Comment Re:Argue w/ the numbers (Score 1) 298
A guy whose evidence is "I've seen stats", without linking to them shouldn't be lecturing about hard evidence.
A guy whose evidence is "I've seen stats", without linking to them shouldn't be lecturing about hard evidence.
On PC platforms perhaps. Not on server platforms.
Dominance where exactly? A helluva lot of Windows development is still done in C/C++. Java still has massive penetration in the enterprise. I'll admit that
Platter technology will end up being pushed to the NAS/SAN, which is why WD is making their red line of drives.
Perhaps HDDs, now that speed and capacity are secondary, they will start evolving down the path of reliability, perhaps replacing tape as an archival medium.
NAS drives are going to be a big market, especially with devices like Apple's new MacBook with limited expansion capability, so people will use WiFi Direct hard drives as their main backup source, as opposed to USB drives. In this use, capacity is limited on the MacBook, and speed is limited, so drive makers (hopefully) will end up working on leapfrogging each other for reliability and security.
I have a third option: An admin passphrase that is a lot longer than my user passphrase, but had more retry attempts. That way, if the short passphrase gets typoed, I can still unlock the device with the admin one.
You are right about backups... that is why I have three of the USB tokens, just in case.
Had a similar choice when giving a laptop to a relative. I went SSD instead of SSHD because SSDs are physically more resistant to shock.
However, if given the choice with a desktop... I'd probably still use SSD, just because when I delete a file and fstrim the drive, the file is -gone- for good, since the drive controller will come around, write "1"s to all the pages that file used and call it done. Of course, keeping good backups when using SSDs is wise, just due to this exact thing.
I wonder if the ideal password manager would be one that would use a typed in password as a seed/IV (hash a seed and the sitename), with exceptions stored for sites which don't allow passwords generated with that tool to work. Some sites require a number, a capital letter, lower case letter, a symbol (well, not all symbols work), or some other random, annoying combination of the above.
Of course, the ideal password manager would store the password database with a master volume key, then each device accessing it would have the MVK encrypted to its public key. This way, if someone wants to add a device, they just allow access on another device. If someone wants to remove access, it is doable, but it would be wise to re-encrypt the DB to a new key for security. This is how PGPDisk did its encryption, and it completely deters brute-forcing, should someone get access to the data stored on the cloud, since there is no password, so the attacker has to deal with the entire key's keyspace.
Since the private key is on the device, the user just needs a PIN to unlock (with a timeout after too many wrong attempts), rather than a longer passphrase. Both iOS and Android have secure storage (KeyChain for example) which makes this easy to implement securely.
I prefer 2FA when possible. Even a very tough password means nothing if by some means, it gets sniffed by some keylogger, or the password database on a cloud provider gets brute-forced.
For storage where one is using a passphrase for encryption, as opposed to authentication, I like using cryptographic tokens. TrueCrypt used to work with a PKCS#11 library so I could store a keyfile on a set of Aladdin/SafeNet eTokens. This not just made the key immune to brute force guessing... someone who physically possesses the token has three guesses of my unlocking passphrase before the token locks itself forever and zeroes out the stored keyfile. This also works with Symantec's PGP version, except that generates a public/private keypair, the private keypair always remaining on the token, while the public part is used for the file/drive encryption.
If 2FA isn't possible, then as above, some mechanism to help with password reuse is very wise. This is useful just in case some website decides to store passwords in plain text, so a person's secure "correct horse battery staple" is now compromised and added to every blackhat's brute forcing library.
All consumer level ones are that shitty. Time Machine does have some OS level protection, but most just dump data to an external drive. Overwriting the files or just a format of the filesystem can easily destroy that backup.
Windows Server Essentials 2012 R2 has "pull" functionality to grab data from desktops. Another utility is Retrospect which can have a client installed on desktops.
Of course, the ideal would be a backup appliance like an EMC Avamar that deduplicated. Think Time Capsule, except that the appliance initiated the backups, stored them securely, and did the deduplication. Add decent disk encryption (perhaps a startup password or PIN entered on the appliance's webpage to mount the backup drives), and this would help versus malware.
Most backups would be erased or encrypted by the ransomware. The problem is that people think in terms of disk failures or hardware failures, so have their backup solution based around this. Just this in mind, going with two SANs that replicate with each other asynchronously is the best thing to do, since the data is always available.
However, this doesn't factor in software designed to corrupt/encrypt backups over a long haul. This is going to take a dedicated backup server that pulls backups and stores them in a place where a machine cannot access (and thus tamper) with stored data. It also takes a long data retention policy, just in case.
However, in a lot of places, backups are like security -- they are viewed as having no ROI, so at best, you might get some mechanism to stash stuff on disk, but if a machine can back up to the disk directly, it likely can erase/modify stored data.
The fact that no attack occured gives the talking heads leeway to claim there was no "terrorist attack."
A terrorist is a person who attempts to bring about political change by "illegitimate" (i.e., non-state) violence.
Mass murder is only terrorism if it is an attack on a political entity, or is an attempt to scare a nation's population into something.
Unless someone says, "We're going to keep crash your planes until you do such-and-such", this isn't terrorism. There's no attempt to bring about political change involved, only murder, motive unknown.
As long as that's all you're using it for!
One scenario that I worry about with cloud providers is exactly this. The provider goes bankrupt, sells all data to someone else, and they now have all the servers and can use the container information, free, clear, with nothing the clients of the former cloud provider able to do about it legally, barring copyright violations.
Both Borders and RS both show a lesson -- yes, there is a privacy policy with company "A", but when the servers get under the ownership of a new company, that policy is out the window, and the data can be used for anything that the new owners desire. Multi-TB torrent? Perfectly legal.
If a cloud provider changes hands, I can see a new company digging through data just to extort people. Say they find a sex toy maker's customer list on a server. They can then send out a note that all customers of this maker will have their named published unless they "buy into" a privacy policy (removing the name from the list) for the low price of $99.99. Since the new company 100% owns the data, free and clear, this is perfectly legal.
I bought lots of stuff off of RadioShack back in ye olden days. Two computers (an MC-10 and a CoCo3), several game ROMs, two printers, a one-sided floppy drive, OS/9 level 2, and dozens of doo-dads for various projects.
So yeah, if RadioShack wants to sell the fact that I bought a TP-10 thermal printer back in 1983, then go to town!
2.4 statute miles of surgical tubing at Yale U. = 1 I.V.League