Posts by Michael Wojcik

2473 posts • joined 21 Dec 2007

It's Big, it's Blue... it's simply FABLESS! IBM's chip-free future

Michael Wojcik
Bronze badge

Re: It's not a metaphor

No, it's a metaphor

You're both wrong. The statement in question is exaggerated for rhetorical effect, which makes it hyperbolic; and it involves an (implied) association with no direct connection between vehicle and (implied) tenor, which makes it metaphoric. Tropes aren't mutually exclusive.

While we're at it, it's also a cliché, argumentum ad baculum and ad populum, amphidiorthosis (in the footnote), epiphonema, exuperatio, deinosis, praemunitio (again in the footnote), and no doubt several others.

And this whole thread, of course, is an exercise in correctio. Or diorismus, epanorthosis, epidiorthosis, or epitimesis; though the last sometimes is used to mean epiplexis.

HTH. HAND.

0
0

NOT OK GOOGLE: Android images can conceal code

Michael Wojcik
Bronze badge

Supporting 6 year old machines is quite good, I think.

Really? I'd call it a barely-acceptable minimum, if that.

0
0

Trips to Mars may be OFF: The SUN has changed in a way we've NEVER SEEN

Michael Wojcik
Bronze badge

Half-marks for headline

Really, you couldn't have gone with something like "Boffins: Sun lazy, useless (for Mars trip)"?

Also:

the Sun may be entering a so-called "Maunder Minimum", a lengthy spell of low to no activity. Such a minimum occurred from 1645-1715.

I've had coworkers who enter a period of low to no activity that lasts from 16:45 to 17:15. Coincidence?

0
0
Michael Wojcik
Bronze badge

Re: PROJECT ORION!

And so did a bunch of other people.

Pro tip: The comments on any Reg story about interplanetary travel will very quickly come to include multiple posts on Project Orion, nuclear rockets, VASIMIR, etc. This is a small pond with a lot of like-minded fish.

Here, I'll save us all some time: Project Orion VASIMIR nuclear rockets cooling radiation shielding delta-v robots1. Just link to this in the forums for future such articles and we can skip 90% of the comments.

(Not that it hasn't been fun, but really - we're clearly at the Frequently Posted Comments stage.)

1I am suddenly reminded of Snow Crash. Here, doggie!

0
0
Michael Wojcik
Bronze badge

Shielding weight would be a non issue in the vacuum of space anyways.

Plus, there are no dangerous shadows in the vacuum!

The real trick, of course, is to have the ship travel in whatever direction the vacuum is sucking.

0
0
Michael Wojcik
Bronze badge

Re: Re. water

used condoms filled with said waste would be great

Rule 34, now in interplanetary space.

(Why used condoms? "We need a used condom! Fire up the pornograph!")

0
0

How to get $542m from Google: Dress as a SPACEMAN with dayglo dancers – Magic Leap

Michael Wojcik
Bronze badge

Augmented reality and virtual reality. Pity they didn't throw in speech recognition for the Triumvirate of Crappy UI Concepts.

0
0
Michael Wojcik
Bronze badge

Re: A Magic Leap for Augmented Reality.

Lord, save us from the "pretty cool".

0
0

OnePlus One cut-price Android phone on sale to all... for 1 HOUR

Michael Wojcik
Bronze badge

My phone is less than a year old, but it cost me less than $100 - unsubsidized. (I'm on an MVNO PAYG subscription. I've had contracts with Sprint and AT&T in the past, and I don't see any reason why I'd ever want another.)

No, it's not a "top of the line" phone. And I can't see any reason why I'd need one. The model I have does calls and SMS just fine. It keeps my contact list. It has GPS and the navigation software is adequate. Those are the only things I really need my phone to do. As a bonus, it also does pretty well at things like keeping a calendar, keeping little to-do notes and shopping lists, playing music (on the rare occasions I want that), and displaying e-books (handy if I'm stuck waiting somewhere with nothing better to do).

I'm sure some people need a pocket equivalent of an '80s supercomputer for, um, some reason. I don't. I could certainly afford to spend $400 every year on a new shiny, but I'm much happier sticking with my perfectly-adequate phone and putting that money toward something else.

(My phone's battery is also good for 2-3 days of regular use. And it has a physical qwerty keyboard, which this "steal", like most whizzbang phones, seems to lack.)

0
0

Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan

Michael Wojcik
Bronze badge

Re: Zoe Lofgren is a Dem

He called her a "Republication and anti-surveillance crusader", I believe. I assume that means she's in favor of publishing things again (but only things that were public to begin with, and not anything that was private).

Later in the article he wrote "Lofgren's stance was backed up by fellow Republican Darrell Issa". Darrell is a fellow, but Lofgren is not one of his fellow Republicans. That is, as a member of Congress she's probably a republican, but she's not a Republican.

I hope that clears things up.

0
0

MARS NEEDS WOMEN, claims NASA pseudo 'naut: They eat less

Michael Wojcik
Bronze badge

Re: Looking the wrong way...

fat is a more efficient way to store energy than food

Fat is food. We've been conducting a decades-long national experiment in the US to demonstrate that.

There's nothing stopping NASA from providing astronauts with foodstuffs that have the same average caloric density as body fat. They also need to supply other nutrients, obviously, but they'd have to do so for the mooted fatstronauts too.

0
0

You can crunch it all you like, but the answer is NOT always in the data

Michael Wojcik
Bronze badge

Re: Coin flipping

The article's also wrong about 50:50 being the most probable outcome. Its probability is tied with that of 51:49 and 49:51 (considering heads-dominant and tails-dominant cases separately; if you treat "off by one" as a single case, then that case is more probable than heads=tails).

To get 50:50, on the previous toss you must be at 49:50 or 50:49 (i.e., one more head than tail, or vice versa). It doesn't matter how you got there; you have one flip left, and you've flipped the coin 99 times, so this last flip has to bring you equal, or fail to do so.

The probability of the last outcome (assuming a fair coin &c) is 0.5 heads, so you now have equal probability of ending up with 50:50 or 49:51 (or 51:49, if heads were ahead).

So 50:50 is among the most probable outcomes, but it is not the most probable.

0
0
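The tallies the post above reasons about, worked through in numbers, as an added example that is not part of the post: it evaluates the exact binomial probability of each final head count for 100 fair tosses, once directly and once through the "one toss left" decomposition the post uses, and reports which count comes out most likely. The function names (prob_heads, prob_heads_via_last_toss, most_probable_heads) are this example's own.

```c
#include <stdio.h>

/* P(exactly k heads in n fair tosses) = C(n,k) / 2^n.  Computed with the
 * recurrence P(k+1) = P(k) * (n-k)/(k+1), starting from P(0) = 2^-n, which
 * avoids the 2^100-sized integers a direct C(100,50) would need. */
static double prob_heads(int n, int k)
{
    double p = 1.0;
    int i;
    if (k < 0 || k > n)
        return 0.0;
    for (i = 0; i < n; i++)
        p *= 0.5;
    for (i = 0; i < k; i++)
        p *= (double)(n - i) / (double)(i + 1);
    return p;
}

/* The post's "one toss left" view: a final count of k heads is reached from
 * k-1 heads (last toss heads) or k heads (last toss tails) after n-1 tosses,
 * each branch with probability 1/2.  Must agree with prob_heads. */
static double prob_heads_via_last_toss(int n, int k)
{
    return 0.5 * prob_heads(n - 1, k - 1) + 0.5 * prob_heads(n - 1, k);
}

/* Head count with the highest probability (lowest such count on a tie). */
static int most_probable_heads(int n)
{
    int k, best = 0;
    for (k = 1; k <= n; k++)
        if (prob_heads(n, k) > prob_heads(n, best))
            best = k;
    return best;
}

/* Sanity check: the probabilities over all k must sum to 1. */
static double total_probability(int n)
{
    double s = 0.0;
    int k;
    for (k = 0; k <= n; k++)
        s += prob_heads(n, k);
    return s;
}

int main(void)
{
    int k;
    for (k = 48; k <= 52; k++)
        printf("%d heads / %d tails: %.5f (via last toss: %.5f)\n",
               k, 100 - k, prob_heads(100, k), prob_heads_via_last_toss(100, k));
    printf("most probable head count: %d\n", most_probable_heads(100));
    return 0;
}
```

Run it and compare the 49, 50 and 51 rows; the two columns agree to rounding, so the decomposition is sound, and the reader can check the post's ranking of the tallies against the printed figures.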
Michael Wojcik
Bronze badge

Re: New Noun

So now we're all doing Grammar Overanalyzing? I didn't know that was a thing.

You must be new here.

But yes, in this context, "data mining" (and indeed "mining" all by its lonesome) is a nominative verbal or gerund, which in English grammar functions exactly as a noun. Dictionaries conventionally label gerunds and gerundial phrases as "nouns" when they define them, so the original quote is using the standard form for the genre.

0
0
Michael Wojcik
Bronze badge

Re: Let's hear it for the hypothesis

All this digging around just gives random rubbish.

That is demonstrably, empirically wrong, as any number of applications of unsupervised machine-learning algorithms demonstrate. Take Maximum-Entropy Markov Machines, for example; they start with no hypothesis by definition (that's what "maximum entropy" means in this context), but in suitable applications they converge on a model which has a probability of getting the correct answer1 which is significantly higher, and indeed often much higher, than random.

Man, look at these sophomores all over my lawn.

1As measured by whatever metric is appropriate in the circumstances, such as f0, which is the mean of the recall and precision metrics for MM decoding applications.

0
0

HBO shocks US pay TV world: We're down with OTT. Netflix says, 'Gee'

Michael Wojcik
Bronze badge

Re: Broadcast and Commercial TV is dead

I don't think I've watched a live transmitted program, bar major news stories, at all so far this year

And no doubt generalizing from your individual experience to a universal rule is perfectly valid.

1
0

US government fines Intel's Wind River over crypto exports

Michael Wojcik
Bronze badge

Re: Irony

They're not clueless at all. They're assigning penalties based on someone's failure to jump through the hoops (ie, get an export license). That's precisely what they're employed to do.

And while Joan Daemen and Vincent Rijmen are indeed Belgian, they submitted Rijndael to the AES competition. You could say it was "imported", but that's rather a strained claim. And it has nothing to do with US export licensing in any case.

1
0
Michael Wojcik
Bronze badge

Re: Two thoughts

1. I thought this BS ended like a decade ago.

Nope. Export restrictions were relaxed, not eliminated. You still can't sell to the "enemy" states, and you still need an export license, in both the US and the UK. I've been through the process.

Fortunately, once you have the licenses, renewals are generally easy, provided nothing significant has changed in how the crypto tech is used in the product. (We've added new TLS ciphersuites and had our renewals rubber-stamped, for example.)

1
0

Internet finally ready to replace answering machine cassette tape

Michael Wojcik
Bronze badge

... which line was recorded using an answering machine. (Don't know if you're already aware of that, and this was just a wink for the knowing. If that's the case, no soap, radio.)

0
0
Michael Wojcik
Bronze badge

Re: Awesome band.

Triangle man was about wrestling wasn't it ? Bless Loony Tunes !

The song's title is "Particle Man", and the cartoon in question is part of an episode of Tiny Toon Adventures, not the older WB Loony Tunes series. It's a good one, though, with Plucky Duck in the eponymous role.

The wrestling interpretation used by the TTA writers is a variant reading that doesn't fit particularly well with the entire text. A less-resistant reading is probably just to see the song as the typical TMBG dream-logic treatment of the four-color-comic superhero genre.

But meaning inheres in the reader, not the text. It can be as much about wrestling as you like.

0
0
Michael Wojcik
Bronze badge

Re: Night Light

Yes, the lyrics are hardly difficult to interpret, particularly if you ask your friendly reference librarian for help with the more obscure references. What are they teaching in schools these days?

I'm having trouble thinking of a TMBG song that isn't pretty clear with a modicum of thought. "Minimum Wage", maybe.

0
0

City council thinks what we're all thinking: 'Comcast is terrible – and NOT welcome here'

Michael Wojcik
Bronze badge

Re: Ugh

This would be like the state of New York named after "New York City, New Jersey".

Even if that were the case, it'd be considered child's play in the Midwest. For a while I attended (and taught at) Miami University, which of course is in Ohio (and for which Miami, Florida was probably named1). Miami University is located in Oxford (Ohio). I had a joint seminar with students from the Indiana University of Pennsylvania, in Indiana, Pennsylvania (Jimmy Stewart's home town), and not to be confused with the far-flung (but not that far) campuses of Indiana University of, um, Indiana.2

1There is some dispute. Miami University, of course, is in turn named for the Myaamia, well-known for defeating the US in war, for which they received a treaty that was promptly abrogated, removal, and a university namesake.

2Pennsylvania also has a California University of Pennsylvania, but that never causes confusion.

2
0
Michael Wojcik
Bronze badge

Re: Ugh

I live in a town that shares its name with at least 40 other towns in the US, all in different states.

I live in a town that shares its name with another town in the same state. Different counties, fortunately.

Of course, I live in a state that's nearly two states, connected by a rather long bridge.

0
0

Bad news, fandroids: He who controls the IPC tool, controls the DROID

Michael Wojcik
Bronze badge

Re: To quote the piece. "featured a proof of concept rootkit for the Binder component"

"featured a proof of concept rootkit for the Binder component"

Yes, but from their paper (linked to in the article):

Most importantly, all the techniques described in this paper require running with root permissions.

The concept they're proving is that "if you can get access to Binder messages, you can do a lot of stuff". They demonstrate keylogging, form interception, SMS interception, and so on - but all of their exploits require root.

As others have said above (though I'm not sure any of the people making this claim actually looked at the slides or read the paper), this talk was very much about why the Binder is a juicy target for malware authors, and not about actual vulnerabilities that exist today. While there may well be such vulnerabilities, the authors do not describe any.

In short, it's "look at this whopping great attack surface!".

1
0

Scientists skeptical of Lockheed Martin's truck-sized FUSION reactor breakthrough boast

Michael Wojcik
Bronze badge
Joke

Re: Beware

Especially if they use 'neutral beams'.

Yeah, that's a red flag too. When there's a problem, how will the chief engineer reverse the polarity?

1
0

Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat

Michael Wojcik
Bronze badge

Re: I wonder

It would require a tremendous stretch to believe any of these were plants. One (support for TLS_FALLBACK_SCSV) is in fact a new feature; it isn't a "fix" by any definition. Of the other three, two are DoS issues, which are of very low value to the SIGINT community.

The last could have some SIGINT utility, since getting a product to downgrade to SSLv3 leaves it open to decryption attacks like POODLE and BEAST (when using a block cipher) or RC4 bias exploitation. But few OpenSSL installations use a version built with --no-ssl3, so on the whole it'd be a very low-value attack. If a SIGINT agency had an opportunity to sneak a flaw into the OpenSSL sources, they could do much better.

0
0

Forget passwords, let's use SELFIES, says Obama's cyber tsar

Michael Wojcik
Bronze badge

Re: Access required?

Robert M Lee has a good piece in Forbes online arguing why a non-technical "Cybersecurity Coordinator" (apparently Daniel's actual title) is a bad idea. Even if you agree on principle (as it seems most or all the commentators here do), it's worth a quick read.

As usual, we see that IT-security pronouncements from people who aren't security researchers aren't worth the bits they're encoded with. Schneier was explaining to non-technical audiences why biometrics weren't a silver bullet a decade ago. Looks like the Powers That Be still haven't caught on (or, as a number of people here have suggested, have - but of course they don't have users' interests in mind).

1
0
Michael Wojcik
Bronze badge

Nothing is "completely secure". The phrase is meaningless.

Biometric identification isn't even vaguely secure, under most reasonable threat models.

1
0
Michael Wojcik
Bronze badge

Re: Cut'n'paste

There are plenty of good arguments from actual security researchers (Daniel is not one) against making biometrics the default for authentication. While not all facial-recognition systems can be fooled this easily, certainly the potential for forged credentials is among them.

0
0

Chrome 38's new HTML tag support makes fatties FIT and SKINNIER

Michael Wojcik
Bronze badge

Re: Seems pointless.

Phones are bordering on having larger resolutions than many laptops and desktops these days.

Not everyone wants to spend their money on expensive phones.

Resolution isn't the entire story, particularly for people with reduced visual acuity. Which is pretty much everyone who lives long enough to tell you damn kids to get off our lawns.

0
0
Michael Wojcik
Bronze badge

No, it's another way for sites to offer user agents ("browsers") more choices about how to display the page. If the user agent is well-written, the new img attributes give the user more control over rendering.

The picture element is a bit of a mixed bag, since the media rules are supposed to be mandatory.

1
0
Michael Wojcik
Bronze badge

Re: Mixed blessing

Part of the point of picture and the new img attributes is to handle precisely that case. Read the blog post that the article links to.

2
0

I didn't invent Bitcoin! Send Bitcoin to help me fight this slur – Dorian Nakamoto

Michael Wojcik
Bronze badge

Re: Not a lot he can sue for

Freedom of Speech in the US means that the press/media can say anything they like.

That is wildly, fabulously wrong.

There are most certainly limitations on expression in the US, both expressly legislated and in practice. In the case of the "media" (which, for most purposes, has no special legal status here, as distinct from any other public expression), libel law attaches, as do various consumer protections that restrict forms of expression deemed dangerous, such as making certain kinds of claims about medical efficacy.

In order to claim damages he'd have to prove it was malicious or similar.

You do see this contradicts your first claim, right?

In the US, there are a variety of libel laws at the federal and state level, so to some extent it depends on in which jurisdiction Nakamoto files suit. In many cases the barrier for libel is high (and in general it's higher in the US than in most other countries, thank goodness), but Nakamoto is not a public figure, which helps.

Ordinarily, under US federal libel law, he'd have to demonstrate that Newsweek knew their statements were false, or they recklessly disregarded the possibility they were false; that the statements didn't constitute "opinion" or "fair comment" (seems a priori true, but IANAL); and that his character was impeached and his reputation damaged. I think he could make a decent case there, but I wouldn't want to bet on it.

He could also claim "defamation per se", which has weaker tests. The two possible categories that could apply there (in this case) are accusing someone of a crime, and interfering with their ability to conduct business. But creating Bitcoin probably wasn't a crime now, and even if cryptocurrencies are criminalized in the future, the prohibition on ex post facto criminalization means that doesn't apply. And from what I've read, I think he'd have a hard time making the case that Newsweek has interfered with his ability to make a living.

1
0

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

Michael Wojcik
Bronze badge

Re: Misleading Language

It's as though snprintf isn't available everywhere or something...

It isn't - at least not a conforming version. MSVC's is still broken, for example (wrong return value if the buffer is too small, and fails to nul-terminate in that case also). The same for the C library on at least one UNIX platform (HP-UX 11.23, maybe?).

Of course Microsoft C doesn't actually provide snprintf. It provides a family of functions with names beginning with "_snprintf", which is an identifier reserved to the implementation, so it can do whatever Microsoft damn well pleases.

So no, snprintf is not available everywhere.

We use it, but we have to wrap it in code that Does The Right Thing for both conforming and brain-dead implementations.

2
0
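A wrapper of the kind the post describes, as an added example and not the poster's own code: it assumes a C99 vsnprintf for the conforming path, and the broken_vsnprintf stand-in is a constructed model of the pre-C99 behaviour the post attributes to MSVC (return -1 when the output does not fit, no terminator on an exact fit), not a real library call. The wrapper forces a terminating nul and recovers the true output length, so a caller can test ret >= size for truncation on either kind of implementation. All function names here are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape shared by the real vsnprintf and the stand-in, so one wrapper
 * can be run over either. */
typedef int (*vsnprintf_fn)(char *buf, size_t size, const char *fmt, va_list ap);

/* Constructed stand-in for a non-conforming implementation: -1 when the
 * output does not fit, and no terminating nul when it fills the buffer
 * exactly.  Exists only so the fallback path can be exercised on a
 * conforming libc. */
static int broken_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    va_list copy;
    int needed;
    char *tmp;

    va_copy(copy, ap);
    needed = vsnprintf(NULL, 0, fmt, copy);   /* true length (C99) */
    va_end(copy);
    if (needed < 0)
        return -1;
    if ((size_t)needed < size)
        return vsnprintf(buf, size, fmt, ap); /* fits: normal behaviour */
    tmp = malloc((size_t)needed + 1);
    if (tmp == NULL)
        return -1;
    vsnprintf(tmp, (size_t)needed + 1, fmt, ap);
    memcpy(buf, tmp, size);                   /* every byte used, no nul */
    free(tmp);
    return (size_t)needed == size ? needed : -1;
}

/* C99 semantics over any implementation: when size > 0 the buffer is always
 * nul-terminated, and the return value is the length the full output would
 * have had, so `ret >= size` reliably signals truncation. */
static int portable_vsnprintf_with(vsnprintf_fn impl, char *buf, size_t size,
                                   const char *fmt, va_list ap)
{
    va_list copy;
    int ret;
    size_t cap = size > 0 ? size : 64;

    va_copy(copy, ap);
    ret = impl(buf, size, fmt, copy);
    va_end(copy);
    if (ret >= 0) {
        /* Conforming result, or an exact fit that skipped the terminator:
         * enforce the nul either way. */
        if (size > 0 && (size_t)ret >= size)
            buf[size - 1] = '\0';
        return ret;
    }
    /* -1 is either truncation (broken libc) or a real error.  Retry into a
     * growing scratch buffer until the call succeeds, which yields the true
     * length; give up at 1 MiB and report an error. */
    for (;;) {
        char *tmp;
        cap *= 2;
        tmp = malloc(cap);
        if (tmp == NULL)
            break;
        va_copy(copy, ap);
        ret = impl(tmp, cap, fmt, copy);
        va_end(copy);
        if (ret >= 0 && (size_t)ret < cap) {
            if (size > 0) {
                size_t n = (size_t)ret < size - 1 ? (size_t)ret : size - 1;
                memcpy(buf, tmp, n);
                buf[n] = '\0';
            }
            free(tmp);
            return ret;
        }
        free(tmp);
        if (cap >= (size_t)1 << 20)
            break;
    }
    if (size > 0)
        buf[0] = '\0';   /* never hand back an unterminated buffer */
    return -1;
}

/* Variadic fronts: one over the platform vsnprintf, one over the stand-in. */
static int portable_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int ret;
    va_start(ap, fmt);
    ret = portable_vsnprintf_with(vsnprintf, buf, size, fmt, ap);
    va_end(ap);
    return ret;
}

static int portable_snprintf_broken(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int ret;
    va_start(ap, fmt);
    ret = portable_vsnprintf_with(broken_vsnprintf, buf, size, fmt, ap);
    va_end(ap);
    return ret;
}
```

Both fronts give the same answer for the same input: formatting "hello" into a 4-byte buffer returns 5 and leaves "hel" terminated, whether the underlying call reported 5 (conforming) or -1 (stand-in). The fallback costs an allocation per truncated call, which is acceptable because truncation is the exceptional path; the point is that the caller's truncation check and the terminator no longer depend on which libc is underneath.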

It's 2014 and you can still own a Windows box using a Word file or font

Michael Wojcik
Bronze badge

Re: Why would you PARSE FONTS in the kernel? @AC - Linux drivers

In fact, if you try hard, you don't even have to run the X server as root. Generally speaking, modern distributions do run the X server as root because it is started up before the graphical login starts, and that needs X, but if you disable the graphical login, log in as an ordinary user using a text-based authentication method, and then run up an X server (using something like startx), it works just fine.

And indeed this is how most people did it, back in the day. It wasn't until X11 R4, if memory serves, that xdm became popular. (It was part of X11 R3, a contrib client written to support the "X Terminals" that were just starting to come out, but I don't recall many people using it until R4.) So for the first four years or so of X's existence people would typically log on to a conventional pty device, and then start X (often on a different display), a window manager, and some clients.

1
0
Michael Wojcik
Bronze badge

Re: Why would you PARSE FONTS in the kernel?

"the video drivers are on the kernel too"

We need to stay stupid because we started off stupid.

Except, of course, they didn't. Video was outside the kernel, and called into the HAL, until NT 4. Then it was moved into the kernel to address complaints about video performance.

So it's more a case of "we started out doing it correctly, but people complained, so we decided to convert to stupid, and we'll be damned if we're going back now".

2
0

NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)

Michael Wojcik
Bronze badge

Re: Yet more reason to disable SSL 3

Yes. SSL 3 is broken for serious use - it's only useful if your threat model is "don't be the low-hanging fruit".1 That's a reasonable threat model for many cases, frankly - but there's almost never a reason to support clients that don't have TLS support, unless you must support IE 6. And even then IE 6 use should be restricted to only those legacy apps that can't run in anything else, and those apps should be scheduled for replacement.

1The typical POODLE attack against SSL 3 using a block cipher, for HTTPS, requires about 256 attempts per byte of the data being extracted. If that's a session cookie (the obvious target), hijacking an SSL 3 HTTPS session with POODLE using malicious JavaScript is quite feasible. See the POODLE paper for more information.

0
0
Michael Wojcik
Bronze badge

Re: Thank $deity for proprietary software

Lions 27, Christians 1.

Not bad, particularly for trolling on the Reg. I wouldn't put it on the CV but it's a good day's work.

(Cue victims calling "Poe's Law!".)

0
0

10 Top Tips For PRs Considering Whether To Phone The Register

Michael Wojcik
Bronze badge

Re: Confession - OED

The OED records common usage, not proper usage. At least not any more.

The OED has always been a descriptive dictionary.

There are other sources of (correct) information.

Prescriptivist fallacy.

I know my language

Epistemological-phenomenological fallacy.

0
0
Michael Wojcik
Bronze badge

Re: Confession

most people drop the pronunciation of the leading letter

Citation needed.

0
0

Jaguar Sportbrake: The chicken tikka masala of van-sized posh cars

Michael Wojcik
Bronze badge

Transponder unlocking

Keep the key in your pocket, walk up to the car and press the button on the lock and the car opens

Press the button? What is this, 2004? I walk up to the Volvo with the transponder in my pocket and pull the door handle and it unlocks and opens.

It's a gimmick, but if we're going to wax gee-whiz about it, we should at least require that Jaguar get it right.

0
0
Michael Wojcik
Bronze badge

Re: Jaguars are astonishingly awful in the snow

Turbochargers are a cheap way to boost performance while actively exacerbating the long-term (<100K miles) UNreliability of the powertrain

Tell that to my stepdaughter's turbocharged 1998 V70, now on its third owner and nearly at 300K miles. And rather casually maintained for at least the past 12 years or so. Biggest powertrain issue to date was a rear-gasket replacement eight or nine years ago.

1
0
Michael Wojcik
Bronze badge

Re: Not the cache

Yes. My 2015 XC70 T6 - the AWD version of the V70 - has most of the "goodies" mentioned in the article, and the rest can be added as options if you want (I didn't, particularly), with better cargo capacity. The car is luxurious and the I6 engine very nice. The XC70 is decent on country roads; while it's not a true off-roader, between AWD, traction control, skid plates, and considerable ground clearance it gets by very well.

And available for a bit more than half the price.

I can't see any advantage to the Jag at all.

1
0

Look ma, no hands! The machines are speaking our language

Michael Wojcik
Bronze badge

Re: There's a dark side to it

Yes, that's why Google had their free voice-search 411 (telephone directory services) service for a few years. They admitted publicly that it was offered simply so they could harvest speech input and automatically confirm recognition - if the user used the results returned by the search, Google could assume they'd recognized the query successfully.

Speech input lowers the cost of use (for users who don't find it annoying), which encourages use, which lets the provider harvest more data, which improves recognition, which lowers the cost of use (because greater accuracy means the search is more likely to be successful on the first try). It's a virtuous cycle, for very particular meanings of "virtuous".

0
0
Michael Wojcik
Bronze badge

Re: Minutes of meetings

I, so often the 'acting minutes secretary', would like to see a system that could listen to a meeting with one or more microphones, and five minutes after the meeting ends the system produces a coherent set of minutes.

Conversational entailment (figuring out whom someone's responding to), plus summarizing with a really large and site-specific knowledge domain. Simples! We should have it working in another fifty years or so.

Some researchers have been making good progress on the entailment front, at least. And general summarization is a largely-solved problem (for English; I don't think the necessary databanks are available for most other languages). Unfortunately, domain-specific summarization is a lot harder.

0
0

Intel 'underestimates error bounds by 1.3 QUINTILLION'

Michael Wojcik
Bronze badge

Re: Isn't this obvious?

you wouldn't really expect an accurate result for sin(1e99), would you?

There's no reason why that input can't be range-reduced.

In any case, the problem is that Intel's fsin is inaccurate for values close to π. That's a bit more of an issue. Try reading Dawson's post.

0
0

Return of the Jedi – Apache reclaims web server crown

Michael Wojcik
Bronze badge

Re: Active Sites versus All Sites

you end up with a server that runs as efficiently as nginx but within the Apache environment

Possibly, if you're running Apache 2.2 with a suitable MPM (worker or event) configured. With a forking MPM, Apache is never going to be as "efficient" (either in resource consumption or responsiveness) as a threaded event-driven server - and that includes Apache itself, when it's configured for threading rather than (exclusively) forking. For many sites, the robustness and security advantages of forking make it a fine choice, but it's always going to be heavier.

I don't know of a methodologically-sound benchmark comparing current Apache with worker or event MPM and nginx.

There is nothing wrong with nginx, it is a perfectly fine webserver. It is just that httpd is also a perfectly fine webserver.

Agreed. It would be very foolish to recommend one over the other as a general rule, without considering any context. Few sites have to worry about thousands of simultaneous requests - and the ones that do generally have load balancers in front anyway. And many sites don't need Apache's more esoteric capabilities (though certainly many do).

0
0
Michael Wojcik
Bronze badge

Re: Closed is out of flavour these days.

I nominate "out of flavour" for Eggcorn1 of the Week2.

1Prolepsis: "out of flavor" barely charts on Google Ngrams; "out of flavour" isn't found at all.

2Though it could also be "... of the Weak", for those sick of this particular tiresome and utterly unproductive religious war.

0
0

US astrophysicist Neil deGrasse Tyson: US is losing science race

Michael Wojcik
Bronze badge

Re: Salary

It's true that higher-education funding in the US is badly broken, and that the career track for new science graduates is highly flawed as well. This is broadly true of all the STEM fields - there was a piece in CACM not long ago pointing out that poorly-compensated, temporary post-docs are the main source of employment for new CS PhDs, for example.

Despite that, the US still produces more STEM graduates at all levels than any other country (at least the last I checked), still publishes more basic research, still generates more patents... Tyson and others can say that the US is "falling behind", but it's far from clear what metric justifies that evaluation. Falling behind whom, and on what grounds?

I'd like to see more money spent on primary and secondary R&D. I'd like to see STEM grads get good jobs (and see those jobs distributed more equitably, instead of the lion's share going to grads from a handful of schools, for highly dubious reasons). I'd like to see higher-ed funding fixed. But I'm not sure that "we're falling behind" is a valid justification for those things. "It'd be broadly useful for everyone" seems a lot more plausible and persuasive.

0
0

'Bill Gates swallowing bike on a beach' is ideal password say boffins

Michael Wojcik
Bronze badge

Password policies

By forcing users to reset their password frequently an organization forces its users to remain within the most difficult rehearsal region

Absolutely. That's one reason why reputable security researchers don't recommend short password / passphrase lifetimes. Doesn't stop know-nothing administrators from imposing such policies, though, because they like to rely on the "standard practice" excuse.

Account lockout is another idiotic policy that's rarely justified by any sensible threat model. If your password / passphrase strength requirements are decent, it's vanishingly unlikely that anyone will correctly guess a user's password with three tries. What is likely is that users will mistype strong passwords or passphrases (per the discussion above) three times, get locked out, and have to request account unlocking or password reset - which means lost productivity and opportunities for social engineering. Three-strikes account lockout is a great example of a policy that does far more harm than good to password-based security.

But here again, the people making these policy decisions generally seem to be actively hostile to sound security research, preferring instead to rely on a cargo-cult set of "standard" practices.

0
0
Michael Wojcik
Bronze badge

Sounds more like a typing problem than a password problem?

I'll argue it isn't. I'm a trained touch-typist - I was taught to touch-type on manual typewriters in the early '80s, and between programming and my academic work I've touch-typed the equivalent of thousands of pages of text. I still mistype my passphrases (which are now generally around 40 characters) on a regular basis.

Passphrases often aren't especially amenable to touch-typing. The typical passphrase system has zero tolerance for error and doesn't provide useful feedback. With Windows, for example, the standard password dialogs show bullet symbols for each character and are only 26 characters wide; after that, you don't even get feedback to show that you've successfully entered a character, because the identical bullet symbols just scroll horizontally.

And passphrases generally aren't typical natural-language phrases, because those would be weak against dictionary attacks. And since many passphrase systems are actually just password systems that allow long "passwords", they are often configured to require a large alphabet, so your passphrase has to include numerals and punctuation. Those elements make it easier to mistype the passphrase.

Back in the days of non-correcting typewriters, it's true that touch-typists typically had a much lower error rate than they do today, when correcting typographical errors is trivial. But a vanishingly small number of people use such typewriters now, so very few users have the training to eliminate typographical errors. And expecting users to do so once again puts the security burden on the wrong part of the system.

1
0