
Comment: Re:Death bell tolling for thee.... (Score 1) 322

by knarfling (#47519503) Attached to: Microsoft's CEO Says He Wants to Unify Windows
I have to agree. I think I understand why they want to do this: Only one code base, less overhead and more profit.

But it is a stupid idea. The different devices provide different functions and shouldn't look the same or be the same. Servers are different from desktops which are different from tablets which are different from phones.

For those who need a bad car analogy, it is like trying to put the same user interface on bicycles, motorcycles, cars, trucks and trains. No one complains that their car doesn't have handlebars. Or that there is no steering wheel on their bicycle or motorcycle.

Comment: Re:This makes sense. (Score 1) 280

by knarfling (#47468227) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

The 90 day password change is a fixture of compliance regulations. If you deal with PCI, SOX or HIPAA, you probably have to force password changes every 90 days. With PCI, you can lose your ability to take credit cards if you can't show that you force password changes at least every 90 days. (There are ways around it, the most common is lying to the auditor, but that is a different story.)

I have my own theory as to why the 90 days became standard, but was told that my theory was all wrong without any explanation as to why it was wrong. Suffice it to say that 90 days is a standard and if anyone really knows why it became a standard, they aren't talking.

If you ask an auditor, they will tell you that if someone does find your password, either through a key logger, finding your post-it or cracking your password database, they will only have a limited time before that password is changed. You don't even have to know that someone got your password if you change your password on a schedule. Of course, it might not take long before they learn the new password, but that concern is usually dismissed.

Comment: Re:This makes sense. (Score 2) 280

by knarfling (#47467937) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.


I tried to do something basically like this - I have three password strengths, one for low-security throwaway stuff, another for regular stuff (with suffixing so one compromised site won't affect others unless I am specifically targeted), and a max-security one.

Guess which one I use for banking. It's the mid-tier one, MINUS the special characters and suffix. They have an upper length limit that keeps my max-security password from being used for the one thing it really should have been used for.

The only thing that max-security password secures now is root access to my BSD box (and I have sudo set up with nopw, so I never even use that). Everything else is secured by something that really isn't secure enough.

So in other words, nothing has your max security. if you left your screen open and unattended for a moment, a person wouldn't even need your password to crack your BSD box. I hope your BSD box doesn't have anything important on it. The nopw option of sudo should NEVER be used. It is like putting a huge un-pickable lock on your door and then never locking it because it is too inconvenient to pull your keys out. If you use sudo (which I do use often and I believe it is useful, convenient and CAN be secure), you should make sure your password is complex and you need to type it in when you use sudo. Otherwise, you are reducing your security. Yes, sudo can be restricted by host, but most people do not do that, and what happens when that host dies?

I understand that good passwords can be difficult, but they don't have to be. Once I learned how to create good passwords, it became very easy. Even my low security passwords are fairly complex and will pass most complexity requirements. My work password, which has to be changed every 90 days, is usually between 14-20 characters long, has multiple complex characters, and is easy to remember. Although work allows rotation after 6 passwords, I have not re-used a password in six years. My biggest issue is not remembering the password, it is fat-fingering such a long password. The longer it is, the more likely there will be a fat-finger at some point.
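The NOPASSWD point above is easy to check mechanically. The following is an added example (not knarfling's code or anything from the thread): a small Python audit that reads sudoers-style text and flags rules carrying the NOPASSWD tag, rating a NOPASSWD grant of ALL commands as worse than one limited to named commands, and reports whether a Defaults timestamp_timeout is set. Both sudoers snippets are constructed samples for illustration; the parser handles the common rule shape only, not includes, aliases or continuation lines.

```python
"""Audit sudoers-style text for NOPASSWD rules (added example, not from the thread)."""
import re

# Constructed sample of the weak setup described in the comment: root via sudo
# without ever typing a password.
WEAK_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /bin/systemctl
"""

# Constructed hardened counterpart: password required, a short credential
# cache, and the group rule narrowed to specific command lines.
HARDENED_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
Defaults    timestamp_timeout=5
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) ALL
%wheel  ALL=(ALL) /usr/bin/apt-get update, /bin/systemctl restart nginx
"""

# user_or_group  hosts=(runas) [TAG: ...] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)
TAG_RE = re.compile(r"\s*([A-Z]+):\s*")


def parse_rules(text):
    """Return (line_no, who, runas, tags, commands) for each user specification."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("spec")
        tags = []
        while True:                               # peel leading TAG: prefixes
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append((line_no, m.group("who"), m.group("runas"), tags, commands))
    return rules


def find_weak_rules(text):
    """Return (line_no, who, severity, commands) for every NOPASSWD rule."""
    findings = []
    for line_no, who, _runas, tags, commands in parse_rules(text):
        if "NOPASSWD" in tags:
            severity = "high" if "ALL" in commands else "medium"
            findings.append((line_no, who, severity, commands))
    return findings


def timestamp_timeout(text):
    """Return the Defaults timestamp_timeout value in minutes, or None if unset."""
    m = re.search(r"^\s*Defaults\b.*?\btimestamp_timeout\s*=\s*(-?\d+)", text, re.M)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(name, "NOPASSWD rules:", find_weak_rules(cfg),
              "timestamp_timeout:", timestamp_timeout(cfg))
```

On a real host the input would be the output of `sudo -l` or the contents of `/etc/sudoers` and `/etc/sudoers.d/*`, read as root; the point of the medium/high split is that a password-less grant of a single audited command is a narrower exposure than a password-less root shell, though both deserve a look.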

Comment: Re:This makes sense. (Score 4, Interesting) 280

by knarfling (#47467541) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

I see that someone has had problems with a sysadmin.

Try to remember that not all sysadmins are BOFH. Some actually agree with you on the need for complex passwords and how often they should be changed. Many of them, however, have to follow outdated and impractical guides forced upon them by government standards in order to comply with HIPAA, SOX, or PCI.

There are a couple of things that bother me, though. The first is pattern re-use. P@$$word521 does meet the complexity requirements of many systems. But when you use P@$$word125, P@$$word251, P@$$word215 and then tell everyone that you use P@$$word with the same three numbers and just rotate the numbers, it is not much better than a post-it under the keyboard. Complex passwords do not have to be difficult to remember. Just because someone has difficulty coming up with good passwords does not mean that a hard-to-remember password is actually complex.

The second thing that bothers me is when a sysadmin will force a password policy on you, but won't use it himself. I know one admin that forced a password change every 90 days for all accounts except his. When he left the company, his password history was completely blank. He had used the same password for years. While I think passwords could live longer than 90 days and twice a year would be sufficient for many passwords, if a change is required, it should be required for all users including the sysadmin.

Just my little rant.

Comment: Re:Why didn't they just listen to users? (Score 1) 681

They were not listening because the feedback did not feed into their internal narrative. That narrative was that, to establish a position in tablets and phones, the UI had to be common across all types of devices. If your feedback went against this directive, it could not be accepted.

I wonder how many people tried to point out how completely stupid this directive was. Can you imagine what would happen if the auto industry tried to make their user interface common across all types of vehicles? They could have tried building cars with handlebars that have the brakes and acceleration controlled by hands, or motorcycles with steering wheels and a brake pedal.

It amazes me that the "unified UI" concept got as far as it did. I suppose those that did point out how stupid it was were let go for "creative differences."

Comment: Password change frequency (Score 1) 116

by knarfling (#46943765) Attached to: It's World Password Day: Change Your Passwords

Although I do not have proof of this, I believe that the password change policy came from the way early UNIX systems handled the password files.

Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the file were hashed, they could be cracked or a rainbow table created if you had access to a powerful enough computer. At the time, only mainframes or mini computers had the power needed, and cracking a password took between three to five months.

The thought process was that if someone did steal the password file, and you changed your password every three months, it was very likely that the password was changed by the time the passwords were cracked. These days, more powerful computers can crack the passwords much, much faster, and the UNIX/Linux systems have broken out the passwords from the password file and placed them in a shadow file that is not world readable.

The danger of the password file being stolen is no longer the same issue as it once was, but the "standard" password policy has never changed. Today, the reason most often given for a change policy is: "This is best practices, so we are going to do it." Few security consultants can give you the real reason for the policy, although many will refer to recent examples of passwords being stolen and tell you that you need to change a password often just in case someone does steal the password. The danger today is not that the person stealing your password will use it, but that they will sell it to someone else. On the one hand, that does give you a little time to change your password, but on the other hand, some people may feel that since their account was not cracked right away that their accounts are still safe.
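The passwd/shadow split described above can be verified rather than assumed. The following is an added example, not code from the comment: a Python audit over the two files' formats that flags any account whose hash still sits in the world-readable passwd file (the pre-shadow layout), any shadow entry with an empty password field, and any unlocked account whose maximum password age exceeds a chosen policy. The file contents are constructed samples with placeholder hashes; on a real system you would read /etc/passwd and, as root, /etc/shadow.

```python
"""Audit passwd/shadow-format text for exposed hashes and aging policy (added example)."""

# Constructed /etc/passwd sample. "legacy" keeps its hash in field 2, as a
# pre-shadow system would; the others use the "x" placeholder.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$constructed$notarealhashXXXXXXX:1001:1001:Legacy:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
svc:x:1004:1004:Service:/var/lib/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow sample: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$constructed$notarealhash:19700:0:99999:7:::
alice:$6$constructed$notarealhash:19700:0:90:7:::
bob::19700:0:90:7:::
svc:*:19700:0:99999:7:::
"""

PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def parse_colon_file(text):
    """Return a list of field lists, one per non-empty line."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def is_locked(hash_field):
    """Shadow conventions: '*' or a leading '!' means no password login."""
    return hash_field == "*" or hash_field.startswith("!")


def audit(passwd_text, shadow_text, max_days=90):
    """Return (user, issue) pairs; issues are fixed strings for easy matching."""
    findings = []
    for fields in parse_colon_file(passwd_text):
        user, pw = fields[0], fields[1]
        if pw not in PLACEHOLDERS:
            findings.append((user, "password hash stored in world-readable passwd"))
    for fields in parse_colon_file(shadow_text):
        user, hash_field, max_field = fields[0], fields[1], fields[4]
        if hash_field == "":
            findings.append((user, "empty password field: login without a password"))
            continue
        if is_locked(hash_field):
            continue                      # nothing to rotate on a locked account
        if max_field == "" or int(max_field) > max_days:
            findings.append((user, f"max password age exceeds policy of {max_days} days"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(PASSWD, SHADOW):
        print(f"{user}: {issue}")
```

Locked service accounts are skipped on purpose: forcing a 90-day rotation on an account that cannot log in with a password adds noise, not security. Whether 90 is the right number is a separate argument, which is what the comment is making; the check simply reports deviations from whatever value you pass.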

Comment: Re:For those of us not in the US (Score 1) 465

by knarfling (#46895055) Attached to: Lessig Launches a Super PAC To End All Super PACs

What's a PAC? It sounds like it's a way of buying politicians, but surely that can't be it.

Yes, it really can be a way to buy politicians, and stop calling me Shirley. defines a PAC like this:

Political Action Committee (PAC) — A popular term for a political committee organized for the purpose of raising and spending money to elect and defeat candidates. Most PACs represent business, labor or ideological interests.

Comment: Re:AZ License plates (Score 4, Funny) 325

by knarfling (#46730481) Attached to: Can You Buy a License To Speed In California?
The goal in AZ is to match your speed with the number of the freeway. On the I-10 and the I-17 it slows things down to a crawl. The 51 and the 60 are a bit more challenging, especially in rush-hour. But with the 101, the 202 and the 303, you better have those "honoring fallen officers" plates attached.

Comment: AZ License plates (Score 4, Funny) 325

by knarfling (#46730437) Attached to: Can You Buy a License To Speed In California?
There is a reason for all the different colors of license plates. You used to be able to say that you could tell the changing seasons by the changing colors ... of the license plates. There are so many out-of-state visitors during the winter that it used to be easy to tell the snowbirds from the residents.
Probably someone decided that the snowbirds were either getting picked on or getting preferential treatment, so lots of colors of AZ plates were made. As a bonus, more money comes in!!

Did you know that AZ has very short winters? Last year it was on a Tuesday.

Samsung Galaxy S5 Released 2 Weeks Early in S.Korea

Submitted by knarfling
knarfling (735361) writes "The Samsung Galaxy S5 is on sale now in South Korea, two weeks early — much to Samsung's surprise.
The S5 is set to go on sale around the world on 11 April, hitting shop shelves in 150 countries before the month is out. But the wait is too long for impatient South Korean carrier SK Telecom, which has made the phone available today for around 866,800 won."


Comment: Re:Do electric cars actually produce CO2? (Score 5, Insightful) 330

Exactly!! The TFA (I know, I know. Why read the TFA.) calls it the wells-to-wheels carbon profile. And Mazda is comparing only to the "dirtiest" areas.

And those levels would likely be better than the wells-to-wheels carbon profile of an electric car running in a coal-heavy country--Poland, for example.

Not only that, but the engines themselves are not yet designed. They are "projected" to be available by 2020.

I realize the air is a bit dirty, but still -- That is a long time to hold your breath.

Comment: Anti-virus definition (Score 1) 452

by knarfling (#46486675) Attached to: Lies Programmers Tell Themselves
Definition of anti-virus. Noun: A piece of malware sometimes purchased, designed to a) use up resources and slow down a machine, b)report activity to a central repository, and c) insure that it is the only malware on a given machine. Because of (c), it is one of the few pieces of malware that is REQUIRED to be installed in order to pass several security certifications. In a rare form of honesty, some anti-virus programs have correctly identified themselves as malware and disabled themselves. Others have identified essential Windows libraries as a virus and have managed to shut down the OS.

Comment: Re:Lie #12 (Score 2) 452

by knarfling (#46486009) Attached to: Lies Programmers Tell Themselves

Subset of Lie # 12: "It must be run as root/Administrator." Also known as: "I need the user program to access system calls and the *BEST* way to accomplish that is to run the program with admin privileges since admin can do that without annoying pop-ups."

It amazes me how many Win7 programs I run into that were originally programmed with XP or Win2000 in mind. The official Tech Support answer is: "Oh, you have to be logged in as an administrator. If that doesn't work, right click on it and run it as an administrator."

Comment: Password length is important (Score 2) 162

by knarfling (#46458235) Attached to: Top E-commerce Sites Fail To Protect Users From Stupid Passwords

Several years ago, I used to work for a now defunct online web site company that provided websites to customers. Customers were required to activate their site and sign in to a site management web page. Although the password policy was not as sophisticated as it should have been, we did require passwords to be between 6 and 16 characters.

We received an email from one customer who was helping a new customer activate and sign up for the web management page. The new customer liked to pick passwords based on a mild shock value and wanted to use "Penis" as his password. The customer wanted us to know that they almost died laughing when the web page responded back with the message:
"Password rejected. Not long enough. Please try another."

Remember, password length is important. Choose your length wisely.
