Comment Re:Misleading and Hyperbolic Title/Comparison (Score 2) 130

I do agree that it isn't a remote root shell hole, but it can be combined with something like the SSH brute force vulnerability or another attack that can execute shell commands as an unfettered user... and then the box is compromised.

The good thing is that Macs have functionality similar to SELinux as well as sandbox capabilities via the App Sandbox. This should be something used by all programs whenever possible, since it allows the OS to isolate the program from the rest of the filesystem and OS, helping mitigate a compromised program.

Hopefully Apple can issue a fix in a short amount of time, because this is an easy exploit to use, and combined with something like a broken Java variant, could be used via the Web browser to hijack the entire box.

Comment Re:Gee, I'm really torn... (Score 1) 129

Websites existed well before ads came around. There are other models to make revenue, be it subscriptions, microtransaction based clearinghouses [1], grants, or other ways.

People are inventive. The Internet as we know it would survive if all the third party behavioral monitoring, tracking, ad-slinging, and shovelware/malware companies took a powder.

[1]: None of these solutions are perfect, but the current ad model can be abused as well.

Comment Re:Gee, I'm really torn... (Score 2) 129

The ad industry is a bubble. Look at the clickbait ads pushed at you constantly. Obama's HARP, reverse mortgages, asking how much your car is worth, "free" [1] $100 Amazon gift cards. Programs that are dodgy at best. "criminal background checks" that demand a ton of your info... then want $35-50 for the check. Yes, there are a few relevant items, but most presented are at best dodgy.

What they are selling are not ads. They are selling the data that gets slurped off your phone or computer, which is why browser fingerprinting, supercookies, add-ons galore, and other stuff are the norm. The ads are secondary to watching what the person is doing, 24/7.

[1]: TANSTAAFL. I read the T&C on a "free" offer, and it required subscribing to three different things on a gold/silver/bronze level, as well as many other hoops to jump through before you would even be considered for the card.

Comment Re:What Security Experts Can Learn From Non Expert (Score 1) 112

You pretty much nailed it. The good thing is that we have plenty of tools to help with compartmentalizing info, to the point where it is almost surprising to see them not used.

If it comes to a pissing contest of users versus IT security, the users will eventually win, either by cunning, or just telling PHBs they can't do their jobs... and if it is a guy out of sales who is making the numbers, the PHBs will listen to that guy almost certainly, since they view security as having no ROI, but the "quarterback" making the "touchdowns" is earning real money for the company. In the past, one could scare management by pointing out Sarbanes-Oxley laws, but those are pretty much not enforced (well, unless one is fishing over their bag limit and decides to hide their caught grouper), so that argument tends not to have teeth these days.

Comment Re:They're worthless. (Score 2) 213

Realistically, IT needs to do like plumbers, electricians, and HVAC tradespeople: They need licensing across the board with a vendor independent group doing the licensing.

Certs in plumbing would be like a PVC company having tests to see how good a plumber is at gluing their pipes together. Does it matter in plumbing overall, such as selecting the rise and tilt of pipes so poop runs downhill? Nope.

Similarly, if certs were similar for electricians. Square D could make certs for their circuit breakers and boxes, but does that mean an electrician knows not to run 440 three-phase through a set of nipple clamps? Nope.

Comment They get your foot in the door... (Score 3, Informative) 213

They are not really worthless. They get you in the door and past HR, as "CCIE ID #12345" is a lot better on a resume than "Cisco fabric experience". Similar with RHCE ID "111-1111" as opposed to "I know Linux". From there, you now have access to the tech people, who without the certs, you wouldn't even have been allowed near.

There are also jobs that require certs on the job. I worked at one place that had auditors that did spot checks, and if one's certs lapsed, the IT person would be fired on the spot and escorted off the premises for something along the lines of "failure to maintain proper training for the equipment used."

No, certs don't substitute for experience, but a cert gets you in the door, far more than "gee, I learn quick."

Comment Re:There is no cure for absolute fucking stupidity (Score 2) 232

The article didn't describe what type of spirits, so I'm assuming the type that most sysadmins are familiar with... and I am pretty sure that dropping a high ABV drink down a computer's vent or on top of a printer will do bad things to it.

My recommendation to protect computer stuff from spirits: Put a tray outside the server room and stick up a "no open alcoholic containers" sign on the door. This way, if someone needs to tipple at work, they can still leave their bottle of vodka in the incoming cold air duct, but at least don't spill it on any items inside.

Comment Re:Thank you. (Score 1) 75

Have to agree here. A lot of people appreciate /. being up and going.

One can armchair quarterback and talk about how corruption wouldn't happen with this filesystem or this SAN, but corruption and problems happen no matter what the platform.

Comment Re:Look for other users of the S/W for advice (Score 1) 150

I will add another voice into this list in agreement. The problem is that what is needed is so vague.

There is just no way to recommend hardware. Do you need a lord-king-God-Almighty interconnect backbone switch between all nodes so they can push 40 gigs/sec between each other? A blade/enclosure is a must. Do you need I/O performance above all else, or CPU performance? It might be cheaper to buy a ton of 1U ProLiant G7s with HBAs[1] and 10GigE cards.

Oracle RAC? Again, need a hefty SAN connection, perhaps with a beefy HBA that has up to a terabyte of temporary storage which can help deal with heavy I/O for the active/active needs.

What is your SAN topology like, or do you even have a SAN, as Windows Server 2016 Storage Spaces Direct is being readied as a SAN alternative, provided the links between each of the machines are fast. (The ideal would be InfiniBand... but for the fastest speed, it may wind up being 10GigE.)

Then comes software. Throwing ESXi on the entire cluster will make life a lot easier than spinning up, updating, and wiping bare metal OS installs. However, virtualization does come at a slight performance price and a hefty licensing price.

If I had to recommend hardware for the OP's project, there is no way I can even point in a usable direction, and one mistake can be disastrous when it comes to time/money.

[1]: HBA as in fiber channel or Ethernet CNA. Whatever your heart desires. If you have fiber channel switches, even old 8G fiber channel will handle more than most operating systems can chug out.

Comment Re:Big deal (Score 1) 67

With all the Android phones out, why can't we get one that is actually worth the cost, and not just a run of the mill device? For example:

A vape stick + a phone. Since the vape battery has a lot of amp-hours, might as well have a phone built in.

A phone made by a musical instrument company should be up to snuff for musicians. For example, it would have a beefed up DAC, at least 128-256 gigs of storage (or at the minimum, two MicroSDxC ports with 16-128 GB of base internal storage), FLAC, and bundled with some high-quality, name-brand apps for basic mixing/mastering/recording. Maybe even have more than one USB slot so the phone can function with a breakout box as a decent recorder, with the breakout box having a tube or two as well as a good DAC/ADC pair.

Commodore's smartphone should not just have some apps to emulate the PET, but perhaps come with a breakout box that can actually allow for a monitor and keyboard. Even better would be functionality like the Atrix, a docking station and a Linux distro for better desktop emulation.

There are ways to have a generic Android phone and build on it. Vertu makes money hand over fist selling smartphones for insane prices, and bundling concierge service at the press of a button.

Comment Re:A swing back to the glass house, perhaps? (Score 1) 138

It can be done. For every firm that hits the news, there are plenty that thwart attacks, but attacks repelled don't make the news.

Take one large, recent breach as an example. If they had any type of lockout or alerting protection on their Active Directory service accounts, the brute force on their AD accounts would have been stopped in its tracks. In fact, the AD default is a 20 minute lockout every few bad guesses.

Target and others would have the attacks stopped cold by an IDS/IPS. No, these are not cheap, but neither are losses due to stolen credit cards, and an IDS/IPS is part of the PCI-DSS3 spec, so not having one can get a business's merchant account yanked. This is the cost of doing business.

Security isn't rocket science. Physical security is well tested and does a decent job against all but armed robbers, and it just takes the same mindset of setting the alarm to go off when the last authorized employee leaves the store at night, having this apply to network protection.

There are also advances in the server room which can make it attractive to focus on moving data in-house. Denser blade/enclosure chassis come to mind. I won't be surprised to see variants on HP's Moonshot with 45 blades in a 5U chassis, future models perhaps sporting liquid cooling, with a dedicated radiator/fan/heat exchanger. Even though Moore's Law has slowed, it still is going fairly strong, and the computers that we will be stuffing in racks in five years will have at least 4-8 times the transistors as the ones we have now.

VDI and remote access aren't standing still either. By allowing for -access- to the data via an application, but blocking access to the machines, this creates another security barrier. Again, not a 100% thing, but it is significant enough to reduce attacks, since sensitive data would be fenced in.

Cloud computing isn't going to disappear. It has its place. However, a business pays for servers, either by buying the physical machines and stuffing them in the data center, or renting usage via a cloud provider. Another downside is that cloud computing (or more specifically cloud storage) requires high bandwidth WAN connections, which can get expensive. A data center can rely mainly on LAN bandwidth which can be a lot cheaper. Smaller businesses can be better off with cloud solutions, but larger businesses may benefit by keeping everything in-house.

[1]: Going on the security tangent, I will toss one thing out that just might help security in general which might be added on in the next few years: Add a time value. A restaurant doesn't need the same physical protection at 12:00 noon as they do at 12:00 AM when nobody is in the store. Same with stores and businesses and their network connections. If a store is closed for the night, their subnets should be isolated from the Internet for everything but security patches, alarms/traps, and other essential communication.

Take a law firm. Unless there is an exception, their individual partner offices, floor, and entire building is locked at night. This should be the same with networks. If nobody is needing access, and exceptions are in place for remote use, then why should there be any Internet access (in/out) when nobody is there? Assuming the blackhats are attacking evenly 24/7, by cutting network access to say, 0700 to 1900, it means that half the attacks mounted against the network would fail.
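As an added example (not part of the comment above), a small Python detector that applies the lockout/alerting idea to constructed Windows 4625-style failed-logon records: it counts failures per account inside a sliding observation window and flags the account once a threshold is reached, which is the alert the comment says would have caught an AD service-account brute force. The log format and all values are made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, modelled loosely on Windows Security event 4625
# (failed logon) and 4624 (successful logon):
#   timestamp  event_id  target_account  source_address
# These are made-up lines for the example, not real log data.
SAMPLE_LOG = """\
2015-11-02T02:14:01 4625 svc_backup 10.0.5.17
2015-11-02T02:14:03 4625 svc_backup 10.0.5.17
2015-11-02T02:14:04 4625 svc_backup 10.0.5.17
2015-11-02T02:14:06 4625 svc_backup 10.0.5.17
2015-11-02T02:14:07 4625 svc_backup 10.0.5.17
2015-11-02T02:14:09 4624 svc_backup 10.0.5.17
2015-11-02T09:01:10 4625 jsmith 10.0.7.42
2015-11-02T09:03:55 4625 jsmith 10.0.7.42
2015-11-02T09:04:20 4624 jsmith 10.0.7.42
"""

def parse_line(line):
    """Split one record into (timestamp, event_id, account, source)."""
    ts, event_id, account, source = line.split()
    return datetime.fromisoformat(ts), int(event_id), account, source

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=20)):
    """Return {account: first_alert_time} for accounts that accumulate
    `threshold` failed logons (4625) within any `window`-long span.
    The two parameters mirror an AD lockout policy: failure count
    plus observation window."""
    failures = defaultdict(deque)   # account -> timestamps of recent 4625s
    alerts = {}
    for line in log_text.splitlines():
        ts, event_id, account, _source = parse_line(line)
        if event_id != 4625:
            continue                # successes don't count toward lockout
        recent = failures[account]
        recent.append(ts)
        # Drop failures that have fallen out of the observation window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and account not in alerts:
            alerts[account] = ts    # first time the threshold is crossed
    return alerts

if __name__ == "__main__":
    for account, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT: {account} hit the failure threshold at {when}")
```

With the defaults, svc_backup trips the alert on its fifth failure and jsmith's two failures stay below threshold; lowering the threshold to 2 flags both.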

Comment A swing back to the glass house, perhaps? (Score 1) 138

I wonder if we will see a swing from cloud computing back to a central managed system, similar to the mainframe concept (first go around), XStations (second go around), JavaStations (third go around), except using VDI and a remote desktop protocol, where the computer on the desk mainly is there to run remote apps, and instead of the apps being on the cloud, they would be moved back to the central datacenter for security reasons.

I have a feeling we will be seeing some major breaches, perhaps a cloud provider getting nailed, divulging a lot of personal and private info. Because of this, I wouldn't be surprised to see a return to having a core data center and all assets going behind the glass walls, especially if insurance companies start dropping coverage if a company doesn't toe the line on regulations, or regulators start doing more than slap-on-the-wrist fines.

Will a move back to keeping the data in one place, and using the next generation of terminals be a mainstay in IT? Not 100%, but a possibility.

Comment Re:The. ignorance is strong in this one. (Score 2) 294

I was wondering that too. A cashless economy only makes one more dependent on banks because if the card doesn't work, one is SOL.

BitCoin is another alternative... but it requires Internet access or else one is at risk of being the victim of double-spending, and to be really sure, one needs the entire blockchain (going on 40+ gigs.)

Were I worried about banks, I'd be doing what our ancestors did almost a century ago -- getting cash out and stashing the currency in mattresses. However, no currencies today are backed by precious metals, so even with this, it might mean one has a bunch of wads of toilet paper instead of a currency that is usable.

Comment Re:They SHORTENED the key length (Score 2) 105

DES did serve its purpose, and I'm surprised it has lasted as long as it has without a real break. 3DES is still usable and secure, although the world is slowly moving to 256 bit encryption algos from 128 bit ones.

These days, if one was wanting to be sure about encrypted data, it might be best to use a cascade, similar to what TrueCrypt does. AES, Threefish, and Serpent would be ideal, since Threefish doesn't use S-Boxes, Serpent has the best security margin of all the former AES candidates, and AES is... well, the standard for the market.
