
Comment: Re:Time for a revolution (Score 5, Informative) 421

by julesh (#48235897) Attached to: Law Lets IRS Seize Accounts On Suspicion, No Crime Required

So in this case, if you deposit slightly less than $10,000 then that also triggers the bank to privately report you to the government. All of the people mentioned in the article deposited slightly less than the $10,000 to avoid triggering, and they knowingly avoided it, although for different reasons (some did it because they thought it was a hassle for the bank, and they were trying to be nice?). So if you need to deposit $10,000+ in an account, then fucking do it! In this case, it "triggers" an event, but that event doesn't remove your money.

At least one had an entirely different reason - they were banking their cash before it reached $10,000 each time because their insurance policy had a $10,000 limit on claims for cash. Another was described as depositing wildly varying amounts at regular intervals, apparently just banking their business's weekly takings (or whatever) that just happened to always be between $5k and $10k.

Yes, there were a couple of cases where the avoidance of the limit sounded to be intentional, but that wasn't the case in all of the instances presented in the article.

Comment: Re:Key stretching with PBKDF2 (Score 1) 222

by julesh (#48235807) Attached to: Passwords: Too Much and Not Enough

a CPU that can manage a trillion hashes per second (easy)

A trillion (10^12) hashes per second can still check only 100 million (10^8) passwords per second if checking each requires 5000 rounds of PBKDF2. In the common PBKDF2 built on HMAC, each round is two hashes, making a 5000-round PBKDF2 take 10,000 (10^4) hashes.

That, and the fact that there's no CPU on earth that can calculate 10^12 cryptographic hashes in a second using any algorithm that's ever been commonly used for password hashing. Even hardware using custom ASICs designed for the purpose struggles to approach this rate; the fastest bitcoin miner money can buy manages 4x10^11 hashes per second in each of its 15 processors. Any single chip solution can't really do much better than that, because cooling.
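
The two-hashes-per-iteration cost the reply describes is easy to see by counting digest calls. The following is an added example, not code from the comment above or from any library the thread mentions: it builds HMAC-SHA256 and single-block PBKDF2 from RFC 2104 / RFC 8018 on top of a counting SHA-256 wrapper, then cross-checks the output against the JDK's own PBKDF2WithHmacSHA256. The password, salt and iteration count are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2HashCount {
    // Every SHA-256 invocation goes through here so the cost per iteration is visible.
    static long hashCalls = 0;

    static byte[] sha256(byte[]... parts) throws Exception {
        hashCalls++;
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    // HMAC-SHA256 (RFC 2104): inner hash plus outer hash, i.e. two digest calls per MAC.
    static byte[] hmacSha256(byte[] key, byte[] msg) throws Exception {
        final int blockSize = 64;
        if (key.length > blockSize) key = sha256(key);   // only keys longer than a block cost an extra hash
        byte[] k = Arrays.copyOf(key, blockSize);         // zero-padded to the block size
        byte[] ipad = new byte[blockSize], opad = new byte[blockSize];
        for (int i = 0; i < blockSize; i++) {
            ipad[i] = (byte) (k[i] ^ 0x36);
            opad[i] = (byte) (k[i] ^ 0x5c);
        }
        byte[] inner = sha256(ipad, msg);   // hash #1
        return sha256(opad, inner);         // hash #2
    }

    // PBKDF2 (RFC 8018 section 5.2) for dkLen <= hLen: a single block, c chained HMACs XORed together.
    static byte[] pbkdf2(byte[] password, byte[] salt, int iterations) throws Exception {
        byte[] u = hmacSha256(password, concat(salt, new byte[] {0, 0, 0, 1}));  // U1 = PRF(P, S || INT(1))
        byte[] t = u.clone();
        for (int i = 1; i < iterations; i++) {
            u = hmacSha256(password, u);                 // U_i = PRF(P, U_{i-1})
            for (int j = 0; j < t.length; j++) t[j] ^= u[j];
        }
        return t;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        byte[] password = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        int iterations = 5000;

        hashCalls = 0;
        byte[] mine = pbkdf2(password, salt, iterations);
        long calls = hashCalls;

        // Cross-check against the JDK implementation of the same construction.
        PBEKeySpec spec = new PBEKeySpec(
            new String(password, StandardCharsets.UTF_8).toCharArray(), salt, iterations, 256);
        byte[] jdk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(spec).getEncoded();

        System.out.println("matches JDK PBKDF2WithHmacSHA256: " + Arrays.equals(mine, jdk));
        System.out.println("SHA-256 invocations for " + iterations + " iterations: " + calls);
        System.out.printf("digest calls per iteration: %.1f%n", (double) calls / iterations);
    }
}
```

With a 28-byte password (shorter than the 64-byte block, so no key pre-hash) the counter reaches exactly 10,000 for 5,000 iterations. A production implementation precomputes the ipad/opad states once and pays two compression-function calls per iteration rather than two full digests, but the 2:1 ratio the reply relies on is the same.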

Comment: Re:Why are we still using passwords? (Score 1) 222

by julesh (#48235743) Attached to: Passwords: Too Much and Not Enough

Or to put it another way, your xkcd password, if the user has a vocabulary of 10k words, being cracked by a CPU that can manage a trillion hashes per second (easy) means your password can be brute forced in less than 3 hours.

Err... that's rather faster than any CPU or indeed GPU I've ever heard of. Depends, of course, on your hashing algorithm, but the fastest I've ever heard of is 3.5 x 10^11 NTLM hashes, which wasn't a single CPU but a cluster of 25 GPUs, so call it 2x10^10 for a single processor, or approximately 2 orders of magnitude slower than your suggestion of what is "easy" to achieve.

Also note that this was NTLM, which is a lot weaker and easier to calculate than most of the algorithms used by web-based systems today. The same cluster only managed 71,000 hashes per second against bcrypt, which is the algorithm that is usually recommended for new systems at the current time. That's about 3,000 hashes per second per processor.

So cracking that XKCD-style password in less than 3 hours...? Not in reality it can't. That's 10^12 possible passwords. If they were hashed using NTLM and you were using all 25 nodes of the fastest password cracking cluster that has been publicly described, and they were as short as the passwords used in the original benchmark it would take about 3 hours, yes. But (1) nobody seriously uses NTLM, and (2) few attackers have that kind of hardware available, with cost estimated at around $30,000.

Used on a site complying with modern standards of password encryption against a realistic attacker (a script kiddie using a couple of high-end gaming systems with 2 top-end GPUs, thus cranking out about 10^4 bcrypt hashes per second) your XKCD-style password would last about 5x10^7 seconds, or approximately 1.5 years.

Change your password every 6 months and as long as the site uses modern encryption techniques you'll be just fine.

Comment: Worse is worse (Score 3, Insightful) 240

by Geoffrey.landis (#48139861) Attached to: Fighting the Culture of 'Worse Is Better'

I would assert precisely the opposite. "trade-offs to preserve compatibility and interoperability" do not cripple the functionality to users-- failure to engineer compatibility and interoperability is what cripples functionality.

The number of times that there's been a new feature and I've said "oh, excellent, it's true that my old files no longer work, but this is so wonderful I don't care" has been very close to zero. The number of times there's been a new feature and I've said "those assholes, I have twenty thousand files that don't work any more, what in the world were those idiots thinking?" is decidedly not zero.

Comment: Re:Steve Jobs' products changed the world? (Score 2) 181

by Geoffrey.landis (#48123687) Attached to: The Cult of Elon Musk Shines With Steve Jobs' Aura

I'm not sure to what extent Tesla innovated to create the cars they have, but certainly they made the first EV that people actually wanted to have for reasons other than it being an EV or hybrid.

The Tesla Roadster made electric cars cool, in that it was a car for the ultra-top end market, people who otherwise would be buying a Lotus or Ferrari. So, it was an existence proof that you could make an EV that contended with top-end sports cars.

It was also one of the first mass market EVs that doesn't look like utter crap (the Honda Civic hybrid being the other one).

Actually, Leaf is the top selling EV on the market right now. If you count electric cars with gasoline backup, Volt would be on the list.

Tesla doesn't make a mass-market EV yet; their Model S right now is a luxury car rather than something for the average buyer. While I'd love to have one... I don't think Tesla comes anywhere close to being "the first" in the way of mass market EVs. There are a lot of electric cars out there, both mass-market and otherwise.

Comment: Re:Maybe affects Boeing, not SpaceX (Score 1) 139

by Geoffrey.landis (#48072919) Attached to: NASA Asks Boeing, SpaceX To Stop Work On Next-Gen Space Taxi

This is just typical politics in the aerospace industry. It's so critical to national defense infrastructures that it tends to develop more cruft on its surface than others despite dealing with such incredibly interesting high tech. Also, US congressional budgets have been starving the budgets for the projects dealing with basic scientific research and study, which is a shame.

I would prefer to see NASA bet on all three horses so you have better odds of one of winning the race!

I would too, but they haven't been given the budget to do so. In fact, congress has been demanding the opposite: it had previously been very insistent that NASA needs to downselect to just one.

It's quite a victory that they managed to keep on funding two options.

Comment: Re:Bullcrap (Score 1) 349

by julesh (#48061477) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

Trust me, MS doesn't give the slightest concern about any broken Java apps.

Trust me, they do. Windows 10 won't fly if they can't get corporate types to adopt it. The corporates won't adopt it if their large number of custom (and frequently very shoddy) Java apps (in use in 90% of large corporations according to a recent survey) won't run. MS cares about making sure Java apps work OK.

Comment: Re:How bad is the Microsoft API? (Score 1) 349

by julesh (#48061467) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

for whatever reason, a lot of Java code checks the "" property to determine the OS version instead of "os.version".

Because Java's API design is fucked up.

Windows NT 4.0: = "Windows NT", os.version = "4.0"
Windows 95 (= MSDOS 7.0): = "Windows 95", os.version = "4.0"
Windows 98: (also MSDOS 7.0): = "Windows 98", os.version = "4.1"
Windows 2000 (aka NT 5): = "Windows 2000", os.version = "5.0"

Given these 4 versions as the likely target platforms, how do I determine if I'm running on Windows-the-DPMI-DOS-Extender or Windows NT?

Comment: Re:This is the stupidest thing I've ever heard (Score 1) 349

by julesh (#48061413) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

So you're telling me that Microsoft decided/had to skip a version number because of existing Java code? Rly? Srsly?

Yes, I can believe it. Microsoft needs to sell the latest version of Windows to all of its big corporate clients, and almost all of them run custom Java applications. Java applications are quite likely to have bugs like this because Java doesn't provide an easy way to get the operating system version number.

Comment: Re:This is Java code (Score 1) 349

by julesh (#48061399) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

So, it basically makes no sense using a Java example of getting the OS version string, as essentially nobody uses Java for any tightly integrated desktop app where you need to know exactly what version of Windows you're on.

The code I see in almost all of the search results isn't really trying to determine an exact version: it's trying to work out which basic operating system family is in use, i.e. distinguish between Windows-which-was-a-DPMI-DOS-Extender and Windows NT.

Comment: Re:And Java fail again (Score 1) 349

by julesh (#48061373) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

And looking at the code examples like 90% of the cases where in the Java sources.
The problem isn't Windows, the problem is incompetent programmers. Instead of calling the proper API to get the version number, morons are doing things like

if (os.startsWith("Windows 9"))

Right. And what is that proper API in Java?

Comment: Re:And Java fail again (Score 2) 349

by julesh (#48061361) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

Because only Java attracts bad programmers?

Because only Java was designed to discourage operating-system-version-dependent code and therefore intentionally lacks a way of checking the operating system version except through a string; most other languages provide an API that gives you major & minor version numbers in integers, which is much more convenient.

Comment: Re:And Java fail again (Score 1) 349

by julesh (#48061347) Attached to: Possible Reason Behind Version Hop to Windows 10: Compatibility

What's more interesting is why the OS detection is being done in the first place - the cynic in me says it's probably because they're using the OS version to make assumptions about file system locations.

Most of them are trying to choose between "sh -c", " /c" and "cmd.exe /c" as a way to parse & execute command lines.
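
The family check asked about in the "How bad is the Microsoft API?" reply, and the "sh -c" / "cmd.exe /c" choice in the comment above, can be put side by side in a few lines. This is an added example, not code from any commenter or from the Java runtime: it shows the prefix check the thread criticises next to an exact-match rule that treats the DOS-based Windows names as a closed set. The DOS-era interpreter is assumed to be command.com, the os.name sample values (including a hypothetical "Windows 9") are constructed, and "Windows Me" is assumed to be the string that family reports.

```java
import java.util.List;
import java.util.Set;

public class OsFamily {
    enum Family { WINDOWS_9X, WINDOWS_NT, UNIX }

    // The widely copied check: matches "Windows 95" and "Windows 98", but would also match
    // a hypothetical "Windows 9", which is exactly the compatibility problem the thread discusses.
    static Family classifyByPrefix(String osName) {
        if (osName.startsWith("Windows 9")) return Family.WINDOWS_9X;
        if (osName.startsWith("Windows")) return Family.WINDOWS_NT;
        return Family.UNIX;
    }

    // Assumed safer rule: the DOS-based Windows line is a finite, closed set, so match it exactly
    // and treat every other "Windows ..." as NT-based. os.version cannot decide this on its own,
    // because NT 4.0 and Windows 95 both report "4.0".
    private static final Set<String> DOS_BASED = Set.of("Windows 95", "Windows 98", "Windows Me");

    static Family classifyExact(String osName) {
        if (DOS_BASED.contains(osName)) return Family.WINDOWS_9X;
        if (osName.startsWith("Windows")) return Family.WINDOWS_NT;
        return Family.UNIX;
    }

    // The command-line prefix the comment says most of this detection code is really choosing.
    static List<String> shellFor(Family f) {
        switch (f) {
            case WINDOWS_9X: return List.of("command.com", "/c");  // assumed DOS-era interpreter
            case WINDOWS_NT: return List.of("cmd.exe", "/c");
            default:         return List.of("sh", "-c");
        }
    }

    public static void main(String[] args) {
        // Constructed os.name values; "Windows 9" is hypothetical.
        String[] samples = { "Windows NT", "Windows 95", "Windows 98", "Windows 2000",
                             "Windows 9", "Windows 10", "Linux" };
        for (String s : samples) {
            System.out.printf("%-13s prefix=%-11s exact=%-11s shell=%s%n", s,
                classifyByPrefix(s), classifyExact(s), shellFor(classifyExact(s)));
        }
        // And the real value on the JVM this runs on:
        String here = System.getProperty("os.name");
        System.out.println("this JVM: " + here + " -> " + shellFor(classifyExact(here)));
    }
}
```

Running it shows the two rules agreeing on every real name and disagreeing only on "Windows 9": the prefix rule would hand that system command.com, the exact rule hands it cmd.exe. The exact rule is also the one that keeps working when a new NT-based name appears, since anything not in the closed DOS-based set falls through to NT.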
