Comment Re:"cloud" = "someone else's computer" (Score 1) 241

As always, security is not a line-item. You cannot purchase "security".

I prefer to measure "security" as "how many people can successfully attack X".

If fewer people can successfully attack X after a change then that change has made X more secure.

If more people can successfully attack X after a change then that change has made X less secure.

So moving anything to "the cloud" will result in it being less secure. In almost every instance.

Comment Re:Is it more difficult? (Score 1) 241

I think more and more IT is becoming a manager of services, instead of a manager of servers.

Services run on servers.

Users access services that are running on servers.

When there are companies out there making the basics easy to manage, then you can afford the time to get the Like buttons running.

I keep getting marketing literature from companies promising that. But it never seems that they can deliver on their claims. Instead, it's just another service that needs to be maintained.

Just PATCHING systems includes identifying/testing/deploying:
firmware
drivers
OS
apps
for every server / workstation / switch / router / firewall / wireless connected to your network.

Comment "cloud" = "someone else's computer" (Score 3, Insightful) 241

The main problem is that most of the people making "IT decisions" do not understand the full impact of those decisions (or believe that they will not be held responsible).

Moving anything "to the cloud" simply means moving it "to someone else's computer". How do you judge their security?

What happens when one of their other clients is arrested for something illegal and the "cloud" computers get confiscated?

Anyway, from TFA:

If IT wants to stay relevant, we're going to have to find a way to leverage our deep understanding of technology to a new environment, working with other parts of the organization and relying on influence and expertise instead of gatekeeping and rigid rules.

Which will NEVER work. Spend some time reading up on the latest cracks that leaked credit card info. If you have to rely on "influence" you should look for another job. There will always be someone with more "influence" than you.

Comment Why does it keep working? (Score 1) 772

If I were President and I felt that X was necessary then I would document why I thought X was necessary and that I was solely responsible for X.

Afterwards, I'd release that to the media.

There wouldn't be any of these rolling revelations. Everyone would know that I thought it was necessary to torture persons A, B and C (and no one else) and that they were tortured and (redacted) information was collected and that the people who did so did so under my DIRECT ORDERS. No one else tortured anyone other than A, B and C.

Instead, we have denials, euphemisms, "extraordinary rendition", "black sites" and unsubstantiated claims.

Comment I prefer this memo. (Score 4, Insightful) 772

I prefer this memo:
http://www.theatlantic.com/daily-dish/archive/2007/05/-versch-auml-rfte-vernehmung/228158/

Part of being the "good guys" means NOT being the "bad guys".

More people die in traffic accidents EVERY YEAR than the "terrorists" have ever killed here. So why give up a morally superior position to "fight" people who pose almost no threat to anyone outside their own countries?

Comment Mod parent up. (Score 2) 102

So 1,800 "cyber-warriors" crash 48,000 machines. Or ... each "cyber-warrior" crashes 27 machines. Yeah. Big threat there.

And crashing 48,000 machines? What is "elite" about that?

This sounds less like "a sophisticated cyber-warfare cell" and more like a few script-kiddies. If you want to cause damage then you search for Excel files and you make a few, random changes to the numbers. Do the same with any database files you can find.

And, lastly, you NEVER crash a machine. You want to maintain control for as long as possible.

So, yeah, it reads like bullshit propaganda. It probably is.

Comment Where slashdot got it wrong. (Score 1) 132

First rule of crowd moderation: flagging as abusive/trolling/offtopic will be used as 'I don't agree'.

Yep. Which is why /. should require that every down-mod be accompanied by a short explanation of WHY it fit "abusive/trolling/offtopic".

Up-mods don't matter. If you want to mod something up then no explanation is necessary since they don't "bury" unpopular opinions.

Comment Those with an agenda. (Score 1) 132

What kind of people are those going to be who volunteer to do a corporation's job?

That would be those people who already have an agenda that they believe could be furthered by restricting other people's accounts.

Tyranny of the majority.

And that isn't counting hiring people to do that. For just $X a day, you can down-vote posts opposing Y and up-vote posts supporting Y. Think about whatever political position you don't like and imagine those people doing that.

Bennett Haselton is an idiot. That's okay.

The fact that Bennett Haselton's idiotic ideas get front page posting on /. is a problem. Why did samzenpus feel that this was worth posting?

Comment Re:"Culture Fit" is an excuse for discrimination (Score 1) 139

You had me at rich.

Know what you want and then go after it.

If you want "rich" then tech probably is not the career path for you.

But seriously...if they got rich by knowing enough tech to found and build a startup, what's your beef with them?

Some did get rich through their technical skills. But more did it through business skills, relationships and such.

So what if it is a rich white frat guy.

Because the rich, white, frat guy will hire his frat brothers instead of you. One of them will be named CTO/CIO and that person will hire a manager and that manager will hire you. They get the stock options and you get a salary.

If you want to be part of that group then you go to that school and you join that frat.

Learn to deal with them and it might get you in the circles of people that are getting wealthier and help you do the same.

And that is the core problem. You see the tech person as lacking something that needs to be improved in order to join the frat brothers.

What do the frat brothers bring to the company?

You are disposable. There will always be another one just like you that they can hire. They can get a dozen resumes with a single call. That's if they don't just get someone on a H1B visa.

Comment Re:Purpose (Score 1) 37

I'm more interested in how the crackers collected the passwords for the INTERNAL email systems at these companies.

Or had those companies outsourced their email?

Because the crackers would have to, repeatedly, craft emails that were convincing enough to persuade their victims to submit their INTERNAL email passwords to an EXTERNAL site. Without anyone becoming suspicious enough to look into it.

Dear Alice, please go to this website and enter your email password and do not ask me why the next time you see me in person because it is a secret.
Sincerely, Bob

Comment Re:I don't understand this ... (Score 4, Informative) 184

The bit of 'spreading life' doesn't make sense.

That's what I thought, also. Even if they were dragging planets with them (is it possible for planets to orbit that fast?) wouldn't the planets have been sterilized by the conditions at the center of whatever galaxies they came from?

Just finding one of them should be cool enough. There's no need to postulate about "life".

Comment Re:Incomplete Online Systems Planning (Score 3, Insightful) 38

I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.

I worked with a company that used TrustWave for their 3rd party pen test. The TrustWave person was ... okay ... but he was only allowed to "test" for 5 work days (Mon-Fri) not counting travel time (no Mon morning or Fri afternoon). Or evenings/nights (take his laptop to his hotel). So, in total, less than 40 hours before declaring the system "secure" enough.

A real cracker could rack up double that in a 3 day weekend. Even with only one compromised machine.

And the "real time monitoring tools" usually only detect the script kiddies. Which is a positive step. Just not enough of one.

I think that the core problem is that "computer security" as a concept is way beyond the cognitive capability of most management types.

It really comes down to YOUR skills in PROTECTING the systems
v
the skills of EVERYONE in the world who can script automatic ATTACKS against those systems.

So right from the beginning YOU are at a disadvantage. Then YOU also have to COMMUNICATE the risks and requirements and costs to management. Every single day that you are NOT cracked (or the crack detected) means that YOU were wrong AGAIN about the risk of not spending $X on sub-system Y.

And management types do understand the concept of "inflating" your budget/status by overstating the real risks/rewards.

Comment Not sufficient for prosecution. (Score 1) 152

I thought we argued on all the downloading stories that an IP is not an identifier?

It is not sufficient for prosecution.

First off, an IP address can be re-assigned. So you'd need an IP address and date/time to be able to link it to a specific ISP account.

Each account can have multiple machines behind it that may or may not belong to that account (depending upon the security of their wireless network for example or whether any have been cracked already).

So an IP address is not sufficient for prosecution BUT it can be a personal privacy issue.

Comment Good call. (Score 4, Insightful) 152

Bennett Haselton spends 1341 words on what should be a 3 sentence summary.

If you want to know whether X accessed the mayor's dropbox (why is the mayor using dropbox in the first place) then you need to
a. get the IP addresses & times that they were used to access it
b. match the IP addresses to ISP user accounts at those times

Now, if the judge does not support you, personally, having access to the IP addresses then the judge can appoint a disinterested 3rd party to handle it. You are only interested in the ISP user accounts and whether those belong to lobbyists.

There! Done! And no need for Bennett Haselton's weird tangent on cracking via web browsers.
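Steps a and b of the comment above, and the "IP address plus date/time" point from the "Not sufficient for prosecution" comment, as an added example that is not part of either comment: a small Python script that parses constructed access-log lines and matches each (IP, timestamp) pair against a hypothetical ISP lease table. The log lines, lease intervals and account names are all made up for illustration; a real ISP would hand over RADIUS/DHCP records in its own format. The lease intervals are half-open, so an address handed over at exactly 18:00 attributes to the new holder, and the same IP resolving to two different accounts on the same day shows why a lookup by IP alone is ambiguous.

```python
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple

# Constructed sample data (not from the original posts).
# Access log as a web service might record it: timestamp, client IP, request.
ACCESS_LOG = """\
2014-12-10T14:03:11Z 203.0.113.45 GET /mayor/files 200
2014-12-10T22:17:09Z 203.0.113.45 GET /mayor/files 200
2014-12-11T09:40:02Z 198.51.100.7 GET /mayor/files 200
2014-12-12T01:00:00Z 203.0.113.45 GET /mayor/files 200
garbage line that should be ignored
"""

# Hypothetical ISP lease records: (ip, lease_start, lease_end, account).
# Note that 203.0.113.45 changes hands at 18:00 on 2014-12-10.
Lease = Tuple[str, str, str, str]
LEASES: List[Lease] = [
    ("203.0.113.45", "2014-12-10T08:00:00Z", "2014-12-10T18:00:00Z", "acct-1001"),
    ("203.0.113.45", "2014-12-10T18:00:00Z", "2014-12-11T06:00:00Z", "acct-2042"),
    ("198.51.100.7", "2014-12-01T00:00:00Z", "2015-01-01T00:00:00Z", "acct-3310"),
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text: str) -> datetime:
    """Parse a UTC timestamp such as 2014-12-10T14:03:11Z (raises ValueError otherwise)."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, client_ip) pairs from the access log.

    Lines that do not start with a valid timestamp and IP are skipped;
    real logs always contain a few unparseable lines.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = parse_ts(parts[0])
            ip = str(ip_address(parts[1]))  # normalises and rejects non-addresses
        except ValueError:
            continue
        events.append((ts, ip))
    return events


def lookup_account(ip: str, ts: datetime, leases: List[Lease]) -> Optional[str]:
    """Return the account that held `ip` at instant `ts`, or None if no lease covers it.

    Intervals are half-open [start, end), so a hand-over at exactly `end`
    belongs to the next lease holder.
    """
    for lease_ip, start, end, account in leases:
        if lease_ip == ip and parse_ts(start) <= ts < parse_ts(end):
            return account
    return None


def accounts_for_ip(ip: str, leases: List[Lease]) -> Set[str]:
    """Every account that ever held `ip`: shows why IP-only attribution is ambiguous."""
    return {account for lease_ip, _, _, account in leases if lease_ip == ip}


def attribute(log_text: str, leases: List[Lease]) -> List[Tuple[datetime, str, Optional[str]]]:
    """Step a (collect IP + time) followed by step b (match to an ISP account)."""
    return [(ts, ip, lookup_account(ip, ts, leases)) for ts, ip in parse_log(log_text)]


if __name__ == "__main__":
    for ts, ip, account in attribute(ACCESS_LOG, LEASES):
        print(ts.isoformat(), ip, account or "<no lease on record>")
    print("accounts ever behind 203.0.113.45:", sorted(accounts_for_ip("203.0.113.45", LEASES)))
```

The fourth log line has no matching lease and comes back as None rather than being guessed, which is the honest answer when the ISP's records do not cover that instant. Even a successful match only names the account holder, not the person at the keyboard, which is the second caveat the earlier comment raises.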
