
Comment: Re:not news (Score 1) 208

by Tom (#48230939) Attached to: Passwords: Too Much and Not Enough

Because everyone writes absolutely perfect code, no one ever loses anything, and there are no exploits out there.

No, because there is a difference between looking for the perfect castle and realizing that maybe having a wall isn't so stupid and closing the door at night isn't a bad idea, either.

Making brute force attacks difficult is not a question of perfect code. It's a question of not allowing unlimited tries at unlimited speed (online) or not storing unsalted password hashes (offline). It's not a matter of protecting your server from compromise. A serious defense strategy always includes the assumption that several layers of your protection fail and you should still not suffer a total defeat.

you'd better hope they're salted with a strong salt, per-user, and hashed with a function like bcrypt or PBKDF2.

You see, this is the point. Whether or not they are is not a matter of hope like rain and sunshine. It's something you actively control.

There aren't any magical solutions.

No, but there are good and stupid solutions, and it's time we stop using the stupid ones. It's a feature of this anarchy we love so much, because if software were a car... well, at least in the western world you can't legally sell a car without brakes anymore.

Comment: Re:Computers: They can respond fast -and- slow (Score 1) 208

by Tom (#48228319) Attached to: Passwords: Too Much and Not Enough

or lock out the console/IP entirely, after N failed attempts.

Which opens the door to DoS attacks on target accounts, but there are several smart ways to work around that (send an unlock link to the e-mail address for that user, for example).

I hope security "analysts" catch on to reality soon.

There are two kinds of security people in the business world. Those with a real interest in advancing the field and making computing more secure, and those working for large consulting and IT "Security" companies. I am exaggerating some, of course, and there are great people in those companies as well, but unfortunately the business concept of too many of them is based on solving problems in such ways that you can sell the solution to many other customers, not on finding a solution that takes care of the actual problem.

It's the same with consulting companies and the insource/outsourcing cycles. There are good arguments for both of them, but if you've watched the business world for a decade or two you understand that they are hyped in cycles so the same consultants who sold outsourcing to a company last period can sell insourcing to the same company next period or after the next CTO change.

Comment: not news (Score 1) 208

by Tom (#48228297) Attached to: Passwords: Too Much and Not Enough

Other security experts and I have been saying such things for years.

Basically, our password handling systems and policies are completely broken. It's not just what xkcd pointed out - it's worse. Those policies are based on making brute-force attacks more difficult. But to sum up a complex topic in a soundbite: If your system allows for brute-force attacks, your system is fatally broken.
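As an added illustration of the controls these comments call for (a per-user random salt, a slow hash such as PBKDF2, and limiting online tries without handing an attacker a permanent lockout), written here rather than taken from the original posts; the iteration count, failure threshold, unlock-token flow and in-memory user store are assumptions:

```python
import hashlib
import hmac
import os
import secrets
import time

USERS = {}                    # constructed in-memory store; a real service uses a database
PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash costs ~100 ms on your hardware
MAX_FAILURES = 5              # assumption: failures before an e-mailed unlock link is required

def register(username, password):
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest, "failures": 0, "unlock_token": None}

def _verify_hash(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison

def login(username, password, sleep=time.sleep):
    """Online check: each failure slows the next try; past MAX_FAILURES the user needs an unlock link."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return "denied"
    if record["failures"] >= MAX_FAILURES:
        if record["unlock_token"] is None:
            record["unlock_token"] = secrets.token_urlsafe(32)   # would be e-mailed to the owner
        return "locked"
    if _verify_hash(record, password):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    sleep(min(2 ** record["failures"], 30))   # exponential backoff, capped at 30 s
    return "denied"

def unlock(username, token):
    """Clear the failure counter only when the e-mailed token matches; this avoids a permanent DoS."""
    record = USERS.get(username)
    if record is None or record["unlock_token"] is None:
        return False
    if not hmac.compare_digest(record["unlock_token"], token):
        return False
    record["failures"] = 0
    record["unlock_token"] = None
    return True
```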

Comment: Re:Can the counterfeit chip be detected? (Score 1) 543

by Andy Dodd (#48220623) Attached to: FTDI Removes Driver From Windows Update That Bricked Cloned Chips

From looking at how their stuff works, no. The driver tries to change the PID on all devices, but genuine hardware doesn't actually write out the EEPROM until further action is taken, while clones immediately write out the EEPROM.

Although it isn't really a "brick" - it sets the PID to 0. Which is invalid, but happens often enough these days that you can still force the hardware to be used. Someone wrote a Linux patch that would register the correct driver for FTDI's VID and a PID of 0.

Another option FTDI could have done is: Change the PID to one reserved for clones, then spit out warnings when that PID is seen.

Comment: Re:Alternatives? Same problem.. (Score 1) 543

by Andy Dodd (#48220593) Attached to: FTDI Removes Driver From Windows Update That Bricked Cloned Chips

"are not sold as made by the company" - They use FTDI's USB VID/PID - this is representing yourself as an FTDI chip.

The tough thing is HOW to do it on first plug-in. The only method I can see that would work is to perform the same alteration the driver is doing, but instead of changing the PID to 0, change it to one reserved for fake chips. Then have the driver spit out lots of warnings if the "fake chip" PID is seen.

(As to how their driver is doing its thing - from what I've read of decompiled code, it attempts to change the PID to 0 on all chips. However, genuine hardware needs additional steps to actually start the EEPROM write, while clone hardware immediately writes out the EEPROM.)

Comment: Re:Computer Misuse Act 1990 (Score 2, Informative) 543

by Andy Dodd (#48220551) Attached to: FTDI Removes Driver From Windows Update That Bricked Cloned Chips

"The issue is that the FTDI driver is deliberately reprogramming a chip that is not theirs"

Except they're only doing this to their USB VID/PID - which IS THEIRS.

If you use FTDI's VID/PID, you're trying to pass yourself off as an FTDI chip, and it is YOUR FAULT ALONE if an operation that does not cause issues on genuine FTDI hardware does bad things to your own.

(If you look at the decompiled code, the driver attempts to write the EEPROM on all hardware. However, genuine FTDI hardware won't actually START the write operation until the driver does "additional stuff" - but clones will immediately write the new EEPROM value.)

Comment: Research in this area is probably a good thing. (Score 1) 147

by Wycliffe (#48220023) Attached to: Incapacitating Chemical Agents: Coming Soon To Local Law Enforcement?

Research in this area is probably a good thing if done right. Mace, tear gas, and stun guns are not very effective in a large crowd or hostage situation. I agree with the article that current methods rely on exact dosage to prevent fatality, but it's highly probable that we can find better chemicals that don't. Marijuana is one of many known substances where the effective dose and the lethal dose are orders of magnitude apart. Research into incapacitating substances with very low effective doses but very high lethal doses would be where I would want to focus. Something like this would be very useful. You could make everyone pass out and then isolate the bad guys before they wake up, saving both civilian and criminal lives.

Comment: Re: $3500 fine? (Score 3, Interesting) 281

by Wycliffe (#48219919) Attached to: Tech Firm Fined For Paying Imported Workers $1.21 Per Hour

Old-school apprentices were rarely a "guaranteed job at the end" but more like "a shot at taking over the business at the end" if you paid your dues, learned well, and did a good job. IT has actually moved that direction a little bit. When I interned for HP while in college, they made it very clear that interns that they liked moved immediately to the top of the stack of resumes when applying for a full-time position, practically guaranteeing you a job if they liked you and your performance. It's a lot less risk for them. Places like Microsoft have also started using contractors and temp agencies for that purpose. They try you out for a while; if you do a good job then they bring you on, and if you don't, they don't have to worry about all the steps to fire you. It also helps with company morale as then very few "official" employees ever need to be fired.

Comment: Re:$3500 fine? (Score 0) 281

by Wycliffe (#48217731) Attached to: Tech Firm Fined For Paying Imported Workers $1.21 Per Hour

A more sensible argument in favour of minimum wage is that if there isn't one, government assistance to low-income earners is in practice a subsidy to companies that then don't have to pay a living wage.

What percentage of people working at (or close to) minimum wage receive government assistance? I read somewhere that the vast majority of people close to the minimum wage have moved up after a short time. No one I personally know who works for minimum wage receives government assistance. Most people I personally know who work for minimum wage are single kids, usually still living at home and getting their first job. The problem I see with a high minimum wage is that it kills a lot of entry-level jobs, so you end up with a bunch of people who have no way of getting job experience. And you can't solve this by making teenagers exempt from minimum wage, as then companies have an incentive to only hire inexperienced people, and the few people who really do need minimum wage jobs are passed over because they have a higher minimum wage.

Comment: Re:So Who Cares (Score 1) 290

by Wycliffe (#48217675) Attached to: Will Fiber-To-the-Home Create a New Digital Divide?

Why would they charge more? Because it is technology? My guess is that when/if they start doing this, it will be so that they can see more patients in a given period of time and/or cut down on buildings, staffing, etc... i.e. they will be doing it to save money. You might not see the saving, but it doesn't make sense that they would charge more for this service.

Comment: Re:We had a distributed social network (Score 2) 258

by IamTheRealMike (#48215593) Attached to: We Need Distributed Social Networks More Than Ello

If you ignore the ability to restrict personal data to particular people, a news feed with intelligent ranking that tries to guess who your real friends are so you don't have to upset people who post a lot by defriending them, the ability to tag people in photos, the lack of any need for meaningless URLs and a seamless way of organising events... then sure. Facebook is just like the web.

Comment: Social networks are a compilation of free tools (Score 1) 258

by gurps_npc (#48215199) Attached to: We Need Distributed Social Networks More Than Ello

They are a blog (your 'page' has words and pictures, time stamped, aka a BLOG).

Connected to an email service.

With some automated responses (like) and mass mailing features.

Connected to some games

All held together by exclusivity. That is, they won't let you read someone's blog, email them, or get emails, unless you join them.

Well, I did leave some extra stuff out - but basically the other stuff is all the privacy-killing back-office things that no user wants - i.e. the ability to tag other people's photos, the ability to track people viewing, etc. etc.

If you make a distributed version of it, it's called THE INTERNET.

P.S. It already exists. Frankly, the entire thing is just a simplified way for non technical people to get involved on the internet. Not everyone realizes how useful a blog, mass mailings, etc. are so they packaged them up as a "Social Network" and suddenly people that never heard of a blog are blogging.

Comment: Re:Can we stop trying to come up with a reason? (Score 1) 767

by Maxo-Texas (#48213183) Attached to: NPR: '80s Ads Are Responsible For the Lack of Women Coders

It's a bit of a chicken-or-egg thing. If women made up 90% of Minecraft players, this probably wouldn't be happening/be permitted.

I hadn't seen that on the servers I played on (Madrealms), but maybe that's because I felt like I was with Peter Pan and the lost boys. There were no female players.

I was introduced to Minecraft by a female player, but she clearly couldn't comprehend the way I liked it. She was still spending 4 hours a day and building stuff when I was making redstone devices and spending 8+ hours a day on it. It was a serious addiction! (And it's running right now while I test some things for an adventure area in our survival server.)
