume that 1400 random infections (for the botnet in question) on the net would include most countries. Even more so for the larger botnets which exist. So my suspicion is that this tactic has limited utility, possibly so limited that it is no longer worthwhile ("Damn, I forgot to turn off the geoblocking before my unexpected trip to Peru!").

Comment Re:Translation (Score 1) 121

No, I won't bite on the Ponzi flamebait. But <sarc>I'm sure Satoshi is quaking in his boots</sarc>.

Er, reality check?

  • Your "little bit of legislation" is only going to affect people in your little bit of jurisdiction.
  • Except for someone who actually is stupid enough to directly declare he has bitcoin, it is trivial to conceal it, and trade/spend it outside problematic jurisdictions.

Are you one of those who also believe that we just have to pass stricter laws and piracy will disappear?

Comment Re:.. not in italy (Score 1) 151

> They were convicted for making statements that earthquake will not happen

And they actually made such statements? Or, perhaps they merely said that "as far as science knows, the probability of an earthquake is no larger than, say, last year". The whole thing looked like a witch hunt to blame someone for damages which were caused by natural causes, because no politician is going to get up in front of the electorate and actually tell them "Sorry, there is a very small chance that large numbers of people in our country could die from X, Y, or Z and there is no practical way to prevent these dangers."

It frankly looked like scientists sacrificed on the stage of security theater.
