Somebody could have done that right now as well, but nobody has made them so far (or used them in any significant way that people know of).
Instead of (ab)using somebody else's mistakes to your own advantage (and possibly have it backfire) you could also tell that person about their mistakes so the whole world could benefit and there would be 1 issue less in the world to worry about.
People have, in the past. The problem is that we will never remove all 0days until we stop releasing software. That's not to say we shouldn't try (to Quarrelsome's point), but eventually the stockpile today will be obsoleted by the stockpile of tomorrow. And if nation states didn't have a pile, the seedy side of the internet would, alongside trading botnets, credit card lists, etc. My point being that while noble efforts, it won't go away and we need to figure out how to deal with it.
Here's one reason such a stockpile could be used for good: say a previously unknown vuln is attacking "our" (whomever that is for you) infrastructure. The command and control has been traced back to a cluster that's vulnerable to one of the weapons in your stockpile. Now you can potentially disable it, stop it spreading, tell all of them to run an updated version of the code that essentially does nothing, etc. For all I know, this could have happened already.
> White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons.
Am I to understand that if somebody managed to steal nuclear warheads and launch them we wouldn't hold the people who failed to protect them responsible?
I agree that's a bit of a stretch for a comparison. I think it would be closer to saying that the NSA found a key to a company's system, didn't inform the company, and then got the key stolen from them by criminals which then brought down the system.
Obviously that's extremely simplified, but all parties here are at fault. And all we're seeing is a bunch of finger pointing, with not enough defensive and preventative action being taken.
Disclaimer: I am a parent. Regardless, here's my 2c:
I can't speak for the places where this article was published but given this site is its only source this will mostly be read by people that are in general interested in programming or have some interest in open source software. I think we need some kind of future where these genes might be needed to actually help turn the tide on most of the problem with overpopulation, the environment and climate change.
This will most likely not be read by people that do not care about programming or open source software or simply do not care about any of this stuff. They will still reproduce and make the problem bigger. I would say the people that DO care about all these things need to be well represented in the future as well if we want to see change in the future as well.
I am not saying he makes no valid points but these points mostly miss their target audience and are read by the wrong group of people.
It doesn't necessarily need to be your own kids that you teach these skills to.
There are lots of programs to which you can donate your time to help teach children, and we should all be doing that more.
Yes, there is some amount of genetics that will not get represented, but I don't actually believe that the human genetic pool is so focused that we will actually miss out on some next evolutionary step.
It seems to work pretty well. I can understand how this is far from perfect so far, but the thing that bothers me the most is that there is no apparent caching mechanism, and even though my internet connection is pretty fast it will take a good 10-20 seconds to go through all the links. Once you have determined a site to be clickbait or not, maybe cache it so I don't have to wait 20 seconds every time I come back. Additionally, this will save a lot of bandwidth.
There are always jobs that are worse in some way. If a plumber screws up you might get a wet floor or sewage in the street. If some banking software makes a flaw, you can't just pick up a mop and clean it up.
There are always jobs that come out worse in some category compared to programming. The problem here specifically is that given you have written 50% of the software people are using and investors are making some millions out of it while you make $40K a year, because they sort of lured you into a deal that apparently is not working out too great for you because you were so focussed on getting the lines of code rolling out they sort of took advantage of the situation?
Investors may be taking advantage of your labour, but this is the nature of every business. The business owners take advantage of employee labour to make a lot more money than the employees. I find the entitlement to better terms than people in other fields that frequently crops up here incredibly pretentious and self-righteous.
I think that's a disingenuous comparison. If you're comparing to banking software, imagine a plumber that causes four floors of a high-rise to get flooded, leading to 5-figures of damage and additional lost time. Or perhaps an underwater plumber, where the cost to fix the leak is high.
If we're looking at house plumbing, it might be more fair to compare it to a CRUD app that facilitates iguana breeding (unsolved problem here, folks!).
So by the looks of the picture halfway down the page the porn filter in the UK has also been removed because they are labeled as 'free'? or is porn not a part of (internet) freedom anymore?
With Germany prosecuting people who download torrents, UK banning internet pornography and US manhunt against Edward Snowden and Assange, there is definitely more than one shade of free. The image of freedom is being shaped and tailored for everyone individually, it's a Brave New World out there.
Pretty neat for the older generation, until you run into one of these sites that insist that they know how to properly do password security and require you to have at least 1 number, at least a 'special character' (of which the definition is often very vaguely described); it should consist of at least 8 characters and also be no longer than 12.
You will soon come to the conclusion that it is still easier to teach people to use a password manager for this because these schemes are nice but only get you this far before you have to revert to remember that single password again.
I don't understand how that wouldn't work within the system described in the blog post. Couldn't you just write down `anger lunar @1` and follow your personal secret munging rule, so it becomes `ngeraunarl@1` (or whatever)?
The problem is that if you stumble upon three of these different requirement sites that break with your Two Step Authentication process as described in the article, you're going to forget about this rule.
I don't see why you couldn't modify the concept to always include numbers and special characters.
For example, your "password" could be a combination of words, numbers, and characters while the "thing you know" is something like capitalizing the even or odd first character corresponding with the even or odd number corresponding to the first letter of the site or company, and combine that with the even or odd sequenced number and character in their sequential location in the password or at the end or beginning of the entered password.
I'm sure I could describe that more clearly if I tried.
Then you run into the problem of idiotic sites not allowing special characters, or numbers, or even uppercase (I am looking at you, rvtrader.com...)
The second main reason passwords suck (after the fact that users tend to choose weak passwords) is that developers implement all sorts of contradicting password rules.
No, because standard UX only gives you the arbitrary rules at creation time vs login time, so when logging in you don't know which rules you had to comply with.
Can't wait till we check min entropy and otherwise don't care.
Between now allowing very long passwords, the free 2-factor token (hardware Symantec VIP, not SMS based), and being able to lock your accounts with a voice password/passphrase that you must give the rep to discuss your account on the phone (so then just SSN/mother's maiden name/birthdate isn't enough), I think they've pulled quite far ahead lately. It's better than any of the other banks I've used.
[Note: voice password is not their voice fingerprint silliness their reps will think you are asking about at first]
That is a valid question to ask authors of systems that do not allow passwords longer than 12 characters (or 8, which is another popular upper limit, which can have some vaguely meaningful technical reason for legacy systems).
My old bank required an exactly 5 character password.
They had two factor authentication though, with a phone call or SMS. What happened if you forgot your password? Well you had to reset it, using only phone call/SMS, of course!
Banks are more willing to eat the fraud costs involved with real-world compromised PIN codes than to deal with the customer support for forgetful users.
Our HR management system at work, which manages all payslips and tax returns, only allows passwords between 8 and 9 characters; they have to start with a letter, they have to contain one of the following: "@", "_", "-", "$", but no other special characters are allowed. It has to contain one number.
It's the most bizarre password requirement I have ever seen and I am pretty sure it's not secure. Have I mentioned it only works in IE and uses ActiveX controls?
This is usually the case but there are frequently short length restrictions even when it's hashed. Sometimes only on the client side too, so you can just remove the attribute from the input.
Because a lot of companies have no technical expertise at all.
American Express used to enforce insane limits on passwords back in 2010[0]: 6-8 characters for passwords, no special characters, and it had to have 1 letter and 1 number, and it wasn't case sensitive. Unfortunately _I_ had an Amex card.
That page I linked to also has a reply from Amex support who shows little knowledge about the difference between passwords and website encryption.
They eventually started expanding that limit from 6-8 characters to 8-20 characters around 2012? 2013?
You could use a hash-based password generator and write the input seed, plus the constraints for the password. Or keep the password verbatim, it's not like the site is really secure anyway.
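As an added illustration of the hash-based generator idea above (example code, not from the original thread), this derives one password per site from a master secret and fits it to a site's constraint set by construction. The rule sets, field names and site names are this example's own; `HR_RULES` is modelled on the 8-9 character HR system described earlier in the thread.

```python
import hashlib
import hmac
import string

# Constructed constraint sets. HR_RULES mirrors the HR system in the thread:
# 9 characters, first character a letter, one digit, one of "@_-$", no other
# symbols. NO_SYMBOL_RULES is a site that forbids special characters outright.
HR_RULES = {"length": 9, "symbols": "@_-$", "digits": True}
NO_SYMBOL_RULES = {"length": 12, "symbols": "", "digits": True}


def derive_password(master_secret: bytes, site: str, rules: dict) -> str:
    """Derive a deterministic site password from a master secret and the site's rules.

    HMAC-SHA256(master_secret, site) is read as a 256-bit integer and sliced into
    characters by repeated divmod. Slot 0 is always a letter, the last slots hold
    the mandatory digit and (if the site allows one) the mandatory symbol, and all
    other slots are letters, so the output satisfies the rules by construction.
    Reducing a 256-bit value modulo these small alphabets leaves no practical bias.
    """
    length = rules["length"]
    if not 3 <= length <= 40:  # one digest block covers about 40 characters
        raise ValueError("unsupported password length")
    classes = [string.ascii_letters] * length
    tail = []
    if rules["digits"]:
        tail.append(string.digits)
    if rules["symbols"]:
        tail.append(rules["symbols"])
    for i, alphabet in enumerate(tail):
        classes[length - 1 - i] = alphabet
    digest = hmac.new(master_secret, site.encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest, "big")
    out = []
    for alphabet in classes:
        value, idx = divmod(value, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def satisfies(password: str, rules: dict) -> bool:
    """Check a password against a rule set the way the site's form would."""
    allowed = set(string.ascii_letters + string.digits + rules["symbols"])
    return (
        len(password) == rules["length"]
        and password[0].isalpha()
        and all(c in allowed for c in password)
        and (not rules["digits"] or any(c.isdigit() for c in password))
        and (not rules["symbols"] or any(c in rules["symbols"] for c in password))
    )
```

Because the output is a pure function of the master secret and site name, changing a single site's password means changing the site label (for example appending a version suffix) and remembering it, which is the constraint a password manager removes.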
Not to mention that once again fear will be the great motivator to open up the debate about 'prohibiting encryption' and 'regulating bitcoin' and the likes.
I believe we would be far better off not acknowledging whatever 'terrorist' organisation or group might have been behind this by spouting out '<terrorist organisation X> has taken credit for the attacks in Brussels' in the media. Yet we all know this is what will happen. Also the religion aspect will be brought in again because the organisation acts because of their beliefs. Hate will be harvested on both ends. We could possibly lose a bit of freedom, sit out and wait for the next attack.
I have not had the exact same experience but I traveled very often by car through Germany (as a Dutch citizen) for holidays. My experiences are as follows:
- Drive in a (new) Audi A3 on lease:
Get stopped every other time. Completely strip my car and luggage. Throw everything on the ground until everything was spread in a 3m radius around my car. Leave me to pick everything up and tetris it back into the trunk and instead start complaining about how the car is not registered on the same name as my passport.