Please create an account to participate in the Slashdot moderation system


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:Power Outages (Score 1) 129

Whenever our power goes out, my wife and kids and I get together and actually spend quality time together - playing board games or something and just talking. It's sad that it takes a power outage for that. When you suggest it at other times, and the kids can be playing games or watching stuff online, they decline, but I do try. My favorite is hiking together... good long time, a lot of good conversation... and a lot of "no" when I ask the kids (and even the wife). It's depressing.

Comment Re:The author has a certain level of understanding (Score 1) 176

... Better let an application generate password for user's eyes only and force user to memorize it (or to write it down, at their own risk).

Let's see... my work account, two banks, several credit cards, two healthcare accounts (FSA AND HSA) as well as my health insurance, accounts for my kids in school (like paying for school lunches), ISP account, several streaming services, slashdot, reddit, and a number of other forums I participate in (and not me, but most people will have several social media accounts).... you get the idea. I'm supposed to remember all those completely random passwords?

Oh, and another pet peeve: changing passwords often - it does nothing for password guessing, all passwords with same randomness have same probability of being guessed. Changing passwords are meaningful only if old password is already compromised, but you never know when it exactly happened, so unless you are changing password after each session, it is almost completely useless.

Now that I can agree on - our company's policy is just damn annoying and often screws up our production work.

Comment Re:The author has a certain level of understanding (Score 1) 176

Yeah... I don't know anyone who writes it down on a post-it next to their computer, but we do have a 90 day policy, and my password strategy is not quite what the GP described, but it's not too far off, either. That's the stupidity of just not allowing us to create a really great pass-phrase that would take years to break. That's all on top of two-factor authentication (RSA SecureID) when not signing in from our internal network.

The stupidity is that on systems that have multiple users, we have a shared account that we use - it's actually assigned to a large number of systems; these are not user's desktops, but graphics productions systems that any number of operators might use. The problem is that the IT department implemented this password policy without asking any departments about the effects, and after 90 days we were blocked from this account because none of the operators had the authority to change it, and if they did they'd lock out everyone else who didn't know it - many offices, or even buildings away. Moreover, none of us get the email from that account - which doesn't even really have email, so nobody got a warning the password was expiring. So we do live TV, and people couldn't log into the systems that generate the on screen graphics. Of course now that login is an exception, but it points out a problem with IT blindly creating a policy without input from the people it's affecting.

The other stupid thing is that our MS Office accounts are tied to our logins, and we can authorize up to 5 boxes. There are at least 100 production boxes, and we can't license them by box. We do a lot of daily production data in spreadsheets because it's easy for the user and easy to use as a data source.

In any event, the more passwords humans are required to remember, and the more complicated they are required to be, the less secure we're going to make things as people do skirt the guidelines to make them as easy to remember as possible - or they write them down, or whatever.

Frankly, I don't see what's wrong with the scheme the GP described (although I would make it more complex). If someone has to brute force decrypt it, it will still take just as long. With the special characters in there, it's highly unlikely someone could guess it. It's true that once they got it once, they'd be able to guess it correctly later on, but the idea is to make it hard to get even once.

Comment But then who audits the auditors? (Score 1) 184

The solution is pretty simple, but often skipped:
1) The reason for every search should be required and logged by the searcher. ...
2) The logs be randomly spot-checked by an auditor(s) who verifies the reasons given by interviewing the person(s) who searched.

But to check it the auditors need detailed access to the records. So who audits THEM?

This kind of question has been asked repeatedly since at least the Roman Empire.

(The U.S. answer to "Who guards the guardians?" , at least for direct abuse of person under color of law, is the Fourth and Fifth amendments and the "fruit of the poisoned tree" doctrine: Fail to follow the law and you don't get a conviction, because misbehaving police are FAR more of a problem for the population than even a lot of violent private-enterprise crooks going back to work. But while it does reduce the incentive, it doesn't block the behavior.)

Comment The invisible hand strikes. (Score 4, Interesting) 124

Not one organization I have ever worked for has seriously cared about IT security.

When it comes to rolling out new products, ignoring security is the norm.

This is because the "window of opportunity" is only "open" for a short time - until the first, second, and maybe third movers go through it and grab most of the potential customers. Companies that spent the time to get the security right arrive at the window after it closes.

This happens anywhere the customers don't test for and reject non-secure versions of the "new shiny" - which means enterprises sometimes hold suppliers' feet to the fire (if the new thing doesn't give them an advantage commensurate with, or perceived as outweighing, the risk) but consumer stuff goes out wide open.

Then, if you're lucky and the supplier is clueful, they retrofit SOME security before the bad guys exploit enough holes to kill them.

I expect this will continue until several big-name tech companies get an effective corporate death penalty in response to the damages their customer base took from their security failings. Then the financial types will start including having a good, and improving with time, security story (no doubt called "best practices") among their check boxes for funding.

Comment Re:Why not coax? (Score 1) 154

And the reason you cannot do this with radio is that the noise from the transmitter is greater than the received signal.

Actually you CAN manage it with radio - very difficultly, with very careful antenna design.

But the combined antenna has to be far from anything that reflects, absorbs, or just phase-shifts any substantial amount of the transmitted signal energy. If not, the discontinuity destroys the careful balance that nulls out the transmitted signal at the receiver. That gets you back to the "transmitter shouts in the receiver's ear much louder than the distant communications partner" case. So it's not very practical in the real world.

Comment Re:Convenience isn't free (Score 1) 141

I've noticed there are often items that are cheaper non-prime, but then you get the choice - you don't have to order prime, you can pay a little less to order from someone else - but then it's often not two day shipping. Often the non-prime price + shipping is about the same as prime. I've been a prime customer for some years now, and with as much as I order, it's certainly worth it. Plus we get some subscriptions now, like the specialty dog food we need to get, which makes it even cheaper. So yes, I start with Amazon, and only if I can't find what I want, or I do see shenanigans from the seller w.r.t. shipping and so forth, do I search elsewhere.

Comment Re:Why not coax? (Score 1) 154

Coax is half-duplex too

No, it's not.

With proper impedance matching networks and reasonable termination at the ends of a run you can send separate signals at the same frequency/band of frequencies down a cable in each direction. (Impedance discontinuities DO reflect some of the signal going one way back the other way, causing some interference. But even that can be "tuned out" by suitable corrections if it's too severe to just ignore.)

You can do it on a balanced pair, too. Telephones have done this with audio for more than a century, and I recall encountering a simple hack to do it all the way down to DC back in the days of discrete-transistor logic. (And it has nothing to do with two wires being involved, either. With N (= any power of 2) conductors and "phantoming" you can have up to N-1 balanced and one unbalanced two-way transmission lines on N wires.

Time Domain Reflectometry does this to FIND and MEASURE discontinuities in a cable, essentially firing a pulse down the cable and listening to the reflections, radar-style.

Slashdot Top Deals

Those who can, do; those who can't, simulate.