Hacker Newsnew | comments | show | ask | jobs | submit | samd's comments login

Implicit in your comments is the idea that you can't work with women without the risk of lawsuits. This is classic victim-blaming.

The problem is not the lawsuits. The problem is harassment, and further, the men who are so incapable of not harassing women that they segregate their workplaces.

We should recognize that the number of lawsuits pales in comparison to the incidence of actual harassment. We should be blaming the perpetrators of this harassment, and the men who would avoid working with women rather than change their behavior. We should not be blaming the women who raise these suits, or decrying their nature, as there is a very real and serious problem of sexual harassment in our industry.

-----


Allegations of victim blaming tend to be used to shut down conversation rather than contribute to it. There are times when mentioning victim blaming is appropriate, but you have to be extra careful with this concept.

If anything, this case is system-blaming. More importantly, it is looking at how the system works, and what unintended effects our attempts to improve it have. Specifically, observing that the increase in lawsuits leads to the creation of single gender environments, harming other metrics of gender equality. There is no concept of blame in this observation. It is merely a conjecture about cause and effect which can be used to make more informed choices.

Having recognized this we may decide that sexual harassment lawsuits are not worth it, in which case I may leave the country. Or we could look for ways to conduct these lawsuits in a way that is less damaging. Or we may decide to use/develop other responses to sexual harassment before going to a lawsuit.

This is a discussion that needs to be had, and your response precludes it.

-----


Nothing of that nature was implied; rather, you read misogyny into the comment due to your own biases.

The original post was very careful not to put either sex in either role. It even went so far as to not exclude homosexual relations by suggesting that you'd want three people in the room despite a segregated workplace.

Your post, in contrast, insists that harassment suits are always filed by women against men. It goes so far as to suggest these hypothetical employers must be men and that their motivation is an inability to control themselves.

The implication was simply that as sexual harassment cases become more costly, it may be pragmatic to take more drastic measures to prevent them. I'm very disgusted by your post.

-----


Allegations of "Victim blaming" are a classic tactic to shut down discussion by implying that anyone who steps out of the appropriate mental box will be deemed an accomplice.

-----


You can invent whatever descriptions you wish, but it is victim-blaming. Vague threats of a public backlash against sexual harassment lawsuits are an attempt to blame women for filing them and attach implicit suspicions to their claims. Reminder that Tinder has confirmed the inappropriate messages.

-----


Discussion about what, exactly? That women are not trusted enough to not bring false allegations, therefore men should always have witnesses to make sure that men are not victims of even false allegations?

Seriously, if you are the victim of a false allegation that is later proven to be false, then your reputation is not destroyed. If you are the victim of one instance of a false allegation that later reveals a pattern of bad behavior, then you should not have behaved badly in the first place.

-----


N's tend to be big-picture, conceptual thinkers, whereas S's are detail-oriented and concrete.

J's are to-do list sorts of people, they enjoy finishing tasks, tend to "get a lot of stuff done", but can be stressed if there isn't a plan. P's prefer starting projects to finishing them, they tend to work off-the-cuff, probably appear to get less done, but are more capable of dealing with changing circumstances and priorities.

-----


I'd say the premise is that people who work in SF should have a right to live in SF.

-----


... because it's such a great idea for your housing to be tied to your employment, and for your employer to have direct control over your housing situation...

I can see it now, "Johnson, if you don't work the next 3 weekends I'll fire your ass, and per city law you'll have one week to get the fuck out of town to make room for the next SF-employee".

I cannot see any way in which "everyone who works in SF deserves to live in SF" can be implemented that won't make it even more inhumane and tyrannical than the free market it's replacing.

-----


On what grounds?

-----


In case anyone hasn't already seen it: http://codahale.com/how-to-safely-store-a-password/

tl;dr

Use bcrypt.

-----


In case anyone hasn't already seen it: http://www.tarsnap.com/scrypt/scrypt.pdf

tl;dr

Use scrypt.

-----


Use scrypt if you can. But don't get too hung up on this. All the modern KDFs are fine; use PBKDF2, bcrypt, scrypt, whatever you have available. Just stop "salting hashes". Attackers laugh at salted hashes.

-----


I'm sorry if I'm misunderstanding, but are you saying that application developers should not use salts at all?

-----


I'd interpret the GP as "Application developers should not create Key Derivation Functions (KDFs)." They should choose an existing, well reviewed KDF and read up to understand its relevant best practices.

For example, PBKDF2 does require a salt (as does scrypt, which relies on PBKDF2 for its implementation). It also comes with specific recommendations on the salt's minimum length. Salting an MD5 hash is pointless in the face of modern attack methods -- rice paper against a tiger.

-----


Wouldn't individually salting MD5 still help with large databases? With a database of 1,000 users the individual salt should slow down attackers by a factor of around 1,000.

If they are targeting a single user it doesn't help though.

-----


It falls in line with running your ssh on an obscure port or putting your password database in .hidden/. Most likely it is just a false sense of security and security through obscurity. You are doing X, Y, Z and W and in the end you could have just used a KDF.

If anything the false sense of security plays tricks on you psychologically: "oh look we have put our database in a .hidden directory. Nobody will find it here" and that makes you not pay attention to the weakest vulnerability -- a weak algorithm or parameters of the encryption.

-----


Yes, salting has a role to play. That is not the point. The point is that use of a weak underlying Key Derivation Function makes the benefits of salting nearly moot.

To fully spell it out: MD5 is a very weak KDF.

I would recommend looking into the KDFs mentioned in the comments here as alternatives: PBKDF2, bcrypt, scrypt.

-----


Not enough to matter. Attackers haven't been dependent on rainbow tables for a while now. As discussed in the article, they're using GPUs to hash guesses individually for each account.

More to the point, using MD5 for password hashes isn't acceptable, at all. Not even with any extra layers of security. Not with salts, not with extra rounds of MD5, not when combined with SHA1, etc. With reasonable options (like bcrypt) available in every major programming language, there's no reason to use something provably ineffective like MD5.

-----


I understand MD5 should never be used. But I'm not talking about rainbow tables. The 1000x benefit comes even when crackers are using GPUs.

-----


Sure, salting definitely helps. A little.

It's like telling someone being shot at to stand sideways, because their profile is smaller that way. The right thing to tell them is to get the hell off the firing range.

The problem with salting is that people feel they're safe, and stop thinking about security there.

-----
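
The factor-of-N argument in the exchange above, worked through as an added example that is not part of the original thread. The wordlist and user table are constructed, and the PBKDF2 iteration count used for the cost comparison is an assumed parameter. Cracking an unsalted table costs one hash per guess for every account at once; a per-user salt multiplies that by the number of accounts, but each guess still costs one MD5, which is the part a real KDF changes:

```python
import hashlib
import os
import time

# Constructed sample data (not from the thread): a small wordlist and a user table.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty", "dragon"]
USER_PASSWORDS = ["password", "hunter2", "password", "not-in-any-list-9f3k"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_db(passwords, salted: bool):
    """Return [(salt, md5(salt || password))]; the salt is empty for the unsalted table."""
    db = []
    for pw in passwords:
        salt = os.urandom(8) if salted else b""
        db.append((salt, md5_hex(salt + pw.encode())))
    return db


def crack_unsalted(db, wordlist):
    """One hash per guess serves every account at once: work == len(wordlist)."""
    by_hash = {}
    for idx, (_, h) in enumerate(db):
        by_hash.setdefault(h, []).append(idx)   # duplicate passwords fall out for free
    cracked, work = {}, 0
    for guess in wordlist:
        work += 1
        for idx in by_hash.get(md5_hex(guess.encode()), []):
            cracked[idx] = guess
    return cracked, work


def crack_salted(db, wordlist):
    """A per-user salt forces a separate pass per account: work <= len(db) * len(wordlist)."""
    cracked, work = {}, 0
    for idx, (salt, h) in enumerate(db):
        for guess in wordlist:
            work += 1
            if md5_hex(salt + guess.encode()) == h:
                cracked[idx] = guess
                break
    return cracked, work


def md5_vs_kdf_cost_ratio(iterations: int = 100_000) -> float:
    """How many salted-MD5 guesses fit in the time of one PBKDF2-HMAC-SHA256 guess (assumed iteration count)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(1000):
        md5_hex(salt + b"guess")
    md5_each = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations, 32)
    kdf_each = time.perf_counter() - t0
    return kdf_each / md5_each


if __name__ == "__main__":
    for salted in (False, True):
        db = make_db(USER_PASSWORDS, salted)
        cracked, work = (crack_salted if salted else crack_unsalted)(db, WORDLIST)
        print(f"salted={salted}: cracked {len(cracked)}/{len(db)} accounts with {work} MD5 calls")
    print(f"one PBKDF2 guess costs about {md5_vs_kdf_cost_ratio():.0f} MD5 guesses")
```

The salt turns a 6-hash job into a 14-hash job for four accounts; the KDF turns every one of those hashes into tens of thousands of hash operations, and the two effects multiply, which is why the salt belongs inside the KDF rather than being the defence on its own.

-----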


No they should stand head on so the bullet will take a shorter path through their body should they be hit.

-----


This table of hash functions should show you why MD5 is never to be used when privacy/security is a concern...

http://valerieaurora.org/hash.html

MD5 first started coming under pressure in 1994 and was cracked in 2004.

-----


He's saying that rolling your own with functions designed to run as fast as possible, with or without salt, is not going to give you much security.

What you want is functions that run slowly, thus increasing attack cost.

-----


Moreover, unless you are Schneier or tptacek don't create your own obscure slow function, use a well known one like scrypt.

-----


unless you are Schneier or tptacek

ahem...

-----


/cough cough ... or cperciva

-----


He's saying that if you can't use bcrypt or something like it, you should store passwords in plain text.

Like a broken record people like him/her chant "no security at all is better than security by obscurity".

-----


I do not believe that this is what he is trying to say. He does not mean "use plaintext" when he says "don't salt hashes." He means "use a key derivation function."

-----


> if you can't use bcrypt or something like it, you should store passwords in plain text

No, he's saying that if you can't use an acceptable hashing function, you shouldn't store passwords at all.

But, why would you be unable to use at least one of the suggested hashing functions, anyway? It's hard for me to imagine a language or platform where none of those functions is available, excluding very simple, special-purpose systems like PLCs.

-----


Have you heard of Google App Engine?

You can't use any python module that runs C, which rules out bcrypt and its ilk.

-----


Or even better don't even store them at all.

If it's an internal app use LDAP, Active Directory, or whatever other centralized ID system your company has. If it's a public app then consider using a federated approach like OpenID. It doesn't make sense for everything but if you can avoid storing passwords entirely then it's one less thing that can go wrong[1].

Course if you do store them then yes:

scrypt > bcrypt > PBKDF2 > ... If you get to here then you've got a problem!

Just make sure you choose a sane number of rounds. PBKDF2 is fine for most folks if you have a large enough number of rounds. The old recommended default of 1K is not large enough. Ditto for bcrypt with a work factor less than 10 (or better yet 12). Your best bet is to either use scrypt (whose defaults are paranoid enough) or choose a work factor for bcrypt/PBKDF2 that has a decent CPU time (say .5 to 1s).

[1]: Though you do have to worry about the risk of compromise of the party you're delegating to. For apps where this makes sense (say Google+ login to a Groupon knockoff) that's a fair enough trade off for you and your users.

-----
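
The "pick a work factor with a decent CPU time" advice above, as an added example that is not part of the original thread: PBKDF2-HMAC-SHA256 from the standard library, with a calibration loop that doubles the iteration count until one derivation takes the target time on the host, a self-describing record format that carries the iteration count so it can be raised later, a constant-time verify, and an upgrade-at-login path. The record format (scheme$iterations$salt$hash), the 100,000-iteration floor and the 0.5 s target are assumptions for illustration; hashlib.scrypt, where available, is a drop-in for the derivation call.

```python
import base64
import hashlib
import hmac
import os
import time

SCHEME = "pbkdf2_sha256"
# Assumed floor for new records; far above the old 1000-iteration default the comment warns about.
MIN_ITERATIONS = 100_000


def calibrate_pbkdf2(target_seconds: float = 0.5, start: int = MIN_ITERATIONS) -> int:
    """Double the iteration count until one derivation takes at least target_seconds on this host."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(16), iterations, 32)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash. The salt is an input to the KDF, not a bolt-on."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations), len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when the stored record was made with fewer iterations than the current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < current_iterations


def login(password: str, record: str, current_iterations: int):
    """Verify, and return (ok, replacement_record_or_None) so old weak records are upgraded at login."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, current_iterations):
        return True, hash_password(password, current_iterations)
    return True, None


if __name__ == "__main__":
    iterations = calibrate_pbkdf2(0.5)
    print("iterations for ~0.5 s on this host:", iterations)
    record = hash_password("correct horse battery staple", iterations)
    print(record)
    print(login("correct horse battery staple", record, iterations))
```

Calibrate once per deployment (or per hardware generation) and store the result as policy; records made under an older, smaller count are recognised by needs_rehash and replaced the next time the user proves the password, which is the only moment the plaintext is available to re-derive from.

-----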


Not sure why you're downvoted, but the idea of actually not storing passwords seemed intriguing to me, if it was actually possible.

I did a little bit of research and I found the Secure Remote Password protocol [1]. Interestingly, this protocol does appear to protect against the case of a stolen password database. If true, that would mean that when site X loses control of the password database, that would be OK as this is designed to be secure against that attack.

I wonder why it's not been implemented anywhere widely. Anyone more knowledgeable about the security field care to comment.

[1] - http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

-----
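
The exchange the comment above describes, as an added example that is not part of the original thread: an SRP-6a run in pure Python with both sides' messages, using the 1024-bit group from RFC 5054 Appendix A (g = 2), SHA-256 as the hash, and simplified key-proof messages M1/M2 rather than the RFC 2945 form. The usernames, passwords and message layout are constructed for illustration. The server stores only (salt, v); the password itself is never sent, and a server holding only v cannot impersonate the client.

```python
import hashlib
import hmac
import os

# 1024-bit group from RFC 5054 Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt: bytes, username: bytes, password: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def register(username: bytes, password: bytes):
    """Enrolment, done client-side: the server stores only (salt, v) and never sees the password."""
    salt = os.urandom(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


def client_start():
    a = int.from_bytes(os.urandom(32), "big")
    return a, pow(g, a, N)                      # message 1 -> server: username, A


def server_respond(v: int, A: int):
    if A % N == 0:
        raise ValueError("illegal A")            # rejects the A = 0 trick
    b = int.from_bytes(os.urandom(32), "big")
    B = (k * v + pow(g, b, N)) % N
    return b, B                                 # message 2 -> client: salt, B


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("illegal B")
    u = H(pad(A), pad(B))
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(ab) * g^(bux)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()   # simplified proof (not the RFC 2945 form)
    return K, M1                                # message 3 -> server: M1


def server_finish(v, b, A, B, M1):
    u = H(pad(A), pad(B))
    S = pow(A * pow(v, u, N), b, N)             # = g^(ab) * g^(xub), same value as the client's
    K = hashlib.sha256(pad(S)).digest()
    if not hmac.compare_digest(hashlib.sha256(pad(A) + pad(B) + K).digest(), M1):
        return None                             # wrong password or tampering: no key is released
    M2 = hashlib.sha256(pad(A) + M1 + K).digest()
    return K, M2                                # message 4 -> client: M2


def authenticate(username, password, salt, v):
    """Run the full exchange; return the shared session key if both sides agree, else None."""
    a, A = client_start()
    b, B = server_respond(v, A)
    K_client, M1 = client_finish(username, password, salt, a, A, B)
    result = server_finish(v, b, A, B, M1)
    if result is None:
        return None
    _, M2 = result
    if not hmac.compare_digest(hashlib.sha256(pad(A) + M1 + K_client).digest(), M2):
        return None
    return K_client


if __name__ == "__main__":
    salt, v = register(b"alice", b"correct horse battery staple")
    print("server stores v =", hex(v)[:20], "...")
    print("right password ->", authenticate(b"alice", b"correct horse battery staple", salt, v).hex()[:16])
    print("wrong password ->", authenticate(b"alice", b"wrong", salt, v))
```

One caveat a practitioner will want alongside the comment's "would be OK": a stolen (salt, v) still permits an offline dictionary attack, since an attacker can compute g^x for each guess and compare with v, so the x derivation should be a slow KDF rather than the bare SHA-256 used here for brevity. What the stolen table does not give the attacker is the ability to log in as the user without first recovering the password.

-----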


Yeah I'm not sure either about the down vote. By not storing passwords I meant delegating to an external authority for authentication services. Whether that's OpenID, Persona, Facebook login, direct OAuth integration with a limited number of parties (ex: GitHub and Google Plus) can be decided on a per app basis. The important thing is that if your app's use case allows you to delegate authentication to an external party (again it's a non-trivial "if" to decide this) then you don't have to store or deal with passwords at all (and by extension don't need to worry about handling password DB leaks or hashing algos).

-----


OpenID is a horrible idea. I have like a bunch of them, and I never remember if I signed up with Yahoo for this site or Google or whatever.

With Persona at least I know which email I use to sign up for random websites. I hope it succeeds.

-----


Is there any reason why you wouldn't use bcrypt + random, individual salt? Am I right in assuming that bcrypt would protect against brute-force attacks and salt protects against pre-computed bcrypt rainbow tables? Or is the salt basically useless?

-----


bcrypt is already randomized, as is every other modern KDF. There is no such thing as a bcrypt rainbow table. Rainbow tables have never really mattered. Stop thinking about rainbow tables.

You need to be using real KDFs to store passwords. Salted hashes are not real KDFs.

-----


Thanks very much for that explanation. I'm not a computer expert, but I'm endlessly fascinated by passwords and cracking.

When it comes to picking passwords that humans can remember, what's your opinion on Diceware? Do five or six word passwords still stand up with the increases in computational power? http://world.std.com/~reinhold/diceware.html

-----


I think it's important to pick a password that isn't in a list, or likely to be 1-2 transformations away from being in a list, and it's important to use a longer password, but apart from that it shouldn't matter as long as you use a different password for each service, and as long as the apps you use use bcrypt or some other real KDF.

-----


Would it be useful to check password hashes against well-known lists of passwords? If so, it sounds like a service would be doing pretty good if they:

1. Required >7 character passwords

2. That don't appear on (constantly updating) lists

3. Using a reasonable KDF (b/scrypt)

Sound right?

-----


That sounds fine to me.

-----


$300/hr also buys a lot of $5 wrenches.

-----


Remember: you'll be hard pressed to buy a quality wrench for 5 dollars, and - perhaps more importantly - why are you breaking them in the process?!

I suspect your process should use the wrench on lower wear items than computers, for example the desk (if plastic or wood) and things sitting around it.

-----


60 $5 wrenches doesn't help the attacker if I'm not physically on the same continent. Attacker needs to know where you are and have physical access... and as we all know, once you have physical access, it's game over :)

-----


"This weekend I was in front of a TV and people were watching Randy To The Rescue."

Funny use of language there, especially given he goes on to explain the episode and quote from it. I think that means you were watching television. Which is ok! Don't worry! You're allowed to watch television, even shows like Randy to the Rescue. I won't think less of you for it.

-----


The supervisor must endorse the analyst's "reasonable belief," defined as 51 percent confidence, that the specified target is a foreign national who is overseas at the time of collection.

US citizens make up less than 50% of the world population. So given any target I can be more than 51% confident that they are not a US citizen, knowing nothing about the particular target whatsoever.

-----


The United States makes up 4.46% of the world population [1], so there might be reason to believe that 95% of communications in transit are foreign. If you look at the users of facebook, there are more who are foreign (non-US) than US citizens [2].

[1] http://en.wikipedia.org/wiki/List_of_countries_by_population

[2] http://en.wikipedia.org/wiki/Facebook_statistics

-----


The 51% threshold sounds to me like something set by some manager(s) who didn't actually know anything about statistics or probability.

-----


Yep. If all analysts would target addresses with exactly 51% confidence and no higher, and their confidence is the exact statistical probability they're foreign, that would mean 49% of targets are US citizens.

-----


Am I missing something, or does "threshold of 51%" sound awfully like "false positive rate of 49%"? Imagine that with a spam filter. Just wow.

The only way that makes sense is that they whitelist the people they like, and simply don't give a flying fuck about anyone else, American or otherwise. Spy first, deny it later.

-----


Only if you have no prior information. However, since the target has to be a specific person, and you have to have some reason to want to monitor them, you would have to have a good deal of prior information. At the very least, you know the networks on which they can be monitored, which already introduces a much more informative prior than "is-a human". The ratio of Americans to other people in your belief network would tend to be dominated by that other prior information.

-----


Yes, the more you know about your target the more confident you become about their nationality. Though I don't think the target needs to be a specific person, it could just be an email address couldn't it? Given just an email address you could be more than 51% certain it belonged to a foreign national and start collecting their data.

Sure, you might have to tortuously stretch the legal wording here to justify collection of any particular target, but if there's one thing this Administration has proven adept at it's tortuous stretching of the law.

-----


You are right on the topic of an email address, but even for that there has to be some context that would cause you to want to collect its information. I guess if that is a single post that states violent intentions, then if you studiously avoid any further information, you could easily hit that 51% number. Then again, once you open the email, presumably you'll quickly derive the person's location and nationality, and you might then have to close it again.

I don't know if that "tortuous reading" thing is really specific to this administration. And anyway, I'm still having trouble figuring out how this whole PRISM thing was unexpected given the laws that congress passed. It seems like a rather straightforward reading of the law to me.

-----


You are assuming a representative distribution of users of whichever service they select. That may not be true.

-----


These numbers can't possibly work for interceptions within the US telecom network. The fraction of Americans using the US telecom network approaches 100%, while the fraction of Liberians using it is probably much smaller.

-----


Who supervises the supervisors?

-----


This is the introduction and conclusion to what could be an interesting blog post on how to present and "sell" new technology to people using Go and Ruby as examples. Unfortunately, the entire body of that blog post is missing. Kudos for getting me interested in the topic, but go back and finish the post, even just talking about what you didn't like about Go and what they could've done better to sell you would be interesting.

-----


Every American has to ask themselves, "Is this worth it?" Are the plots stopped and the lives saved worth the loss of privacy, the loss of trust and good will internationally, and most frightening of all, the unprecedented power this gives the government?

I don't think anyone can reasonably say that it is.

-----


How about the loss of creativity? I feel that one of the long-term consequences of being constantly watched is that you learn to act in less experimental ways. You take fewer risks, and reduce your actions to what's "safe".

Ask yourself - how easy would it be to do your job if somebody you didn't know or trust was sitting behind you evaluating every decision you made.

In my opinion, the financial and societal implications of a populace that behaves strictly to conform for fear of consequence translate to slower innovation, less technological advancement, and a long term negative economic impact.

-----


It's not every American, it's every human being. This isn't just happening in the US but most likely in every democratic country as well. We're not special or unique in this area, yes we should be leading the world in terms of how to protect our privacy but we haven't led in that area for decades. So I'm not surprised about this.

Now, as for the question. The problem is after 9/11, everything changed. People did task the government to prevent further 9/11 attacks and sadly, they can only do that by doing what they're doing now. IMO, 9/11 wasn't the point of what the terrorists were doing, but the aftermath of it.

I'm the man who believes that we don't deserve security if we use it to justify the loss of our rights. However, that belief is easily shaken when and if my family are harmed in an attack that could've been foiled, and my first reaction would be, why didn't the government stop it? So, you can see the problem right here.

Nothing is worth losing our rights over, we fought so many wars to protect them, suffered so many losses as the result of the wars, and yet, we're giving them up easily for terrorism.

-----


> Now, as for the question. The problem is after 9/11, everything changed.

I'm not from the US, and this sort of statement really baffles me every time I hear it. There's nothing remarkable about the events really, probably more people get killed by fridges falling on them than by a terrorist attack, yet nobody seems to modify their lifestyle to avoid standing in front of them.

Can you explain to me what actually changed about the American lifestyle? I genuinely have no idea.

-----


Don't be obtuse. Of course it's remarkable, the only other reason you ever hear of 3000+ people being killed in the space of a few hours is when there's some large natural disaster like an earthquake.

Now, if you can't work out how the largest terrorist attack in history might have changed the stance of the world's largest military superpower, with a knock-on effect on everyone else, then you're not trying. When I saw the events of 9-11 happening on TV I immediately knew it was going to result in years of war, just like the collapse of the Soviet Union obviously led to a de-escalation of military posture.

probably more people get killed by fridges falling on them than by a terrorist attack

Not at the same time, and crucially, not at someone else's pleasure. I'm not American either but the notion that people wouldn't or shouldn't react to something like this is just asinine. Frankly, I'm surprised it didn't lead to greater change in the US than it actually has.

-----


Not wanting to sound like an ahole but...

http://en.wikipedia.org/wiki/Atomic_bombings_of_Hiroshima_an...

As for the parent comment, I know it changed everything. But beyond the initial years, how has it changed your life over, say the past 2 years. Is everything back to normal? How long do you continue changing your behaviour and living in fear? (I realise you're not American, just asking)

-----


Your argument is that Hiroshima didn't change anything?

-----


No, your first point. The US has been just as responsible for mass death. And of course it changes a lot.

Don't be obtuse. Of course it's remarkable, the only other reason you ever hear of 3000+ people being killed in the space of a few hours is when there's some large natural disaster like an earthquake.

-----


Oh for heaven's sake. It was obvious that I meant during peacetime.

-----


I agree. I think after 9/11, Americans were emotionally shocked into agreeing to all of this, not thinking what they were giving up. I get that, but it's been over 10 years. We need to snap out of it.

-----


> The problem is after 9/11, everything changed. People did task the government to prevent further 9/11 attacks and sadly, they can only do that by doing what they're doing now.

There are many ways they can do it. I hate argument from lack of imagination. That's why SCOTUS allows DUI checkpoints: supposedly the police can't do their job without them and they need them for public safety.

-----


The scary thing is that citizens don't know how many plots these privacy invasions have stopped and therefore can't have an informed opinion on the matter and can't decide to fight back against these invasions of privacy. I'm sure plenty of plots have been stopped but would they still have been stopped without this information?

-----


The scary thing is that it's possible. Personally I don't care about what they collect because I don't fear the present government. However I fear that any big entities can do the same or that any malicious group could infiltrate the government to get access to these data (or collect more).

The fact that we consider our online privacy as granted is the scary part.

-----


There is a fundamental difference between expecting privacy on the Internet, and the government actively collecting all data on all people and compiling a massive database linking all of this data together.

No one should expect privacy. There are sketchy ISPs, sketchy mail providers, hosting providers, etc.

But a few hackers collecting email from a few individuals is not the same as a massive database that links everything in the entire world in one nice package. A few random hackers in Russia do not have the political machinery or military machinery of the US government. They generally don't care that you're pro-gay rights (or whatever). They aren't going to try to punish you for your political views. They probably just want money or to defraud you in some way.

The US government, however, wants to control you.

-----


> ...a massive database that links everything in entire world in one nice package.

Are you on facebook? Were you ever on facebook?

-----


Since when could facebook crush dissent and political movements with military force?

-----


Glad you saw my point. Unfortunate you chose to ignore it.

-----


The US government, however, wants to control you.

[Citation needed]

-----


I also fear that the availability of such extensive records on all citizens makes it more likely that an abusive government might come to power. I.e. what Snowden referred to as 'turnkey totalitarianism'.

-----


> The fact that we consider our online privacy as granted is the scary part.

Ignorant, actually.

'Privacy on the internet' is an oxymoron.

-----


The only reason you don't fear them is because you don't value your freedom enough.

-----


What's really important is this line:

"For that reason, we wanted to let you guys, loyal Cutting Edge readers and Knife Depot fans, know that you might not being seeing Knife Depot ads peppered across the Internet."

If you don't get to advertise with Google you basically don't get to advertise on the Internet. That's a powerful monopoly, one they've had for years, and that's the real story here. You have to deal with Google and all their idiosyncratic/evil/whatever behavior because there's no alternative.

-----


People were criticizing the infrastructure analogy made for Google Reader recently; so you can imagine how amused I was, while reading Levy's _In The Plex_, to read this bit:

> While some Googlers felt singled out unfairly for the attention, the more measured among them understood it as a natural consequence of Google’s increasing power, especially in regard to distributing and storing massive amounts of information. “It’s as if Google took over the water supply for the entire United States,” says Mike Jones, who handled some of Google’s policy issues. “It’s only fair that society slaps us around a little bit to make sure we’re doing the right thing.”

(In a part generally about advertising, fittingly enough.)

-----


Indeed - and now they are building internet infrastructure, cars, and eyewear.

-----


Bingo.

-----


Don't read this article either. Instead read the actual Agile manifesto. It's really short, but very insightful. After you've read it stop and think (we're programmers, we're supposed to be good at that) about how your current process, or a potential process matches the principles laid out.

http://agilemanifesto.org/

http://agilemanifesto.org/principles.html

-----


The problem is that the manifesto doesn't give you a concrete way of doing things; Scrum does, and it can be really as simple as this article says.

Basically, the article is a backlash to things like http://programming-motherfucker.com/ , which is a backlash to people doing Scrum, XP, etc. so wrong that it seems no better than the bureaucratic monstrosities that the agile manifesto was a backlash to.

-----


Alright, read the manifesto first, understand it, then go read about Scrum.

-----
