
Comment: Re:But... (Score 1) 101

by knarfling (#49039039) Attached to: US Gas Pump Hacked With 'Anonymous' Tagline

Can you change the price?

From the article photo, it looks like the 'pump' is actually some sort of monitoring device used to track how much gas/diesel is in the storage tanks. I imagine that gets used by suppliers to anticipate delivery requirements.

I don't know if the same system is used to control the pricing at the customer pumps, and the article doesn't make it clear. I'd guess that since this was published there are going to be some who will be trying it out though.

Depends on the monitoring device. Some of the monitoring devices connect to both the pumps and the tanks so that you can compare how much gas was pumped vs how much gas is left in the tank. Although it is not 100% accurate, if there are leaks or pumps that are way out of calibration, the device might be the first indication that there is a problem. And yes, the major use is to track how many times a tanker needs to come by and fill up the storage tanks.

On systems with Pay-at-the-Pump that take credit/debit cards, the same device connects the pumps to the authorization systems. Sometimes this is over a phone line, but some deal with satellite or internet connection to the authorization centers. These monitoring devices have a lot more control over what is displayed at the pump, and sometimes you can change pricing through the device. The ones that have this kind of control are *supposed* to have better security, but having to type a pin or password each time you connect to it is "really inconvenient."

Comment: Re:Star Traders? (Score 1) 227

by knarfling (#48856183) Attached to: Sid Meier's New Game Is About Starships
I LOVE that game!! Don't want to be a trader? Try being a smuggler!
Don't like smugglers? Be a Bounty Hunter!!
Fighting not your style? Play an Explorer!
Maybe intrigue between factions is more your thing. Play a Spy!
There are many ways to play Star Traders.

Come to think of it, I play Star Traders on Android, so maybe that is why this new game is only for Windows, OSX, or iPad. The market already has this game (or a better game) on Android.

Comment: Work with your Optometrist! (Score 1) 464

by knarfling (#48718953) Attached to: Ask Slashdot: Are Progressive Glasses a Mistake For Computer Users?

I have progressive lenses and work on computers all day long. But my first pair were horrible! When I complained to my optometrist, he asked me to demonstrate where I held my book/phone for reading. He explained that my distance was not average, but that he could adjust the focal length to fit. The second pair of lenses was much better.

Remember Knarfling's Universal Law of Individuality. "No one else is me!" Your optometrist usually makes a good guess at making your glasses fit your eyesight, but he is not you and cannot see what you see.

Some people never get used to progressive lenses. Some people cannot live comfortably without them. Only you are you, and only you will know if progressive lenses will work for you. But if you never tell your optometrist about the problem, there is no way he or she can fix it! When you do go back in to explain the issue, be prepared to demonstrate the distance from your eyes to your reading material. It will make a difference.

Comment: Definition of ClickBait (Score 2) 238

by knarfling (#48171137) Attached to: Favorite clickbait hook?

It all depends on your definition of clickbait. The most strict definition is bait that makes you click something. It could be a link in an email, or a link on a web page. Some people, not just advertisers, keep score by the number of clicks they receive, and clickbait is something that gets people to click.

A more broad definition would include clicking on a remote control of a TV. News programs are famous for clickbait lines designed to keep you from clicking the remote to a different channel. "When we come back...." It is all designed to keep you watching their advertisements, or watching their news. (Sometimes there is no difference between news and advertisements.)

To me it is all the same. Once in a while it is worth it to click/watch, but most of the time I remember that they don't really care if I learn something or am entertained. To them I am one more set of eyeballs or one more mouse click. Anything as long as they can get me to "click," and I increase their score by one.

Comment: Re:I watched half an episode (Score 1) 193

by knarfling (#48107031) Attached to: A Critical Look At Walter "Scorpion" O'Brien

I don't like receiving my packages unbroken, could we use UPS instead?

ummm.... perhaps I should clarify. While charging "shipping and handling" implies that something will be shipped, I did not actually say that the bridge would be shipped. Only that you would be charged shipping and handling fees at FedEx rates.

Comment: Re:Death bell tolling for thee.... (Score 1) 322

by knarfling (#47519503) Attached to: Microsoft's CEO Says He Wants to Unify Windows
I have to agree. I think I understand why they want to do this: Only one code base, less overhead and more profit.

But it is a stupid idea. The different devices provide different functions and shouldn't look the same or be the same. Servers are different from desktops which are different from tablets which are different from phones.

For those who need a bad car analogy, it is like trying to put the same user interface on bicycles, motorcycles, cars, trucks and trains. No one complains that their car doesn't have handlebars. Or that there is no steering wheel on their bicycle or motorcycle.

Comment: Re:This makes sense. (Score 1) 280

by knarfling (#47468227) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

The 90 day password change is a fixture of compliance regulations. If you deal with PCI, SOX or HIPAA, you probably have to force password changes every 90 days. With PCI, you can lose your ability to take credit cards if you can't show that you force password changes at least every 90 days. (There are ways around it, the most common is lying to the auditor, but that is a different story.)

I have my own theory as to why the 90 days became standard, but was told that my theory was all wrong without any explanation as to why it was wrong. Suffice it to say that 90 days is a standard and if anyone really knows why it became a standard, they aren't talking.

If you ask an auditor, they will tell you that if someone does find your password, either through a key logger, finding your post-it or cracking your password database, they will only have a limited time before that password is changed. You don't even have to know that someone got your password if you change your password on a schedule. Of course, it might not take long before they learn the new password, but that concern is usually dismissed.

Comment: Re:This makes sense. (Score 2) 280

by knarfling (#47467937) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.


I tried to do something basically like this - I have three password strengths, one for low-security throwaway stuff, another for regular stuff (with suffixing so one compromised site won't affect others unless I am specifically targeted), and a max-security one.

Guess which one I use for banking. It's the mid-tier one, MINUS the special characters and suffix. They have an upper length limit that keeps my max-security password from being used for the one thing it really should have been used for.

The only thing that max-security password secures now is root access to my BSD box (and I have sudo set up with nopw, so I never even use that). Everything else is secured by something that really isn't secure enough.

So in other words, nothing has your max security. If you left your screen open and unattended for a moment, a person wouldn't even need your password to crack your BSD box. I hope your BSD box doesn't have anything important on it. The nopw option of sudo should NEVER be used. It is like putting a huge un-pickable lock on your door and then never locking it because it is too inconvenient to pull your keys out. If you use sudo (which I do use often and I believe it is useful, convenient and CAN be secure), you should make sure your password is complex and you need to type it in when you use sudo. Otherwise, you are reducing your security. Yes, sudo can be restricted by host, but most people do not do that, and what happens when that host dies?

I understand that good passwords can be difficult, but they don't have to be. Once I learned how to create good passwords, it became very easy. Even my low security passwords are fairly complex and will pass most complexity requirements. My work password, which has to be changed every 90 days, is usually between 14-20 characters long, has multiple complex characters, and is easy to remember. Although work allows rotation after 6 passwords, I have not re-used a password in six years. My biggest issue is not remembering the password, it is fat-fingering such a long password. The longer it is, the more likely there will be a fat-finger at some point.
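The "nopw" shortcut the reply above objects to is the NOPASSWD tag (or a `Defaults !authenticate` line) in sudoers. The following audit script is an added example, not code from the original comment: it parses a constructed sudoers excerpt, flags every rule that lets sudo run without a password, and shows the rewritten rule that makes sudo prompt again. It only handles simple single-line user specs; on a real host `sudo -l` or `visudo -c` is the authoritative view.

```python
"""Audit a sudoers policy for rules that skip the password prompt.

Added example, not from the original comment. The policy text is constructed
inline; on a real host you would run `sudo -l` or `visudo -c` rather than
parsing /etc/sudoers by hand, and this parser only covers simple user specs.
"""
from __future__ import annotations
import re

# Constructed excerpt: two rules skip the password check, two do not.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults:bob !authenticate
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(ALL) ALL
carol   workstation=(root) /usr/sbin/service nginx restart
dave    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
"""

# user  host(s)=(runas) commands   -- the common single-line user specification
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) for every rule that lets sudo run with no password."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:  # disables the prompt globally or for one user
                findings.append(("high", f"password check disabled: {line}"))
            continue
        m = USER_SPEC.match(line)
        if not m or "NOPASSWD:" not in m["cmds"]:
            continue
        cmds = m["cmds"].split("NOPASSWD:", 1)[1].strip()
        severity = "high" if cmds == "ALL" else "medium"  # ALL with no password is root for free
        findings.append((severity, f"{m['user']} may run '{cmds}' on {m['hosts']} without a password"))
    return findings

def hardened(line: str) -> str:
    """Rewrite a NOPASSWD user spec so sudo asks for the user's own password again."""
    return re.sub(r"NOPASSWD:\s*", "", line)

if __name__ == "__main__":
    for severity, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {message}")
    print(hardened("alice   ALL=(ALL) NOPASSWD: ALL"))
```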

Comment: Re:This makes sense. (Score 4, Interesting) 280

by knarfling (#47467541) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

I see that someone has had problems with a sysadmin.

Try to remember that not all sysadmins are BOFH. Some actually agree with you on the need for complex passwords and how often they should be changed. Many of them, however, have to follow outdated and impractical guides forced upon them by government standards in order to comply with HIPAA, SOX, or PCI.

There are a couple of things that bother me, though. The first is pattern re-use. P@$$word521 does meet the complexity requirements of many systems. But when you use P@$$word125, P@$$word251, P@$$word215 and then tell everyone that you use P@$$word with the same three numbers and just rotate the numbers, it is not much better than a post-it under the keyboard. Complex passwords do not have to be difficult to remember. Just because someone has difficulty coming up with good passwords does not mean that a hard-to-remember password is actually complex.

The second thing that bothers me is when a sysadmin will force a password policy on you, but won't use it himself. I know one admin that forced a password change every 90 days for all accounts except his. When he left the company, his password history was completely blank. He had used the same password for years. While I think passwords could live longer than 90 days and twice a year would be sufficient for many passwords, if a change is required, it should be required for all users including the sysadmin.

Just my little rant.
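The "P@$$word521 / P@$$word125 / P@$$word251" rotation described above passes most complexity rules yet reuses one memorable core. The check below is an added example, not code from the original comment: it normalises each password (drops the rotating digits, undoes common symbol substitutions, keeps letters only) and rejects a new password whose core matches one of the last six entries in a constructed, clear-text history (a real deployment would compare against stored cores or hashes, not plaintext).

```python
"""Flag new passwords that only rotate digits or swap symbols on an old core.

Added example, not from the original comment. The password history is
constructed and held in clear text only so the normalisation is visible; a
real history check would compare against stored hashes or a stored core.
"""
from __future__ import annotations
import re

# Symbol substitutions that leave the memorable word unchanged (P@$$word -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})

def core(password: str) -> str:
    """Strip the rotating numeric head/tail, undo substitutions, keep letters only."""
    body = re.sub(r"^\d+|\d+$", "", password)          # 'P@$$word521' -> 'P@$$word'
    return re.sub(r"[^a-z]", "", body.lower().translate(LEET))

def is_pattern_reuse(candidate: str, history: list[str], remember: int = 6) -> bool:
    """True when the candidate shares its core with one of the last `remember` passwords."""
    recent = history[-remember:] if remember > 0 else []
    new_core = core(candidate)
    return any(new_core == core(old) for old in recent)

# Constructed history showing the rotation pattern from the comment above.
HISTORY = ["P@$$word521", "P@$$word125", "P@$$word251"]

def check(candidate: str, history: list[str] = HISTORY) -> str:
    """Verdict for a proposed new password against the recent history."""
    if candidate in history:
        return "rejected: password was used before"
    if is_pattern_reuse(candidate, history):
        return "rejected: only rotates digits or symbols on an earlier password"
    return "accepted"

if __name__ == "__main__":
    for pw in ["P@$$word215", "Pa55w0rd!", "correct horse battery staple"]:
        print(f"{pw!r}: {check(pw)}")
```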

Comment: Re:Why didn't they just listen to users? (Score 1) 681

They were not listening because the feedback did not feed into their internal narrative. That narrative was that, to establish a position in tablets and phones, the UI had to be common across all types of devices. If your feedback went against this directive, it could not be accepted.

I wonder how many people tried to point out how completely stupid this directive was. Can you imagine what would happen if the auto industry tried to make their user interface common across all types of vehicles? They could have tried building cars with handlebars that have the brakes and acceleration controlled by hands, or motorcycles with steering wheels and a brake pedal.

It amazes me that the "unified UI" concept got as far as it did. I suppose those that did point out how stupid it was were let go for "creative differences."

Comment: Password change frequency (Score 1) 116

by knarfling (#46943765) Attached to: It's World Password Day: Change Your Passwords

Although I do not have proof of this, I believe that the password change policy came from the way early UNIX systems handled the password files.

Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the file were hashed, they could be cracked or a rainbow table created if you had access to a powerful enough computer. At the time, only mainframes or mini computers had the power needed, and cracking a password took between three and five months.

The thought process was that if someone did steal the password file, and you changed your password every three months, it was very likely that the password was changed by the time the passwords were cracked. These days, more powerful computers can crack the passwords much, much faster, and the UNIX/Linux systems have broken out the passwords from the password file and placed them in a shadow file that is not world readable.

The danger of the password file being stolen is no longer the same issue as it once was, but the "standard" password policy has never changed. Today, the reason most often given for a change policy is: "This is best practices, so we are going to do it." Few security consultants can give you the real reason for the policy, although many will refer to recent examples of passwords being stolen and tell you that you need to change a password often just in case someone does steal the password. The danger today is not that the person stealing your password will use it, but that they will sell it to someone else. On the one hand, that does give you a little time to change your password, but on the other hand, some people may feel that since their account was not cracked right away that their accounts are still safe.
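The comment above describes the fix that made the old threat model obsolete: hashes moved out of the world-readable password file into a shadow file. The script below is an added example, not code from the original comment: it walks a constructed passwd excerpt and reports any entry that still carries a hash (or an empty password field) where every user can read it, and checks a shadow file's mode bits for world access.

```python
"""Check that password hashes live in a non-world-readable shadow file, not in passwd.

Added example, not from the original comment. The passwd excerpt and the file
modes are constructed; on a real host you would read /etc/passwd and stat the
shadow file, as the __main__ block does.
"""
from __future__ import annotations
import os
import stat

# Constructed /etc/passwd excerpt: one legacy entry keeps its hash in field 2,
# one account has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$CONSTRUCTEDHASH:1001:1001::/home/legacy:/bin/sh
guest::1002:1002:guest:/home/guest:/bin/sh
"""

# Placeholders meaning "the real hash is in shadow" or "account locked".
SHADOWED = {"x", "*", "!", "!!", "*NP*"}

def audit_passwd(text: str) -> list[str]:
    """Return one finding per entry whose password field is not a shadow placeholder."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line}")
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"{user}: empty password field, login needs no password")
        elif pw not in SHADOWED:
            findings.append(f"{user}: hash stored in world-readable passwd, not in shadow")
    return findings

def shadow_mode_ok(mode: int) -> bool:
    """True when the shadow file is neither world-readable nor world-writable."""
    return not (mode & (stat.S_IROTH | stat.S_IWOTH))

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    try:  # live check on this host; fails harmlessly where the file does not exist
        print("shadow mode ok:", shadow_mode_ok(os.stat("/etc/shadow").st_mode))
    except OSError as exc:
        print("cannot stat /etc/shadow:", exc)
```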
