>> Can we talk about the culture of crime that exists among rich white men in the financial industry?

Oh, shut the fuck up, you weak-minded twat. I'm beyond tired of hearing this useless analogy trotted out as though it's somehow compensatory. I'll tell you "Why is that?": Relatively speaking, I, and I suspect most people, really don't give that much of a shit about white-collar crime. If something happened that affected me personally somehow- and I don't mean in the greater "it costs all of us" sense, like insurance fraud- you bet I'd be pissed.

But I wouldn't be dead. Or worse. Gunshot- or beating-induced paralysis is quite the bitch. I might wind up poor, but I'd still be around to play with my kids, run in the park, that kind of wonderful mundane nonsense.

*That's* what people are concerned about. And *that's* the kind of violent crime perpetrated, vastly disproportionate to their numbers in society, by "brown and black people".

I've been working with Cisco gear since 1992 or so, and I've seen a continuous drive to crap. Once rock solid products are now feature- and bug- bloated, impregnable silos exist between the product lines, support simply sucks on both an account team and TAC level... and every time Chambers puts forth a quarterly report he doesn't seem to have anything good to say. (Mind you, I appreciate honesty, but sometimes as CEO you have to sell the company a little).

Perhaps if they spent a little more time preventing the attrition of decent people they'd see some benefits.

"Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container)."

You might want to go read up on SSLStrip before you make that assertion. There are a bunch of other utilities that do basically the same thing, but their names escape me at the moment.

Admittedly, SSLStrip relies (generally) on the target ignoring the bad cert warning, but if you've compromised the target and inserted your root CA into the "trusted" list, well... no more warning. And, as someone else mentioned, if you're a netadmin and control the end nodes, there are lots of companies that will sell you inline appliances that will do exactly the same thing- completely transparently.

WebSense and PaloAlto 6.0- and probably others- will even let you take the cleartext off-box for DLP, or "archiving".

How much you want to bet that one of the trusted root CAs distributed with all browsers (eg, VeriSign) is an NSA plant? Trust no one.

Amusingly, if you go to the Smithsonian Museum of Technology (iirc) there is/was a display of some Bell Labs stuff where they were (until fiber immediately- at the time- made it obsolete) doing *exactly that*. Little 1cm or so tubes, carefully soldered together, to form microwave waveguides.

I bet you could pick that patent up for cheap... er, maybe not any more.

Not debating your points, but I'd like to see people stop regurgitating the bullshit fucking meme about "half the people are below average". Half the people are below the *median*. Half the people are below the *mean* only if the data happen to fall that way, a perfect bell curve being one distribution for which this is true.

Data: 1, 1, 1, 1, 10. (n=5).
Mean: 2.8.
Q: How many points are below the mean? (Hint: it ain't 2.5.)

1. Out of The Inner Circle, Landreth. Read this in 1986 or so when it originally came out. Holy shit, did that change my life. It put me on the vector that, among other things, has me reading Slashdot today.
2. M*A*S*H- Hooker. Besides being ripping funny, introduced me to the concept that if you're really good at what you do, you can get away with a lot. A whole lot.
3. 1980 Signetics Linear IC Databook. Never underestimate the learning capability of a curious kid on a remote farm with no internet access ('cause it didn't exist. Well, not as we know it.)
4. War Games. Yeah, so it's a movie, but life-changing nonetheless. See items 1-3.

No, not really, at least not in my experience. The primary motivation is to be able to peer into SSL/TLS traffic to see if there's malware using it as a transport. Internet caching is... well, I won't say a dead technology, but at least in the enterprises where I've worked bandwidth is sufficiently cheap (and caching proxies tend to break stuff unpredictably) that they typically don't bother.

Consider: if you don't block 443, and you don't decrypt/examine it, that's a wiiiide open hole out of your network for any botnet members to phone home or exfiltrate data... or a host of other things. It's a real problem.

Wrong.

The https proxy server is trusted as a signing CA. It generates server certs real-time for any requested https content, then retrieves the content for you on the other side- via it's own https session- before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.

Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, noone else can. There's still a reasonable amount of security there.

Although it depends a great deal on the proxy admin to keep it secure...

You're almost right. There are a number of commercial appliances (Websense makes one, which I've deployed for corporate use) that do exactly this so the corporate powers-that-be can peer into SSL encrypted traffic. This is generally (hopefully) for IDS/IPS purposes.

The key is that:

1. Corporate workstations have to be loaded with a CA cert generated by the appliance so they trust all certs issued by the appliance, and
2. The fake server certs are generated *real time*. Pre-generation isn't necessary.

So the reality is that this happens every day if you're running one of these systems. You raise an interesting point, though, that if a CA with their CA cert already in browser distros did this, it would be pretty much undetectable. However, then anyone with one of those appliances could do this man-in-the-middle attack, rendering the CA's infrastructure/reputation worthless. Additionally, they'd have the CA's private key, which is the crown jewel of a CA- so I doubt that would happen.

Now, if someone maliciously inserted their CA key into a browser distro, well, that opens the door for all kinds of fun...

J-.

Sigh. Not always. You have to look for positive expectation games in casinos, but they can be found. Google "positive expectation video poker" if you don't believe me.

Also, there's card counting at blackjack, of course, but you'll be detected quickly and summarily removed.

That said, if becoming a VP playing drone is your idea of fun, that's your business. I'm there for the free beer and to have fun, and I'm willing to pay a nominal fee to do so. Playing craps, getting loaded, and minimizing that fee are what I enjoy. Did you know that depending on how you play craps, you can make the house advantage asymtotically approach zero?

J-.

I've worked in a number of military-oriented institutions (TLAs, if you get me) and while I have nothing but respect for the warfighter, I rarely found any of them to be technical superstars. Like any population, there were a few, but overwhelmingly they were put-the-square-peg-in-the-square-hole guys. They could memorize a manual and know everything about a piece of equipment (well, on a sysadmin level), but innovation was not their strong suit. At all.

And this is why the government/military has had and will continue to have immense problems attracting really, *really* good people to work in their CyberCorps or whatever they're calling it now. There's too much procedure in those circles; good techies quickly go insane.

One thing I did find, though, was that *usually* the officers had damn good project management skills and knew how to solve problems, support their people, and get the job done. That skillset is really universally applicable to all fields, though, and not just IT.

What are you, twelve? Free speech *especially* protects offensive (ProTip: who decides what is offensive?) speech.

I can't believe people as stupid as you exist. Well, actually, I can. Let me guess: you're in San Francisco, right?

You've never seen those rules? Where do you play? They're all over the place in Vegas and Atlantic City. I've also seen games where you could only double on 7, 8, and 9, no resplits, all kinds of stuff. Wizardofodds.com has a table with all those stupid rules and their impact on the house edge. Interesting reading. And don't just mistrust the CSMs, they help the house too- since there's always the same (many) number of cards in play naturals are less likely. Bastards.

But people still play them... Oddly, I've found- especially in Vegas- that the higher end casinos have the worst rules. You'll almost always find the best rules in the dumpy little off-strip places. Hmm, Fremont St. is calling to me...

With the wealth of information available at your fingertips, you really should have done some research before posting that. I even told you what to look for.

I'm quite serious- and I'm right. You have to read the pay tables and find a video poker terminal that has been configured for positive expectation. Why the casinos do this I have no idea, since yep, they're potentially losing money on that one- but in any decent sized casino you can usually find a couple. I suppose the likelihood of a skilled player wandering by is low enough that they don't care. After all, you still have to play the game in mathematically optimal fashion. There's certainly no shortage of idiots in casinos.

War story- I've seen- more than once- a roulette pit where half the wheels were single zero and half were double zero. Every wheel had players. (Hint: the double zero table has roughly twice the house edge of the single zero game.) I've also seen a 6:5 blackjack table next to a 3:2 table, with identical rules otherwise- both occupied. Sadly, people are, on average, not very bright.