I'll answer in the affirmative to satisfy your supposition.

We got your reply, what more can we ask?

But since its quality of development (and the discussion herein) centers in its GDP per capita, it kind of doesn't matter a flying turd if its population is just 1.2 mills, does it?

Oh yes, they can be. Should I provide you with examples? Now, I have no dog in this fight as of who is better or worse, liberals or conservatives. But anyone who thing racism is strictly a non-liberal trait is full of shit.

By the FCPA, they wouldn't even need to claim that the corruption took place on US soils and/or using US banks. All it takes is either a US national or legal resident, or US company or US-based subsidiary of a foreign company (Traffic Sports USA) to engage in bribery of foreign officials, or be bribed by foreign officials. Bribery and being bribed by foreign officials is the hallmark of FIFA, and that organization pretty much screwed itself up the moment it established links with US companies.

The US is not alone in this. Many developed countries have similar provisions with a global scope (fraud/bribery of this type committed anywhere). A lot more have similar provisions only on a local scope (only those committed locally.)

This FIFA thing is a good thing, but unfortunately the penny arcade crowd is going to tear it down in their endless, nihilistic pursuit for yet another reason to be upset or whatever.

The Foreign Corrupt Practices Act of 1977 (FCPA) allows the US to prosecute anyone, anywhere, irregardless of citizenship for specific forms of fraud so long as said person has caused US companies or US-based offices of foreign companies to commit said type of frauds or has used the US banking system to commit said type of frauds. Traffic Sports USA is a company being investigated for that that type of fraud, and so many other businesses tied to either FIFA or CONCACAF.

Now, when I say specific forms of fraud, the law strictly refers to fraud intended to manipulate of foreign politicians or foreign state agencies or to partake in exchange of benefits or gifts with a foreign politician or foreign state agency or representative. The nomination of Qatar for the next World Cup (as a result of a payment under the table to secure those right) falls into that category.

If there were no nationals (or national or US-based business entities) involved at all, then FCPA wouldn't apply at all, and there wouldn't be any news to blather and bloviate about.

You hit it on the nail with this one.

Eng 101. Resources are not infinite. Didn't anyone thought about cycling logs? Or treat it as a circular buffer? What happened to capacity testing? Or better yet, catastrophe testing as is, what happens when the system runs out of space. This does not look like data that is critical to keep. Critical to capture yes, but not critical to keep. Most on board systems, embedded systems and/or systems with minimal resources use a circular buffer to capture control events for these reasons.

This is not a web site project, but an freaking spaceship. I can see clueless developers doing these kind of mistakes in web/enterprisey systems (I know, I've seen). I couldn't have imagine this on a much more critical type of system... but then we have the Ariane 5 incident.

A control system should by default reboot itself and clear its non-critical logs when running out of space, or at worst, keep running without logging the events. This is so trivial to test, did the system and software engineers never saw a use case that capture this scenario.

They don't always work if you don't test for them exhaustively... and they are not hard to test... and their continuous testing should be a priority at every release/test cycle. The engineers in this project are far more intelligent that I am, I'm sure of it. But man, this specific problem, I'm like "dude, wtf?"

The questions I suggested are specific to individual systems and departments, not to be applied to the entire organization as a whole. Then the collection of the results per system or department constitute a global snapshot of how security is handled.

Yes it does. Unless you do a job that requires direct person-to-person interaction (medicine, nursing) or tied to regulation by necessity (law), or that requires hand-on work (utilities), you are going to compete with H1B and and global workforce no matter what.

Deal with it. That has been the norm for, what now, 15 years? For 15 years I've been told that my career is going to go poof because H1B labor or because some guy in Bangalore makes 1/5 of what I make, as if software/IT work can be directly compared to picking up fruits or something. In my first 5 years of work, I doubled my salary, and in the 15 years that followed, I've doubled it again.

And I've also been laid off a couple of times, one time 6 days before my first child was born. Tough shit, such is life. You adapt, you fight, you learn, you re-learn, you borrowed Teddy Roosevelt advise ("“Whenever you are asked if you can do a job, tell 'em, 'Certainly I can!' Then get busy and find out how to do it.")

We have to compete against H1B workers and a global workforce? Yes. End of the world? Yes if you suck.

To compete, you need to build your network, and you need to have specialized skills that are on demand. And that requires a baseline education, CS education or something comparable, or related experience.

This has been a fact like, forever. H1B workers and globalization are just a new constant in the polynomial.

I would disagree with you on this (somewhat). There are well established practices on how to build secure systems, for each major development platform (JEE, .NET, RoR, etc) and also for general decision-making.

Any organization, big or small, needs to be able to come up with scenarios and questions for things that need care, and for which it might need to provide evidence of attention. The important thing is to execute due diligence when it comes to defending your business against attacks, and to demonstrate providing evidence of such due diligence.

If we are in e-business or are bound by PCI, HIPAA and/or SOX compliance, the following questions would come to mind (just an example):

1. Are we addressing the top 10 risks identified by OWASP?
2. 1. If so, can we quickly identify how we address them?
   2. What other risks identified by OWASP do we address and how?
3. How do we address CERT alerts and advisories?
4. Are we on top of security patches?
5. Are the underlying systems security patches up to date?
6. 1. If so, can we quickly provide evidence of this?
7. If we are bound by HIPAA and/or SOX how do we address security concerns that might stem from these regulations?
8. 1. How do we quickly provide evidence (evidence of process and assurance)?
9. Do we have a multi-tiered architecture, or do we run everything co-located?
10. Are back-end databases on their own machines, in their own subnets outsize of a DMZ?
11. Are "mid-tier" services on their own machines, separated from databases?
12. Are they in a DMZ? Are they proxied by a HTTP server in different machines?
13. Do we have firewalls? If so, do we keep an inventory of their rules?
14. Are we up to date with patches for network assets (firewalls, SSL appliances, etc)?
15. Are we still on SSL 3.0 or older versions of TLS?
16. Do we specifically disable anonymous ciphers?
17. If we use LDAP, do we disable anonymous binds?
18. Do we use IPSec to secure all communication channels (even those internally, a requirement for banking in several countries)?
19. If not why? How do we compensate?
20. If we are in E-Commerce, how do we demonstrate that we are PCI-compliant?

In my opinion and experience, these questions present the starting point for a framework to determine the right level of security in a system. More should be piled on this list obviously, but anything less would open a system to preventable vulnerabilities.

And that is the thing. The right level of security is the one that helps you deal with preventable vulnerabilities that you, the generic you, should know well in advance, vulnerabilities that are well documented. How costly the prevention is, that is a different topic, and any business will be hard press to justify to an insurer that they forego to deal with a vulnerability because it was too expense.

Answers to those questions and evidence of such would constitute proof that an organization followed reasonable due diligence in establishing the right level of security. Moreover, it will have a much greater chance to disarm an insurer trying to find a way to avoid covering damages.

Notwithstanding the ongoing abuses done in the Insurance business, insurers have rights also. My general health and life insurance is not going to pay up my family if I kill myself while base jumping with blood alcohol levels up the wazoo.

Tuataras are neither dinosaurs (clade Archosauromorpha), nor lizzards (order Squagmata). They are Rhynchocephalia, distantly related to the Squagmata, both orders being Lepidomorphs. It is almost as comparing Marsumials with Eutherians.

Java in the browser died 15-16 years ago. How is that relevant to any conversation nowadays? This is like saying "dinosaurs are dead" (no shit) while discussing bee colony collapse syndrome (a contemporary phenomenon.)

And apparently you are still stuck in the early days (like 15-16 years ago) because I have not seen anything like that since the late 90's.

OMFG, this tells me you are complete unfamiliar with the concept of "back-end" software, which is where Java/JEE runs supreme. Amazon, Google, a ton of shit that runs on those platforms, that's all Java. And we are not mentioning all the banking stuff that is out there also written in Java.

Seriously, you are stuck in the 90s', and thus, your opinions can (and should) be ignored without any doubt or feeling of guilt.

What does Java has to do with a browser? Oh, let me guess, you are still in late-90's-applet-land?

MySQL is dead? Really? Tell me where you get this information, fanboi?

Uh?

More uh?

Because those two are so mutually exclusive. You people are dumb. If you do not want to be an armed country, that's great, just be open about it as opposed to pretending to have an army with broomsticks in lieu of heavy machine guns.