
Comment: Re:Easy Solution (Score 2) 220

by jeffmeden (#49355735) Attached to: Broadband ISP Betrayal Forces Homeowner To Sell New House

I guess it depends on what the fine is for not complying. For your above scenario to make sense, the fine itself would have to be more than the cost of installing the line. Otherwise, they would just pay the fine and forget about it. Also, there would need to be timelines for how long they can take to get the service working. If you have to live in the house a year without good internet before they get the service up and running then the law isn't very helpful. Also, what happens if you move in in December and they can't install the lines until March when the ground has thawed? Also, there's no law saying how much they are allowed to charge you, and they often don't charge the same fees for everybody. Once they've installed your lines, you're basically a slave to paying that provider's rates. If they want to jack up the rate 6 months down the road to recoup costs, there isn't much you can do about it, other than try to get some other provider to put in lines as well.

Actually there was only one important caveat: "Pass a law that if a service provider says that they offer service to an address they must do so by law." So the goal is not to get service to every address in the US, the goal is to make paying the fines more painful than generating a correct national broadband map. Correct map in hand, consumers can make a more informed choice and national providers will have a more flimsy straw man from which to argue behind.

Comment: Re:Ancient Chinese wisdom (Score 0) 113

Any civilisation that in 5000 years never managed to invent the fork and carried on using 2 sticks to eat with isn't that great.

Any civilisation that after 5000 years still makes food so hard to eat that it needs to be poked, chopped, ripped, etc AFTER the chef is done, isn't that great. Chopsticks are not a symptom of lack of refinement, the food that passes as "prepared" in western cultures is.

/flame on

Comment: Re:I wouldn't mind the NSA so much if... (Score 4, Interesting) 167

by jeffmeden (#49347377) Attached to: NJ School District Hit With Ransomware-For-Bitcoins Scheme

...they went after these criminals.

If our government actually did something about stuff like this, I think people would believe in their government a bit more, but as it stands, it seems like the NSA and such only want to either spy on us or topple governments that don't toe the line for the US.

I cannot imagine that finding these criminals is beyond the abilities of the US Government, it just seems like they don't even try.

The thing is, if they did, you would never know about it. It may seem like they don't even try, and they might not be, but they could also be defeating 95% of it. With a mission that is by design clandestine, no one may ever know until our kids get a peek at the public records dump 50 years from now.

Comment: Re:Trade secret? (Score 2) 74

by jeffmeden (#49347205) Attached to: Facebook Sued For Alleged Theft of Data Center Design

Yes, but if they had an NDA they should be suing for breaking the NDA, not theft of trade secrets.

Given that they had to redact a good bit of the material in the suit, my guess is that they are doing both. And why not? Trade secrets are internationally recognized as property, and property law is pretty easy to assert. If they can show a clear paper trail, they will probably win.

Comment: Re:Still waiting for a "hackability meter" (Score 1) 158

by jeffmeden (#49347085) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

You're a fucking shitheel. The vast majority of passwords are cracked offline. The only things saving you, the user, when (not if) shit gets hacked are using strong passwords and not reusing them across services. "2-factor" authentication doesn't do fuck shit because the company got fucking hacked anyway - you can't trust that the keys for the RSA clocks weren't taken at the same time the user table was.

Of course any passwords that get cracked are cracked offline, it has been a long long time since even the most poorly architected of sites had an auth service capable of responding fast enough to brute force. The point is that more often still, passwords are lifted out of databases that don't bother to encrypt them at all, or passwords are "Cracked" by exploiting a poorly built password reset system to overwrite them. In those cases (which account for almost all of the malicious per-account activity), it doesn't matter at all how complex (or uncomplex) your password is.

Comment: Re:Still waiting for a "hackability meter" (Score 1) 158

by jeffmeden (#49346917) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

Are you secretly planning to use it as a Dunning-Kruger meter and avoid all that self-rate as 10 out of 10? Because if you think you'll get anything else useful out of it, I want some of what you're smoking...

Both are farcical. Good catch.

The point is that a site could very easily be giving you great password strength advice and then proceed to do something totally stupid with it (storing it with such a poor cipher that it can be bruteforced in seconds).

Comment: Re:Still waiting for a "hackability meter" (Score 1) 158

by jeffmeden (#49346615) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

Sorry, but password complexity matters a great deal. When a website's passwords get hacked, they're going to compare hashes and find all the easiest ones first (password, hunter2, 123456, etc). If yours is 15 characters of random letters, numbers, etc, yours will not get cracked first. Now, if someone like the NSA is targeting YOU, then it doesn't matter how complex it is; it will get cracked. But in a list of 5,000,000 passwords, having a complex password can help make sure yours is not one of those cracked.

This is my exact point. You are right if and only if the provider didn't bother to use an effective salt, which renders rainbow tables pointless. Why isn't that part of the meter? "Your password is stored in a hash of type XXX that is ### bits long, hashed for ### rounds, and salted with ### bits during each round." would tell the user all they need to know about how well their password is going to be protected, and they can make a more informed decision.
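An added example, not from any comment in this thread, of what the proposed "how is my password stored" meter could report and why a per-user salt matters: it assumes a constructed storage scheme of PBKDF2-HMAC-SHA256 with a random 128-bit salt per user (a choice made for this example, not something the thread states).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed storage parameters for this example (not a real provider's settings).
HASH_NAME = "sha256"
ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict:
    """Derive a salted, iterated hash with PBKDF2-HMAC and return the stored record.
    Passing salt=b"" models the unsalted case the comment warns about."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, ROUNDS)
    return {"algo": HASH_NAME, "rounds": ROUNDS, "salt": salt, "digest": digest}


def verify_password(password: str, record: Dict) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        record["algo"], password.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["digest"])


def storage_meter(record: Dict) -> str:
    """The disclosure line the comment proposes, filled in from the stored record."""
    digest_bits = len(record["digest"]) * 8
    salt_bits = len(record["salt"]) * 8
    return (f"Your password is stored in a hash of type {record['algo'].upper()} that is "
            f"{digest_bits} bits long, hashed for {record['rounds']} rounds, and salted with "
            f"{salt_bits} bits.")


def shared_digests(records: List[Dict]) -> int:
    """Count records whose digest also appears in another record.
    With unique salts this is 0 even when users pick the same password, so one
    precomputed or cracked hash cannot be matched against every 'veronica' at once;
    with no salt, every user sharing a password shares a digest."""
    seen: Dict[bytes, int] = {}
    for r in records:
        seen[r["digest"]] = seen.get(r["digest"], 0) + 1
    return sum(n for n in seen.values() if n > 1)
```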

Comment: Re:Still waiting for a "hackability meter" (Score 1) 158

by jeffmeden (#49346559) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified

Considering how awfully many cases there have been where it has taken the company weeks or even months to notify anyone of the breach I'm going to have to disagree on that.

That's my exact point. If a system is compromised and they are going after user data unnoticed, you are boned even if they can't brute force your 5000 character epic passpoem, detailing the life and works of seven mythical Norse heroes (apologies to http://www.schneierfacts.com/f...). The only thing keeping you safe in that instance is staying the fuck away from downright terrible and negligent providers.

Comment: Re:Still waiting for a "hackability meter" (Score 1) 158

by jeffmeden (#49346449) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

Your basis for saying password complexity is irrelevant is that bad people would be doing online brute-forcing? They do matter somewhat when it comes to online cracking, but the real relevancy doesn't lie there. The passwords matter when it comes to offline brute-forcing: the more complex the password the longer it'll take to crack it even if you have the hash for it. With good passwords and well-done hashing and salting you may end up cracking them for weeks by which time whoever you obtained them from will hopefully already have made their users change their passwords.

Brute forcing offline is only a scenario that can take place after a breach has occurred. In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified (http://techcrunch.com/2015/01/...) make complexity 100% pointless, which is what I am getting at here.

Comment: Re:is this good? (Score 4, Interesting) 158

by jeffmeden (#49346331) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

123Password is very strong because it uses numbers and upper and lower case letters.
Those meters are stupid.

As long as it's not on this list: http://gizmodo.com/the-25-most... or just a copy of your exact username, then yep it will probably suit you just fine. Dictionary attacks don't happen in break-ins nearly as often as exploiting password resets (via social engineering or otherwise) or other blatant sidesteps of security (token reuse, etc), since everyone tarpits bad logins, sometimes after as few as 3 attempts.

Comment: Still waiting for a "hackability meter" (Score 5, Interesting) 158

by jeffmeden (#49346243) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

Comment: Re:Trade secret? (Score 2) 74

by jeffmeden (#49346115) Attached to: Facebook Sued For Alleged Theft of Data Center Design

How can you claim something is a trade secret if you show it to others? If you want to keep your design proprietary, patent it.

Via a handy catch-all called an NDA. Facebook is in trouble if it stipulated something like "BRG is presenting designs in confidence and all material is proprietary and not to be copied for any reason... Facebook will be held liable for any material/tangential loss due to disclosure of included designs..." etc since Facebook has allegedly shared their "secret modular designs" with the construction firm that won the bid, and Open Compute Project.

Comment: Re:Ummm.... (Score 3, Insightful) 74

by jeffmeden (#49346061) Attached to: Facebook Sued For Alleged Theft of Data Center Design

Did BRG have that concept patented?

Doesn't matter (but would help their case if it were). Note that the lawsuit isn't for infringement (patent or copyright) but for breach of contract and theft of trade secrets (that Facebook allegedly only had access to in confidence, i.e. via aforementioned contract). It all depends on whether Facebook's agents signed anything similar to an NDA when negotiating with BRG for a design contract, in order to review a proposal using their "modular techniques". If BRG was smart they would have papered it up very specifically before they showed any sensitive bits to Facebook.

Like TFS says we don't have enough info to know if something super specific about the design was copied (like some allegedly optimal ratio of airflow to floorspace to TDP). This is most likely just a contract chase, hoping that the words of whatever Facebook signed are broad enough to catch them for designing anything similar to what BRG had proposed.

Comment: Re:Wouldn't be the first time... (Score 1) 74

by jeffmeden (#49345959) Attached to: Facebook Sued For Alleged Theft of Data Center Design

Wouldn't be the first time that Mark had blatantly stolen someone else's idea.

Next up, BRG will abandon their ridiculous claims, be put on trial for fraud, cut off their monitoring anklets and tape them to a broom handle mounted on a ceiling fan. You know, for fun. CYA in Belize!!!
