Forgot your password?

Comment: Re:Surprise! (Score 2) 137

by dave562 (#47523949) Attached to: Internet Explorer Vulnerabilities Increase 100%

Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.

Comment: Re:Slashvertisement? (Score 1) 92

by dave562 (#47510677) Attached to: Buying New Commercial IT Hardware Isn't Always Worthwhile (Video)

What are you talking about? USB 3.0 is significantly faster than USB 2.0. I work in a business where we have to transfer data on physical media due to the volumes involved. We ship hundreds of drives a month. Our clients refuse to accept anything other than USB 3.0 anymore because the previous generation is too slow.

Comment: Re:Why is it always developers? (Score 1) 89

by dave562 (#47509915) Attached to: Researchers Test Developer Biometrics To Predict Buggy Code

Of course they get measured. In the long term if they deliver too many screwed up projects, their superiors stop giving them projects.

Ultimately it is the developer's responsibility to push back against stupid managers and give them honest feedback about what can and cannot be done.

Comment: Re:what environments allow USB boot? (Score 5, Insightful) 132

by dave562 (#47508785) Attached to: Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.

The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.

Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.

The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.

Comment: A whole lot of whine (Score 1) 217

I read the article and while one might question why data is being stored that is almost a decade old, the data itself is not that big of a deal. Basically the airlines store all the information about how he bought the ticket and what his preferences were (seat assignments, meal choices, etc.) The call center agents kept notes on why he called.

All of the information is benign. They kept his credit card information in plain text which is lame, but I have yet to see a story about a CBP breach that led to a bunch of fraud. It could happen, and they should probably encrypt the data in the future, but it is not a massive, conspiracy re-enforcing revelation.

The only disconcerting thing is the length of the data retention. Once it is obvious that the plane did not go down and nobody flying was involved in any subsequent terrorist activities, the data should be purged.

The universe does not have laws -- it has habits, and habits can be broken.