The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.
Very interesting and insightful troll. I was tempted to mod you up, but I figured a reply would be preferred.
Originally I disagreed with your post, but upon attempting to reply, I found that I agree that "both sides are equally bad/dishonest/wrong" is a cop-out, but I disagree that it's embarrassing. It's only embarrassing if you aren't doing anything to back up your belief, and voting is a good start, but it isn't enough.
Ever since this first started being discussed, I've been thinking M/W/F and T/Th/Sa makes a lot of sense. (A different route for each.) You could toss in 5 or 6 day delivery for commercial addresses.
As I've learned, the correct answer is, "Sure, but it'll cost them $n megabucks, and it will take x amount of time." (I'm sure rimcrazy also figured this out since then.)
Thank you, that answers my question perfectly. An immoral act is immoral in and of itself. Someone's suicide does not affect the morality of the original act.
To the dispassionate and disinterested outside observer, a mentally disturbed man committed suicide. The only one at fault is the mentally disturbed man.
I've long believed that suicide is nobody's fault except for the one who committed the act. However, I very much want to blame the DA for pushing him to commit suicide. I realize it's an emotional response, but there must be some basis in fact. At what point does provoking someone who then commits suicide become the moral and ethical responsibility of the provocateur?
I know I'm responding to a troll, but it hits upon an issue I've been thinking about for some time. It's well known how DAs threaten disproportionate punishments in order to get a plea bargain. And it's easy to see how this might get someone who was previously not seriously considering suicide to start doing so. Where should the line be drawn? Online/offline bullying? Threats of imprisonment? Threats of physical violence and/or torture? Or is it never someone else's fault?
security through obscurity
I do not think that means what you think it means.
"Security through obscurity" is being deliberately insecure and relying on other people not knowing about the insecurity as your defense.
Something like this relies on the fact that choosing a random address is much easier than guessing a random address that was previously chosen. This flaw results in forcing the victim to choose a non-random address when they intend to choose a random one. And "address spraying" works by increasing the size of the target the attacker must hit from a single exact address to a large number of ranges which covers most of the available addresses.
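The arithmetic behind that comment (guess one exact page vs. spray most of the address space), worked through as an added example; this is not code from the original thread. It uses a constructed toy address space of 256 MiB in 4 KiB pages, a constructed fixed base for the non-randomized case, and a constructed hard-coded jump target, and it models spraying as a single large attacker-controlled mapping:

```python
import random

# Constructed toy model: a 256 MiB address space of 4 KiB pages. Real
# processes have more pages and ASLR has fewer effective bits, but the
# arithmetic is the same.
PAGE = 0x1000
SPACE = 0x1000_0000
N_PAGES = SPACE // PAGE

FIXED_BASE = 0x0800_0000      # where a non-randomized victim maps its buffer (assumed)
HARDCODED_JUMP = 0x0C0C_0C00  # the one address the exploit jumps to (assumed)


def victim_base(rng, randomized):
    """Page-aligned base of the mapping the exploit must land in."""
    if not randomized:
        return FIXED_BASE
    return rng.randrange(N_PAGES) * PAGE


def exploit_lands(base, mapping_bytes, target):
    """True if the hard-coded jump target falls inside [base, base + mapping_bytes)."""
    return base <= target < base + mapping_bytes


def hit_probability(mapping_bytes, target):
    """Exact chance, under uniform page randomization, that `target` falls
    inside a mapping of `mapping_bytes` whose base page is chosen at random."""
    t = target // PAGE
    s = -(-mapping_bytes // PAGE)          # ceil division: pages the mapping covers
    lo = max(0, t - s + 1)                 # lowest base page that still covers t
    hi = min(N_PAGES - 1, t)               # highest base page that covers t
    return max(0, hi - lo + 1) / N_PAGES


def simulate(trials, randomized, mapping_bytes, target, seed=1):
    """Monte Carlo estimate of the exploit's success rate over `trials` runs."""
    rng = random.Random(seed)
    hits = sum(
        exploit_lands(victim_base(rng, randomized), mapping_bytes, target)
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    one_page = PAGE                 # the victim's real 4 KiB buffer
    sprayed = 200 * 2**20           # attacker-controlled allocations covering 200 MiB
    print("guess one page, ASLR on :", hit_probability(one_page, HARDCODED_JUMP))
    print("spray 200 MiB, ASLR on  :", hit_probability(sprayed, HARDCODED_JUMP))
    print("guess one page, ASLR off:", simulate(1000, False, one_page, FIXED_BASE + 0x10))
    print("spray 200 MiB, measured :", simulate(20000, True, sprayed, HARDCODED_JUMP))
```

With randomization on, a single hard-coded address hits one page in 65536; the 200 MiB spray hits about three runs in four. With randomization off (the "forced non-random address" flaw in the comment), the attacker who knows the fixed base hits every time without spraying anything.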
Mega holding a copy of your encrypted key does not reduce security, and slightly improves security. A password generally has a laughably low number of bits. Anyone who knows or can guess your password can get your key and thus your files. Not very surprising. There is no way around the crypto entropy being limited by the password entropy. However, if your password has 2048 bits of entropy, then the attacker must crack 2048 bits of entropy to recover your key and your files.
Password entropy is an incredibly difficult problem to solve. xkcd has what has become the canonical example of this. 28 bits of entropy for a "typical" password. 44 bits of entropy for 4 random words strung together. The mega key is 2048 bits, which is roughly equivalent to 186 random words strung together or about 311 completely random typed characters. Anyone attempting to crack your crypto is going to attack the password, not the mega key.
The security increase comes from two factors: the net effect of padding your password so that its length is unknown, and the real-world security from using a known, trusted and tested security algorithm.
In summary, your encryption isn't any more or less secure than the password you use. If it helps, you can think of the key stored on the servers as a salt, and the password you type in as the actual key.
(Also, if they were so inclined, why would they capture the decrypted key rather than just capturing the password itself?)
Maybe use their whatever-it's-an-option encryption as added layer and call it a day.
I thought I remember reading that encrypting an encrypted file can actually make it less secure than either encryption step alone.
Sort-of. If you make a mistake in your crypto, such as using the same key for both encryption steps, you can make things substantially less secure. Also, encryption is not necessarily additive. Encrypting something multiple times with different keys may not improve the security, or may improve the security less than the cumulative total number of key bits indicate.
As an example, let's take the Caesar cipher. If you encrypt twice with a key of 13, you end up with no encryption at all. If you encrypt once with a key of 15 and a second time with a key of 12, you end up with exactly the same security as encrypting once with a key of 1.
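The Caesar composition above, and the "same key for both steps" mistake from the same comment, as an added example that is not part of the original thread. The Caesar part is exactly the comment's arithmetic (two shifts add modulo 26, so double encryption never leaves the 26-key space); the XOR part is a constructed repeating-key XOR standing in for any stream-mode cipher, where encrypting twice under one key returns the plaintext:

```python
import string

ALPHABET = string.ascii_lowercase


def caesar(text, key):
    """Shift each lowercase letter by `key` positions; other characters pass through."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_twice(text, k1, k2):
    """Encrypt with k1, then encrypt the result with k2."""
    return caesar(caesar(text, k1), k2)


def effective_caesar_key(k1, k2):
    """Two shifts compose into one shift: the keyspace stays at 26, not 26 * 26."""
    return (k1 + k2) % 26


def xor_repeating(data, key):
    """Toy repeating-key XOR stream (constructed): ciphertext = plaintext XOR keystream."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_twice_same_key(data, key):
    """The 'same key for both steps' mistake: the second pass undoes the first."""
    return xor_repeating(xor_repeating(data, key), key)


if __name__ == "__main__":
    msg = "attack at dawn"
    print(caesar_twice(msg, 13, 13))                       # back to plaintext
    print(caesar_twice(msg, 15, 12) == caesar(msg, 1))     # True: 15 + 12 = 27 = 1 mod 26
    print(xor_twice_same_key(b"secret", b"k"))             # b'secret'
```

Both cases are the same phenomenon: when the set of encryption operations forms a group under composition (all Caesar shifts; XOR with any fixed keystream), stacking two of them is still a single member of that set, so the second layer buys no extra key bits at all.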
"Just following orders" is wrong not because someone higher up gave the order. It's wrong because despite the government condoning the action, the person doing it should know better. Therefore "everyone does it" is pretty much the same thing as "just following orders".
ITYM assault weapon.
!growing != !aging
No hard feelings, I was just struck by the visual of all the bangs.
I don't know what it says about me, but I wasn't. It's a bit frightening that I read and grokked it without a second thought. It didn't register until I reread it a couple of times.
If you hired somebody to remodel your house, checked his references, chose him as the best candidate based on his experience and quality of work, and came home one day and saw him watching TV and somebody else actually doing the work, would you say, "My, I applaud your idea, great job"? Probably not.
Oddly enough, this is pretty much exactly what a general contractor does. Although they tend to do other things rather than watching TV.
I agree. My first thought on reading the headline and summary was that Cisco claimed it was fixed, so DefenseCode released it into the wild.
Specifically, the site argues that the scriptures say that foreign substances should not be injected into the body and also that the human body is perfect and shouldn't be altered in any way. (A few other things are thrown in for good measure, but this is the crux of it.)
Personally, I think their interpretation has so many holes it would be laughable if the idea wasn't so dangerous and widely accepted. It also falls under the "If your religion requires human sacrifice, is murder protected by the Constitution?" heading.