2943 posts • joined Monday 31st May 2010 16:59 GMT
With no European servers? No US legal attack surface?
Re: Good op-ed, but unfortunately Canada is probably part of the system.
China's GDP: 7.318 Trillion
China's Population: 1344 Million
Canada's GDP: 1.736 Trillion
Canada's Population: 34.48 Million
I have the deep and abiding suspicion that we can build all the goddamned drones we feel like and have no problems with either the US or China. After all, we can afford to feed our people and build a robot army. We also don't have to buy the resources from a third-party country because we are sitting on all the resources we could ever want. Canada just has to wake up and start building.
Unlike China we don't need massive labour to build our drones. We have our robots build our drones. As for China building "better" drones, I beg to differ. Canada's aerospace technologies are second to none. We have advanced weapons R&D and some of the best and brightest nanotech researchers on the entire planet live in my very own city. If we do need more labour, well, we seem to import it just fine. I hear India has more than a few highly-trained people; perhaps they'd be willing to send some over.
Canada having an army capable of defending itself against all comers is entirely feasible. I really wish we'd get on with it and stop being beholden to the vagaries of others.
Besides, a strong drone-manufacturing industry would be a great way to export manufactured goods. We could stop exporting resources and waiting for others to add value and start doing it ourselves. I am certain that the EU, non-EU European nations and the rest of the commonwealth would love a second-source provider for critical defence components that wasn't tied to the US or grossly incompetent. We really should get on that...
Re: Not all cloud tech is bad
Your solution to angry men with guns and a warrant is what, exactly? Please do remember they can crack most encryption if they so choose.
Re: Very well said
I travel to the US. I have clients there. I go to conferences there. If they want to hassle me for speaking my mind, well...oh well. It may be that the price I pay for having principle is that they extend the war on journalism to encompass me. That would suck, but this is way bigger and way more important than just me.
Stopping our descent and getting back on the path starts with one person willing to say "hey, I think we took the wrong fork back there."
Re: Hello pot, this is kettle.
I don't think so. Corporations don't need government intervention to illegally pollute, to destroy someone's credit rating, to create dangerous workplaces -- in fact the only reason they don't do more of that crap is because of government intervention.
Absolutely correct. Don't mistake me for a pro-corporatist...I'm not. I am saying very specifically that I trust a corporation with my personal data more than a government. I don't truly trust either, but I find the government far more likely to do something untoward with that info. The corporation is probably just going to advertise at me (or maybe hike my insurance premiums.) There is a place for government. Public health care. Environmental regulation. National defence, emergency services and policing. That place is not "spying on its own citizens."
Says who? How many US government employees have you observed being "accountable to no one"? Give me some real data on this. Most US government agencies are answerable to at least two of the major branches (often Executive and Legislative, but also Executive and Judicial (think law enforcement), and even Legislative and Judicial) and there are more regulations targeting government employee behavior than targeting corporate employee behavior.
Obama's former director of speechwriting. Look up the interview on the Daily Show between Stewart and Jon Favreau. He is very frank about how damn-near impossible it is to create change in the government because each section reports to a different committee made up of members of the house. Decisions on what to change (if anything) are politically motivated, not based on requirements.
He makes specific mention of how intractable most agencies are and how resistant to change they have become. He is not remotely the only one to have said so of late, but is the only one at the top of my mind that I can remember a name for.
It's easy to paint any large organization with broad strokes, but the fact of the matter is that more than 90% of the 2 million US government employees you mention have (a) no access to the data discussed in the original article, (b) little to no direct control over the fate of individuals, (c) a hell of a lot more people looking over their shoulder than you or I have and hence way more accountability than you think, and (d) would really rather you just left them to do their job, rather than lumping them in with all of those shady types.
Far more of those people have access to the data than should have. Many of them abuse it. Far - far - too many of them (especially border guards) take obvious and notable pleasure in making others suffer. Ultimately, it isn't required that the totality of the organization be corrupt. Enough of the wrong people in the wrong places having abdicated their duty of care is more than enough to turn the whole thing into the very monster it exists to defend against.
It's too bad, too...because there are examples of governments that actually work well in other parts of the world. Places where accountability and transparency are more important than anything else. Where the government's duty is to the people, not merely keeping one's head down so that they can stay employed.
Apathy is not an excuse for abdication of ethics.
Re: The Cuckoo's Egg
Scale matters. A targeted intercept with a warrant for a single individual (or relatively small group of interconnected individuals) is an understandable and entirely acceptable law enforcement requirement. Dragnet style operations are another thing entirely. Law enforcement and intelligence agencies are not supposed to be carrying out fishing expeditions. This has been established over and over at all levels of our courts.
What about "with a computer" makes it somehow morally, ethically or even legally acceptable to throw out the presumption of innocence? "Because we can" is no justification for changing "innocent unless proven guilty" to "guilty unless proven innocent."
That's really what this boils down to: it is not my job to prove my innocence. The burden of proof is on the accuser to prove me guilty. Guilty of what, well, since I haven't done anything illegal (that I am aware of) I haven't the foggiest clue. There was a speeding ticket a few years ago, but I paid the fine.
So what gives you/him/her/them the right to presume me guilty and monitor all that I do just in case I might be guilty of something? That whole concept goes against the very foundations of our society's belief systems.
Innocent unless proven guilty. To give that up is to render all of the struggles for liberty through the ages utterly and completely meaningless. If you demand of me and mine that we give up that essential liberty then it's time for the struggle to recommence.
Re: Hello pot, this is kettle.
We have recently (as in within the past year) dragged this through our parliament, our senate and our judicial system. We have had three separate law enforcement/spy agencies investigate each other to ensure that they are not overreaching and breaking the laws that are very much under debate in our country.
What's more only one and a half (as in Bell and the eastern portion of Shaw's network) are even capable of massive dragnets involving more than phone records. In theory, it is possible that you could pull the phone records of the cell phone providers en masse. I have my doubts about the landline/sip providers. Retention requirements aren't exactly eternal, and I know a few who are privacy types who will delete the instant they can.
If there was Room 641A-style dragnet snooping going on in Canada it would legitimately be a conspiracy. The kind of conspiracy that has people lying under oath. The kind that is really, really hard to keep a tight lid on and would have quite a few people in the not very nice jails until the end of time when it all came out.
I am as sure as it is humanly possible to be without actively monitoring every single person at all levels of our government 24/7 that nobody in Canada is operating a dragnet-style monitoring operation on our citizens. Given that I can only point to a handful of politicians in all of Canada that are legitimately corrupt (and not mistakenly trying to do the right thing while having lost what that right thing truly is) I'm willing to accept the word of the people involved that we are not spying on each other here.
That doesn't mean our cops don't want to...but it does mean that they go through proper channels to do so. Those proper channels - in this country at least - require public debate. Besides, I know one of the blokes that runs the tech forensics side of CSIS; he's a good chap and he'd not stand for that sort of thing. Since he's still working there, I have to assume they've not gone yank on us quite yet.
Re: Good op-ed, but unfortunately Canada is probably part of the system.
Frankly, I've been a strong proponent for bloody ages of Canada sinking a hundred billion or so into a revitalized navy. We need to defend our interests in the north and be fully capable of projecting force anywhere on the continent of our choice from a pile of boats at sea.
You don't need boots on the ground. Tomorrow's wars will be fought by robots, and with a GDP of 1.8 Trillion Canada should damned well be able to defend its interests against anyone. We should not be dependent on the US for anything.
Re: Hello pot, this is kettle.
Yes; corporations are by default less corrupt than governments. Corporations do nothing without a profit motive. There is no advantage to a corporation noticing that you are interested in cartoon porn of girls and aliens and then having you arrested and thrown in jail for an indeterminate period of time. Potentially while being held without charge for over a month and not allowed to even contact your family or employer to tell them why you're missing.
There's no profit in labelling a journalist as a "threat to national security" because they spoke out about a problem in their home country caused by an American country and then have them hassled at the border, refused entry or otherwise severely hassled.
There's no profit in digging into text files to identify individuals, claim they are somehow a threat (without saying how, because it's all secret) and then beating protesters (in some cases nearly to death) who are occupying a public park trying to get some banks held accountable and demand social change.
I could go on and on and on. Look; corporations don't have the power of governments to completely ruin your life. They can only do so by involving a government in the first place.
The US government employs over 2 million people. 2 million! The overwhelming majority of them accountable to no one. The bureaucracy has become paranoid, defensive and dedicated to preserving their own jobs above all else.
Most of them are good people, but good people can do terrible things when bored, scared or apathetic. When you start to develop an "us and them" mentality you dehumanize the people you are paid to serve and that's where this whole mess starts. Border guards, the tax man, cops, the DMV, you name it! The US governmental apparatus is deeply embedded in "us" versus "them" where "them" is not only "other countries" it is their own damned people!
So yes, I believe that the cumulative actions of 2 million bitter, disillusioned people who just don't give a damn led by a handful of the truly corrupt are a heck of a lot more damaging than any corporation I can name.
Re: Hello pot, this is kettle.
Our spooks tried to obtain the same powers. We shot them down in full public view. Multiple times. They keep trying. We keep denying. If they did it anyways, our supreme court would have a goddamned field day slapping them right back down to earth. There are no Patriot Act style laws here that allow the government to claim "National security" and slap a gag order on it. For that matter if our government attempted to introduce such laws, our supreme court would slap it back down.
So yeah, I'm damned sure CSIS isn't monitoring my internets. The NSA is (hi, ECHELON!) and CSIS may periodically go hat in hand to them for stuff, but only once they've a warrant and an individual to target. There are no dragnet style snooping operations in Canada. If there were, I promise you, we'd resolve that right fucking now.
Aye, and before France the idea persisted in various cultures for thousands of years. It was the US that made 'em stick and immortalized them with that constitution. There were other things attached that for the first time designed an entire nation in an attempt to preserve those beliefs. Separation of power being only the start of the things they tried to put in place to ensure that those beliefs couldn't be corrupted.
Every other time we'd tried in the past it was cute, but layered on top of an existing governmental structure desperate to preserve its own power and thus severely limited. Though France came damned close...
First, they came for the Jews...
And targeting political ideologies with the taxation gestapo. And initiating a war on journalism. And PRISM. And...
Re: False positives
No. Most people - most people who aren't American - would say that liberty is something you can only purchase in lives and that the cost is worth it. The totality of human history demonstrates our willingness to pay the price with each new generation.
My life, the lives of my family or friends...if they are required so that we can retain liberty then so be it. I promise you my wife and my friends feel the exact same way. Some things, you have to be prepared to defend, to the death if necessary. Liberty is one. It is more important than the individual. More important than many individuals. At a large enough scale, it is even more important than entire nations.
Only the unbelievably selfish would put their own security above the liberty of their entire nation.
Re: False positives
Are you saying "it's all worth it so long as one person's life is saved?" I entirely disagree. Some things are worth dying for, liberty is one. That means not becoming the thing you hate. It means not negotiating with terrorists and it means that you live with a little more risk in the world because you refuse to have your ideals and beliefs compromised by extremists with a grudge.
Your beliefs are either worth defending or they are not. In the end, the person who is most willing to stick to his beliefs - come what may - will win. So, which beliefs are you prepared to live under? Which are you willing to defend? Or will you simply choose apathy and let someone else dictate the shape of the society you will inhabit?
Re: Vice versa.
Never ask anyone to explain why they like something. It doesn't help you improve a product and people like strange things. Some people juggle geese...
Re: #1 is good but #2 is even better :-
Well, the first was highly tongue in cheek. I was mocking myself for all the flak I got for a previous article about how much of your data US.gov could access if you stored it there...a few days before shit hit fan. Aaron's tweet was raw frustration, and all the more poignant because of it.
No, you can not use any provider. Only those that have received the magic stamp of approval.
Re: 'Interesting question. Can you expand on it?'
RE: #1 nobody uses the web apps unless forced to. That means that all e-mails are downloaded locally and cached on the local Outlook. They use local copies of Office. That makes it work as fast as an exchange server, excepting for Very Large Files which are attached and aren't cached. These do have to download when you open them, but I have not heard a single complaint from my Office 365/MS Office customers or my Google Apps/Thunderbird/LibreOffice customers.
RE: #2 cloud provider will generally offer a testbed platform for CRM alongside the production version. The migration process is a bitch and a half, but this is no different than migration from any installed CRM to a new installed CRM. Latency is generally improved in cloudy versions because the cloudy infrastructure is almost always faster and better maintained than internal stuff. Costs only make sense if you fire a bunch of nerds and factor that in. Otherwise, cloud is always more expensive.
RE: #3 I have e-mailed myself that question so I can go hit it with a hammer. I'll make you a complete article on that, fair enough?
Re: Cloud Latency...?
Interesting question. Can you expand on it? What are your precise concerns? I've not seen latency as an issue on anything I've tested or run in production...not even Lync! (Though, admittedly, Office 365's exchange/HTTPS mail does get crappy as hell if you are on a thready wireless connection in the third world...but Outlook does do caching...)
Re: Vice versa.
Oh, I admit that I'm an edge case. I do, however, believe that "edge case" here is defined as anything not 2 sigma from the centre. That leaves a lot of people kicked to the curb. A lot.
I don't mind being "different." I do mind people taking something that was working and then breaking it. I loathe the arrogance of a company (and its fanboys) demanding that I explain why I don't want to buy a given product. It's my fucking money! The burden is on the vendor to convince me why I should spend my hard-earned.
That's really what the whole thing boils down to for me. Microsoft - and Microsoft fanboys - have taken an attitude that constant upgrades, subscription fees and so forth are their due. They Deserve it on some moral level. Those who choose not to pay the fees (all of them, and they are many) every year, every upgrade cycle and then turn around and evangelize the product are suspect, questionable and above all guilty of something.
There is a concerted push to berate, belittle, ostracize and condemn anyone who doesn't accept blindly the assertions, claims and propaganda shovelled at them. There is a well thought out strategy to put the customer on the defensive and make them repeatedly explain the choice not to upgrade.
That's fucking asinine and I have nothing but contempt for those who practice such utter bullshit.
If you want my money - either to keep your business running (Microsoft) or to prop up your personal ego by ensuring you feel like you've made the right choices with your money (Microsoft fanboys) then you will have to convince me that what's on the table makes my life and my workloads, use cases and extant estate run better.
I'm the customer, damn it. Not a terrorism suspect captured at the border with a truck full of semtex and a USB key full of 56,000 American jobs in MP3 format. So don't get shocked and shaken if I get all ornery when you treat me like a US Customs and Border weasel with wide eyes at the prospect of finally having a chance to validate the existence of their job.
There is no moral equivalence in the online debate. One side is selling something and wants money from the other side. There are valid reasons for customers to be skeptical and they have every moral right not to spend money. There are no valid reasons to attack the customers and no company has a moral right to a customer's money.
Grok the gap?
Re: Dennis Miller
Um...Microsoft didn't bend on Win 8. The "compromises" they offered were an outright insult. None of the issues I raised were addressed at all. They made one grudging concession to the masses by putting in a button where the hotcorner was. That's it. Then they told the world how wonderful they are while secretly laughing and demanding we go twist.
To hell with the clientOS team. They can each and every one of them [something truly horrible]. Bastards to the very last one of them.
Re: Local GUI is not a problem
Because VMware is easy to set up and use. Install ESXi (which takes seconds) and wait for it to boot. Get the IP address it came up with and point vSphere at it. *BAM*. No other configuration required.
Hyper-V requires [expletive deleted] about with the [expletive deleted] thing just to be able to access it remotely. You either have to
1) Deploy through SCVMM in the first place
2) Install, then type a bunch of stuff in to domain join the host, wait for GPOs to apply, reboot. Oh, and you have to make GPOs in the first place to deal with firewall, etc because the thing doesn't ship "useful out of the box."
3) Faff around with a bunch of powershell in order to get it working off domain, which will either involve downloading and executing a script locally (fun times, wget is where?) or it will involve shooting yourself in the face as you try in vain to figure out what arcane madness that Microsoft wants configured to get a usable non-domain host that you can remotely work on using the standard management tools.
We like VMware because VMware is so simple to use you would have to have been lobotomized by a rototiller as a small child to screw it up. Do you remember why Microsoft got where it is today? It sold the world on ease of use. Today Microsoft is the one making software with an incomprehensibly difficult to use "out of box experience" simply because it wants to sell you on the up-jumped pricey management tools. The tools themselves (of course) don't work properly without buying even more Microsoft software so by the time you've tallied all the little marks on your stick Microsoft is easily as expensive (or more) just to get the same job done.
So which do you think people are eager to use? The one that says on the front "love us, we're cheaper" but in fact is the same price and significantly harder to get running outside of the very narrow cone of use case they've described with their automated install SCVMM spanky fun time woo-woo method, or the one that is equal cost, but consists of "click, click, DONE?"
Think about this really, really hard.
Re: I can't recommend it.
I am a Microsoft customer.
I am a Microsoft partner.
I am a Microsoft Certified Professional.
I am a Microsoft blogger.
I've written some pretty damned explicit things on the topic and asked some very direct questions. The response always goes like this:
Me: [Concerns listed in the article]
Microsoft: "We are constantly working to improve our compliance!"
Me: "Your compliance doesn't change your legal obligations. I want the ability to run Office 365/Azure/etc as part of a push-button-simple on-premises solution, or the ability for hosted providers in my own nation (who do not have business ties with, employees in or use servers in the USA) to provide me Office 365/Azure/etc such that my data is never, ever legally exposed to the government of the USA."
Microsoft: "We work hard to provide top notch technological solutions, but we cannot meet every edge case requirement."
I call bollocks. They have a deployable "Hosted Azure" solution as part of Server 2012 R2. No hosted Office 365. No hosted skydrive. Just a user portal that backs onto System Center and Server to allow users to spin up some VMs. Huzzah! They've finally caught up to VMware vCloud Request manager! Be awed by their might.
This is no different than my circular arguments with Microsoft (or hardened Microsoft fanboys) regarding Windows 8.
Me: [List of usability complaints we're all familiar with]
Microsoft "Microsoft has worked hard to incorporate touch as a first-class input mechanism and has enhanced productivity on all devices by providing a common interface regardless of where you use your computing device!"
Me: "Touch is not a benefit. I use a keyboard and mouse for [long list of activities and reasons]. What I want is for you to make using the keyboard and mouse better than it was in the previous version, especially for those people (like me) who are mouse-driven, not keyboard shortcut mavens. For [list of reasons] I do things like use windowed remote desktop sessions that don't pass through ctrl-alt-esx/Windows key, so your 'just use Windows-key and start typing' marketing verbiage is simple malarkey.
I also realise that with enough effort and additional third-party applications I can make Windows 8 as easy to use as previous versions, but what I want is for you to release a product that actually makes how I work better, less irritating and easier out of the box. Without having to buy additional hardware or third-party software beyond what I already have. I have a massive investment in my existing estate and if you want money out of me then I want to make that existing investment work more smoothly and efficiently for my real-world use. I don't want to have to piss around for hours on every new install I touch just to make things as usable as they were even one generation of your product ago."
Microsoft: "We work hard to provide top notch technological solutions, but we cannot meet every edge case requirement."
The really assholish ones are simply even funnier.
Me: "Man, Windows 8 is ass-tastic".
MS Fanboy: "It works for me, so it's not ass-tastic."
Me: "It doesn't work for me without way too much third-party customization. Is choice too much to ask for?"
MS Fanboy: "Well it works for me, so you're not the majority. The majority is all that matters. They shouldn't be giving you choice because you need to be dragged kicking and screaming into the future. You need to be like the majority. We know that this is what people want because Microsoft took metrics on that. It's science. Anyone who disagrees is an edge case who thinks they are a lot more important than they really are. There are only a handful of people who don't like Microsoft's design, because metrics tell us what the majority wants and we should all strive to be like the majority. Humanity can't afford to be held back by giving choice to the few. Microsoft did the right thing and you just need to learn to live with it."
Me: "Fuck this, I'm using Linux."
MS Fanboy: "See? You're a nobody nerd that is too full of ego, pride and hating the man to admit that Microsoft has designed a better way to work. You need to shave your neckbeard and just learn how to use things the way Microsoft designed things, you'd be happier then."
Me: "I can't hear you over the sound of my keyboard as I'm actually getting shit done over here."
Long story short: it doesn't matter if it is about privacy or user interfaces. Microsoft doesn't have a forum for the disenfranchised to voice their opinions and gives zero fucks about those who don't fit its very middle-of-the-bell-curve, American-centric view of the universe. They will design what they design and the rest of the world can go hang. Since the majority of multinationals are USian in nature, they have the planet by the business-document-format balls and that's all they need to keep on keeping on.
Where there is no requirement to care, Microsoft doesn't. But everyone is on the edge of the bell curve at some point and the more narrowly you tailor to the centre of that curve the more people fall outside the design lines. Microsoft and Microsoft fanboys complain about the "religious hatred" that greets them at every turn. I submit that the head --> desk experiences of nearly every person on the planet who has at one point or another found themselves on the edge of the bell curve with Microsoft refusing to give any fucks might perhaps be an explanation.
So I'll keep on being a refusenik until my needs are discovered by MS metrics to be no longer colour outside the lines. What else can a body do?
Then you have an easy job. The kind robots will be doing soon.
Re: RDP to the server itself?
You can RDP into the free hyper-v server itself. There is no classic GUI, however there is enough of one to be RDPable and it presents two CMD.EXE boxes for you to work with. (Just type powershell into the one to turn it into a powershell console.)
It's free to try and free to use. You can even run it on VMware with minor modifications for testing purposes (links at the end of the article.) Go give it a boo!
Re: You really expect Microsoft to actually DO something?
They have "Azure on premises" for Server 2012 R2. Where the fnord is my "Office 365 on Azure on Premises?" I'll go back to Microsoft's productivity suite if they give me a hosted version I can host on my OWN cloud to my customers.
You say "200 rainbow tables would have to be generated" like this was a barrier of some variety. I don't think you comprehend just how mind-bogglingly huge the compute resources of US.gov are.
Re: Simple technique to increase cypher strength
I think the idea of a crypto system that relies on randomness and ever-increasingly large primes is fundamentally flawed. It's flawed because the system simply relies on entropy to be safe. "It's harder to brute" means nothing when humans are not nearly so different as they think. There are seven billion of us; there are an incredible number of us who chose the same "unguessable" password, or password patterns.
So while some of the techniques you mention do certainly raise the barrier to entry for the crackers, fundamentally we need a change in how we approach crypto. What that approach is, I honestly can't say. I'm not a crypto genius. We need a revolution that is to crypto what general relativity was to Newtonian physics. That takes an Einstein. Someone who can think so far out of the box they redefine said box and its interactions with the universe.
Until then, the bad guys will continue to get better and we will continue to be even more vulnerable. Thus my call for "trustworthy by design." Don't assume that ANYONE is trustworthy when you design your application; including yourself or whomever is going to run the application.
Do not rely on cryptography alone to secure data.
Establish and maintain data custody at all points where the only person(s) with access are those who the creator of said data authorized explicitly. Any hole that a "bad guy" can slip through, a "good guy gone bad" can get through even more easily.
Re: Simple technique to increase cypher strength
In practice, the above would also be coupled with a random salt.
Except, in reality virtually nobody seems to salt their password hashes.
As for salt cracking, there are at least three good methods I know of:
1) Crack 2 (or more) passwords by brute force. Find what's the same and take that as salt. Attack rest of hashes.
2) Sign up for the service and use your known password to attack the hash to determine salt.
3) Find an e-mail address associated with a password hash that you already know the password to (because you cracked that user's password on another site and we all reuse passwords.) Use the known password to attack the hash and determine salt.
These are just the ones I know about and I am not a security expert.
Now, you're correct in that huge key sizes and large character values with password requirements that force the password to be something humans can't remember stands a chance of surviving even a trained hashcat operator with a 50-GPU mini-super sporting 12 ASICs for fun. (Which I am seeing more and more of on the cracking scene these days.)
That said: A) nobody uses those in reality. B) It still doesn't protect you against US.gov. And again, there are supposedly salt attacks out there I haven't heard of - I'm not cool enough to be in those password cracking clubs, you see - so I wouldn't be so sure about the security of hiding behind large numbers.
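The post above contrasts unsalted hashes, a single site-wide salt and a per-user random salt. The following is an added example, not code from the original post, showing with the Python standard library why a per-user salt combined with a slow KDF (PBKDF2-HMAC-SHA256 here) is the defensive baseline: with no salt or one shared salt, every user who picked the same password gets the same stored digest, so one cracked record reveals all of them at once; with per-user salts, identical passwords produce unrelated digests and each must be attacked separately. The user names, passwords and the iteration count are constructed sample values.

```python
"""Per-user salts plus a slow KDF versus unsalted / globally salted hashing.
Added illustration; not from the original post. Standard library only."""
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget


def unsalted_sha256(password: str) -> str:
    """Weak scheme: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_with_global_salt(password: str, site_salt: bytes) -> str:
    """One salt for the whole site: still identical across users with the same password."""
    return hashlib.sha256(site_salt + password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Recommended scheme: fresh random salt per user, stored beside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def count_duplicate_digests(digests) -> int:
    """Number of users whose stored digest is shared with at least one other user.
    This is what a leaked table reveals at a glance before any cracking is done."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)


# Constructed sample user base: three users chose the same password.
SAMPLE_USERS = {
    "alice": "Summer2013!",
    "bob": "Summer2013!",
    "carol": "Summer2013!",
    "dave": "correct horse battery",
}


def compare_schemes(users=SAMPLE_USERS, iterations: int = ITERATIONS) -> dict:
    """Duplicate-digest count under each scheme for the same set of users."""
    site_salt = os.urandom(16)
    passwords = list(users.values())
    return {
        "unsalted": count_duplicate_digests(unsalted_sha256(p) for p in passwords),
        "global_salt": count_duplicate_digests(hash_with_global_salt(p, site_salt) for p in passwords),
        "per_user_salt": count_duplicate_digests(make_record(p, iterations)["digest"] for p in passwords),
    }


if __name__ == "__main__":
    print(compare_schemes())  # expect 3 duplicates for the first two schemes, 0 for the third
```

The duplicate count is the point: a shared salt still lets an attacker spot and crack clusters of identical passwords in one go, which is exactly the "find what's the same" weakness the post describes, whereas per-user salts force one KDF run per guess per user. The iteration count is what makes each of those runs expensive; store it with the record so it can be raised later without invalidating existing accounts.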
Re: the off-line solution
How's that any different from two-factor authentication in terms of time required to execute? All the while being even less secure? As discussed in the article, 30 seconds-ish per login mounts up...
Re: Simple technique to increase cypher strength
Dan Goodin at Ars Technica has a series of articles on cracking passwords that you really should read. Some of what you say is true. Some of what you say is...out of date. I'd have agreed with you a few years ago, before Hashcat, modern pattern matching, anti-salt techniques and GPU + ASIC mini-supers.
Re: Simple technique to increase cypher strength
The problem is that brute forcing a password is only actually a requirement for a very small number of passwords in any given list of hashes. Our techniques for cracking password hashes and encryption have evolved so far beyond brute force that mere entropy is no longer a workable measure of password difficulty. Instead, randomness is becoming highly critical; passwords cannot be allowed to match any known pattern.
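The "Simple technique to increase cypher strength" replies above cover two things: what a salt does to a hash list, and how rule-based guessing has replaced blind brute force for most passwords. The block below is an added example, not code from the thread or from any cracking tool. It builds a constructed four-user table twice, once unsalted and once with a per-user salt stored in the clear beside the hash (as a real database stores it), and runs a small dictionary-plus-rules attack over both. Every user name, salt, password and word in the list is made up for the example; the hash is a single fast SHA-256 so the demo runs in well under a second.

```python
import hashlib

# Constructed sample data for the example (not from any real breach).
# The salt is stored beside the hash in the clear; it is not a secret.
SALTS = {"alice": b"\x01" * 8, "bob": b"\x02" * 8, "carol": b"\x03" * 8, "dave": b"\x04" * 8}
PASSWORDS = {"alice": "Password1!", "bob": "dragon", "carol": "Tr0ub4dor&3", "dave": "dragon"}
WORDLIST = ["password", "dragon", "letmein", "monkey"]  # tiny stand-in for a real dictionary


def hash_password(password: str, salt: bytes) -> str:
    """One fast, unkeyed hash: SHA-256(salt || password). Enough for the demo, too fast for real use."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_db(salted: bool) -> dict:
    """Return user -> (salt, hexdigest). The unsalted table is the same call with an empty salt."""
    db = {}
    for user, pw in PASSWORDS.items():
        salt = SALTS[user] if salted else b""
        db[user] = (salt, hash_password(pw, salt))
    return db


def shared_hashes(db: dict) -> list:
    """Groups of users whose stored digests are identical. A non-empty result reveals
    'same password' without cracking anything; a per-user salt makes it empty."""
    by_digest = {}
    for user, (_, digest) in db.items():
        by_digest.setdefault(digest, set()).add(user)
    return [users for users in by_digest.values() if len(users) > 1]


def mangle(word: str):
    """Rule-based candidates: cheap pattern transforms that stand in for blind brute force."""
    leet = word.replace("a", "4").replace("e", "3").replace("o", "0")
    for base in dict.fromkeys([word, word.capitalize(), word.upper(), leet]):  # dedupe, keep order
        yield base
        for suffix in ("!", "1", "123", "1!", "2013"):
            yield base + suffix
        for n in range(100):
            yield f"{base}{n}"


def crack(db: dict, wordlist) -> tuple:
    """Offline dictionary+rules attack on a hash table.
    Returns (user -> recovered password, number of hash evaluations).
    Users sharing a salt share one evaluation per candidate; with no salt, one hash covers everyone."""
    by_salt = {}
    for user, (salt, digest) in db.items():
        by_salt.setdefault(salt, {}).setdefault(digest, set()).add(user)
    found, evaluations = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            for salt, lookup in by_salt.items():
                evaluations += 1
                for user in lookup.get(hash_password(cand, salt), ()):
                    found.setdefault(user, cand)
    return found, evaluations


if __name__ == "__main__":
    for salted in (False, True):
        db = build_db(salted)
        found, n = crack(db, WORDLIST)
        print(f"salted={salted}: shared={shared_hashes(db)} cracked={found} evaluations={n}")
```

Run it and the two tables crack to the same three weak passwords; "Tr0ub4dor&3" survives only because it matches none of the rules. What the salt changes is the cost and the leakage: the salted run needs four times as many hash evaluations (one per distinct salt) and no longer shows that bob and dave share a password. Making each evaluation slow (an iterated or memory-hard KDF) is a separate knob that this block deliberately does not turn.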
Re: Lastpass crypto
Whatever the handwaving, the end result is that your passwords are encrypted and stored in the LastPass cloud. When I download the client to a new computer and log in with my LastPass master password I instantly have access to my full database of passwords on that new computer. I can log in to anything I want.
That means that there is enough information on the LastPass cloud to reconstitute my username and password for every single website I have stored in there. There may be layers to the encryption, but encryption can be - and is - broken. I'm sure you're next going to trot out some obscenely long period of time it takes to brute force whichever set of algorithms were chosen. Let me save you the trouble.
You know and I know that encryption and password hashes both are rarely brute forced anymore. There are about eleventy squillion techniques ranging from the humble dictionary attack to pseudo-brutes using "common patterns" combined with various advanced dictionaries that will solve the overwhelming majority of decryption tasks. Brute forcing is rarely ever necessary.
In a lot of ways, LastPass is even more vulnerable than a simple database of hashes because of the vulnerability of that master password. The Master Password has to be something a human can remember in order for the system to work. So even if the encrypted container/hashes/what-have-you on the lastpass side can't be bruted, the master password is highly vulnerable and thus so is everything it protects.
Look, I'm not bashing LastPass here. I wouldn't use it unless it kicked ass. It's probably the best defence we currently have. It is, however, not remotely perfect. If nothing else, it is vulnerable to the feds. They could walk through the LastPass defences like a hot knife through butter if they wanted to and there isn't a damned thing anyone can do about it.
So long as enough information exists in a cloud service stored on United States soil to reconstitute my passwords enough to log in to online services then those passwords - and everything they are meant to protect - belongs to the United States government as surely as if I had written it all down on a sheet of A4 and left it in my pocket whilst crossing the border.
The LastPass hashes live in the cloud. All you have to do is download the client, feed it the password and it will fetch the hashes and install them locally. Your master password is not stored on the LastPass cloud, but a hash of that password is, so that you can authenticate and then download your password information.
That makes the whole thing a pretty damned tempting target. A hash is almost as vulnerable today as a plaintext password. It's pretty terrifying how quickly a well-trained crypto-cracker can wade through a list of millions of hashes and crack upwards of 95% of them in a few days. We like to ignore it, yet it happens with alarming regularity.
It doesn't matter if the hashes are stored in a database as hashes in the traditional sense, or an encrypted file filled with password info (which is probably worse, as it's a single attack point.) The point is that your information is wrapped up in increasingly easy-to-defeat encryption then stored centrally, alongside everyone else's.
As to storing them on my local machine being somehow "safe"...tell me, sir, are you 100% positive - willing to bet your finances, your job, your life on the fact - that your local machine is not compromised by malware? If you are then I invite you to please write an article for The Register detailing exactly how you know that. Nothing is really safe, it's just a question of which systems are worth the value to attack.
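The LastPass exchange above turns on what a server-side record lets someone do offline once they hold it. The block below is an added, simplified model written for this page; it is not LastPass's code and does not claim to be its exact scheme. The assumptions: the client derives a key from the master password with PBKDF2-HMAC-SHA256 (salted with the account email), the server stores only a hash of that derived key for login, and the vault is encrypted under the key. The "cipher" is a toy HMAC-SHA256 keystream so the example needs nothing beyond the standard library (a real product would use AES); the email, master passwords, vault contents and word list are all constructed.

```python
import hashlib
import hmac

ITERATIONS = 5000  # assumed iteration count for the example; the point is cost per guess


def derive_key(master: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt = account email)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), email.encode(), iterations)


def auth_hash(key: bytes) -> str:
    """What the server stores for login: a hash of the derived key, never the master password."""
    return hashlib.sha256(key).hexdigest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Stands in for AES so the demo is stdlib-only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def enroll(master: str, email: str, vault_plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """The record the service ends up holding: email, login hash, encrypted vault, KDF parameters."""
    key = derive_key(master, email, iterations)
    nonce = b"\x00" * 8  # constructed for determinism; real use needs a fresh random nonce per encryption
    return {"email": email, "iterations": iterations, "auth": auth_hash(key),
            "nonce": nonce, "vault": keystream_xor(key, nonce, vault_plaintext)}


def offline_attack(record: dict, wordlist) -> tuple:
    """Whoever holds the server-side record guesses master passwords with no rate limit.
    Returns (master or None, decrypted vault or None, total KDF iterations spent)."""
    spent = 0
    for guess in wordlist:
        key = derive_key(guess, record["email"], record["iterations"])
        spent += record["iterations"]
        if auth_hash(key) == record["auth"]:
            return guess, keystream_xor(key, record["nonce"], record["vault"]), spent
    return None, None, spent


# Constructed inputs for the demo.
VAULT = b'{"example.com": {"user": "alice", "password": "correct horse battery"}}'
WORDLIST = ["letmein", "password1", "Summer2013", "dragon"]

if __name__ == "__main__":
    weak = enroll("Summer2013", "alice@example.com", VAULT)
    print(offline_attack(weak, WORDLIST))
    strong = enroll("J7!wq-Ae9kZpL", "alice@example.com", VAULT)
    print(offline_attack(strong, WORDLIST))
```

The login hash and the ciphertext are both checkable offline, so the stored record is exactly as strong as the master password against whoever has a copy of it. The iteration count is the only lever the service controls: raising it multiplies the attacker's spend per guess linearly, which is why the `spent` counter is returned alongside the result.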
Re: I'm not sure Microsoft *has* won.
8.11 for Workgroups does not fix any bloody issues. A Start button that brings up the Start Screen? *bzzzzzzt* Wrong answer! Explorer (and so much else) still has Ribbon bars? *Bzzzzzzzzt* I could go on - at length - but 8.11 for Workgroups doesn't actually address any of the concerns that the general public raised. It was a shitty token gesture designed to seem like outreach without doing a goddamned thing to change the real issues.
8.11 for Workgroups is Microsoft's way of "doing something" that is in fact nothing so that they can get on their horse a month later and scream "but we did what you want!" They'll claim "persecution" and will start a P.R. war whereby they blame their opponents (Google, Amazon, etc) for "fighting dirty" by funding (or arranging airtime for) people who continue to highlight legitimate grievances with Windows 8, or the general "trustability" of Microsoft.
8.11 for Workgroups is a mirage. A handwave to befuddle the gullible and give them justification for a protracted campaign aimed at silencing dissent. Microsoft has thrown power users under a bus and done so on purpose. They've done it for the same reasons Apple has. It will come back to bite both of them in the ass in short order; on that day, I will give out free popcorn. Until then, well, Windows 7 doesn't end support until 2020 and Cinnamon works just fine for me...
Hmm...I'll buy that. Gods know I choose to drive instead of facing the airport security types. Not that the border guards at the road crossings are all that much better...
Because you often have to set the damned thing up using IPMI or other such things to get them remotable *before* you can get remote access even working. Other times you want to work on a file that lives on the system without dragging the file off the system or finding some way to get access to the local file storage on that system from your remote station.
In a unix world the shell is all. I just need one port open and I can get through to do my administration. No additional services, no additional windows, no nothing. Just one black box per server. In the Windows world I have to strip the bloody server naked and let all the bits hang out so that I can even edit a text file! WHAT. THE. FUCK.
Microsoft still lives and breathes eggshell security. Harden your edge, but behind that edge you need to wander around with your WMI, SMB and $deity only knows what else hanging out just to do basic administration! This is in contrast to a Linux world; there I have a hardened edge and layers of security - from obscurity by changing SSH off default ports to things like Fail2Ban to lock out attacks to layers of logwatching - that lock down a server INSIDE my network just as though it were facing the internet itself with no deprecation in usability or administrability.
Look, I don't buy eggshell security. Securing the edge is not enough. A) the edge is coming to you. IPv6 will eat your family. B) Something behind your edge is always compromised. Wee willy wonka the lobotomised salesdrone really likes barney BDSM porn and he's perpetually infected. Meanwhile, you forgot to firmware update your IPv6 lightbulbs and half of them are supporting malware that's probing your infrastructure from the inside.
So no, I don't want to use the PowerShell ISE. This doesn't solve my problem of opening a text file on the remote server without opening more holes. Not only that, the damned thing is Windows only; I stopped using Windows as my primary desktop environment ages ago. Have you seen Windows 8? Microsoft lost the plot and their corporate ego won't let them regain it.
Powershell is a necessary evil. It is unquestionably the future of administering Windows Servers because Microsoft says it is the future of administering Windows servers. What it isn't is good enough. It's all sorts of bitchin' and powerful but it is still designed solely for cleanroom sysadmins with their procedure manuals and testlabs and 3 month concept-to-implementation timeframes.
It is not something that lets me log in to a system and fix the fucking thing. It is a configuration tool that I see akin to "the Cisco IOS for Windows Server and associated applications." You don't log on to a Cisco router and just fix it. You never make live changes to a production unit without simulating and testing and layers of covering your own ass.
PowerShell is the same thing. You build your PowerShell config carefully in your cleanroom and then you push it out to the system and set that system's state. PowerShell really, really wants to be Puppet when it grows up. Given the awesomeness of Puppet, DevOps as a model for enterprise and commercial midmarket IT and so forth...that's great! Go Microsoft!
Systems administrators for smaller shops where budgets, staff and every other conceivable resource are as minimal as possible are firefighters. When you fight fires all day long, you want this. This is what Bash and the associated bog-standard utilities are.
When I'm in the middle of trying to put out 50 fires at the same time and you tell me to use PowerShell you are telling me to put out a burning building with this.
PowerShell is not a way to administer a system. It is a way to configure it. They are still completely different things. You can get up on your horse and sneer disdainfully at the rest of the world and say asinine things like "well, if those sysadmins were any good, they'd never have fires to put out because they'd have adopted DevOps and be doing everything with huge pre-planning and simulation and testing." I'm sure you've thought it more than once reading this comment.
The reality of the matter, however, is that the majority of systems administrators simply don't get that option. They aren't in control of the budget. They don't set corporate IT policy. They don't have much control over any aspect of their jobs, really, and they simply do as they are told or they get replaced. They are told what to do not by some senior IT person who is themselves responsible for setting policy, but by the accountant, the sales clerk, the marketing wonk, the CEO and the janitor.
In most companies, sysadmins are the lowest ranking member of the corporate structure. They are there to serve. To make things happen whenever they are told and they are not expected - or allowed - to talk back. If they say no, they get fired; pure and simple.
In this situation, these people are fighting fires all day. They are fighting fires because they have to make quick changes to live hardware without simulations or a testlab. They need to back all this up (before and after) and they need to manage hundreds (if not thousands) of different types of devices and applications.
They move from device to device, server to server, application to application solving other people's problems in real time. This is why they can't use eggshell security. It could be months or even years before they get back to a given system and then only because it did something it wasn't supposed to.
Every system they use has to have a complete set of tools on it. They can't wander around remotely accessing the system from their carefully maintained desktop; there may be layers of firewalls, VPNs, and gods only know what else between them and the target system. They may be RDPing in to a server then RDPing into another system then launching PuTTY to manage something because of a series of political and economic decisions taken by the business over the course of decades that isolated that system in that office in this particular way.
PowerShell as it stands today is virtually useless in that environment. Again: it is for configuration not administration. Maybe next version...
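The post above lists Fail2Ban and log watching as the layers that let a box inside the network be treated as if it faced the internet. The block below is an added example of that detection logic, written for this page and not taken from Fail2Ban or from the poster: a sliding-window failed-login counter run over a few constructed sshd `auth.log` lines, with the jail parameters named after Fail2Ban's `maxretry` and `findtime` (an assumption about naming, not a use of its code). The host name, IPs, users and timestamps are all made up, and the year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt in the syslog format sshd writes (no year, as in real syslog).
# 203.0.113.7 hammers the box in a few seconds; 198.51.100.20 fails once every 15 minutes.
SAMPLE_LOG = """\
Jun 12 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 12 10:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 12 10:00:04 web1 sshd[2003]: Accepted publickey for ops from 198.51.100.20 port 40000 ssh2
Jun 12 10:00:05 web1 sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Jun 12 10:00:06 web1 sshd[2005]: Failed password for ops from 198.51.100.20 port 40010 ssh2
Jun 12 10:00:09 web1 sshd[2006]: Failed password for invalid user oracle from 203.0.113.7 port 51151 ssh2
Jun 12 10:00:10 web1 sshd[2007]: Failed password for invalid user guest from 203.0.113.7 port 51160 ssh2
Jun 12 10:15:00 web1 sshd[2010]: Failed password for ops from 198.51.100.20 port 40020 ssh2
Jun 12 10:30:00 web1 sshd[2011]: Failed password for ops from 198.51.100.20 port 40030 ssh2
Jun 12 10:45:00 web1 sshd[2012]: Failed password for ops from 198.51.100.20 port 40040 ssh2
Jun 12 11:00:00 web1 sshd[2013]: Failed password for ops from 198.51.100.20 port 40050 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text: str, year: int = 2013):
    """Yield (timestamp, source ip) for each failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bans(text: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Sliding-window counter per source IP.
    An IP is banned at the moment it reaches `maxretry` failures within the last `findtime` seconds.
    Returns ip -> timestamp of the ban decision."""
    window = defaultdict(deque)
    bans = {}
    for ts, ip in parse_failures(text):
        if ip in bans:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def ban_commands(bans: dict) -> list:
    """Firewall actions for the decisions, as the rules a jail would insert."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    decisions = find_bans(SAMPLE_LOG)
    for ip, when in decisions.items():
        print(f"{when}: ban {ip}")
    print("\n".join(ban_commands(decisions)))
```

With the default window the fast attacker is banned on its fifth failure at 10:00:10, while the slow one never accumulates five failures inside any ten-minute span and walks straight past the jail; widen `findtime` to an hour and drop `maxretry` to three and both are caught. That trade-off (catch low-and-slow versus lock out a fat-fingered colleague) is the whole tuning question for this layer, and the "Accepted publickey" line shows why the parser must key on the failure message rather than on any line mentioning the IP.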
No, I can't use the old ones because they aren't ubiquitous. The Text editor *NEEDS* to be part of the CLI and installed on BLOODY EVERYTHING with PowerShell on it. This is why I won't move back to Windows for my unattended servers; the tools I need just aren't there as part of the CLI shell. If I have to start installing a bunch of tools onto my Hyper-V boxes then they cease being simple, interchangeable deployments and start being special flowers that each need attention. EDIT was part of the DOS-style command line for ages. BRING IT BACK.
Perl is good for those raised on Perl. I cut my teeth on VB and PHP. I'm not a developer by trade, and while I can read Perl, I don't think in Perl. I have coded so much PHP in my life that I think in PHP. I don't know of any other way to explain it; every other language I use is one for which I have to build a translation matrix in my head and map the functions of that language back to PHP functions that are part of my mental "muscle memory."
I can go months without using PHP and then pick it up again in minutes. If I go even a few days between Perl, Python, PowerShell or other coding stints, I'm pretty much back to square one. I don't know if that makes sense, but that's how it is. I don't have an eidetic memory; if I am going to learn a language it is going to have to be something I use every single day for so many months that it is burned into my synapses. For me, the ONLY things that ever achieved that level are DOS BATCH, HTML, and PHP.
If you want the barrier to uptake, it's that, RIGHT THERE. PowerShell is the bee's knees if you can work with it for 8 hours a day for months on end and you have time to learn, play, explore and so forth. If you manage a heterogenous environment and spend the majority of your time hip-deep in Linux, VMware and DSM (with Windows largely taking care of itself) then PowerShell is a hindrance, not an enabler.
PowerShell is a bitch of a thing to get in to if you only do Windows part-time...and the majority of that isn't "experimenting", it's "putting out fires."
Re: shells, configs, editors etc
Trevor is weirded out by all the third person references to himself. Also: I'm ambivalent about PowerShell, myself. I prefer flat config files wherever possible. I like to be able to get in with some basic string manipulation stuff that I can knock together in any scripting language (from BASH to PHP) and pick apart whatever the file is. PowerShell is very...Microsoft.
If it has to be "not a flat text file" I'd prefer that all configs be something I can pull and then re-enter as XML - which admittedly is sort of possible in PowerShell - by using the language of my choice. I don't have *time* to learn a new scripting language. Certainly not one as badly documented as PowerShell. (Though again, Microsoft is getting better here.)
I *like* doing my configs in PHP for two reasons: I know the language by heart, and PHP.NET has the best damned documentation on the planet. Replete with examples and a community contribution section where commenting, common use cases and expansion on the functions in the language are integrated into the documentation.
In Linux I can easily knock together a BASH script that takes down a service, runs a PHP script to make whatever changes I need, then lights back up the service. I can manipulate all sorts of stuff in the file system in PHP and basically work in an environment I'm comfortable in without having to learn a whole pile of new stuff.
PowerShell is amazing. It's a great technological achievement and a good way of doing things. But it still doesn't have a command-line text editor. I can't simply *live* in PowerShell the way I can in bash. I have hundreds of servers I have only ever interacted with using SSH and BASH...PowerShell always requires me to pull up a PowerShell IDE or Notepad (at least!) and probably a dozen browser tabs to figure out what the hell I am supposed to do.
There's an element of "Get off my goddamned lawn" to my PowerShell ambivalence. But there is also a sense that the people designing PowerShell are DevOps-style "we're developers that think we're sysadmins" types who design for great big farms of identical machines. They aren't sysadmins who have only a handful of servers and who have to make changes to live systems without 8 days of testing in the lab.
PowerShell is for people who live in cleanrooms. BASH is for people who take cars apart and have grease on their hands. At least, that is how it has seemed to me so far.
Re: @Trev - IPMI?
Yeah; I'd have to agree. My gripe with Supermicro's IPMI is that the KVM client runs on Java...but otherwise, solid stuff. There's a look into it here: http://www.theregister.co.uk/2013/04/22/dont_buy_without_ipmi/
Re: Like for like comparison required
Derp; I meant 64-bit ARM.
Re: Like for like comparison required
If and when a 64-bit Atom falls into my lap...
Re: Still prefer a HP 54L
Uh...the Centerton has two hyperthreaded cores...
But for tossing a few Linux VMs that just wake up, respond to something and go back to sleep it's not a bad little box. It's a lot less of a pain than trying to build some Raspberry-pi-alike box for each function then lashing the lot of them to a pole. Standard software, standard management tools, etc.
It's "good enough" for a lot of things that might have driven me to ARM. Which, really, is the only reason the thing exists in the first place, so it's doing its job, I suppose...
Re: Elephant time again
This is addressed in a future article.