Comment Re:Totally reasonable ruling (Score 1) 149

These are claims; a judge would require proof of this. The hack and calls will be hard to prove (unless she recorded the calls), but presumably there is proof of the fraudulent purchase. Even so, she'd have to prove that the thieves got the CC details from the St. Joseph leak and not from elsewhere.

However, I'd think that the bar for such proof wouldn't be all that high when the judge is merely determining if the plaintiff has standing; that definitive proof should wait until the case is actually tried. Then again, I don't know all that much about how this would work in courts in the US.

Comment Re:Heads will roll? (Score 3, Insightful) 108

You would expect organisations like these to be held to a higher level of accountability than us mere mortals, but sadly that is often not the case. Try telling an Internal Revenue inspector: "I am sorry but I have lost those records of my offshore savings account due to pressing a wrong button" and see what answer you get. Hell, as a kid I never got away with "the dog ate my homework". Yet what consequences will follow from losing hundreds of important police records during an investigation into police conduct?

If any one person, under orders, acting on their own initiative or simply making a mistake, is capable of irrevocably wiping important records like these, then there is something seriously wrong with your organisation. Someone is responsible for managing IT and keeping information/records at the police; start with them.

Comment Untrusted computing (Score 1) 127

What a great idea, they should branch out Untrusted Computing to add to FedCoin. This will be a welcome addition to custom disk firmware, specialized random number generators, data duplication and retention services and so on.

Comment Re:Would it matter? (Score 1) 576

These are two different assumptions: what if FTL-using civilizations exist, and what if these civilizations have also moved to a world-constructing stage of technology?

What I'd ask you in turn: what would a civilization that can construct and move planetoids a hundred miles across want with our dirtball?

Comment Re:No surprise... (Score 2) 114

First, there is no such thing as a perfectly secure information system. The best we could do is mitigate identified risks. The best any standard could do is specify how to mitigate specific risks.

In the case of NIST CAVP (the part of FIPS testing most people are familiar with), the risk they are mitigating is that the cryptographic algorithm you are using is flawed in some way. This certification program is hugely successful, there are robust standards and specs, and hardly anyone these days ends up with bad algorithms because free certified reference implementations and free test vectors were made available.

Second, different aspects of the FIPS program focus on different risks. For example, at higher certification levels (e.g. CMVP FIPS 140-2 Level 3 or 4) the program provides very robust and comprehensive assurance that both the algorithms and the methods of using those algorithms within the cryptographic module are secure. I am too lazy to dig through the specs, but I am positive that at level 3 it explicitly examines key storage. The flaw with FIPS is actually the opposite of what you state: the level of scrutiny ramps up so rapidly that it is impossible to satisfy it with only a software implementation above level 2. As a result, the overwhelming majority of certifications are against the lowest tiers, which are limited in scope.

Now, people look at CAVP certification (algorithm testing for a software product) and make the ignorant statement that the ENTIRE FIPS PROGRAM is ineffective, even when it is very evident that it accomplishes exactly what it promised to do. To leave you with an example: PCI (payment transactions) requirements cap at FIPS 140-2 level 3. This is stuff that touches MONEY! FIPS 140-2 level 4 is spook-level robust; they even have a requirement to trip zeroization if you attempt to freeze or x-ray the chip.
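As an added example (not code from the thread), this is the kind of known-answer test that the free CAVP test vectors mentioned above make possible: a small harness that parses a constructed file laid out like a CAVP SHA-256 ".rsp" response file and checks the local hashlib implementation against the published FIPS 180-4 example digests. The ".rsp" field layout (Len/Msg/MD, with Msg = 00 for the zero-length case) is assumed from the public CAVP format; the file text itself is constructed here.

```python
"""CAVP-style known-answer test (KAT) runner for SHA-256 (added example)."""
import hashlib

# Constructed sample in the style of a CAVP SHA256ShortMsg.rsp file.
# The three digests are the public FIPS 180-4 SHA-256 examples.
SAMPLE_RSP = """\
# SHA-256 short-message KATs (constructed sample, not a NIST file)
[L = 32]

Len = 0
Msg = 00
MD = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Len = 24
Msg = 616263
MD = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Len = 448
Msg = 6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071
MD = 248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1
"""


def parse_rsp(text):
    """Return a list of (len_bits, msg_bytes, expected_md_hex) cases."""
    cases, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue  # skip blanks, comments and "[L = 32]" group headers
        key, _, val = line.partition("=")
        cur[key.strip()] = val.strip()
        if key.strip() == "MD":  # MD closes a case
            nbits = int(cur["Len"])
            msg = bytes.fromhex(cur["Msg"])[: nbits // 8]  # Len = 0 -> b""
            cases.append((nbits, msg, cur["MD"].lower()))
            cur = {}
    return cases


def run_kat(text, algo="sha256"):
    """Run every case; return (passed, failed) as (len_bits, expected, actual)."""
    passed, failed = [], []
    for nbits, msg, expected in parse_rsp(text):
        actual = hashlib.new(algo, msg).hexdigest()
        (passed if actual == expected else failed).append((nbits, expected, actual))
    return passed, failed


if __name__ == "__main__":
    ok, bad = run_kat(SAMPLE_RSP)
    print(f"{len(ok)} passed, {len(bad)} failed")
    for nbits, exp, act in bad:
        print(f"  Len={nbits}: expected {exp} got {act}")
```

A mismatch in any case is reported with both digests, which is exactly the signal an implementer wants before shipping a hash routine.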

Comment Re:This is a general problem (Score 1) 114

Cryptography knowledge in software development is very shallow. Most only know how to integrate OpenSSL (without the FIPS module). Ask them about entropy, and they start talking about the heat death of the universe. Even Linux kernel guys, who otherwise tend to be knowledgeable, would tell you that /dev/urandom is a desirable and secure choice.

/rant

Comment Re:No surprise... (Score 3, Insightful) 114

FIPS is not a joke: it ensures that your cryptographic algorithms are implemented correctly and meet the standard, so you don't generate matching private/public keys, all-0 keys, or make other mistakes that are preventable but non-obvious to people outside of crypto. FIPS does not guarantee that you use these algorithms intelligently; there are other certifications that do that.

Comment Re:No surprise... (Score 5, Insightful) 114

Government already demands product certification (e.g. FIPS); it is time corporate and individual consumers started doing the same. We expect our power supplies not to electrocute us, and there is a certification program to ensure that is the case, so why is it that when it comes to data security we are so lax?
