Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Submission + - Beware the Internet

frost_knight writes: Washington Post opinion writer Robert J. Samuelson writes "If I could, I would repeal the Internet. It is the technological marvel of the age, but it is not — as most people imagine — a symbol of progress. Just the opposite. We would be better off without it." It is his belief that the dangers of the Internet outweigh its benefits.

Comment Re:Forcing strong passwords in the first place. (Score 1) 211 211

The length of the hash will depend to some extent on the length of the original.

Um, no. All of the standard hashing algorithms return a fixed-length value. Collisions are certainly possible, but because the algorithms are strong, the chance of a collision for anything that's likely to be used as a password has an extremely low probability.

Comment Re:Forcing strong passwords in the first place. (Score 1) 211 211

Except that they do have the passwords, because of tools like HashCat that allow ridiculously-fast brute-force attacks on hashes, combined with statistical analysis of previously-stolen and -decrypted credentials to figure out the patterns that people use to create passwords (e.g. dictionary word + three digits + punctuation). Using salted hashes is great, but it only slows down the retrieval of passwords - it doesn't prevent it.

Comment Re:Forcing strong passwords in the first place. (Score 1) 211 211

This is great if it works for you. e.g. bhj648_+shlasdot.org as password for this site and bX3hj648_+google.com for google.

Yeah, and the first time that any one of those passwords is cracked by someone using e.g. HashCat, they will add your logic to the list of methods that are commonly used by people when creating a password, and now all of the other historical hashes that have been stolen from accounts you set up are now compromised as well.

When I look at where I work, most people need only two passwords. I have told them again and again that it is easier if they have the same password for both.

This is actually pretty terrible advice these days, because if something requires a separately-stored password (IE it is not integrated with your central auth system), there is a good chance it is transmitting or storing the password insecurely. Now your users have compromised their main account as well.

What I do is to take the month and year, add a 4 letter word and for the 10 letter password add ++. So now I have a password this month like 0413Foad and 0413Foad++.

That password would fall to an offline hash attack in minutes or seconds. And since it's procedurally-generated, again, now whoever cracked it can add your logic to the list of commonly-used methods, and crack all of your past and future passwords even faster.

First IT people should start with not needing to change my password every month. That will make me select a safer one, because I can remember it.

We do that because the assumption has to be that given enough time, your password will be compromised. The longer you have to wait to change it, the longer the window of exposure when that happens.

Comment Re:I call bullpucky (Score 2) 170 170

You might want to open your eyes and look in the 490–520nm range on a representation of the visual range of the EM spectrum.

To nitpick, that's actually not cyan. Cyan is a combination of green and blue light. The wavelength you're describing stimulates the green and blue receptors in our eyes in a way that looks (to us) identical to cyan, but it's not the same thing. Sort of like how violet (in the sense of being around 400nm) light stimulates the red and blue receptors in our eyes, similar to (but distinct from) certain shades of purple.

This becomes important when discussing things like optical filters. A cyan filter passes green and blue light. In other words, it is a red-blocking filter. This is very different from a filter with a bandpass of 490-520nm, which would also block most green and blue light.

Comment Re:I call bullpucky (Score 1) 170 170

Foveon does not promise more accurate colors.

Actually, that is one of the things that it was heavily-promoted as providing. The reason is that in a conventional Bayer-design sensor, you only get accurate green levels for every other pixel, and accurate red and blue levels for every fourth pixel, and everything else is interpolated. With the Foveon design, you get all three at every pixel.

Foveon is a loser in the market because it doesn't perform.

I think it's more the case that Sigma have kept it proprietary. As a smaller company, they don't have the funds to build a truly groundbreaking camera with it, or to continue improving the sensor design to e.g. keep pace with the megapixel count of other manufacturers. I would love to try a camera with a Foveon sensor, but Sigma's lackluster bodies mean it's probably not going to happen. It was only about two years ago that they finally introduced a model with LiveView, and that was some ridiculously-overpriced model targeted at professionals, but without most of the other features that professionals would want.

Comment Re:URLs? (Score 1) 79 79

I thought that was the whole effing point of URLs/URIs? Whether or not you get authorized to access them should be a completely orthogonal issue...or not?

In systems with URLs that contain some sort of object identifier, using a non-predictable identifier is a great way to add another layer of security. It doesn't replace actual authentication or authorization checks, it just complements them.

For example, if I have a REST URL like this:

http://someserver/users/ID

If I use sequential numbers, or actual usernames as the identifier, it becomes trivial for someone to enumerate all of them by iterating through numbers, or a dictionary. However, if the ID is a 128-bit (or longer) random UUID, then that is no longer possible, because it would take millions of years. So even if I (as the developer) make a mistake that allows someone to view or change data that I shouldn't have access to, that attacker may not even get to the point of being able to exploit it, because they may not have any other valid UUIDs to work off of.

This is why Microsoft moved towards using random/non-sequential identifiers for things like IIS website IDs and so forth in the early 2000s. It's one of the few choices of theirs I really agree with.

Comment Adventure Construction Set (Score 4, Interesting) 47 47

Not sure if this is the same type of game generation that the article is discussing or if it would be considered a different "class", but Electronic Arts' Adventure Construction Set (1984/1985) could automatically build an entire game-world, including thematic elements, character names, and so on. The user could also start to design a game manually, then have the software finish it for them if they didn't feel like doing so themselves.

I imagine it was more procedural than AI - the equivalent of Minecraft or River Raid - but I still thought it was pretty neat at the time.

Comment Re:Covering up for a crony? (Score 5, Informative) 172 172

We didn't need an M-16. An AK-47 would do the job.

Have you ever actually fired those two weapons? I was sure I'd prefer the AK (due to high reliability) until I actually tried one and compared it with an M-4. The AK was almost embarrassingly inaccurate, and jumped around like a madman. The M-4 was extremely-accurate, and very stable while firing. It may take more careful maintenance, but there's no question which of the two I'd want to depend on as a weapon.

Comment Re:stack ranking sounds like the strict curve (Score 3, Interesting) 407 407

Exactly. It's as if MS' management are deliberately trying to prevent anyone from actually having an all-star team. They're also completely failing to understand that psychologically, for most people rewarding top performers will produce better results than punishing low performers, even though if you look at it as a math equation, they can be identical.

This stupid way of managing people is one of the main reasons I would never in a million years work at Microsoft, or other companies that use similar methods (Amazon, etc.).

Comment Android (Score 1) 284 284

Hey, Sergey Brin: maybe you should take this as a reminder that it sure would be nice if Android devices actually took leap-seconds into account instead of setting themselves to GPS time. My phone now thinks it's 16 seconds in the future compared to every sane electronic system. Sooner or later, that's going to cause problems for certain types of encryption.

Comment Re:and Merto is program manager full screen (Score 1) 484 484

I was really skeptical of Metro until I heard a particular use case described: you have a tablet, and as a tablet you interact with it using Metro. When you're at your desk, you dock it into a station with a keyboard, mouse, and multiple full-size monitors. The monitors display the traditional Windows desktop (which you use for "serious" desktop/workstation apps), while the tablet display stays in Metro mode. So you have one system that functions both ways, which is an idea I think is pretty clever, and the complete opposite of the "multiple devices (desktop and mobile) that try to use the same interface (Metro)" model that I was envisioning previously.

Metro actually seems like a pretty good UI for mobile devices. My big complaint about it was always that Microsoft were trying to shoehorn it in where it didn't belong (desktop/workstation systems, the Xbox, etc.). It's great for touch interfaces, and IMO pretty terrible for everything else.

That having been said, this revised appearance is awful. It looks like some refugee from the ghetto of 80s/90s X Window systems. When Google showed off "Chrome OS", I thought "Wow. That looks like a third-rate, terrible copy of Windows 7", and I'm baffled that MS have decided to copy their copy. At least let me turn Aero Glass back on!

Comment Re:Clunky is right (Score 1) 106 106

How do you dispose of the used etchant? Do you have a fume hood for using it, or do you do it outside? Would you trust a child to use your etching method?

This technique isn't supposed to replace DIY PCB etching or soldering. It's another way of doing things that for some people will probably be a lot less of a headache and more fun. It's somewhere in-between DIY PCBs and one of those old "1000-in-1" electronics kits with the spring connectors.

Think of non-technical people who just want to make something like a guitar pedal or a panel of flashing LEDs. With this method, they can do that without having to worry about fumes or disposing of material that's considered hazardous waste in most areas.

It's the Lego Mindstorm or Technics of DIY electronics, and that's a great thing considering how few people consider that field accessible today.

The reward of a thing well done is to have done it. -- Emerson

Working...