The time/value calculation doesn't apply like illustrated if you can work on the bus or train. Or even if you can't do a full amount of work, you can discount the hourly rate by how useful the time is to you (reading emails, reading a book, etc).
Even worse is when they limit to 12 characters, but don't enforce it in the UI. I couldn't log in once because the bank website truncated my password silently to 12 characters. On a whim, I tried the first 12 characters and I was able to log in.
Are there sides? I'm just saying something you can do with it. I don't see this any different than magazine subscriptions like Home and Garden that have about half the pages as ads. I tear any double-sided ads out of the magazine.
There are defaults: bcrypt and PBKDF2. There is no excuse for anyone to do anything less than salted hashes even if they decide not to follow bcrypt or PBKDF2.
Food safety is more about barriers to entry than safety these days. The regulators have been captured by the industry and used to keep out competition.
I agree with your point about restaurants, but you are not acknowledging the current trend in agriculture. I'm talking about the small "organic-like" farms that want to slaughter on premise or sell homemade items. The meat industry in particular has captured the regulators and uses them to keep out competition. The large packers want more regulation, because they can absorb the cost of compliance and the cost of fines for non-compliance when they get slapped on the wrist.
I think you are propagating the myth that a scheme can be secure forever.
It's ok if WAP is breakable with cloud computing, because the whole point was to secure it for the next X years so that it takes more than Y dollars to break it. You only need to protect million dollar data enough that it costs 10 million dollars to get it.
If the data is valuable enough and protected heavily enough with crypto, the cheapest way to get it is through a meatspace attack (break-in, abduction, etc).
> WEP was considered "good enough"
Not by security professionals once they saw the effective size of the key. It's the downgrading of what looked like a 64-bit key into a 48-bit key that was the biggest problem.
> The PBKDF2 protocol allows you to safely brew your own password scrambler using any hash functions you choose. It is equivalent to bcrypt for common purposes, assuming the hash functions you pick are decent.
NO! Bcrypt in particular is designed to resist GPU brute forcing.
Define "make an effort." This gray area is an automatic settle out of court auto-win button.
If I'm a good farmer, wouldn't I be trying to isolate the best crops from my fields? And isn't there a high chance that the best ones were the genetically modified ones?
I think if they are going to claim IP rights over the natural reproductive system of these plants, that they should be able to be sued for massive damages when they knowingly "pollute" other people's crops with their genes. Property rights go in both directions. Fine, it's your property -- why are you polluting all of my crops?
Ok, sorry for the harsh response, but I don't think that anyone is using it for "common purposes." Everyone should be using strong crypto, because it is inexpensive to do right.
I would argue that almost everyone that is storing passwords should start worrying about people bringing racks of GPUs to bear against you, because it is so cheap. At 33.1 billion MD5 hashes/s with 4 dual-linked GPUs (one machine), you can eat through all 8-digit alphanumerics very quickly for a few thousand dollars. (Of course that is using PBKDF1 or less.) I had done the calculations in a spreadsheet and forget how long it would take, but it is way shorter than you'd think.
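The spreadsheet calculation the comment above refers to, worked through as an added example (not the commenter's own numbers beyond the 33.1 billion MD5/s figure): exhausting all 8-character alphanumerics at that rate takes under two hours, and the PBKDF2 iteration count used for comparison is an assumed value.

```python
import math

# Figure quoted in the comment: one machine, 4 dual-linked GPUs, 33.1 billion MD5/s.
MD5_RATE_PER_MACHINE = 33.1e9
ALPHANUMERIC = 26 + 26 + 10  # a-z, A-Z, 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, hashes_per_sec: float) -> float:
    """Seconds to try every candidate at the given guess rate (expected time is half)."""
    return keyspace(charset_size, length) / hashes_per_sec


def slow_hash_rate(fast_rate: float, iterations: int) -> float:
    """Attacker's guess rate against PBKDF2: each guess costs roughly `iterations`
    underlying hash calls, so the rate divides by that count (assumption: no other
    overhead, and the same hardware). bcrypt is not modelled here."""
    return fast_rate / iterations


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(length: int = 8, pbkdf2_iterations: int = 10_000) -> dict:
    """Worst-case crack time for plain MD5 versus PBKDF2 (assumed iteration count)."""
    md5 = worst_case_seconds(ALPHANUMERIC, length, MD5_RATE_PER_MACHINE)
    pbkdf2 = worst_case_seconds(
        ALPHANUMERIC, length, slow_hash_rate(MD5_RATE_PER_MACHINE, pbkdf2_iterations)
    )
    return {"md5_seconds": md5, "pbkdf2_seconds": pbkdf2,
            "md5": human(md5), "pbkdf2": human(pbkdf2)}


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```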
What's really worse? A bunch of emails or thousands of dollars of legal fees? Does anyone really care that this lawyer was on a receiving end of an attack that isn't part of his profession? Maybe he should keep a PR guy on retainer and pay per hour to help out his reputation.
Isn't this actually libel: "I really did not expect that [The Oatmeal] would marshal an army of people who would besiege my website and send me a string of obscene e-mails,"
His point is that he's pushing off the extra hard work to be done only once, rather than at every pipe. I'm not sure how he needs to recheck his assumptions there since he stated them.
Only if it is a permanent solution. I thought the main issue was that the (US) gov't was supposed to stabilize rapid price fluctuations, not exist as a constant state of subsidy.
Consent is usually for phone calls and amounts to notification (hang up if you don't consent). In public states like MA recording in public is mostly about awareness and not consent. If you have a giant camera recording things they won't succeed in prosecuting you for secretly taping audio.
Unfortunately, in 2-party states you need to make it completely obvious so they can't claim you were secretly recording their audio -- if it is obviously recording audio, it is ok.
> What prevents the same enumerating attack against the sign up form.
Good point. Nothing prevents this, but it is easier to detect this kind of abuse on the sign up form and alert on it than all of the noise on the sign-in side.
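One way the sign-up side can be watched for the enumeration abuse described above, as an added example (not code from the original thread); the log lines are constructed, and the outcome field, window and threshold are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-up log: timestamp, client IP, submitted email, outcome.
# 198.51.100.7 probes many different addresses; 203.0.113.9 just retries its own.
SAMPLE_LOG = """\
2011-06-01T10:00:01Z 198.51.100.7 alice@example.com already_registered
2011-06-01T10:00:02Z 198.51.100.7 bob@example.com already_registered
2011-06-01T10:00:02Z 198.51.100.7 carol@example.com created
2011-06-01T10:00:03Z 198.51.100.7 dave@example.com already_registered
2011-06-01T10:00:04Z 198.51.100.7 erin@example.com already_registered
2011-06-01T10:00:05Z 198.51.100.7 frank@example.com already_registered
2011-06-01T10:30:00Z 203.0.113.9 grace@example.com already_registered
2011-06-01T10:45:00Z 203.0.113.9 grace@example.com created
"""


def parse(line: str):
    ts, ip, email, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email, outcome


def find_enumerators(log_text: str, window=timedelta(minutes=5), threshold: int = 4) -> dict:
    """Return {ip: distinct_emails} for IPs that received 'already_registered' for at
    least `threshold` different addresses inside any `window`-long sliding interval.
    A user retrying their own address never accumulates distinct emails, so the
    signal is far cleaner than failed logins on the sign-in side."""
    hits = defaultdict(list)  # ip -> [(timestamp, email)] for already_registered responses
    for line in log_text.splitlines():
        ts, ip, email, outcome = parse(line)
        if outcome == "already_registered":
            hits[ip].append((ts, email))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            emails = {e for t, e in events[i:] if t - start <= window}
            if len(emails) >= threshold:
                flagged[ip] = len(emails)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT sign-up enumeration from {ip}: {n} distinct existing emails")
```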
Yes, or changing it from a binary system to a continuum that maxes out at 20 years. Software patent? 5 years. New drug - 20 years. New algorithm (can't patent math of course) 10 years.
If you are leaving a company you don't like, why would you ever tell them anything that would make them better?
1. If you hate them you want them to fail anyway. Tell them things are really good.
2. Even if you don't hate them, your feedback can only cause you harm. There is zero upside to being honestly negative. They obviously don't have a culture that rewarded you for taking risks or being honest, so why take one now?
So, would you expect the company to tell you about strategic direction of the company up until the exact second of your leaving? Surely, if you are expected to bare your kimono up until the last second, they would have no problem sharing all of the same confidential information you've been privy to while working there.
Or is it more likely that both sides fully understand that there is an untangling and winding down of trust?