Forgot your password?
typodupeerror

+ - Beware the Internet

Submitted by frost_knight
frost_knight (885804) writes "Washington Post opinion writer Robert J. Samuelson writes "If I could, I would repeal the Internet. It is the technological marvel of the age, but it is not — as most people imagine — a symbol of progress. Just the opposite. We would be better off without it." It is his belief that the dangers of the Internet outweigh its benefits."

Comment: Re:Forcing strong passwords in the first place. (Score 1) 211

by x3CDA84B (#43575847) Attached to: Mitigating Password Re-Use From the Other End

The length of the hash will depend to some extent on the length of the original.

Um, no. All of the standard hashing algorithms return a fixed-length value. Collisions are certainly possible, but because the algorithms are strong, the chance of a collision for anything that's likely to be used as a password has an extremely low probability.

Comment: Re:Forcing strong passwords in the first place. (Score 1) 211

by x3CDA84B (#43575829) Attached to: Mitigating Password Re-Use From the Other End

Except that they do have the passwords, because of tools like HashCat that allow ridiculously-fast brute-force attacks on hashes, combined with statistical analysis of previously-stolen and -decrypted credentials to figure out the patterns that people use to create passwords (e.g. dictionary word + three digits + punctuation). Using salted hashes is great, but it only slows down the retrieval of passwords - it doesn't prevent it.

Comment: Re:Forcing strong passwords in the first place. (Score 1) 211

by x3CDA84B (#43575803) Attached to: Mitigating Password Re-Use From the Other End

This is great if it works for you. e.g. bhj648_+shlasdot.org as password for this site and bX3hj648_+google.com for google.

Yeah, and the first time that any one of those passwords is cracked by someone using e.g. HashCat, they will add your logic to the list of methods that are commonly used by people when creating a password, and now all of the other historical hashes that have been stolen from accounts you set up are now compromised as well.

When I look at where I work, most people need only two passwords. I have told them again and again that it is easier if they have the same password for both.

This is actually pretty terrible advice these days, because if something requires a separately-stored password (IE it is not integrated with your central auth system), there is a good chance it is transmitting or storing the password insecurely. Now your users have compromised their main account as well.

What I do is to take the month and year, add a 4 letter word and for the 10 letter password add ++. So now I have a password this month like 0413Foad and 0413Foad++.

That password would fall to an offline hash attack in minutes or seconds. And since it's procedurally-generated, again, now whoever cracked it can add your logic to the list of commonly-used methods, and crack all of your past and future passwords even faster.

First IT people should start with not needing to change my password every month. That will make me select a safer one, because I can remember it.

We do that because the assumption has to be that given enough time, your password will be compromised. The longer you have to wait to change it, the longer the window of exposure when that happens.

Comment: Re:I call bullpucky (Score 2) 170

by x3CDA84B (#43325895) Attached to: New Camera Sensor Filter Allows Twice As Much Light

You might want to open your eyes and look in the 490–520nm range on a representation of the visual range of the EM spectrum.

To nitpick, that's actually not cyan. Cyan is a combination of green and blue light. The wavelength you're describing stimulates the green and blue receptors in our eyes in a way that looks (to us) identical to cyan, but it's not the same thing. Sort of like how violet (in the sense of being around 400nm) light stimulates the red and blue receptors in our eyes, similar to (but distinct from) certain shades of purple.

This becomes important when discussing things like optical filters. A cyan filter passes green and blue light. In other words, it is a red-blocking filter. This is very different from a filter with a bandpass of 490-520nm, which would also block most green and blue light.

Comment: Re:I call bullpucky (Score 1) 170

by x3CDA84B (#43325865) Attached to: New Camera Sensor Filter Allows Twice As Much Light

Foveon does not promise more accurate colors.

Actually, that is one of the things that it was heavily-promoted as providing. The reason is that in a conventional Bayer-design sensor, you only get accurate green levels for every other pixel, and accurate red and blue levels for every fourth pixel, and everything else is interpolated. With the Foveon design, you get all three at every pixel.

Foveon is a loser in the market because it doesn't perform.

I think it's more the case that Sigma have kept it proprietary. As a smaller company, they don't have the funds to build a truly groundbreaking camera with it, or to continue improving the sensor design to e.g. keep pace with the megapixel count of other manufacturers. I would love to try a camera with a Foveon sensor, but Sigma's lackluster bodies mean it's probably not going to happen. It was only about two years ago that they finally introduced a model with LiveView, and that was some ridiculously-overpriced model targeted at professionals, but without most of the other features that professionals would want.

Comment: Re:URLs? (Score 1) 79

by x3CDA84B (#43302025) Attached to: One In Six Amazon S3 Storage Buckets Are Ripe For Data-Plundering

I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?

In systems with URLs that contain some sort of object identifier, using a non-predictable identifier is a great way to add another layer of security. It doesn't replace actual authentication or authorization checks, it just complements them.

For example, if I have a REST URL like this:

http://someserver/users/ID

If I use sequential numbers, or actual usernames as the identifier, it becomes trivial for someone to enumerate all of them by iterating through numbers, or a dictionary. However, if the ID is a 128-bit (or longer) random UUID, then that is no longer possible, because it would take millions of years. So even if I (as the developer) make a mistake that allows someone to view or change data that I shouldn't have access to, that attacker may not even get to the point of being able to exploit it, because they may not have any other valid UUIDs to work off of.

This is why Microsoft moved towards using random/non-sequential identifiers for things like IIS website IDs and so forth in the early 2000s. It's one of the few choices of theirs I really agree with.

Comment: Adventure Construction Set (Score 4, Interesting) 47

by x3CDA84B (#42457489) Attached to: AI Systems Designing Games

Not sure if this is the same type of game generation that the article is discussing or if it would be considered a different "class", but Electronic Arts' Adventure Construction Set (1984/1985) could automatically build an entire game-world, including thematic elements, character names, and so on. The user could also start to design a game manually, then have the software finish it for them if they didn't feel like doing so themselves.

I imagine it was more procedural than AI - the equivalent of Minecraft or River Raid - but I still thought it was pretty neat at the time.

Comment: Re:Covering up for a crony? (Score 5, Informative) 172

by x3CDA84B (#40878959) Attached to: Air Force Claims To Have Solved Fatal F-22 Oxygen Riddle

We didn't need an M-16. An AK-47 would do the job.

Have you ever actually fired those two weapons? I was sure I'd prefer the AK (due to high reliability) until I actually tried one and compared it with an M-4. The AK was almost embarrassingly inaccurate, and jumped around like a madman. The M-4 was extremely-accurate, and very stable while firing. It may take more careful maintenance, but there's no question which of the two I'd want to depend on as a weapon.

Comment: Re:stack ranking sounds like the strict curve (Score 3, Interesting) 407

by x3CDA84B (#40545881) Attached to: Microsoft's 'Cannibalistic Culture'

Exactly. It's as if MS' management are deliberately trying to prevent anyone from actually having an all-star team. They're also completely failing to understand that psychologically, for most people rewarding top performers will produce better results than punishing low performers, even though if you look at it as a math equation, they can be identical.

This stupid way of managing people is one of the main reasons I would never in a million years work at Microsoft, or other companies that use similar methods (Amazon, etc.).

Comment: Android (Score 1) 284

by x3CDA84B (#40508859) Attached to: The Leap Second Is Here! Are Your Systems Ready?

Hey, Sergey Brin: maybe you should take this as a reminder that it sure would be nice if Android devices actually took leap-seconds into account instead of setting themselves to GPS time. My phone now thinks it's 16 seconds in the future compared to every sane electronic system. Sooner or later, that's going to cause problems for certain types of encryption.

Comment: Re:and Merto is program manager full screen (Score 1) 484

by x3CDA84B (#40335699) Attached to: Windows 8 Pre RTM Metro UI Leaked

I was really skeptical of Metro until I heard a particular use case described: you have a tablet, and as a tablet you interact with it using Metro. When you're at your desk, you dock it into a station with a keyboard, mouse, and multiple full-size monitors. The monitors display the traditional Windows desktop (which you use for "serious" desktop/workstation apps), while the tablet display stays in Metro mode. So you have one system that functions both ways, which is an idea I think is pretty clever, and the complete opposite of the "multiple devices (desktop and mobile) that try to use the same interface (Metro)" model that I was envisioning previously.

Metro actually seems like a pretty good UI for mobile devices. My big complaint about it was always that Microsoft were trying to shoehorn it in where it didn't belong (desktop/workstation systems, the Xbox, etc.). It's great for touch interfaces, and IMO pretty terrible for everything else.

That having been said, this revised appearance is awful. It looks like some refugee from the ghetto of 80s/90s X Window systems. When Google showed off "Chrome OS", I thought "Wow. That looks like a third-rate, terrible copy of Windows 7", and I'm baffled that MS have decided to copy their copy. At least let me turn Aero Glass back on!

Comment: Re:Clunky is right (Score 1) 106

by x3CDA84B (#39909753) Attached to: 3D-Printed Circuit Boards, For Solder-Free Printable Electronics

How do you dispose of the used etchant? Do you have a fume hood for using it, or do you do it outside? Would you trust a child to use your etching method?

This technique isn't supposed to replace DIY PCB etching or soldering. It's another way of doing things that for some people will probably be a lot less of a headache and more fun. It's somewhere in-between DIY PCBs and one of those old "1000-in-1" electronics kits with the spring connectors.

Think of non-technical people who just want to make something like a guitar pedal or a panel of flashing LEDs. With this method, they can do that without having to worry about fumes or disposing of material that's considered hazardous waste in most areas.

It's the Lego Mindstorm or Technics of DIY electronics, and that's a great thing considering how few people consider that field accessible today.

"The value of marriage is not that adults produce children, but that children produce adults." -- Peter De Vries

Working...