Comment Re:time or cost. 99.95 by size (Score 1) 304

> If my house cost $10 in bricks and mortar and $200,000 for light fittings.

If you made any sense we could have a conversation.
If you have a $150,000 house, you have about $500 of light fixtures. Your house is less than 1% light fixtures.

Pro tip for thinking clearly and learning new things:
When you find yourself stringing together completely non-sensical groups of words to try to support a position, celebrate. That position may be mistaken, meaning a chance to grow. Yay!

Comment ps - you're right, fool (Score 2) 304

> Sorry, but ALL software is an expression of math.

Thinking about that for a minute, it seems that statement is true, and almost meaningless, such that it's misleading. Lara Croft is of course software, and pure art. No mathematicians were harmed in the making of this character. Music - rhythm, tone, and harmony - is math. Although harmony is a mathematical phenomenon, you would be fooling yourself, and doing yourself a disservice, to say "eh, music is just math."

Gears and levers are an expression of division - arithmetic. Yes, E = MC2 and all of the universe is an expression of math. This is true. Once you decide that everything is math, though, the word "math" is a synonym for "anything"; the word loses its meaning.

In order to discuss, and to think, meaningfully, we need words to have meaning. "Everything and anything is an expression of math", while technically true, leaves us unable to say anything useful about math. A useful definition, one that allows us to discuss and think clearly, is one where "math" refers to the work of mathematicians and engineers, distinct from the work of painters and composers. Harmony is a hidden expression of math, but Concerto #5 is art, not math. So it is with Lara Croft - art, not math, for any useful meaning of the word.

Comment time or cost. 99.95 by size (Score 1) 304

I'm thinking from the perspective of a creator or consumer of a game. Over 90 percent of the budget will go into art versus the math for collision detection and such. The buyer / player chooses a game primarily based on its characters, graphics, and storyline, all artistic elements. I'd bet more than 90% of players have commented on a game's graphics and fewer than 5% have said something like "wow this game has awesome physics simulation".

Byte size isn't very meaningful, of course. By that measure, games would be 99.5% artistic media. Size wise, a picture truly is worth 1000 words.

Comment common misconception. basic laws not patentable (Score 4, Interesting) 304

> software is math

Games are art, and are software.
Most games are 95% art, 5% math, and 100% software.
Math CAN be done as software, but so can art and many other non-math things. Some software is math. A LOT of software has little to do with math.

> math isn't supposed to be patentable.

That's a common misconception, started and encouraged by people with a particular agenda. The rule in the US is:

    The LAWS of nature, including mathematics, are not patentable.

Note that it's the basic laws that aren't patentable. Things that USE those laws are.

Gravity isn't patentable. An elevator is.
Momentum isn't patentable. A brake system is.
Division isn't patentable. eBay's feedback system is.
Light reflection isn't patentable. The way Blender simulates reflection is, if it's novel.

Comment FIPS 46 in 1977, IBM before that. I crack, try it (Score 1) 230

It sounds like you saw my correction. I typed 3DES when I meant DES, so I'll reply to your comments about DES.

> DES doesn't go back nearly as far as 1972. (nor does DES for that matter)

Below is the official NIST paper describing DES. You'll note that after a four year approval process, DES officially became a government standard in 1977. As described in the paper, IBM was using it by 1974 after it was developed in the years prior.

You could reasonably choose any year between 1972 and 1977 as the beginning of DES usage, so you're mistaken about "not nearly as far back as 1972", sorry.

> rather a large number of milliseconds

Try cracking a password database sometime. I do this stuff for a living. The larger the database, the faster you'll get working passwords, so we'll give you the benefit of the doubt and use a fairly small database of only 1,000 accounts as an example. We'll also be generous to you and not use a rainbow table. With a small (difficult) database like that, you can expect to get maybe 12 passwords in the first second or two. In the first ten minutes, probably 250 working accounts.

A 100X larger database will yield roughly 100X as many passwords per time - around 1,000 working accounts in the first few seconds, or 2-3ms per account at first.

If we want to go fast, we use a rainbow table. Standard DES password hashing ala crypt() collides at about 1:1000 since it uses only the first eight characters. On modern PCs with GBs of RAM, we can use in-memory tables and crack millions per second. No need for that, though, I don't mind waiting several milliseconds.

Comment Kim Komando is not a "computer security expert" (Score 1) 230

I'm almost offended by your post. Almost, but you did say "so called experts" in one sentence. The linked XKCD comic is right on the money, and experts know that.

Computer geeks and code monkeys are not computer security experts. Security experts know what entropy is and know that password entropy comes primarily from length.

"Computer geeks" ala Kim Komando (and many people on Slashdot) go around telling people to use strange mixed case, numbers, punctuation, etc. Code monkeys design login systems that require at least one upper case letter, one lower case, some numbers, some punctuation - and it has to be 6 - 8 characters.

Computer security experts know that 6 - 8 characters guarantees weakness, and punctuation increases tech support calls far more than it increases security. (Such requirements often actually DECREASE security by making resets so routine.) Experts have known for a long time that the thing to drill into people's heads is "Use LONG passwords! Make it a sentence or phrase. Make it LONG".

The one problem is that a TON of web applications have been authored by coders with almost zero security training. They make an effort to do it right. They encrypt passwords using crypt(). Crypt defaults to a 1972 algorithm that throws away everything but the first eight characters. That thoroughly screws up security.

Comment very few programmers trained in security, hire secu (Score 1) 230

Indeed very few programmers are trained in security. Probably a minority have any security training to speak of and darn few are trained to design a security system. Yet, most companies don't hire a security professional, or even bring one in for a consultation. Security is my field. When another division was designing a single-sign-on system, they had me spend an hour with them to avoid the top 10 most common problems. Before bringing me in, they had already planned falling prey to at least two of those "obvious" problems. An hour with a security professional can make all the difference.

Comment Not at all safe in this instance (Score 1) 230

XKCD showed why it's not at all safe in this instance. Here's the table:

email    cryptw    hint
         737462    first apostle
         737462    hot neighbor

From the encrypted password, we see that these two users have the same password. Now look at the password hints. What do you suppose is the password they BOTH used?

Comment 90%+ do it wrong - plain text or 3DES from 1972 (Score 2) 230

Of the 12,000 or so sites I've seen, well over 90% do it wrong. I'd estimate 95%. Many store passwords in plain text.
Most use 3DES, which was reasonably secure in 1972. Today, 3DES is cracked in milliseconds.
Sometimes we see an unsalted hash, including MD5.

A few have used MySQL's PASSWORD() and the phpass gimmick scheme which are reasonably secure but non-portable.

I consider "doing it right" to be a salted hash. For new software, bcrypt / blowfish or a SHA primitive.
Preferably, SHA-256 or SHA-512 via crypt($5$salt$, password) for portability and consistency.
For existing code, I consider SALTED MD5 to be acceptable, but the length of the input should certainly be validated.
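As an added illustration of the two points above (identical stored values betraying shared passwords in the leaked table, and the salted-hash-with-length-check scheme recommended here), the following is example code, not anything from the original comments. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for SHA-256 crypt, since the logic for storing a self-describing salted hash and verifying against it is the same; the iteration count, length limit and `$pbkdf2-sha256$` format are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the original comment).
ITERATIONS = 200_000
MAX_PASSWORD_BYTES = 1024   # validate length up front; never silently truncate


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _check_length(password: str) -> bytes:
    """Reject empty or absurdly long input before hashing."""
    raw = password.encode("utf-8")
    if not raw or len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password length out of range")
    return raw


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing '$pbkdf2-sha256$iter$salt$hash' string."""
    raw = _check_length(password)
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        _, scheme, iters, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        raw = _check_length(password)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", raw, salt, int(iters))
    except ValueError:            # malformed record, bad base64, or bad length
        return False
    return hmac.compare_digest(actual, expected)


def same_password_same_hash(password: str) -> bool:
    """True if two users with the same password would store identical values.
    With per-user salts this is False, so a leaked table no longer shows the
    matching '737462' rows that gave away the shared password above."""
    return hash_password(password) == hash_password(password)
```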


Comment It means it USED to be "encrypted", a year ago (Score 2) 230

According to Adobe, until a year ago, they were doing it wrong, using the wrong encryption in the wrong way.
The bad guys got a year-old backup, so it was encrypted using the old (wrong) method.

Since the old backup is done wrong, that tells us only that the primary USED TO be done wrong, which is exactly what Adobe is saying. It tells us nothing about the current database.

Comment good argument for anything else, this is enumerate (Score 1) 65

> There's probably also a constitutional argument to be made in the case of the IIRIRA. Practically every policy the Federal
> Government tries to force on the states now is an unconstitutional overreach of their explicitly enumerated powers.

Most are unconstitutional overreach. The Constitution grants only ~18 powers to the federal government.
Regulating immigration happens to be one thing the federal government can and arguably must do. (Consider the effect of article IV otherwise).

One of the enumerated powers is "To establish a uniform Rule of Naturalization". Naturalization means:

1) to confer upon (an alien) the rights and privileges of a citizen. [such as a driver's license]
2) to introduce or adopt (foreign practices, words, etc.) into a country or into general use

Comment the judge knows better, based on evidence (Score 1) 599

He booby trapped the system, locked out other authorized users, etc.
The judge or jury would look at that and determine that either: a) he's lying or
b) forgetting wouldn't be a problem if he hadn't set booby traps etc., and locking out other users was an intentional criminal act.

It's interesting to me how often people say "just claim that [transparent bullshit]". 99% of the time, judges aren't stupid. Their law degree indicates they have above average intelligence, but sometimes people assume judges must be drooling morons.

Granted, occasionally there are rulings that seem pretty dumb, but even those are normally much less dumb than the headlines make them out to be.
