
Comment: Re:So much unnecessary trouble (Score 1) 283

by Tom (#47547927) Attached to: Satellite Images Show Russians Shelling Ukraine

The last thing Putin wants is a country with a lot of relatives of Russians getting the EU treatment and finding out how nice it is to be out of their largely lawless, virtual dictatorship of a state.

You should update your propaganda-driven beliefs. I've got a Russian girlfriend and I've been to Russia myself. At least for where I was (St. Petersburg), it looks much like any European city, except more beautiful (but that's a St. Petersburg special, they made very sure to keep all the old palaces and buildings in shape).

Crime was horrible in the 1990s, my girlfriend says, but here's why most Russians actually love Putin: Since he became the top dog, things have been continuously improving. Crime is low, economy is good, of course nothing is perfect, but compared to previous times, they're pretty great.

From what I've seen in daily life, I don't see anything that would make them jealous of a random EU member country. Supermarkets are full of basically the same products I can buy here, everyone has a car, public transport is better than in some European cities, the streets are in good condition and clean, I felt safe both at day and at night.

Of course Putin doesn't want Ukraine to join the EU. But that they will all be able to suddenly buy bananas and thus run away from communism is 1990s stuff and long since outdated.

Comment: Re:Institutional hypocrisy (Score 1) 152

My understanding is that this (Separation of Powers) is explicitly defined and codified in the USA. In the rest of the world, that may be the intent, but there can often be some overlap.

You mean like the typically politically motivated appointment of the judges of the supreme court? Oh wait, that's in the USA...

who were serving members of the House of Lords (one of the houses of Parliament). [...]some degree of agency between the executive and the judiciary.

Legislative. Get your facts straight before you argue.

Comment: Re:Institutional hypocrisy (Score 1) 152

And the best response that could be given would be to blackhole everything EU. They want to be forgotten, then let's forget them.

Let me guess, you're American and you didn't pay attention in school, so you think "Europe" is some small country somewhere on the other side of the Atlantic Ocean, yes?

The EU is larger than the USA in people, economic power and basically every other metric except prison population. Blackhole the EU if you want. We may or may not come over to save the sorry remains of your economy in a couple years.

The EU wants to be forgotten, let's see how the EU economy survives that.

The trade volume between the USA and the EU is about 60 billion US$ monthly. However, the USA imports a lot more, while the import/export balance of the EU is almost balanced. Make a guess who would suffer more.

Comment: Re: What about my right to search? (Score 1) 152

So is there a right to search, which is really a form of free speech?

Searching and speaking are really not the same thing. Once again, you can say they are related and one requires the other and so on, but all of that only means that yes, there really is no "right to search", you can only construct it from other rights.

Comment: Re:What about my right to search? (Score 1) 152

Nice hyperbole, but entirely beside the point. I already explained in my original posting what the legal situation actually is, I don't see why I should repeat it.

Of course, you can refute me easily. Find the correct EU law that contains the phrase "right to search" and post a link. I will apologize if you do.

Comment: Re:Slippery Slope (Score 1) 152

So, Europe would like to be able to affect what everyone sees,

You are jumping to conclusions there.

Europe would like its laws to be honoured by corporations doing business in the EU. If Google was ordered to remove X, but it is still present if I simply go to instead of, then Google has not complied with the removal order.

It is absolutely technically possible to filter based on source IP address country. They can do it for advertisement, so there's absolutely no excuse for not doing it for legal compliance.

Comment: Re:Not a Slippery Slope (Score 1) 152

Second, it will have to grow up as individuals and realize, when you put it out there, you put it out there. And no nanny state can fix it.

It is mostly not about stuff people put out there themselves. There are people out there who can't get a job because they were wrongfully accused of molesting a child 10 years ago, and the searches turn up the accusations, but not the acquittal (mostly because press rarely writes about it).

Of course, Merkel gets to put on her show and dance about being outraged her phone is tapped, but she says nothing about how complicit she is in tapping everyone else's phones in her country.

While you are right on this, I doubt it has much to do with this law. This law has been in the works since 1995 and was passed in 2012 if I recall correctly (many EU laws go into effect delayed, or require national laws to be passed to implement them). It was on the table long before anyone knew the name Snowden, and if at all then the NSA scandal only affected some final touches.

Comment: Re:Institutional hypocrisy (Score 1) 152

The EU regulators don't want to appear as "censors"

Legally speaking, they not only don't appear, they are not. The legal definition of censorship (at least here in Germany, YMMV) means pre-publication, government-agency control. Having a court (as opposed to a government agency) find something illegal and remove it has never been considered censorship in the legal sense.

so they don't go after the source

Actually, the reason they don't is that if the source is outside the EU, it is a very lengthy and uncertain process. Now while you hail Internet anarchy, consider what options the lawmakers have:

  1. They could sit on their thumbs doing nothing. While this option pleases the anarchist in us, you cannot expect a lawmaker to ignore lawbreakers - in fact, in most other instances of such an event, we would complain very loudly that they're lazy, corrupt bastards.
  2. They can filter at the ISP level - welcome Internet censorship infrastructure. I'm pretty sure you don't want this alternative.
  3. They understand that for 90% of the users, Google et al is The Internet, and if it can't be found in a search, it doesn't exist.

For all the whining here, the option they've taken is actually the least intrusive.

Comment: Re:What about my right to search? (Score 1) 152

What about my right to search?

There is no such right, except in your imagination. There is a right (at least in my country, probably similar ones in the EU as a whole) to get information from publicly available sources. So the government cannot stop you from searching at all. But it can intervene in the information available if that information breaks laws. For example, copyrighted content, state secrets, but also information a court has found to be libel or slander.

And quite frankly speaking, for the cases this law is intended for (let's not focus only on the abuses, as most idiot journalists do because it makes for better headlines), the right of an individual to not have their life ruined by, say, completely made-up allegations of child abuse and rape quite clearly trumps your right of finding false and misleading information.

Comment: Re:well (Score 1) 126

by Tom (#47537637) Attached to: The Psychology of Phishing

I gave an example of ensuring it's not.

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

Writing policy is not the same as educating people.

That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.

Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.

Because everyone is exposed to and knows as much about security as you do right?

No, because the wrong problems are addressed. I've given a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more. (they follow predictable patterns because most people will build the most simple password the policy allows, for example).

What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.

Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I don't consider it a psychological problem, it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizon, which at least for me is the main reason I'm posting.

Comment: Re:well (Score 1) 126

by Tom (#47535431) Attached to: The Psychology of Phishing

Ahh, so you work at one of those places with horrible culture.

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to train the assigned helpers and floor supervisors, not the employees.

Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings who thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

I've had the responsibility of writing or reworking existing IT security policies, and my advice has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

I love security. But I think our industry's approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

Comment: Re:name and location tweeted... (Score 1) 860

You're a really sorry loser, posting ad hominem attacks against people you know nothing about as an AC. 20 years of online experience tell me one thing: There's a 95% chance that you are in fact the exact opposite of the man you pretend to be if you act like that.

Comment: Re:name and location tweeted... (Score 0, Troll) 860

Men really need to start to stand up for equal rights.

While I agree with your main point, equal rights is not the problem. Equal treatment is. We have the same rights, feminism has won long ago. But in many areas men and women are still treated very differently. Sometimes the women are treated badly, and there are many feminists making a big scandal of it, and sometimes the men are treated badly, and almost never anyone says a word.
