
This guy's OpSec was pretty bad. I'm not entirely surprised, but I am surprised it took this long for it to bite him.


It's definitely a very focused search. There will almost certainly be more coverage over the coming days/weeks. It is reported that a full list of names and companies linked will be released in early May. http://www.irishtimes.com/business/what-are-the-panama-paper...


No. The government is the moving party. If the moving party drops it, the court drops it.


I understand that in principle, but is that the end of it in reality?

I'm pretty sure NewEgg was recently taken to court by a patent troll, and after the troll realized that NewEgg fights instead of paying, they backed off. Then NewEgg sued to get a judgement that would guarantee this couldn't happen to them again.

I know this is a different venue and there are topical differences. But are you absolutely certain that there is no counter-action Apple (or any company, for that matter) can pursue to get a judgment about this?


In this context, yes.

Newegg's actions were different, in that the patent owner's dropping the suit didn't actually resolve the question of infringement. It was still out there, and the patent owner could re-file suit at any point in the future. Between now and then, if Newegg were in fact infringing, monetary damages would continue to pile up. So the uncertainty can have a pretty significant impact on business decisions and impair their ability to operate. A request for declaratory judgment seeks to resolve that uncertainty so that both parties can get back to normal.

For Newegg, the request accomplishes a few things. It lets them clear the air, indirectly help solve the resulting from the remaining suits against retailers selling Rosewill products, and it's the legal equivalent of spiking the football and giving the troll a swift kick in the nuts. Minero Digital now gets to defend itself in a Delaware court, absent all of the little advantages of East Texas. It's a rather bad break for them.

Honestly, if I were a patent troll, I'd be scared shitless to send a letter to someone like Newegg. With their stance on patent suits, they're exactly the sort of company that would preemptively file a request for declaratory judgment after they were contacted.


This court case is over. But the fight for encryption was never really in court anyway, it was in Congress and the White House. It became obvious over the past month that there is still a lot of education on encryption that needs to happen.


Boo. IANAL so I can't quite see where the harm may lie in requiring the "moving party" to see through what they started (if the defending party wants it, of course).


That would be the end of a whole pile of legal strategies.


Yeah, I believe that ending a whole pile of legal strategies is the point of that suggestion.


I'm all for it. If you bring suit the other party should be allowed to cause you to have to continue if you feel like dropping it. There is some potential for abuse there though, this is not a simple matter.


Agreed, in-so-far as any binary decision fails to capture all the nuances, there will be someone who exploits those nuances.


What if you run out of money for lawyers and want to drop the suit because of that?


Counterpoint: if you want to sue everyone in the United States for pirating your porn, ask for $50 in settlement for dropping charges, and drop charges for anyone who shows up in court with legal representation, should the judge be sympathetic to you? Isn't a frivolous lawsuit a frivolous lawsuit anymore?


In addition to the counterpoint that newjersey brings up, we could also restrict this power to cases where the plaintiff is the government (local, state, or federal).

While nuisance suits from private actors can totally be ruinous, the potential for harm from government actors is so much greater.


Yes, but it would probably also cause a bunch of other problems.


It's not that obvious. Paul Klemperer (auction theorist) covers a similar question: what happens if the losing party has to pay the prevailing party's legal fees? Answer: the same amount will be spent on legal fees and the same cases will be brought forward.

(1) See middle of page 5 here: http://www.nuff.ox.ac.uk/users/klemperer/WhyEveryEconomist.p... where he debunks Dan Quayle's court reform ideas.


> ...covers a similar question: what happens if the losing party has to pay the prevailing party's legal fees?

That's not at all a similar question. We're talking about staking the following strategy through the heart:

* Some part of USGov makes an overreaching legal demand using a really shaky (perhaps unsupportable) legal argument.

* They get a magistrate to issue an order in an "emergency" ex parte hearing

Now either:

* USGov presents that court order to a small and/or legally clueless business who says: "This is a court order! I have to comply with it, else I get in trouble!". USGov gets what they wanted and gets to bully another unwary victim with the same bullshit tactic

or

* USGov presents that court order to a larger and/or legally savvy business who examines it and says: "No. This is bullshit."

* That company goes to the court and tells the court why the order is bullshit

* The court quietly mumbles: "USGov... they're right, looks like it's bullshit."

* USGov goes: "Oops! We really didn't need that anyway!", withdraws the request, and retries it at a later day with a less savvy victim

So, completely different situations.

If USGov had to keep pushing such cases through if the defendant demanded that they be pushed through, what you'd get is what we get when Newegg fights patent trolls: evisceration of bullies, thugs, and the chicanery that permits them to operate.


The least that should happen in this case is that the courts should ask the FBI exactly how they found an alternative method to crack the iPhones. If they don't, it's unfair to Apple, since they were potentially about to be ordered by the state to exploit a vulnerability themselves. IANAL of course; this is just my informed view based on existing facts.


In this case, moving party didn't drop it so much as stall for time. But, the judge also stayed the order that Apple had to help the FBI which telegraphs her intent. I think the FBI knows it lost this round and needs to find a face-saving way to get out of it.


Couldn't they seek something like a declaratory judgement?


There's the 'capable of repetition, yet evading review' exception to the mootness doctrine. But I agree this particular case is probably DoA. Maybe Apple can move for sanctions ...


Unless the digital data represents weapons? http://www.wired.com/2015/05/3-d-printed-gun-lawsuit-starts-...


I do wonder how BIS and ITC differ in this issue.


I'd be all over this if they supported YubiKey's U2F. I love 1pass, but it always makes me uneasy using Dropbox (or anything similar) for syncing.


You will be pleased to know that 1Password for Teams does not use Dropbox for syncing and has what we call Better Than Two-Factor™ through the use of an Account Key. From our "Understanding the Account Key" article (https://support.1password.com/account-key/):

With traditional two-factor authentication, an existing device is used to authorize a new one. But the existing device is only used for authorization. The one-time passwords are not used to harden the encryption.

Your Account Key works in much the same way. It is required to authorize a new device. However, your Account Key is actually used to improve the encryption of your data. Both your Master Password and your Account Key are required to decrypt your data.

More in that article. :)


Surprisingly, the passwords are probably the only thing safe. Looks like they were hashed with bcrypt.


Well some of the passwords are safe. Bcrypt doesn't offer much protection if your password is on a list of the 10,000 most-common passwords [1].

Ashley Madison's highest priority should be to tell users to change their password on the Ashley Madison website, and any other website where they have used the same password.

[1] http://www.passwordrandom.com/most-popular-passwords


Were the passwords salted as well? If so, the "commonness" of the password won't matter.


How so? Run bcrypt on the 10,000 most common passwords for each salt. Much easier than trying every possible password for each individual salt.


Bcrypt includes a (large) random salt so is not subject to rainbow table attacks. I believe therefore that will protect against identifying passwords contained in a known list.

If I'm wrong about this I'd love someone to explain why to me.


I haven't heard of rainbow table attacks being used much at all anymore. It's completely practical to individually brute force every person's password using their specific salt in parallel.

Let's say they cranked up bcrypt to take 10ms to run (so their system can login 100 people per second). That means it take me 10 seconds to try all 10,000 weakest passwords against an individual hash. If I can do, say, 1000 hashes in parallel, then I can try the top 10,000 passwords against 100 users' hashes a second. If their DB is 100,000,000 passwords then that's only 11 days to try the top 10,000 passwords on everyone, which is super reasonable and will get you tons of low-hanging-fruit.

In practice you can probably try a password faster than this, and massively more parallel. So that's just gravy. Also keep in mind I don't need to try all 10,000 on everyone -- if you have the most common password I can stop right away. Further, if you identify a user whose password you really want to crack, you can redirect all those resources at just that user with the full might of John the Ripper or Hashcat and try 1,000,000,000,000 common passwords and mutations against that user in the same amount of time (using my pessimistic numbers for how fast you can run).

For reference, password cracking rigs are usually talked about in terms of gigahashes/second (billions of hashes per second).


This is not about rainbow tables, just about brute forcing. The only theoretical protection would be a site salt, but that has to be stored somewhere as accessible as the database, so it's fruitless to assume somebody who can get their hands on your DB can't get the site salt.

"It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database."

- http://codahale.com/how-to-safely-store-a-password/#

tptacek 1708 days ago

That salt is a public value. The security of salted password schemes is meant not to depend on the secrecy of the salt.

Every time this topic comes up, 15 people chime in with various schemes in which some of the "salt" is derived from the hostname and some of it is stored in an encrypted vault and some of it is inferred from the color of the user's eyes. This is why Coda is making fun of "Himalayan pink salt".

- https://news.ycombinator.com/item?id=2004833


Adding the salt increases (albeit linearly) the complexity of hashing with regard to brute forcing. So using a very long salt reduces hash speeds.


There are much better ways of reducing hash speed. Like hashing N times.


I am not discussing it, however:

>>It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database<<

simply, it's a false statement. Multiple hashes while adding the same (huge) salt each time decreases the speed even further. Just adding 8MB (larger than L2 cache or any reasonable amount of SRAM to mount) of salt might be better than multiple hashings as well, plus it increases difficulty of mass-parallel processing. Multiple hashes are very L1 cache friendly when the input is tiny.


It does prevent simple rainbow attacks, but it does not prevent a simple bruteforce of the common passwords. It can increase the cost a bit, but still in the realm of feasible.

I am mainly trying to warn against the false sense of security. Salting does not magically make weak passwords secure. It makes certain types of attacks harder, but a bad password is still bad.


That being said the problem is less that we are not asking users to provide strong enough passwords. It is that the industry seems to be completely incapable of protecting their users data. This race to the least crackable hashing algorithm is only adding more lipstick on the pig.

Having seen a major leak pretty much every week if not every day for the past 3 years, I am now of the opinion that I should provide zero personal information to anyone. Disposable email addresses, fake names and addresses will now be my norm.


If they hashed PASSWORD + USER_SPECIFIC_SALT + SITE_SALT, storing USER_SPECIFIC_SALT in the user table and SITE_SALT in the application config, both data and site config would have to be leaked.
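The cost estimate a few comments up and the PASSWORD + USER_SPECIFIC_SALT + SITE_SALT scheme just above, worked through in an added example that is not from any commenter on this page: it models an attacker who holds the leaked table of per-user salts and hashes, runs a constructed top-N wordlist against each user, shows that the per-user salt does not stop that while a site-wide pepper kept outside the database does, and recomputes the worst-case time from the stated parameters. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (same property: the salt is public and does not slow a per-user dictionary pass); iteration count and wordlist are constructed for the demo.

```python
import hashlib
import os

ITERATIONS = 1000  # deliberately low so the demo runs fast; production uses far more

# Constructed stand-in for the "10,000 most common passwords" list
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey"]


def hash_password(password: str, salt: bytes, pepper: bytes = b"") -> bytes:
    """Hash PASSWORD (+ optional site-wide PEPPER) with a per-user SALT.

    The pepper models SITE_SALT from the comment: it lives in the app config,
    not in the user table, so a database-only leak does not include it.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)


def make_user_table(users: dict, pepper: bytes = b"") -> dict:
    """Build the leaked artefact: username -> (random per-user salt, hash)."""
    table = {}
    for name, password in users.items():
        salt = os.urandom(16)  # random, unique, and stored next to the hash
        table[name] = (salt, hash_password(password, salt, pepper))
    return table


def dictionary_attack(table: dict, wordlist: list, pepper: bytes = b"") -> dict:
    """Per user, try each wordlist entry with THAT user's salt; return what matched.

    The attacker must re-hash per salt (no shared rainbow table), but the salt
    itself is in the table, so the cost is only len(wordlist) hashes per user.
    """
    cracked = {}
    for name, (salt, digest) in table.items():
        for candidate in wordlist:
            if hash_password(candidate, salt, pepper) == digest:
                cracked[name] = candidate
                break  # most-common-first ordering means we stop early
    return cracked


def estimated_days(hash_seconds: float, wordlist_size: int,
                   num_users: int, parallelism: int) -> float:
    """Worst-case wall-clock days to try the whole wordlist against every hash."""
    total_hashes = wordlist_size * num_users
    return hash_seconds * total_hashes / parallelism / 86400


if __name__ == "__main__":
    users = {"alice": "password", "bob": "correct horse battery staple"}  # constructed
    leaked = make_user_table(users)
    print("salted only:", dictionary_attack(leaked, COMMON_PASSWORDS))
    leaked_peppered = make_user_table(users, pepper=b"site-secret-not-in-db")
    print("salted + peppered, pepper not leaked:",
          dictionary_attack(leaked_peppered, COMMON_PASSWORDS))
    print("days at 10 ms/hash, 10k words, 100M hashes, 1000-way parallel:",
          round(estimated_days(0.01, 10_000, 100_000_000, 1000), 1))
```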


>> Astoria also opens multiple avenues for future work such as integrating realtime hijack and interception detection systems (to fully counter RAPTOR [18] attacks)

This is really interesting. I'm curious how that would work.


I'm pretty sure this is the answer to what Google wanted dropped (Edge Service): http://www.telecomsense.com/2015/03/the-fcc-avoided-a-bigger...


Isn't this the same thing as IRATEMONK that was revealed a year or so ago in the NSA ANT catalog? https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa...


I wish my company did this when I had a kid. They gave me 2 weeks paid leave. Then I took 6 weeks semi-paid leave from the state. aaaaaand when I returned I was notified that since I "missed" a few weeks of on-call rotation during my leave that I was basically on-call for every day for the next month to "make up" for it. That was pretty awesome considering the production environment would break at least once every day between midnight and 6am. It made taking care of an 8 week old who needed feeding every few hours at night even easier.


Keep in mind that they didn't "tell" you that you'd be on call every night. They asked, and you said OK.

The fact that they didn't include a question mark at the end of the sentence doesn't change the fact. The correct answer is still "No, of course not." It's then up to them to decide whether it's worth firing you for giving the sensible answer to their silly request.


Ah yes, nothing like making a stand and losing your job while raising an 8 week old to add to your troubles.


> Keep in mind that they didn't "tell" you that you'd be on call every night. They asked, and you said OK.

Am I missing something or were you involved somehow?


You are being incredibly hostile throughout this thread.


You make no sense at all.

I simply asked a question prompted by this bit:

"Keep in mind that they didn't "tell" you that you'd be on call every night. They asked, and you said OK."

GGP did not suggest in any way that there was a dialogue, he simply said that he was told that he had the bad shift and that was that.

So either JasonKester knows more than is apparent from the comment or I don't understand where he got that knowledge, it's not as if walking out was on the list of viable options for the GGP.

Please indicate why you think I'm hostile, or is asking questions the new hostility?


The second paragraph explains the first. I imagine that's why somebody downvoted your reply.

Repeating though, in case it wasn't clear: When your boss says "Yeah, we're going to need you to come in on Saturday... yeah, we lost some people this week, and now we're gonna have to sorta play catch-up. And yeah, we're going to need you to go ahead and come in on Sunday too". That's a request. It's something you can (and should) say "No" to.

It's entirely possible that there may be ramifications for standing up for yourself in the face of silly demands from management. But there's absolute certainty of bad things happening if you don't. (Namely, the terrible thing you've just been asked to do, as well as dozens of repeat performances now that you've declared yourself as somebody who can be walked over.)

The best course is always to remain professional, stand up for yourself, and ensure that you remain on equal footing with your employer. If they do choose to fire you for working the hours you agreed to work when they hired you, there are worse things than being a skilled developer in the single best market for talent in history.


Right. But the whole point is that if you have just been handed a newborn then your option to 'walk out' is simply non-existent, and so any principled stance would have to be postponed until the breadwinner is out of the danger zone. The employer here seems to be engaging in some kind of revenge tactic, as though the leave was to be made up for rather than something that left the balance between employer/employee and employee/co-workers intact.

So I don't see this as a request at all, a request is something that you practically can say yes to, which doesn't appear to be the case here and does not come in the form of an order.


Again, saying no to a request to sacrifice all your nights and weekends for a month is not the same as quitting your job. It's certainly not a fireable offence.

They do indeed have places where an employer can reasonably ask an employee to sacrifice his entire life for the company. Those places are nearly all called "Japan", and the employer/employee relationship is very different to that in the USA.

Try enslaving your workers here (or firing them for refusing to be enslaved), and you face an unpleasant lawsuit.


That's a scummy thing to do. Would've taken my hat and left.


Do you still work there?

