Comment Re:Argh (Score 1) 92

>Stuxnet infected a PC, causing it to change the signals it was sending to
>motor speed controllers, thus fouling up a process. Which is why you keep
>your SCADA PCs as far away from the Internet as you possibly can.

Stuxnet actually reprogrammed the PLCs, too. See the analysis at

http://www.symantec.com/connect/blogs/stuxnet-breakthrough

Comment Re:Cheap, but what about ongoing costs? (Score 1) 140

I work for a company where data is subject to HIPAA (United States' Health Insurance Portability and Accountability Act - a law whose provisions also address the security and privacy of health data). Our data has been encrypted -- at rest and in transit -- for years. The loss of private health information, like what Blue Cross did, is a serious crime under HIPAA and subject to major fines (in this case, at least tens of millions of dollars, probably, given how large the breach was). The initial cost to encrypt and any ongoing expenses will be pocket change compared to the fines that Blue Cross is potentially facing, with increased fines for repeat offenses.

In practice, once you have disk-level encryption set up for data at rest, and network encryption for transmitted data, your on-going costs are pretty minimal. There's some central administration and IT support to administer and maintain the tools, and your ISO needs to do some compliance reviews and risk assessments to make sure that things stay encrypted, but after installation they are pretty transparent.

Blue Cross should have been doing this all along. Nothing like a large fine to focus the mind.

Comment "Secret phonebook problem" variant (Score 1) 108

>Scale makes all the difference in many things.

The argument against Google's streetview seems to be a variant of the "secretive government agency phone book problem". In that example, the entire phone book is classified but individual numbers are not.

https://webcache.googleusercontent.com/search?q=cache:-x18fG3G-ioJ:www.acsac.org/secshelf/book001/24.pdf+&hl=en&gl=us

Similarly, Google is right that it is taking pictures of public streets, which people are generally free to do (sensitive locations notwithstanding), but the objection is to the compendium of pictures as a whole. This seems to many to be a security problem, possibly because of how easy it makes it for someone to do reconnaissance without actually visiting and taking their own photos, the act of which, presumably, could be detected.

Comment Re:Here's proof that... (Score 1) 114

...it is definitely possible to write secure software if you just simply follow sound and smart development methods and practices... and don't write half-assed, slipshod, thrown-together-in-a-hurry code.

Proof? I don't see any proof in the article that the NSA produces secure software, or even a claim that they do. Instead, the NSA Technical Director quoted in the article said "even within the NSA, the problems of application security remain maddeningly difficult to solve." That doesn't sound like they have solved the problem, but that they, too, are grappling with a fundamental issue in software development.

Comment Re:"Legacy"? (Score 2, Insightful) 73

Firewalls, anti-virus, and URL blockers are not legacy systems at all. They are the state of the art in security precisely because they have to protect legacy operating systems and applications, or new systems built to be backward compatible with legacy systems, which are the real "legacy" problem.

People use all sorts of old software because they have such a huge investment in systems and applications that are built on them. But that old software keeps needing to be patched. For example, there's Windows, of course, 'nuf said, and applications like Adobe Reader. Adobe has to come out with a new patch every week to fix another critical flaw, but they can't simply drop it and start from scratch to fix fundamental flaws - it's not economically feasible. And large numbers of businesses still use IE6, for crying out loud, because of all the infrastructure they've built around it. You can put all the security system armor you want around that soft, chewy center, but there will always be gaps.

As critics like Bruce Schneier have been pointing out for a long time, on the other hand, we've known how to prevent whole classes of attacks for many years, but no one seriously expects these fixes to be implemented because of the economics.

That said, there's no protection when administrators and users do stupid things with passwords and the like. Phishing will always work, no matter how hardened we make our systems. At best, we can put bounds on the damage.

Comment It destroys memory and weakens the mind (Score 1) 218

“[It] destroys memory [and] weakens the mind, relieving it of ... work that makes it strong. [It] is an inhuman thing.” The "it" referred to is writing. These words are attributed by Plato to Socrates, but you could easily replace Socrates with Carr and writing with "the Net" and you have essentially the same argument.

Comment Airforce handicaps (Score 1) 148

Few women, no gays, age limit. Then, too, there's the religious intolerance that has been reported at the Air Force Academy. (Google it; there are a lot of articles, most from when it was first reported in 2005, but also since then.) I wonder what percentage of people with the talents needed to be "cyberwarriors" are evangelical Christians?

Living In Tokyo's Capsule Hotels 269

afabbro writes "Capsule Hotel Shinjuku 510 once offered a night's refuge to salarymen who had missed the last train home. Now, with Japan enduring its worst recession since World War II, it is becoming an affordable option for people with nowhere else to go. The Hotel 510's capsules are only 6 1/2 feet long by 5 feet wide. Guests must keep possessions, like shirts and shaving cream, in lockers outside of the capsules. Atsushi Nakanishi, jobless since Christmas, says, 'It's just a place to crawl into and sleep. You get used to it.'"

Comment Re:Win for Tivo - Lose for Customers (Score 1) 437

I have over 60 hours of programming on my DishNetwork DVR! How will I ever find time to watch it all before my DVR is disabled?

On the other hand, how would I ever find time to watch it all if it isn't disabled? If I had time to watch all that much TV, I wouldn't have so much stored on the DVR. Most of the stored stuff is old PBS shows or serious movies that I "should" watch, if I ever get around to it. This reminds me of the article about Netflix a short while ago, where it was found that movies people really wanted to see were watched and returned overnight, but movies that people felt they "should" see ("Schindler's List" was mentioned) tended to remain unwatched for weeks and then were often returned unwatched.

I'd better off-load to DVD the stuff I really want to save, though, just in case.
