
Comment Statistics and Economics (Score 1) 396

1. No client talks to any other client directly: managed routers.
2. Servers run A/V.
3. IDS, e.g. snort (free)
4. Firewall departments as well as outside world
5. Patch users' machines regularly for the major exploit targets: IE, Firefox, Adobe Acrobat, Flash
6. A $299 netbook, in a safe, that is the only machine used to admin salesforce and other online services.

There are two ways that your organization can be infected before you can react to it:

1. A local network worm, i.e. TCP/UDP from one client to another.
2. An email worm, i.e. Outlook.

Either of these can and will bypass *any* security solution implemented on the client.

Most attacks are neither: they are attacks intended to compromise a single machine. 80% of these are things like Adobe PDF exploits.

Stopping a local network worm is simple: Clients do not talk to each other. All it takes is a managed router. Clients talk to servers. Specifically their own servers.

Stopping an Outlook worm is more complex, unless you want to piss people off. It's pretty easy to strip everything but plain text out of email. But there are other methods. First, email spamming the whole company gets quarantined, and the user told (automatically) that mail doesn't work like that. Second, any email to a distribution list is refused if it has an attachment. Use an in-house equivalent of sendthisfile.com, or sharepoint (!), or something like that. That may take some getting used to, so an alternative may be that such email is distributed slowly, e.g. after 30 seconds. Or the user has to confirm it with a second email. There are good reasons not to have users passing around documents in email but instead to have some kind of centralized document management system. There are also good reasons to allow them to. So you are going to have to use your judgment on this. Any solution that *you* write is going to be immune to automated worms (unless someone with inside knowledge targets you deliberately).

Why NAC/NAP/SEM is a waste of money:

1. The chance of anyone being infected in an organization is fairly small.
2. The chance of the whole organization being infected if just one is infected: very high.
3. When running things like NAC/NAP/SEM, users' machines get pretty slow.
4. NAC/NAP/SEM simply don't offer complete protection against attacks.
5. Running NAC/NAP/SEM etc reduces users' productivity when there are no attacks.
6. NAC/NAP/SEM cost a lot of money.

You should read this: End Users Buck Security Advice For Economic Reasons

Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. So implementing any security advice, he argues, should incur only 0.98 seconds per user per day to actually reduce the time involved. But it eats up much more time than that, which demonstrates that security advice provides a poor cost-benefit trade-off to users, he argues.

All that other bullshit adds huge costs to your company, and doesn't stop bots. I worked at a company that used SEM or something like it. We got a worm. Still had to bring routers down. Still lost days of network while it was cleaned up. Here's the *big* question: if it works, why is it not guaranteed? If you pay for something like this, and you get a worm, Symantec should come to your building and clean up all your computers for free. Why don't they offer that? Because they would go bankrupt in a month.

Increasingly, small businesses use things like Salesforce and online services. Online attacks are going to be aimed at stealing users' passwords. So the most important thing is getting it into the boss's head that his day-to-day account should not be the one that has full control, i.e. add/delete users, etc. But most successful businessmen are rational, and when you explain that there are viruses that do nothing other than steal salesforce passwords, as you type them, then he/she will get it. Try to persuade him/her to have one machine that is for admin only. It can be a $299 netbook. Tell him to keep it in his safe at home.

Comment Re:Is it really necessary to ask? (Score 1) 396

#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.

There are plenty of root escalation attacks, on plenty of operating systems, including linux.

#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. if you're on XP, your best solution is likely something from say Symantec, Mcafee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.

That's one way, if you want to spend a ton of money on software that can be easily bypassed. Question for you: why are your windows machines all talking to each other? Question 2: *how* are they talking to each other?

#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.

Ok, yes, a firewall might be a good idea.

#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.

Policeman: Hello, are you a thief?
Thief: No.
Policeman: On your way then.

Here is the bottom line: Client machines cannot be trusted. If you think installing anything on the client machine will improve security then you've already failed. You think Symantec can do a better job than Microsoft?

What to do about that?

1. Clients only talk to servers. Share C$ all you like, but other windows machines can't see it. How? Managed routers.
2. Servers run anti-virus, especially on the email side.
3. Intrusion Detection, e.g. Snort.

Comment The absolutely fatal assumption (Score 1) 410

Defending against adversarial strategy 4 – modify detection code. The security against adversarial strategy 4 follows directly from assumption 2 (code optimality), with the exception of a “kamikaze strategy” in which the adversary corrupts the execution of some of the steps (as described in section 3), and then willingly loads legitimate code and removes itself. Such an adversary could only corrupt step 1 of the process, as it will have to be overwritten during step 2 to avoid detection. Moreover, it needs to correctly perform the setup in step 1; this means that the only harm it can do is to cause an incorrect state to be swapped out in step 1. It can write anything it wants to to swap space. It can place a copy of itself in the swap space, or a copy of a legitimate but vulnerable application, with an input triggering an opportunity for malware to be loaded. However, the swap space will be scanned along with all other memory during step 5, and any known malicious configuration will be detected.

If an adversary corrupts stage 1, there is no stage 2, just a fake stage 2.

Holy shit. Seriously. Did this guy also certify the DRM for Ass Creed 2?

Comment Meditation (Score 1) 628

I visited a meditation garden with my family. It was a very beautiful place. Our children were excited and making quite a bit of noise. A polite lady asked us if we could keep our children quiet because people were meditating. We agreed. It had walls, this garden. And a gate. We will be going back.

Comment Ah, the joys of open gardens (Score 2, Interesting) 628

At the store, Roark had never been told that his HTC Eris has Android 1.5, nicknamed “Cupcake.” Until told by a reporter, he had no idea what features he’s missing as a result. For instance, free turn-by-turn navigation is available in the latest version, Android 2.1 (”Eclair”), but is only available to Cupcake users for $10 a month from Verizon.

Read More http://www.wired.com/gadgetlab/2010/03/android-version-confusion/#ixzz0iJv1DstU

The carriers have been fucking us for years. Half the talk on forums is how to uninstall the shitty bloatware that carriers install on the android phones. Hey, at least with an android phone you *can* do it, unlike every other motorola, nokia slow-fest.

The iphone is the best phone I've ever had. It has an alarm that works, and I can set for only weekdays. How hard is that???? It has a battery life of more than a few hours (I'm looking at you, my Samsung windows mobile phone). It has a headset with a NORMAL HEADSET JACK. It charges by plugging into my USB. How is it that such simple pleasures make this the best phone ever? Because all the others are corrupted bloatware pocket fillers, courtesy of the "carriers".

The iPhone works because Apple took on the carriers. The various Droid market is failing because carriers are worse than M$. Between you and google is a carrier. Good luck with that!

Comment Re:He's right. (Score 1) 628

The iPad is a slap in the face to what Apple is supposed to stand for.

Apple is a business. It is legally required to stand for its shareholders. I'm not sure where you get this "supposed to" bit. It may be what Woz used to stand for. I doubt it's ever what Steve stood for. You seem quite upset or disappointed by this.

When they do that, I'll stop complaining.

Do you find this form of communication to be effective? I think you might feel better if you just let go. The openness that you describe as the Apple ][ is alive and well. It's called Linux. Be happy.

Comment Re:First rebellion (Score 1) 703

Really? We don't need cars anymore? Or railroads? Or food? Or houses? Or TVs?

The fact is that those jobs could very easily "come back". Why is it that we can protect "Intellectual Property" with draconian international treaties, but we can't protect jobs?

And before you laugh at me for "basic international economics", I advise you to go and, say, spend a year at a university actually studying it, maybe a good one, like Cambridge, like I have.

These "basic international economics" that we all hold to be true and self evident, are simply the repeated recipes of the international rich for making money while your country goes to shit. Closing our borders to international trade stifles growth, they will tell you. I see. Is that a good argument? How is that housing growth 2001-2008 working out for you?

We live in a country where 15% (15%!!!!) of houses are EMPTY. 18.7 MILLION HOUSES are empty. And I can't afford to buy a house.

So the next time someone tells you that closing borders stifles growth, that does not *automatically* mean that it is bad. Ok?

Comment Re:First rebellion (Score 1) 703

Here is the key question: In a *democracy*, do you believe that:

a) the poor masses will vote for increasing social benefits, that rely on increasing taxation, and increased payments to "social partnership" industries (i.e. for profit beneficiaries of government programs), or
b) the USA will roll back social programs, thereby holding tax levels in check, and deal with the multiplying poor by some other means (e.g. churches, riot police) etc.

For years we have heard of the benefits of offshoring, and indeed there are benefits. But the downside is that your entire country either ends up with 70% taxation, or class war, or both. The UK is about 30 years ahead of the US in this regard.

Very simply, we are funding China into the 21st century. We are paying them to make us things, and paying ourselves unemployment benefits. Instead, we should be paying *our* unemployed to make things, and let China deal with 4 billion unemployed.

But that isn't as profitable for our super rich.

Frankly, the only good thing I see coming out of this is when the ultra rich of European ancestry attempt to move to the next world empire, they'll discover that the Chinese have got hundreds of years of white people's racism to pay back. It was easy for the rich to ditch the British Empire (remember that?) to move to the US Empire. Would love to be a fly on the wall when they go to China.

Comment The Rules and advice *for the question asked* (Score 1) 407

It would appear that most people have responded with knee jerk "my language is better than yours" without actually reading the question, or the referenced material. Well done, all of you have just failed your job/contractor's interview.

Short answer: Use C. Teach them it well. Teach them about data. Teach them about "restrict". Challenge them to win.

Long answer:

First observation: This is not a "programming" competition. It's a mathematical computing competition.

Second: There are winners and losers. Therefore not everyone gets 100%. Either contestants write code that fails to do the job, or contestants write code that doesn't do it fast enough. Finally, in the event of a tie, the judges may select winners based on other criteria (than just pass or fail) and therefore they could conceivably use execution time as a decider. Do you know if they have done so?

Much of the judges’ input data will be far more taxing than the sample input given in the question statements, and may push your program over the time limit. In this way, efficient programs will be rewarded.

But:

Programs written in Visual Basic, Java, PHP or Python may run slower due to the overhead of the associated interpreters and/or virtual machines. The judges may at their discretion increase the time limits for these languages accordingly. Contestants should note that this will not give these languages an advantage.

Well, that sounds completely and utterly arbitrary. When dealing with C-like java, which is what you will use for the problems you'll face in the competition, java is not much slower than C if it's compiled, but it may not be. And VB.NET (NOT VB6) can be as fast as C. Python is always interpreted.

How will the judges increase the limits?

It's likely that the judges will benchmark their ideal solutions against each other. If the java version of the same solution in C takes 20% extra, then that is the extra time they allow. So it should be safe to write in java or python if you want to.

But why?

I assume from your choice of competition that you are teaching students to go on to mathematical and scientific endeavours, not programming. This is an important difference. For example, until "recently", you were better off programming large data sets in FORTRAN, because C was unable to optimize properly thanks to pointer aliasing. However, the GNU C++ compiler that they are using will support the restrict keyword, so it can handle large data sets. Java, python, etc are languages for the web, not for scientists. (Ok, unless you are using java as a scripting language to drive something like Mathematica, but this is NOT what we are discussing here).

Teach them C. The competition specifies GCC/C++ 3.4.4 or later, which means you can use the __restrict__ keyword also, if they get the hang of writing algorithms.

Here are some more of the rules, for my peers whose internet connections cannot reach Australia.

Program Restrictions
• Students should write a computer program to solve each problem.
• Programs should read input only from the input file(s) specified in the question statements, and should send output only to the output file(s) specified in the question statements. The input and output files should be assumed to be in the current directory. Any output to the screen will be ignored, and no input from the keyboard will be supplied.
• The format of the input file will be specified in each problem statement.
• The desired format of the output file will also be specified in each problem statement. If you do not adhere to this output format, you may lose marks for your solution. The only exception to this will be that judges will ignore any spaces at the beginning and end of each output line.
• Each solution should be a single source file, written in one of the following languages:
– C
– C++
– Pascal
– Java
– Microsoft Visual Basic
– Visual Basic .NET
– PHP
– Python
• Java solutions must be contained in a single class called Solution and must be run from the routine public static void main(String[] args) within this Solution class.
• Visual Basic solutions must be run from the subroutine Main() and must not use any forms (i.e., each solution must be a console application).
• Regarding the use of libraries or other external functions:
– C and C++ programmers may only #include headers from the standard C and C++ libraries. In particular, C++ programmers are allowed to use the string class and container classes such as vector and list.
– Pascal programmers may not import any units except for Math, Strings and/or SysUtils.
– Java programmers may not use any classes aside from those in packages java.lang, java.io and java.util. Java programmers may not use dynamic loading of classes or any of the introspection features of the language. For instance, routines such as Class.forName() or classes such as java.lang.ClassLoader may not be used.
– PHP programmers may not use any functions provided by extensions or external libraries.
– Python programmers may not import any packages except for sys.
• Programs must be single-threaded and single-process. For instance, C and C++ programmers may not call fork() or system(), and Java programmers may not use the class java.lang.Thread or call Runtime.exec().
• Students may be disqualified if their programs:
– attempt to read from or write to any files other than those specified in the problem statements;
– attempt to make network connections;
– contain any malicious code designed to harm or alter the judges’ computer(s);
– otherwise attempt to subvert the judging system.
• The source code for each solution must not exceed 40,000 bytes in size.
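As an added illustration of the "teach them about restrict" point (editor's example, not the poster's code and not from the AIO): a `restrict`-qualified kernel next to its conservative twin, plus a wrapper that checks the no-overlap promise before taking the fast path, with an in-place prefix sum as the overlapping case. Function names and the sample arrays are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Fast path. The restrict qualifiers promise the compiler that dst, a and b
 * never overlap, so it may cache loads and vectorise: this is what lifts the
 * pointer-aliasing handicap above. Overlapping arguments are undefined. */
static void add_restrict(double *restrict dst, const double *restrict a,
                         const double *restrict b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = a[i] + b[i];
}

/* Conservative path: no promise, so each store may alias the next load. */
static void add_plain(double *dst, const double *a, const double *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = a[i] + b[i];
}

/* 1 if [p, p+bytes) and [q, q+bytes) share a byte. Compared as integers,
 * since ordering pointers into different objects is itself undefined. */
int overlaps(const void *p, const void *q, size_t bytes)
{
    uintptr_t x = (uintptr_t)p, y = (uintptr_t)q;
    return x < y + bytes && y < x + bytes;
}

/* Safe entry point: check the restrict promise instead of assuming it.
 * Returns 1 when the restrict path ran, 0 when it had to fall back. */
int vec_add(double *dst, const double *a, const double *b, size_t n)
{
    size_t bytes = n * sizeof(double);
    if (overlaps(dst, a, bytes) || overlaps(dst, b, bytes)) {
        add_plain(dst, a, b, n);
        return 0;
    }
    add_restrict(dst, a, b, n);
    return 1;
}

/* In-place prefix sum of {1,2,3,4}: dst = x+1 overlaps both inputs, and the
 * result relies on x[i] being updated before x[i+1] is computed. */
static double prefix_sum_last(int *path)
{
    double x[4] = {1, 2, 3, 4};
    *path = vec_add(x + 1, x, x + 1, 3);   /* x[i+1] = x[i] + x[i+1] */
    return x[3];                           /* 1+2+3+4 = 10 */
}
double demo_prefix_last(void) { int p; return prefix_sum_last(&p); }
int    demo_prefix_path(void) { int p; prefix_sum_last(&p); return p; }

/* Disjoint buffers take the restrict path; returns the sum of the results. */
double demo_disjoint_sum(void)
{
    double a[4] = {1, 2, 3, 4}, b[4] = {10, 20, 30, 40}, dst[4];
    int path = vec_add(dst, a, b, 4);
    return path ? dst[0] + dst[1] + dst[2] + dst[3] : -1;   /* 110 */
}
int main(void)
{
    printf("%g %d %g\n", demo_prefix_last(), demo_prefix_path(), demo_disjoint_sum());
    return 0;
}
```

Calling `add_restrict` directly on the overlapping prefix-sum case is exactly the bug the wrapper prevents: with optimisation on, the compiler is entitled to read all of `a` before writing `dst`.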

Comment PARC? Didn't that used to be good? (Score 1) 410

Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.

Further assume that this detection algorithm, running in kernel mode, must be loaded into memory itself.
Then further assume that the compromised kernel on which it is running has not modified the detection algorithm. (Because no one writes kernel malware)
Then further further assume that no one will spot this really obvious flaw before publishing it.


Good Language Choice For School Programming Test? 407

An anonymous reader writes "The Australian Informatics Olympiad programming test is being run in a couple of months. I'm an experienced programmer and I'm thinking of volunteering to tutor interested kids at my children's school to get them ready. There will be children of all levels in the group, from those that can't write 'hello world' in any language, to somewhat experienced programmers. For those starting from scratch, I'm wondering what language to teach them to code in. Accepted languages are C, C++, Pascal, Java, PHP, Python and Visual Basic. I'm leaning towards Python, because it is a powerful language with a simple syntax. However, the test has a run-time CPU seconds limit, so using an interpreted language like Python could put the students at a disadvantage compared to using C. Is it better to teach them something in 2 months that they're likely to be able to code in but possibly run foul of the CPU time limit, or struggle to teach them to code in a more complicated syntax like C/C++ which would however give them the best chance of having a fast solution?"

Comment Re:How great (Score 1) 394

Except the FDA's job is to make sure that big pharma can maintain its patents. If any doctor can just cure you, where will Athersys and their "stem cell derived drug", be? Hell no. You will get your cure from a properly paid up lobbying company, not a couple of geniuses who have the nerve to avoid indentured service and signing away their ideas.

Comment Re:The Issue at Hand (Score 1) 447

You forgot to add IANAL, though perhaps that would be redundant.

You bring up the idea of "industry practice" and existing law.

At best, after a fun time in court, the client could hope to get the binary, functioning application and costs. More likely, since US copyright law and industry practice is unarguably on the side of the developer, the client would be counter sued for non-payment, lost profits and legal costs, and lose. Except no lawyer would take the client's case without a hefty retainer (knowing they'd lose), so it's moot.

BTW, IANAL either. But I do do this for a living, so I have consulted one.
