Passwords: Too Much and Not Enough
Why would it ever be even close to that high. Every decent system I have ever encountered raised some serious flags after 3-5 wrong guesses. If you flag an account after 10 wrong guesses, start requiring a CAPTCHA after the first one, and ban ip addresses when you detect massive multiple account attempts, you can offer security fool proof security, with, lets say, around 100 guesses.
If it only takes 100 guesses, then an attacker can slowly try passwords stretched out over time, depending on his victim's routine behavior of logging in a couple times per day to reset the fail count. Or maybe he can try 1 guess (with 1/100th odds) on each account in the target system. If there are hundreds of accounts... well, you get the idea.
IP-based banning can make this harder (forcing the attacker to find/use multiple victim PC's), but it's not widespread yet (for instance, I don't think Active Directory or slapd support it).
How To Beat Online Price Discrimination
[Coupons are] there to get people to make decisions that they otherwise wouldn't make, usually bad ones.
In addition, they serve as a form of price discrimination: you can save a nice chunk of change on groceries by taking an hour each week to clip your way thru the Sunday paper, but once you have enough disposable income (and perhaps less leisure time) it's no longer worth it.
DHS Investigates 24 Potentially Lethal IoT Medical Devices
Don't get me wrong: safer programming languages and runtimes definitely help, especially with buffer overflows (thanks C++!), but it's one aspect of many that impact security.
it won't prevent devs from concatenating SQL with user input
You can't do this in, say Haskell, unless you write your own SQL interface library that builds solely on strings.
Granted, I lost interest in Haskell somewhere around hitting the Functor/Monad point, but if devs can send raw SQL to the database, they will do so.
misusing threading primitives
You can't do this in concurrent safe languages, like Concurrent ML, Rust and Haskell.
Yes, you can.
So basically, safety properties have importance on par with domain requirements, and must be subject to the same rigour that domain features get, ie. testing, verification, etc.
Good luck spreading that attitude. Makers of device drivers, SCADA, etc., dearly need it.
Basically, the safer the language, in the sense that the more properties can be assured at compile-time, the more features and safety properties you can verify, and the fewer security vulnerabilities.
That helps get us closer, certainty. The language and runtime can help catch/eliminate common, elementary mistakes. It's not the silver bullet though: wherever creative work is being done, therein lies the potential for new vulnerabilities.
DHS Investigates 24 Potentially Lethal IoT Medical Devices
Anything computerized with a network connection can (and most likely WILL) be hacked...
Not if you take appropriate precautions, like using a safe programming language.
Don't be naive... security is a deep and subtle problem, full of nasty surprises. There is no magic bullet solution... your "safe programming language" has thousands of bugs in its standard API and run-time; it won't prevent devs from concatenating SQL with user input, misusing threading primitives, or bungling up an authentication protocol; it certainly won't patch up the numerous ways of subverting https or the modern web browser. To be secure (or have a reasonably good chance at being secure), you must at minimum use an approach where (1) security is a primary design concern thru the entire product lifecycle, (2) security solutions are deployed in a structured/layered approach using (3) actual expertise, and (4) security is an ongoing program with both proactive and reactive elements.
(Convincing your government to help software/hardware/network companies fix their security problems instead of purposely introducing them would be a good idea too, but it looks like society is determined to learn this the hard way.)
How Our Botched Understanding of "Science" Ruins Everything
Countless academic disciplines have been wrecked by professors' urges to look 'more scientific' by, like a cargo cult, adopting the externals of Baconian science (math, impenetrable jargon, peer-reviewed journals)...
How dare those academics use math, specialized jargon, and peer-review! Witchcraft, I tell thee, witchcraft!! (Quick hint for whatever PR firm submitted this: science is extremely complex and extremely specialized these days. Sorry if your marketing degree didn't prepare you for anything better than spreading FUD.)
This is how you get people asserting that 'science' commands this or that public policy decision, even though with very few exceptions, almost none of the policy options we as a polity have have been tested through experiment (or can be).
Yah, we only have one earth at the moment, so it's sort of hard to directly test the effects of (1) implementing or (2) NOT implementing a carbon excise tax on the next 100 years of climate change. Science can't do that. Of course, neither can lobbyists or SIG's or true believers or anyone else.
What science can do (for a sincere policymaker) is provide the firmest foundation of knowledge to work with. And science quite confidently tells us a lot of things we don't want to hear (like "all this carbon is going to make the environment go wack, do something about it" or "your ass is getting fat on all that sugar and processed foods", or "life arose thru such-and-such set of processes and not ex post nihlo, sorry if that challenges your theology LOL").
U.S. Supreme Court Upholds Religious Objections To Contraception
What happened was that the president of Chik-Fil-A, Dan Cathy, expressed an opinion on same-sex marriage
You forgot to mention the part where Chik-Fil-A's charitable organization was donating millions of dollars to anti-LGBT political organizations. The protests were largely effective at halting those donations.
But, he doesn't claim to be a "Democrat", which is an allegiance which absolves one from all responsibility and repercussions from their opinions.
Obama--for all of his many problems--has done more than any other president to support equal protection under law for people who are LGBT.
NYC Loses Appeal To Ban Large Sugary Drinks
Maybe we could just work together on that and then most of these abortions need never happen.
Good idea, but you need to get conservatives on board with embracing contraceptives. For many of them, it isn't just about eliminating abortion, it's also about eliminating non-martial sex and boosting the pregnancy rate after marriage. To get there, they are willing to (1) withhold medically pertinent information, (2) cultivate sexual fears and stigmas, (3) encourage premature marriage, and (4) prescribe rigid/misogynistic gender roles. (Source: grew up in a christian school.) A lot of this just naturally flows from the fundamentalist/authoritarian worldview... other christian subcultures may be different.
The number of unplanned pregnancies in the US every year is Insane.
Actually, the rate of teen pregnancies has hit an historic low.
Docker 1.0 Released
Double click it
Insert password, hit ok
Seriously it is a hell of a lot easier than Windows
Oh, I'm sorry. You need libglib2.0-0 (>= 2.35.9), but I'm on libglib2.0-0 (2.34.8) and upgrading it will cause a conflict with libwtf5.0 (1:5.0.99) and also require installing libancientrelic0.8 (0.8.0.012), which I can't seem to find anywhere. Let me suggest removing a bunch of packages (leaving some things broken). Accept this solution? (y/N) Alternately, I could suggest you blow your weekend learning to build a dummy package just to shut me up... there so many wonderful commands that start with deb and dpkg, you'll love digging thru layers and layers of accumulated shell scripts!
Registry Hack Enables Continued Updates For Windows XP
The true mind-blower of Unix is how so many people defend their flat files unto death
And their scripts. Don't forget the piles upon piles of scripts that preclude any straightforward notion of what's going on. (Coincidentally, dpkg is a good example of this failure too.)
Mathematical Model Suggests That Human Consciousness Is Noncomputable
As always, the truth is in the Bible
Yep, this speciously-reasoned physics paper supports the Absolute Truth(TM) revealed to us in an ancient text of unknown authorship!
Mozilla Offers FCC a Net Neutrality Plan With a Twist
Why? Nothing is blocked, it is just slower. This sucks for streaming, but streaming is not the only way to share information. Speeds that will not work at all for Netflix work fine on The Pirate Bay... It just requires people to think differently and not stream everything but download it instead.
Why? Because now if you want to start an internet business (streaming or not) that becomes even modestly successfully, every ISP on the planet will start looking for a way to demand a chunk of your profits. "Yeah, sorry that that little 100ms latency spike is affecting 1 million customers of yours, Blizzard, but we'll be happy to form a collaborative network-tuning relationship with you for $250,000/mo."
Cumulatively, it means that ISP's can rent-seek off of internet businesses, cutting down on the quantity and competitiveness of such businesses while simultaneously forcing them to raise prices.
Could Google's Test of Hiding Complete URLs In Chrome Become a Standard?
The benefit is ease of use for people who have no idea what a URL is. They just look up there and see, "yes, this is definitely my bank's website," instead of "holy shit what does long string of symbols that mean."
Maybe a basic part of web literacy is learning what a URL is and what it's useful for. "Whoa!" you say, "we need to do anything we can to make computers easier and more self-explanatory." Well, yes, I agree with that, but we're reaching a point where designers start to "overtrain" their design. Take this "origin chip", for example. You make it slightly easier to identify the site you're on and perhaps slightly less intimidating for a newbie [which is sort of ridiculous in this context because the web is do damn ubiquitous now], but you've also made a host of other tasks slightly harder (viz., copying/emailing a link, fixing a link, manually entering a link, inspecting a link, etc.). In addition, you're no longer subtly informing the intuitions of future authors, librarians, technicians, webmasters, programmers, and judges/juries as to the URL~=page association. That's ultimately making it harder for people to understand how their technology works.
Usability design is a noble endeavor, and I'm all on board with Norman, Tufte, etc. What I'm NOT on board is the current fad of software that drops functionality, removes technical visibility, and overhauls the interface with each release. That's just user-hostile.
[ranting because Google Camera dropped exposure control recently]
An MIT Dean's Defense of the Humanities
"Culture's worth huge, huge risks. Without culture we're all totalitarian beasts." -- Norman Mailer
NASA Proposes "Water World" Theory For Origin of Life
mind-boggling complexity of life that could never be duplicated but by a mind-boggling intelligence
Complexity can arise spontaneously out of simple interactions. We see this over and over and over again. Pretending it requires intelligence just reveals our collective cognitive bias towards personifying the world and ascribing agency to inanimate objects and processes.
This is our tax dollars being spent on a national religion.
No, it's merely a line of scientific questioning that threatens your worldview. A lot of things can threaten a worldview (science, humanities, foreign travel, self-reflection, getting older, etc.), but we should only call them a "religion" if they substantially function like a religion (e.g., providing things like community, life ceremonies, spirituality, moral codes, holy texts, etc.).
Duplicating all pagan religions. They start with water because Genesis starts with the Holy Spirit hovering over the water.
Civilization begins with agriculture, and agriculture begins with water. It was true in lower Mesopotamia (the world's first civilization) and on the banks of the Nile (Egypt, the second civilization). It seems appropriate, then, that many creation myths--including those much older than the Genesis 1:1 account--feature water as prominent (and often chaotic) element.
How the Internet Is Taking Away America's Religion
I know too many smart highly-educated Christians to think that religion is merely some lack of applied thought. It's a choice they made, knowingly and subjectively, to have religious faith.
Skeptics seem to have this assumption that humans are inherently rational, and it's only those who are intellectually weak that let bad/illogical ideas into the mind. I'd argue that this is a bad model because we are forced throughout life to rely on incomplete/inaccurate information from a wide variety of sources... our senses, our emotions, our peers and society at large, etc. Our brains are a very muddy place that was never tidy and logically "clean" to begin with, but we make do (more or less). A purely skeptical species would go extinct questioning the need to plant crops, etc.,
The way I see it, rationality (and the engineered pursuit of it, science) is a skill that must be developed and subsequently imposed on various facets of our worldview. How we select those facets (and how vigorously we investigate them) is a strategic question ("what is my biggest blindspot?") that we're not well equipped to answer (they're called "blindspots" for a reason). And we ALL have blindspots of various topic and magnitude.
In the case of religion, it's particularly hard to investigate these blindspots because adherents have been strongly conditioned to self-identify with the cause. Their parents, friends, community, and everyone they trusted as a child told them "this is what we believe, it is the only way to live a good life, and everything outside of it is corrupt and destructive". Like Tevye says in Fiddler on the Roof, "tradition tells us who we are and what G-d expects of us".
Analytically re-evaluating one's faith as an adult requires a tremendous amount of courage and vigour. To do so, they must overcome:
- Religious instructions to defer to authority.
- Implied instructions to not question faith.
- Perceptions that questioning is risky and/or evil.
- The nastiness of some skeptics (e.g., living examples of the "evil" of questioning)
- Accusations that the questioner's "real problem" is something spiritual and not intellectual.
- Desperate feelings that the faith "has to be true", precluding need for further analysis.
- Anecdotal proofs and feel-good stories ("testimonies") that offer emotional evidence for faith.
- Single-shot ad hoc arguments (emotional or intellectual) that preclude comprehensive analysis
- Apologetics literature or speakers that sound convincing initially, esp. when presented without opposing views.
This is not the only way people leave their faith, but it's relevant to skeptics because it's the "rational" route. I suspect that those who use "emotional evidence" as their primary waypoints for evaluating complex situation have it easier... they see the history of Christanity's/Islam's treatment towards women or they consider how wholly abhorrent the concept of hell is, and then they proceed to reject the system that generated those ideas.
Instead of offering mockery (a tempting practice), skeptics would do better to (1) humbly remember that we all have blindspots, (2) that every population has smart and dumb individuals, (3) that believers make many valuable contributions to rationality/science, (4) and that social and emotional arguments against a faith can compliment their existing intellectual arguments.
Microsoft To Allow Code Contributions To F#
Let me elevate the question: why do we need yet another programming language?
Because we're nowhere near figuring out how to best express ourselves to computers for the wide variety of problems we wish to solve and the large diversity of skill-sets and backgrounds we wish to solve them with.
In this example, F# solves the problem of "how do we do statically-typed functional programming (a la OCaml and Haskell) in a way that integrates with the .NET ecosystem?". C# doesn't solve that problem because you can't do nearly enough type theory. OCaml doesn't solve that problem because it's not vendor-supported and it's not designed from the ground up with the .NET platform (and the existing base of C# programmers) in mind.
While I share your unstated assumption... that it seems like there are too many half-baked programming languages instead of a few really good ones, I also think Microsoft deserves credit (much as I hate to say it) for recognizing the need to focus on platforms (like .NET) instead of languages. Of course, then they go and do the whole WinRT thing... :-\
How Many People Does It Take To Colonize Another Star System?
Instead of turning around at the halfway point and using the same thrust to decelerate, would it be possible to, theoretically, initiate an explosion in front of the craft, equal in yield to the amount of thrust used to achieve whatever speed your craft is at when you need to start accelerating?
Yes, because the explosion you propose is simply a shorter duration, higher intensity version of retro-thrusting. (Incidentally, some sci-fi authors have proposed using explosions [such as nukes] for the initial thrust as well [Anathem comes to mind].)
However, the problem with your approach is that it's less efficient: first, it requires extra machinery because you're building a second propulsion system instead of reusing the one you already have; second, it requires extra structural support because you're going to subject the vehicle to higher delta-V's. Obviously, this adds a lot of weight, a lot of extra engineering, and several more points of failure.
The implicit engineering assumption you're running into here is that the most viable approach for interstellar voyages (if anything is viable, which is doubtful) will be a regime of nearly symmetrical acceleration/deceleration provided by a single propulsion system.
P vs. NP Problem Linked To the Quantum Nature of the Universe
The distinction that P algorithms are "efficient" and NP algorithms are "inefficient" is merely a convention of complexity theorists. You could easily draw the dividing line further in or out depending on your purposes. That makes me wonder what constitutes their assumption that this particular P/NP type "efficency" is necessary for a macroscopic Schrodinger algorithm.
Department of Transportation Makes Rear View Cameras Mandatory
If you think this makes a car too expensive, what price do you put on accidentally running over a human being?
This article says it will save (max) 15 deaths/year at a (min) cost of $132/vehicle. With 15.6 million vehicles sold in the US last year, that implies a >$137 million dollars per death avoided. That's way above the $6million you referenced.
At any rate, it certainly seems that if we're going to spend >$2 billion dollars, we should able to save more than 15 lives with it. But no... some mum went to Washington and proclaimed it should "never happen again", so we get this crap. (Granted, my analysis isn't including injuries... that could swing the balance.)
Security Evaluation of the Tesla Model S
Reality. At the end of the day, what will the insurance company accept as sufficient security...
No, the security only has to be sufficient enough to blame you for the theft.
the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user
The salesman and customer are the least informed for making security tradeoffs, and the complications of having multiple security arrangements across a fleet of supported vehicle isn't worth the extra headache for the manufacturer.
The "balance" of this situation should not lie in the boneheaded territory of elementary security mistakes... if you're going to have a remotely accessible API, hire programmers who understand security and have them design the damn thing to be secure from the ground up. It's not impossible or mystical or some big unknown.