Comment: Re:FFS (Score 1) 398

Recent studies seem to support that among some individuals, there may be genetic predispositions which pot may effectively set off. It seems that pot may be a trigger for an underlying situation that already exists. I also had a friend who went from straight A's to dropout. However, pot was only a part of a much larger issue. It took him 10 years to eventually come to realize that it wasn't 'just the pot'. It was a combination of some genetic and social (home life) factors... pot was a part of the problem, but not the cause.

Comment: Re:FFS (Score 3, Informative) 398

Later studies (2013) debunked the older studies (2011 and before) claiming that marijuana causes schizophrenia in teens. A Harvard study included pot smokers and their families (both with and without psychotic illness). The data indicates that if you're genetically predisposed to psychotic illness, you're likely to have psychotic illness and marijuana may have an effect on onset age. If you're not genetically predisposed to psychotic illness, then you're not likely to have a psychotic illness, even if you're a teenage stoner. It appears that young people with a genetic predisposition to psychotic illness may seek out self-medication with marijuana, but the numbers show a very strong correlation with family traits and no statistically significant correlation with marijuana use.

http://www.schres-journal.com/...

That's not to say that marijuana is completely without risks, especially in adolescents with a predisposition to genetic or psychological issues. However, most recent studies do seem to indicate that without the predisposition, 'harm' is relatively limited. In adults, most recent studies indicate no long term effects at all.

It's a shame that the government shut down research on marijuana for so many decades. Who knows how many people could have been helped if doctors had accurate information.

Comment: Re: Better quality (Score 1) 54

by dclydew (#49037827) Attached to: Something Resembling 'The Wheel of Time' Aired Last Night On FXX

There are tons of references to modern things, existing myths, historical events etc. Many of the main characters' names are derivations of famous characters from legends, and many of the locations are similarly related to other locations. Rand is very much part of the Dying God/Jesus type myth (Crown of Swords, spear in the side, must die and live again to save man, will fight in the final battle). There are even references to John Glenn and the Moon Landing in one of their myths. :D

Comment: Re:That's why nobody sensible wants them (Score 1) 223

by dclydew (#48997131) Attached to: US Health Insurer Anthem Suffers Massive Data Breach

A number of data protection solutions today (including the company I work for) actually prevent admin access. Basically, a policy can be defined by a security administrator on a management server. The policy is deployed to the database as an encrypted package. The database has an agent which queries the policy. Only users listed in the policy have permission to decrypt/detokenise the data. If admin, root, dba, sa etc. are not in the policy, they will only see the protected data. If they try to change their account to a privileged user, that action should generate an alert.

There are solutions like this implemented in many companies and they actually work.

I also agree with your additional point. Security event monitoring, intrusion detection, audits etc. should all be in place, no matter what data protection method you're using.

Comment: Re:That's why nobody sensible wants them (Score 1) 223

by dclydew (#48997119) Attached to: US Health Insurer Anthem Suffers Massive Data Breach

In a properly implemented tokenization scheme, your solution is actually less secure. For example, let's say we have a value of 123-45-6789. We tokenize this value using proper randomization and get 4968-34-6789. There is no mathematical connection between the token value and the original value, meaning that there are ~10^5 possible combinations and ANY of them could be valid.

When the ciphertext is stored alongside some of the plaintext, you open up the possibility of a known plaintext attack. Since tokens are not mathematically connected to the plaintext, partial text doesn't necessarily reduce the security of the scheme.

That being said, SSN isn't the best example. A credit card stored as 1234 56TT TTTT 9876 (where the T represents a tokenized digit) is equally secure as 1234 56** **** 9876 (difficulty of 10^5 and no verification to determine which of the 10^5 possible values are correct).

Also, having the encrypted data stored 'somewhere' is part of the older token design, where there is a vault that stores both the encrypted value and a token paired with it. Newer tokenization solutions do away with the vault completely.

Comment: Re:That's why nobody sensible wants them (Score 1) 223

by dclydew (#48997049) Attached to: US Health Insurer Anthem Suffers Massive Data Breach

Yes, SSN isn't the best example because that data could be manipulated. Another example would be exposing the first 6 and last 4 digits of a credit card. This provides the same security as 123456******1234 and is considered secure by the PCI standard. Properly implemented tokenization would mean that there are 10^6 possible values (10^5 if you do Luhn check verification) and that there is no way to mathematically verify which of the 10^5 values it is.

Comment: Re:income data? (Score 1) 223

by dclydew (#48989361) Attached to: US Health Insurer Anthem Suffers Massive Data Breach

Monetization of data. All big companies do it. They collect as much data as possible and then sell subsets of data (perhaps anonymized) to 3rd parties, or they may provide roll-up analytic reports to third parties... Stuff like:

I want to build a for profit practice that specializes in cancer treatments. What part of the country am I most likely to find a high number of cancer patients who make enough money to afford what I want to charge for my services?

I buy a service from a data analytics company; they have deals with some insurance companies, medical research labs, big pharma groups etc. They submit the request to these companies. The companies do some research on their huge data sets and return their best results. The data analytics company makes a nice report and gives it to me. I now know that Somerich City, Alabama is totally where I want to build my practice.

In this scenario, no individual private data was provided... but it's available at the source companies. This makes them prime attack destinations if the PII data isn't protected.

In some European countries though, the laws are strong enough that this kind of behavior is extremely limited and under heavy audit.

Comment: Re:That's why nobody sensible wants them (Score 2) 223

by dclydew (#48989213) Attached to: US Health Insurer Anthem Suffers Massive Data Breach

There are a number of solutions to the problem. There are data protection appliances that can be integrated to databases or applications (via API) where encrypted data is sent to for decryption and available only in the result set; never written to disk in the clear. In this scenario, even root or dba don't have access to the sensitive data, unless authorized by the appliance. Another option, (becoming more popular) is tokenization. The sensitive data is replaced by consistent non-sensitive token values. This often allows for many business analytic processes to operate on non-sensitive data. In many scenarios, all of the work in the main application/database can be done with tokens and then a secure 'detokenize' app is provided to specific users that may need the real data. Tokens can also retain some of the original data. So if we tokenized SSN 123-45-6789, we could generate a token that kept the same last 4 digits, 541-30-6789. If customer support uses the last four digits of SSN to verify customers on the phone, they can now do it without being exposed to the real sensitive data.

(Disclaimer: I work for a data protection company that does this kind of stuff)
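The three comments above describe a vault-style tokenizer that keeps selected digits (last four of an SSN, first six and last four of a card number), issues consistent random tokens, restricts detokenization to users named in a policy, and argues that for a 16-digit card with six tokenized middle digits there are 10^6 candidate values, of which 10^5 survive a Luhn check. The Python below is an added example written for this page, not code from the commenter or the commenter's employer: it implements that tokenizer with an in-memory mapping table, a per-user policy (the policy shape, the `data_class` labels and the `K`/`T` mask notation are assumptions made here), and an exhaustive count over all 10^6 middles confirming the 10^5 figure for the page's own example card 1234 56TT TTTT 9876.

```python
import secrets

# Luhn doubling step with the "subtract 9 if > 9" fold, as a lookup table.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(digits: str) -> int:
    """Weighted Luhn digit sum; position 0 is the rightmost digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += DOUBLED[d] if i % 2 == 1 else d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def _residue_histogram(start_pos: int) -> list:
    """For a 3-digit group occupying positions start_pos..start_pos+2 (from the
    right), count how many of its 1000 values give each Luhn contribution mod 10."""
    hist = [0] * 10
    for n in range(1000):
        s, m = 0, n
        for pos in range(start_pos, start_pos + 3):
            d = m % 10
            m //= 10
            s += DOUBLED[d] if pos % 2 == 1 else d
        hist[s % 10] += 1
    return hist


def count_luhn_valid_middles(first6: str, last4: str) -> int:
    """How many of the 10**6 PANs first6 + XXXXXX + last4 pass Luhn.
    Exhaustive, but counted meet-in-the-middle: the low three middle digits
    sit at positions 4-6 and the high three at positions 7-9 (from the right)."""
    if len(first6) != 6 or len(last4) != 4:
        raise ValueError("expected a 6-digit BIN and a 4-digit suffix")
    base = luhn_sum(first6 + "000000" + last4)  # zeros contribute nothing
    low, high = _residue_histogram(4), _residue_histogram(7)
    total = 0
    for r_low in range(10):
        need = (-base - r_low) % 10  # residue the high group must supply
        total += low[r_low] * high[need]
    return total


class Tokenizer:
    """Vault-style tokenizer: tokens are random and stored in a lookup table,
    so no mathematical relation links a token to its plaintext. The mask marks
    characters to keep ('K') and to replace with a random digit ('T');
    anything else (separators) is copied from the value."""

    def __init__(self, policy: dict):
        self._policy = policy          # user -> set of data classes (assumed shape)
        self._to_token = {}            # (data_class, plaintext) -> token
        self._to_plain = {}            # (data_class, token) -> plaintext

    def tokenize(self, data_class: str, value: str, mask: str) -> str:
        if len(mask) != len(value) or "T" not in mask:
            raise ValueError("mask must match the value length and tokenize something")
        key = (data_class, value)
        if key in self._to_token:      # consistent: same input, same token
            return self._to_token[key]
        while True:
            token = "".join(secrets.choice("0123456789") if m == "T" else v
                            for v, m in zip(value, mask))
            # A token must differ from its plaintext and be unique per data class,
            # otherwise detokenization would be ambiguous.
            if token != value and (data_class, token) not in self._to_plain:
                break
        self._to_token[key] = token
        self._to_plain[(data_class, token)] = value
        return token

    def may_detokenize(self, user: str, data_class: str) -> bool:
        return data_class in self._policy.get(user, set())

    def detokenize(self, user: str, data_class: str, token: str) -> str:
        if not self.may_detokenize(user, data_class):
            raise PermissionError(f"{user} is not in the policy for {data_class}")
        return self._to_plain[(data_class, token)]


if __name__ == "__main__":
    t = Tokenizer(policy={"support": {"ssn"}})          # dba is deliberately absent
    tok = t.tokenize("ssn", "123-45-6789", "TTT-TT-KKKK")
    print(tok)                                           # e.g. 541-30-6789
    print(t.detokenize("support", "ssn", tok))           # 123-45-6789
    print(t.may_detokenize("dba", "ssn"))                # False
    print(count_luhn_valid_middles("123456", "9876"))    # 100000
```

The count is exact rather than approximate: the middle digit at position 4 is an undoubled digit, so for any fixed choice of the other five it cycles the checksum through every residue and exactly one value in ten passes. The tokenizer intentionally keeps the mapping table and the policy in one object for brevity; the comments above describe the policy being distributed to a database agent as an encrypted package, which this example does not model.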

Comment: Re:unlikely (Score 1) 196

by dclydew (#47907197) Attached to: The Future According To Stanislaw Lem

I don't think it's terribly unreasonable to postulate that a sufficiently advanced society may be world bound and following their bliss.

A sufficiently advanced society may actually have come to the realization that FTL travel/communication is impossible and that travelling to the nearest inhabited planet would be a centuries long one way expedition with little or no return on investment. So, if an advanced civilization figures out that they are forever trapped in a single solar system, with one or two habitable planets... why would they keep wasting effort on something they know is impossible? If you solve the problems on your planet and you know you'll never leave your planet... then why wouldn't you pursue pleasure instead?

Imagine if our society evolved beyond the primitive philosophies of religions, so we no longer had people worrying about what the invisible guy in the sky wanted. Imagine if we found cheap energy, ways to reduce scarcity etc. and assume that we also evolved beyond some of our basic primate programming of alpha and territorial dominance. In such a society, following one's bliss may well be the most logical choice.

Comment: Re:Risk = likelihood x consequence (Score 1) 348

The example provided here is a very high level Slashdot comment ;-) There are several different risk models that can be used, either qualitative or quantitative. The right model depends heavily on the type of organization you're working with.

The one I mentioned is from the InfoSec Handbook. Others cover the value of the asset instead of Impact (Threat x Vulnerability x Asset) and some include accounting for mitigation and countermeasures like TIK (threat*vulnerability/countermeasure * Impact or Asset). I've worked for companies that have their own internal models, companies that want very complex models and companies that use very simple models in which every variable is ranked 1 - 5 (1&2 Low, 3&4 Medium, 5 High).

The core thing here is not the specific model. As long as a consistent model is used to rank vulnerabilities and threats and can define a useful value for determining the cost of the event versus the cost of the protection method, then it's useful (and may be sufficient, depending on the situation).

Comment: Risk Assessment!! (Score 3, Insightful) 348

There are lots of different risks that must be considered when securing a network or system. In my many years of security architecture, I've found it makes the most sense to create a risk assessment.

Threat x Vulnerability x Impact = Risk

Once you have defined the risks, you can define the best protection method to reduce each risk.

Application firewalls may not be the best protection method depending on the rest of your network security controls. If you have strong network firewalls and every device that connects to the network must be authenticated (and scanned for viruses) before it's given an IP address, an application firewall may not reduce much risk. If it doesn't reduce much risk, it may not be necessary.

In business, security is like insurance. You have to justify how much to spend, based on how it will protect us if something bad happens. Further, you have to make sure that whatever the security control is, it doesn't interfere with what the business needs to function. If the database cannot function with a firewall, a firewall is not the best protection method and other options should be considered (Network Intrusion Prevention systems, Data Protection [encryption/tokenization/hashing], Anti-Virus, File Integrity Monitoring, etc). There are many tools available to security professionals today. A firewall is a good tool, but not the only tool... depending on the situation, it may not even be the right tool.

Comment: Re:You're right, but confused (Score 1) 567

I grew up in the country in Ohio, lived in Columbus and NYC for a while, moved to a fishing village in Turkey for a couple of years and currently live in the countryside in the UK. Politically, I don't agree with either side of the American political false dichotomy (aka the Two Man Con).

What I do understand, however, is that looking at personal observations or eyewitness testimony is a really bad way to do science, criminal investigation or any sort of objective work. Individuals process objective data through the neurological system, which includes lots and lots of personal beliefs, bias and filters. Climate models may be wrong (I am not a scientist), but personal observation from "country folk" is certainly no more reliable and likely less so... particularly if they are part of a political party which denies global climate change as part of its tribal identifier.

See Also the 23 Enigma or the Law of Fives.
