Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Comment Re:24/7 job (Score 5, Informative) 513

That's exactly what IBM did. It even ended pager-pay... since we were always on the clock.

For reference, https://www.labour.gov.on.ca/english/es/tools/srt/coverage_government_it.php

Information technology professionals are not entitled to overtime pay.

And my favourite:

Information technology professionals are not covered by the daily and weekly limits on hours of work

From what I could find, these were laws meant to cover fisheries and agriculture, where the seasonal nature of the work meant that the only time you would work on a harvest or catch was when there would be work. It was understood that the nature of the work was feast-or-famine, and it was paid hourly. If they had to pay overtime, they would be paying nothing but overtime. Strangely, the rules also included accounting, some screwball argument that month-end and year end was a busy period and that people could take time in lieu or have downtime between busy periods.

Somehow this slippery slope was extended to IT. As a salaried employee, it meant they could pay you *nothing*.

Thank you Dalton McGuinty.

Comment Re:Infosec professionals (Score 1) 498

Alicebob, ALICEbob, aliceBob, aliceBOB, ALICEBoB, AliceBob....

But then, we're talking about systems which usually require three character classes, so more likely:

AliceBob!, Alic3bob, AliceB0b, Alice1Bob, alice-Bob, Alice!bob, alice4Bob....

All of this assuming a twit user who's intentionally trying to pick something weak.

"something better" is more likely trust relationships or automated secret management in the form of tight password manager integration. I don't think it unlikely to see this in the next 10 years. Some people have it today. You might say a 64 character random unicode string is still a password, but it's getting tough to distinguish it from a more arbitrary shared secret.

Comment Re:Infosec professionals (Score 1) 498

Yes, mandatory character classes reduce the entropy of the password, but password attacks are not random and most passwords are not random. If you use a 2^16 character set for the password on an 8-character password, yes, a user might pick a random number between 1 and 340282366920938463463374607431768211456 and render it in printable and non-printable unicode but more than likely they'll pick "alicebob".

Removing the combinations comprised solely of a single character class means that yes, the attacker doesn't need to guess the smaller set of passwords, but it also means that no password is within that smaller set.

Password managers and solutions for the hundreds of unique passwords users have is a separate issue. There are a lot of issues around passwords, none of which can be looked at in isolation. Password management and character classes are two parts.

E.g., the specific details as to why a password policy is put in place has to do in part with what the specific technology supports. This NIST guideline means that software should be supporting better methods. 10 years from now, one would hope they're universal, but one would also hope that in 10 years passwords will be replaced with something better.

Comment Infosec professionals (Score 1) 498

Leave the interpretation of NIST and its relevance to your organization to the Infosec team. Infosec is very aware NIST exists.

If you'd rather not, you can go explain to auditors, customers and executives about your "bullshit" theory.

Realistically, you'll probably just include some mixed case and a number in a password rather than fight this battle, it's much less effort. The news here from an infosec standpoint is that NIST is getting sane about this stuff. No doubt because of the decades of feedback from infosec professionals.

Personally, I disagree with the position on mandatory character classes, but fortunately it's a "SHOULD NOT" and not a "MUST", nor is NIST a rule, it's a guideline. For certain types of passwords and certain types of leaks, mandatory character classes increase the space *required* to break a password. It doesn't matter that 'ahwfovuu' could be randomly generated from upper/lower/symbols/numbers etc, when it could be brute forced with only one character class.

OTOH, I regularly sat on calls and stated flat out to customers that we do not and would not do arbitrary password expiration, regardless of standards. I would highlight it as a point where we're not compliant and would not be compliant. As dumb as it sounds, this statement would appear on reports up to the top.

I'm not looking forward to smart-ass developers raising this as a "counterargument" to why Infosec should bend policies because their favourite password generator tool doesn't support mandatory character classes.

Comment "New Interface?" (Score 2) 224

"The issue is that users didn't want to learn a new interface"

No. My issues with the ribbon are:

  • Keyboard shortcuts?
  • "Responsive" design moves the icons around as you're using the product... e.g., shrink the window to work on two docs side-by-side
  • Cryptic icons require hovering over or clicking on to figure out what they do, icons change between versions of course
  • Screen real-estate wasted displaying 80% of features I rarely or never used
  • Features given prominence which sabotage the use of styles and screw up documents
  • They removed the menus (In Windows)

Comment Re:As someone with a masters in this -exact field- (Score 1) 339

"If you are a true master, you should be able to explain concepts in a way that even a child can understand. "

This isn't needed to be a master in a field and it isn't necessary unless you're speaking to novices or people outside the field. Sagan, Hawking or Feynman are good examples of this. Einstein was a real aberration, where even some of his papers were written with disarming clarity.

For Trump, I think you're mixing this up with the Dunning Kruger effect, where a person's inability to understand what's going on around them makes them think they have a better understanding than the experts.

Comment Beer? (Score 2) 172

BSD is free like the Grimm fairytales.

Sometimes you're shared the stories and you're allowed to reshare them, e.g. from Gutenberg. Sometimes you're not. E.g. from Disney.

BSD gives you the freedom to take it, modify it, distribute it and not allow the recipient the same benefit.

"Free as in beer" doesn't imply the knowledge nor right to start a brewery and produce your own. It's ridiculous to say Linux is free as in beer.

Comment Re:Marketing to the Cult (Score 4, Informative) 168

"True, it's the only smartphone on which you can't install an application unless approved by the phone manufacturer. Nobody had that idea before."

Other phones at the time didn't let you install an application, updates, ringtones or anything unless approved by the TELCO.

So yep, opening it up to the manufacturer to sell you apps was a huge move forward. It meant strong-arming the telcos with overwhelming demand else they wouldn't carry Apple's new little product.

Comment Re:I have an idea (Score 1) 470

The assertion of em drive is not based on theory, but alleged observation.

Conflicting measurements are evidence of experimental error. China's trying a new experiment, hopefully their measurements agree with some others. I think we both expect the outcome to be "no thrust".

It looks like a fun experiment. Not sure why they feel it's worth investigating, but maybe it's related to another project and not a high cost item for them.

If it works, you can propose your unicorn attractor constant.

Comment Re:Not at all fake news (Score 1) 600

No, the "fake news" of the last few months has been the fabricated news pupping up hysterical memes so as to generate millions of dollars in ad revenue. It's genuinely fake. The people writing it don't even believe it.

https://en.wikipedia.org/wiki/List_of_fake_news_websites

This is an example of a well-shared fake news story on a fake news site: http://web.archive.org/web/20161107053425/http://denverguardian.com/2016/11/05/fbi-agent-suspected-hillary-email-leaks-found-dead-apparent-murder-suicide/?utm_content=buffer013fc

"Denver Guardian is Denver's oldest news source and one of the longest running daily newspapers published in the United States. With a focus on local content, the Guardian thrives to maintain a non-partisan newsroom making our content the most reliable source available in print and across the web. "

The Denver Guardian isn't a real newspaper.

https://en.wikipedia.org/wiki/Denver_Guardian

Comment Re:aka PgDn "trick" (Score 1) 309

They're what Mac users use because in the interest of ease-of-use, they have no home or end keys, but have two-extra modifier keys (Fn and Cmd). Ctrl-a => home (Windows), Ctrl-e => end, Ctrl-k => shift-end, delete.

Cmd-a => Ctrl-a.

https://support.apple.com/en-us/HT201236

I think some of these keys derive from ancient Unix days. Jobs being reluctant to even put arrow keys on the Mac. They are basic and have been around forever, but only if you're a Mac user or ancient Unix guy.

Slashdot Top Deals

I do not fear computers. I fear the lack of them. -- Isaac Asimov

Working...