
Comment Re:Christmas is coming early this year (Score 1) 702

Take away the security and you don't even need "smart" or "poised".

No one is saying that there should not be any security.

Keep security static and you don't need smart people - just enough attempts from dullards until they chance upon a workaround, the way penicillin eventually adapts to an antibiotic.

You might want to review that. And the "dullards" still need a basic level of competence. And that basic level of competence is what is extremely rare.

But not non-existent, as history has shown.

And it will never be "non-existent". Ever. As long as airplanes are still used. So putting "non-existent" as a criterion means that you will always fail.

And you will never know if the money being spent is not being wasted because the incidents are so rare already.

So your point about "reducing risk" is meaningless.

Comment Re:Christmas is coming early this year (Score 1) 702

Think in terms of Venn diagrams: start with "people who want to blow up an airplane".

I'd change that to "people anywhere in the world who want to blow up a plane in the USofA". Which is a large number of people.

But then:

Now add "operatives smart and poised enough to carry out the attack but willing to kill themselves in the process".

Another slight change. "Operatives smart and poised enough to carry out the attack in the USofA but willing to ...". This is a very, very, very small number.

You don't need any of the other qualifiers because with just those two criteria you've reduced the number to almost non-existence.

So the problem would be to find someone who fit the "smart and poised" category. Once that person is found, you can teach him/her whatever is needed from a technical standpoint.

It's not insanity - it's all about reducing risk.

I disagree. The risk is already almost non-existent. Causing more difficulties for non-threat people will not reduce the risk any further.

Comment Re:So post the info here. (Score 1) 401

I think you've missed the point.

I think I nailed the point. YOU claim that YOU cannot find people to hire for a position that YOU cannot identify or even characterize. Is it programming? Is it networking?

There is no glut of competent workers.

And yet YOU cannot characterize the position that YOU claim YOU have open except:

I'm not even looking for particular skills or experience. Just people who are genuinely into technology.

So you will train people who are not currently qualified ... but there isn't anyone who is qualified.

Not all businesses allow you to post jobs to Slashdot, although I suppose I could lobby to change that internally.

If you're running the ad on Dice or someplace then post a LINK to that posting.

You are quick to claim that you cannot find qualified people (even though you'd train someone who was not qualified) but rather reticent to post any information about the opening you claim to have.

That's suspicious.

Your statement about narrowing my search is also part of the problem with this industry. A good engineer can work on almost anything.

No. A good automotive engineer CANNOT design a bridge as well as a good civil engineer. And neither of those are electrical engineers.

And someone looking for a programmer would NOT have any problem stating that AND what language(s).

Comment So post the info here. (Score 2) 401

I've been trying to hire developers for multiple high-compensation positions in NYC.

So post it here.

Truly smart/capable/motivated people are not looking for jobs. They are already employed.

Yes. Usually. So you have to offer them something MORE than they have at their current job to make them willing to take a risk on a new job.

I'm not even looking for particular skills or experience. Just people who are genuinely into technology.

Yeah. You might want to re-evaluate your criteria.

At least narrow it down to whether you're looking for a programmer or a CCIE. Is this about writing drivers? Or programming EPROM chips? Or iPhone games? Or encryption? SatNav?

Comment Re:Waste of time (Score 2) 131

...(1) the only contributors are employees with time on their hands, who tend to be the drones.

Maybe. They do need extra time to type something up that can be read the way they intended it.

Those employees who actually know something useful to you are too busy to waste time with crap like this

I'd say it was because the people with the knowledge are busy applying that knowledge to the issues that have arisen that affect X people. Do they have time to type a reply to your question if your question isn't shared by X other people?

We've all had to wade through different forums looking for answers where there are thousands of threads NOT related to what YOU are having a problem with.

And no one thinks about the problem the same way YOU do. I cannot print. Why? Because I changed my password and forgot it and cannot login to get the document to print it. So it is a printing problem.

(2) the only employees who will tell you anything at all are ones you have actually met face to face - otherwise you are not a real person, and they don't trust you, no matter what you say.

I've seen this in action and it annoys me. The people who get their problems addressed are the people who:

a. Have the time to camp out next to someone until that someone fixes their problem.

b. Have a manager who can demand that the other manager re-allocate their workers' time to fix the problem.

c. Have already established a friendship with the person who can fix the problem. I brought cookies for you! Hope you like them. By the way, there's a small problem with the X. Could you look at it sometime?

Comment Re:besides that (Score 2) 131

Employers can read your emails, so having a 'conversation' on a social tool should not be a problem as long as you don't include stuff you wouldn't include in a meeting or email.

But that is the problem. There are already different avenues for that same professional interaction.

If you want a permanent record of something you write it down and submit it to management.

If you want a permanent record of the discussion of something you put it in email.

If you do NOT want a permanent record then you meet in person. Or use a phone that the company does not control (record).

They are really to do work related stuff, explore ideas and share information.

That's too much of mixing the informal with the formal. And leaving a permanent trail. People can already do that at the water-cooler or coffee machine WITHOUT it becoming a permanent record at HR. And if someone is remote you can always include them on speaker-phone.

Comment Re:besides that (Score 1) 131

Think about the things you do and say with your friends AFTER work.

How many of those things would you want to personally document for your boss (and his boss and his boss ...)?

So when those interesting things are absent from the "social" media part it becomes just another boring means for management to distribute work-related material. Just like all those boring "team meetings" that you are forced to attend. Where the exact same material will be covered AGAIN for anyone who did not read the internal site.

Comment Cargo-Cult Sociology (Score 4, Insightful) 221

"I don't know why it's important for physical sports to have gender segregation, but they do it and people recognize them as legitimate! If we segregate by gender, maybe that's what will make people recognize us as legitimate!"

Just like in programming, this line of thinking clearly translates down to "I have no idea what I'm doing, and I have no idea what the consequences of these choices are, but I'm just going to bang at things until something works or everything breaks."

(Spoiler alert: usually, everything breaks.)

Comment Re:Jesus Christ, just use OpenBSD! (Score 1) 86

OpenBSD has been designed and built from the ground up to be nearly impervious to malicious intent.

No it hasn't. It gets lots of code audits, which eliminate buffer overflows and the like, but does nothing to prevent properly operating malicious software. You want "trusted" computing for security against internal threats, and OpenBSD doesn't do it. Something like RHEL with SELinux properly configured and working, would offer better resilience to the kinds of attacks in question.

OpenBSD was no more immune to the OpenSSL heartbleed bug than any other platform.

Comment Re:No airgap? (Score 1) 86

And if you're really paranoid or anal, keyboards are cheap to replace -- or randomly cycle different brands/models/styles of keyboards between a set of PCs at random intervals...

Oh good! Now all I need to do is find a way to insert my hacked keyboard into the bunch from your order, and I can pwn your airgapped network in short order.

Once my malware is in, of course it'll spread over the insecure (no updates for systems on an air-gapped network) private network. From there, it could just cause everything to self-destruct at a prearranged time, or it could start searching for ways to communicate data back to me... be it the disabled wifi on one single machine on the network, or optical, if a machine with a webcam on the internet happens to be facing towards any of the air-gapped systems. Hell, depending on what it controls, you could modulate a tiny amount of information into the power grid output, or similar.

Comment Re:No airgap? (Score 1) 86

I would have thought some of these should be airgapped for security reasons by design? Is it so hard to go to work these days that you have to hook it up to the outside?

These systems aren't just ignorantly plugged in to an internet connection. But still, you NEED to be able to input data to them, including software updates, and you NEED to get data out, like real-time status updates sent to grid operators. Having someone typing in every bit of data won't work, and connecting it to internet-connected systems by any method, such as RS-232 serial or others, or just sneakernetting with USB, DVD-Rs, etc., offers the possibility of hacking.

Comment Re:perhaps a slice of crow for the US? (Score 1) 86

The CIA once destroyed a gas pipeline in 1982 by hacking malicious controls software into a system purchased by them from Canada.

Your summary is just absolutely AWFUL. Obviously, no Canadian pipelines were damaged... Instead the CIA had a Canadian company sabotage their own SCADA software, knowing that the Soviet KGB was going to steal their pipeline control systems, with that software on it.

Secondly, it's a story from a single source, unconfirmed, that has been disputed by others. So it may actually have been shoddy construction, instead of sabotage, which doesn't support your claim:

https://en.wikipedia.org/wiki/...

Now the cows have come home. America is finding itself on the receiving end of increasingly sophisticated attacks

Except the attacks were coming in hard and heavy, long before Stuxnet. It's incredibly ridiculous to claim that nobody else would be doing it, if the US didn't participate... It's just too tempting a target for the Chinese and Russians to miss out on, and the US allowing itself to fall behind would be disastrous and negligent.

http://www.afr.com/p/technolog...
