Comment Re:Demographics (Score 1) 256
At least in Israel, parent meetings are always late afternoon, going well into the evening, and even the night.
And, no, our education system isn't in a wonderful shape.
Shachar
You have to follow the money.
User doesn't update. User gets hacked. How much did user cost Samsung? Nothing.
Use updates. Drivers stop working. User calls Samsung tech-sup. Possibly, user gets told to restore machine, costing user all of their data. User posts bad reviews.
The economy of the matter is that sometimes the drivers mismatch (I'm not sure why this happens) or otherwise fail to work properly. Samsung has very little influence over what drivers get pushed through the update mechanism. When the drivers don't work, it costs Samsung money.
When I worked at Check Point, someone there used to joke that Check Point is in the connectivity business. People know you cannot connect to the Internet without a firewall...
The truth of the matter is that there is no trade-off between security and usability. An unusable security device will get turned off by the user, resulting in less security. Usability is as important a driver to security as avoiding buffer overruns. Obviously, at least as far as Samsung is concerned, MS isn't doing a good enough job on that front.
Shachar
Wow! That's probably the lamest troll I've seen in ages.
Was I supposed to get mad over this? Man (woman?), you should really step up your act.
Shachar
This is not malicious. It is stupid and ignorant, but not malicious.
This reminds me of when someone got Verisign to issue a signed certificate saying "microsoft.com". Clearly Verisign's, and not MS's, fault.
It turned out Microsoft could not issue a revocation, because Internet Explorer does not check CRLs. MS's fault, right? Wrong. They were not testing CRLs because Verisign would not bring up the web server that issues them, causing each and every SSL connection to time out. MS preferred, reasonably IMHO, to be insecure over not working.
Shachar
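The trade-off in the comment above (a revocation check that cannot reach the CRL distribution point must either fail open, accepting revoked certificates, or fail closed, breaking every connection) as an added example, not code from the original page. The "CRL" here is a constructed set of revoked serial numbers returned by a hypothetical fetcher rather than a parsed X.509 CRL, and the URL is made up; the policy logic, including the cache that makes a brief outage harmless, is the part being demonstrated.

```python
"""Revocation check with an explicit soft-fail / hard-fail policy (added example).

Constructed: the CRL is a set of revoked serials from a stand-in fetcher,
not a real X.509 CRL, and the distribution point URL is fictitious.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

URL = "http://crl.example.invalid/ca.crl"   # constructed, never contacted


class CrlUnavailable(Exception):
    """Raised when the distribution point does not answer within the timeout."""


@dataclass
class Crl:
    revoked_serials: Set[int]
    next_update: float        # epoch seconds after which this copy is stale


@dataclass
class RevocationChecker:
    # fetch(url, timeout_seconds) -> Crl, raises CrlUnavailable on failure
    fetch: Callable[[str, float], Crl]
    timeout: float = 2.0
    # True  = hard-fail: no CRL, no connection (the "not working" outcome)
    # False = soft-fail: no CRL, accept anyway (the "insecure" outcome the comment describes)
    fail_closed: bool = False
    now: Callable[[], float] = time.time
    _cache: Dict[str, Crl] = field(default_factory=dict)

    def _current_crl(self, url: str) -> Optional[Crl]:
        cached = self._cache.get(url)
        if cached is not None and cached.next_update > self.now():
            return cached                    # fresh cached copy, no network needed
        try:
            crl = self.fetch(url, self.timeout)
        except CrlUnavailable:
            return None                      # distribution point down or too slow
        self._cache[url] = crl
        return crl

    def is_acceptable(self, serial: int, crl_url: str) -> bool:
        crl = self._current_crl(crl_url)
        if crl is None:
            return not self.fail_closed      # the policy decides, not the data
        return serial not in crl.revoked_serials


REVOKED = 0x1234       # constructed serial that the CRL lists as revoked
GOOD = 0x5678          # constructed serial that is not revoked


def working_fetcher(url: str, timeout: float) -> Crl:
    return Crl(revoked_serials={REVOKED}, next_update=time.time() + 3600)


def dead_fetcher(url: str, timeout: float) -> Crl:
    raise CrlUnavailable(f"{url} did not answer within {timeout}s")


def demo() -> Dict[tuple, tuple]:
    """Outcome of (revoked cert, good cert) under each fetcher/policy combination."""
    results = {}
    for dp_state, fetcher in (("up", working_fetcher), ("down", dead_fetcher)):
        for fail_closed in (False, True):
            checker = RevocationChecker(fetch=fetcher, fail_closed=fail_closed)
            policy = "hard" if fail_closed else "soft"
            results[(dp_state, policy)] = (
                checker.is_acceptable(REVOKED, URL),
                checker.is_acceptable(GOOD, URL),
            )
    return results


def demo_cache_survives_outage() -> tuple:
    """A CRL cached while the DP was up keeps protecting once the DP goes down."""
    checker = RevocationChecker(fetch=working_fetcher, fail_closed=False)
    checker.is_acceptable(GOOD, URL)          # populates the cache
    checker.fetch = dead_fetcher              # distribution point goes away
    return (checker.is_acceptable(REVOKED, URL), checker.is_acceptable(GOOD, URL))


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "revoked accepted:", outcome[0], "good accepted:", outcome[1])
    print("cached CRL during outage:", demo_cache_survives_outage())
```

With the distribution point down, the soft-fail checker accepts the revoked certificate (the insecure outcome) while the hard-fail checker rejects the good one as well (the "not working" outcome). The cache is what makes a short outage tolerable under either policy: as long as a previously fetched CRL is still within its validity window, no fetch happens at all.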
Or is it slander? I'm not a lawyer.
In essence, these sites claim that your site is malware/spam. This seems to me to be an actionable claim.
Furthermore, winning such a court case would also result in companies not automatically listening to those falsely reporting, or placing a proper appeal process into their blocking procedures.
Shachar
You are given nude female workers and beer, and it's the beer you choose to fuck?
I question your self identity as a sexist.
Shachar
It does have a domestic function, but I suspect that's not what you meant. I thought it was implicit in my reply, but here it is explicitly: The NSA does not have any domestic spying function, charter or legitimacy.
Shachar
* By "spying", I mean data collection. Analysis of otherwise legally obtained domestic data is where I'm not sure where I stand. On the one hand, letting a military oriented organization perform police work (and vice versa, e.g. SWAT teams) leads to exactly the sort of bad behaviour we are all glad might soon be over. On the other hand, developing this huge organization specializing in data analysis, and then not using it when you need to, seems like a waste.
Where things stand today, where the overstepping is so huge, I understand people's reaction in saying "no, do not let it do anything domestically". Then again, if we were to start from scratch, I could see a function for it as an operational arm carrying out search and computer related eavesdropping warrants for the FBI.
Like I said, I'm not sure where I stand on this.
No. It does not all die.
First, please remember that the NSA is a spy agency. So long as their targets are legitimate (more on that in a second), they are expected to do everything within their powers to get to it.
Subverting the standards was a low blow, but as the ol' Tennessee saying goes "fool me once.... shame on... you?". Of course, by the time those standards were drafted, the standards body should have already known better (selling Enigma based encryption devices to foreign countries well into the 70's, anyone?). I'm hopeful, however, that we'll get spared "third time a fool".
As for the other activities, well, this is how spying gets done. That is how you spy on people in this day and age. With all of the justified criticism of the NSA, it would still be bad if they couldn't spy at all. They do, in fact, have a function to fulfill, and it is a function that needs fulfilling.
Circling back to who the targets should be. Spying against friendly foreign country leaders is not against the law, or even, as far as I understand it, against the NSA's charter. It is an extremely foolish thing to do, but I don't think changing the law is the way to handle it.
Shachar
100s more stories on this
Why don't you pick ONE that is actually about an actual Israeli company actually backdooring its own products for the Israeli government (or whatever)?
Because that was and is your claim, and neither of the two stories you linked discuss that. The first discusses Skype setting a backdoor, but does not mention Israel in any way or form (and even if it did, Skype is not, and has never been, an Israeli company). The second talks about how the NSA is cooperating with Israeli intelligence, and uses Israeli produced technology. Again, no mention of products shipping to either individual or governmental users being backdoored.
If there are, as you said, 100's of stories, I'm sure you can do better than these two.
still no reason to trust Israeli companies... when it comes to safe software packages
Still bullshit FUD.
Shachar
Spreading FUD all over, aren't we?
First, Skype is not, and has never been, Israeli. ICQ hasn't been Israeli for ages and ages (sold to AOL, that's America Online, in 1998). That's 17 years ago. Either way, a search for "ICQ snowden backdoor" shows nothing relevant in any of the first 10 results, causing me to question the validity of trusting you as a source. If I'm wrong, by all means, please do provide sources.
Second, I used to be in charge of Check Point's product security (late 2000 to early 2003). If any Israeli product is backdoored, you'd expect Check Point's Firewall-1 to be it. In order for that to work, I'd need to know about it, or I might accidentally close the back door. I give you my word as a non-anonymous long time user of this site that no such intentional back doors exist in the product. I have never been asked to not fix a problem I've found, or to not look for certain types of security problems.
During my time there, a few security problems were found in FW-1. If memory serves me right, most were in the management and not in the actual enforcement unit. Either way, I have never seen such a problem and thought "this seems intentional". They always seemed like no more nor less than the usual sloppy programming creating security holes.
Israel has a notorious "cipher law". I actually did produce an encryption product. I only registered it after several years in which it was freely available through SourceForge. The registration process included me sending a request with links to the web site, and a reply saying it was approved as a "free encryption device" (i.e. I do not need to re-validate it unless I change the crypto).
Now, I know the usual FUD about rsyncrypto, and I know people will say that that's because rsyncrypto's encryption sucks to begin with. All I can say about that is that the cipher law makes it legal to use freely available encryption from the internet without restriction (i.e. gpg, ssh etc.). They also list the number of applications they processed and denied, and the last time they denied any application was around 2002 (I cannot find the page right now, sorry).
So, all in all, I think this:
i never saw anything come out of Israel that wasn't backdoored... ICQ, Skype etc
i think the Snowden files had things about this also
is concentrated bullshit.
Shachar
Started a new job about eight months ago. Asked for a Unicomp keyboard, but said I'd bring my own first so people have a chance to object before money is spent.
In a room with two other people, one didn't mind and the other did object. Went with a MS ergonomic 4000 or something.
Moved to another room. Roommate said he also owned a Unicomp. Next room over had people sensitive to noise. We decided to both bring our buckling springs on April 1st and see what people say. March 31st, one of the next door programmers talks to me about how another programmer in his room has a noisy keyboard (membrane with keys not going up all the way, nothing on the order of magnitude of a buckling spring). Asks if he can move to our room. I put on a straight face and say "sure, come by tomorrow and see how things work out for you".
Due to unrelated circumstances, I am away from work for the next week. When I come back, to my surprise, the next door programmer has not moved in. It appears that, despite repeated assurances from my roommate that this is all just an April Fools joke, the mere fact that the keyboard is on my desk, unused, has deterred him from moving.
Shachar
Just to add to your comment, there are the beginnings of studies that claim they can distinguish between those who can and those who can't as early as the first day of school.
Shachar
Reported a zero day used to attack my site two weeks ago. Attached tcpdump of attack.
Have not heard back. Not even a simple "We've received your report and will get around to it whenever".
Shachar
Let's tone down the ad-hominem, please.
I brought forward the period of time the data was published as an indication of intent. It does imply that the publication was unintended.
There is a Hebrew proverb, "the law will puncture the mountain". It means strict adherence to the letter of the law, regardless of circumstances (or common sense).
If you say "that's the agreement, and he violated it, however brief and however unintentional", then you still have to account for the 30 other vulnerabilities, for which Groupon is also refusing to pay, for no good reason at all.
Shachar
Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.
You mean "thing", right? Only one, only by mistake, only for a short period of time.
I'm with the researcher on this one.
Shachar