The Federal numbers are an average for cars that cost $500,000 to $25,000 my 2007 civic will lose less than $3.00 for the 3000 miles added to it, it's already at the bottom of the curve and even adding 10,000 miles will not change it's "resale value" that has no real meaning as I dont intend to sell it.

And "major repairs" don't come from miles, they come from abuse and lack of proper maintenance.

Now my Ferrari F40, that would have a much higher depreciation for those miles.

From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

And one of the aspects where I disagree with him:

Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target.

He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

And 100% agreement with your air gap recommendation.

With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies.

He's got it right there. Once you are online you can be attacked by anyone anywhere. The only advantage you have is that you control the wire in your organization. Wireless is more of a pain. But you can see every packet moving on the wire.

It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here.

In my experience, the problem is not money. The problem is EGO. Someone is always convinced that what they are doing is more important than following what the IT nerds say and they have the political clout within the company to force exceptions be made.

It is the exceptions that damage your security.

It is the exceptions that allow the easy-to-prevent attacks to get a foothold on your network. THEN the more advanced attacks are unleashed.

Well if you look at what has been "common knowledge" in SF in years past ...

And she gets her terms wrong.

Knowing that we are not alone in the universe would be a profound realization, and contact with an alien civilization could produce amazing technological innovations and cultural insights.

The universe includes all the galaxies. Our sun will probably burn out before we get a message from another galaxy. Stick to your own galaxy. That is difficult enough.

Which brings up the next error:

Even if I am wrong -- even if the majority of alien civilizations turn out to be biological -- it may be that the most intelligent alien civilizations will be ones in which the inhabitants are SAI.

SAI is her term for "superintelligent artificial intelligence". So she has just written a tautology. Unless you want to get into super-superintelligent or ultra-superintelligent.

And the rest is more of the same.

How much coding was involved? I'm not aware of the mechanics of the break-in. It could have been pure social engineering. It could have been a mole. That doesn't involve any coding. It could have been spotting a vulnerability. People who do that usually do some coding, but such attacks involve a lot of analysis of existing code as opposed to creating new code. The actual attack may require code; but it's usually not a lot. So. "Coding" as the "super-power" behind the attack? Meh.

They're computer crackers. What are they going to do? Why all the fear?

Guys fron San Quentin once attempted an escape with a makeshift canoe painted with the legend "Rub a Dub Dub, Marin Yacht Club!". It sunk and they were re-imprisoned.

Not really, just keep a low profile long enough to make it to Mexico.u.

Yup, and they survived so they said "plausible" but if you read the after notes they both firmly believe they absolutely survived.

It's not as expensive to spend the money to properly maintain your security than it is to have it massively breached and all your data stolen.

Not as expensive if you only count money.

But in my experience, the problem is the upper executives and their insistence on special exceptions for them and their people who are doing work that is just so important that they cannot be burdened with following the security that applies to non-important people.

And I hope Sony, and all other Big Companies (tm), learn a lesson.

I think that this reinforces the wrong lesson. Everything is okay as long as you can find someone else to blame. Whether it's an employee or a hacker group or a country. The focus will be more on THEM rather than Sony executives who broke security so that they could feel more important than the nerds in IT.

I recently moved from hand-written HTML for my personal site to Jekyll, which is the engine that powers GitHub pages. It does exactly what I want from a CMS:

• Cleanly separate content and presentation.
• Provide easy-to-edit templates.
• Allows all of the content to be stored in a VCS.
• Generates entirely static content, so none of its code is in the TCB for the site.

The one thing that it doesn't provide is a comment system, but I'd be quite happy for that to be provided by a separate package if I need one. In particular, it means that even if the comment system is hacked, it won't have access to the source for the site so it's easy to restore.

How is your LAN secured? If it's wired, then I assume that you know about ARP poisoning attacks. If it's wireless, then I assume that your post was intended as a joke.

That's the best way of securing a connection, but it doesn't scale. You need some out-of-band mechanism for distributing the certificate hash. It's trivial for your own site if you're the only user (but even then, the right thing for the browser to do is warn the first time it sees the cert), but it's much harder if you have even a dozen or so clients.

The 'brought to you by' box on that site lists Mozilla, Akamai, Cisco, EFF, and IdenTrust. I don't see Google pushing it. They're not listed as a sponsor.

That said, it is pushing Certificate Transparency, which is something that is largely led by Ben Laurie at Google and is a very good idea (it aims to use a distributed Merkel Tree to let you track what certificates other people are seeing for a site and what certs are offered for a site, so that servers can tell if someone is issuing bad certs and clients can see if they're the only one getting a different cert).

It depends on your adversary model. Encryption without authentication is good protection against passive adversaries, no protection against active adversaries. If someone can get traffic logs, or sits on the same network as you and gets your packets broadcast, then encryption protects you. If they're in control of one of your routers and are willing to modify traffic, then it doesn't.

The thing that's changed recently is that the global passive adversary has been shown to really exist. Various intelligence agencies really are scooping up all traffic and scanning it. Even a self-signed cert makes this hard, because the overhead of sitting in the middle of every SSL negotiation and doing a separate negotiation with the client and server is huge, especially as you can't tell which clients are using certificate pinning and so will spot it.