There's a good reason for not reading beyond the first couple sentences in this case.
And that's not just to avoid the standard lack of editing around here: "assuming you tune they [sic] system along the way" ???
You tell that to the President of (what remains of) Ukraine. Ever since Obama has said "Yeah, well, don't cross this line. I mean it!" Putin has known exactly how much he can get away with.
Do you think that simply because you omitted that common attack vector that it's magically not going to happen?
Rate limiting, et al, has a singular primary purpose: to make things hard enough that an attacker doesn't get the password hash. Anything else is pure gravy.
Once the attacker has the password hash, the next defense is a strong password. And that's where we need to focus the entire debate about passwords vs passphrases vs biometrics vs telepathy. Assume the attacker has your password hash. This worst-case scenario is reality all too often. Yes, throttle password attempts and all that, but if your server has Sarah Palin or Barack Obama on it, assume that someone, somewhere, will deploy sufficient resources to getting that password hash through some zero-day vulnerability. (If your site is just discussing hooch for local rednecks in Bumfuk, Virginia, then the passwords are likely safe, regardless of how insecure the system is.)
Clang warns about bad variable names? I need to switch!
Real science is always open to upending. If they weren't willing to listen to critics, they'd be called a religion.
Excersise for the reader: are there any other scientists not willing to listen to their critics?
I'd suggest the penalty be based on the savings, not the cost.
If the illegal is simply indentured, unpaid servant, the penalty goes to zero? Instead, I'd suggest asking a local union (just for kicks, mind you) what the going rate is for that work, subtracting the actual pay, and using that as your basis for penalty. If the illegal was paid full union rates, I could live with "no penalty" - they've been penalised enough, I suppose.
I used to be a huge fan of C++.
All those negatives you cite seem to me to be advantages. Because when you know how to use them, they become powerful forces for good. Sure, there's plenty of room to shoot your foot off, but there are some things you can do in Perl that a stricter language wouldn't let you do.
I've put that bullet through that approach.
I've grabbed the precise versions of everything that we're going to use, checked into our version control system, complete with a full build-from-scratch setup that will build perl from source, with the exact options we need (or at least the exact same options every time, not sure if we need threading, for example), and the precise list of CPAN modules that we are using, along with standard patches to said modules where required (some of them don't support AIX as well as we need). Upgrading a module will require a degree of regression testing, etc.. And all developers will use exactly the right levels of everything as the level that is going into production.
I'm a huge fan of CPAN. It has issues, such as some crap code, but yet it remains one of Perl's greatest strengths. Like anything else worth having, it provides sufficient rope to hang yourself with, so you do have to be careful, putting the onus back on the developer to find a mode that works for them. And yet, to fulfill corporate requirements, I'm using precise levels of code. There's no reason why you can't have the best of both worlds.
Gee, if that was the criteria, I'd be banning Java at work. Because I've seen first-hand a number of Java devs writing absolutely stupid things resulting in a heap of vulnerabilities.
The reality is that you get a bunch of stupid developers, and it doesn't matter what language you put in front of them, they're going to write stupid code. The people who've worked under me in perl don't get the opportunity to write code that dumb because a) I provide a saner framework work in where those gotchas are centralised into common functions and objects, and b) I code review everything that goes in until they acquire a better knowledge base to work from and then I do spot reviews and review anything they feel, with their now better experience, might be tricky and should get extra eyes.
I don't care what language you're working in. If you don't realise that calling the shell with special characters that you didn't know you had will cause problems, it's the developer at fault, not the language. I don't care if it's cmd = "do-stuff " + tainted_value; Process p = java.lang.Runtime.exec(cmd); or my $cmd = "do-stuff $tainted_value"; my $rc = system($cmd);, that's going to result in broken code. If you don't realise that doing the same thing with SQL is going to cause problems, you shouldn't be doing SQL. Or running a subprocess, waiting for it to exit, and THEN reading its stdout. These are all common things, in my experience, and most of them I've seen in Java code, though I do get to work with some nimwits in a different reporting chain using perl stupidly as well. I don't ascribe the bad code to the language, but to the bad developers. Maybe you should look, too, and you'd find it's your developers that are the problem, not the language.
Given that this is SCARY and NEW TECHNOLOGY, I can see an abundance of caution here. Also, it's the manufacturer that has to have the insurance, which seems to me to be rather cheap, especially since many players, especially Google, could self-insure something like this and wouldn't really notice any pinch. To be honest, this seemed to me to be somewhat low if their primary purpose is to ease peoples' minds about the new technology.
Remember that the state is going down uncharted waters here, regulating these things prior to actual use as opposed to the catch-up-with-existing-practices we did the first time round with these horseless carriage things. So they're taking things easy. It's probably the best way to make everyone comfortable with the process, other than perhaps the manufacturers.
I know that reading the fine article is frowned upon, but I
The article had this weird text and stuff, and it overwhelmed me, but when I finally sobered up long enough to take my eyes off the road and read my tablet, I saw this odd text:
Approximately 41 million people receive speeding tickets in the U.S. every year, paying out more than $6.2 billion per year, according to statistics from the U.S. Highway Patrol published at StatisticBrain.com. That translates to an estimate $300,000 in speeding ticket revenue per U.S. police officer every year.
(my emphasis.) Now, I get that the cost of policing isn't simply the officer's salary, but the cost of the vehicle, maintenance, gas, supervisors, etc. But I highly doubt that the cost per officer is $300k per year. I would say that $150k per year might be an excessive estimate. So let's call it $200k/year/officer. It seems like there's a significant profit being made here somewhere. I just don't know where it's all going, other than possibly into municipality coffers.
But anyone who thinks our goal should be to avoid altering our environment really hasn't thought it through, because the only way to achieve that goal is for us to cease existing.
There are people who believe that those espousing "avoid altering our environment" have thought it through, and their goal really is for humans to cease existing. I'm currently leaning toward believing these people.
How? By not prohibiting the sale itself, only who is making the sale. Tesla can sell all the cars they want, as long as they use local dealers to do so. Therefore interstate commerce is not prohibited. Still a dumb law, but I don't see anything here that makes it unconstitutional or federal.
Controlled substances can only be sold through pharmacies by licensed pharmacists. And new cars can only be sold through local car dealerships. Now why only local car dealerships should be allowed to sell cars, or why we're equating new cars to controlled substances, I don't understand. But we are, and it's legal for the states to make dumb laws like this.