Comment No reason to trust (Score 5, Insightful) 196

I see no reason to trust Apple or any similar companies whatsoever. They have betrayed consumers' trust in the past, have cooperated with illegal surveillance programs, etc. If a given company has cleaned up its act, great, but independent verification, open standards, etc. are the only way to gain assurance. Trust is irrelevant.

Comment Seems Accurate (Score 1) 637

It amazes me how true this is. Discussing climate change, I've often been presented with the argument that the idea that humans could alter the climate of the earth is prima facie ridiculous. I just don't understand how someone can think that way, given the massive changes in our society (and the emissions we produce) since the industrial revolution. The inability to accept that there are conflicts of interest in a lot of the politics and even some of the "science" surrounding climate change is true on both sides and hardly surprising. What I do find surprising is that people would discount the idea out of hand based solely on "common sense".

Comment Where to begin... (Score 1) 117

So, is the implication here that Windows 2003 boxes are not, already, the subject of numerous attacks? Because, y'know, they definitely are and stuff. The main difference being that when they're out of support they won't have patches for all those attacks.

XP boxes are often somewhat protected, as they're usually behind a firewall. Alas, phishing, worms, viruses, and other malware float around on internal networks all the time. If you've worked in security ops and have decent network instrumentation you know that these boxes get infected all the time when they are not patched whether they're in support or not. So...when they're out of support...you do the math.

Any box on your network that is out of support is a risk because it represents an easy target for an attacker to gain a foothold on your network. It also represents a business risk because if whatever crucial piece of software the box is hosting, which absolutely cannot run on 08, shits the bed...there's no support. If the 03 box is hosting something that isn't critical, just turn it off. The fact that it needs to stay on is enough of a reason to get it on a supported OS.

Comment Pretty Obvious (Score 1) 308

Pretty obvious that intentionally destroying evidence of a crime is considered destroying evidence of a crime. Were you to clear your cache when you have no reasonable basis to suspect it might become the subject of legal proceedings I doubt this would apply.

You could also establish a precedent of clearing your cache on a set frequency. If something happens you could make the case that you were following your standard procedure.

Comment It's already a problem (Score 2) 692

So many of our modern problems come down to the fact that we mitigate our expanding ability to provide food and other resources by reproducing at faster and faster rates. Solving world hunger would be trivial at this point, if we could slow the growth of our population. You see declining birth rates in developed countries, but it's not even close to enough.

We also actively exacerbate these problems with aid. The standard of living in parts of Africa has been an ongoing tragedy, but rather than finding a sustainable way to provide resources for a population that is stabilized, we just keep putting more and more bandaids on the problem that, in the end, just make the situation worse. This is another area where we've made some progress, with better charities popping up, but it's not even close to enough.

Humans just have this sense of entitlement when it comes to breeding and the consumption of resources. It's a primal urge that we just don't seem to be able to manage/overcome. Add in longer lifespans and, oh my god...age reversal...and you have a recipe for disaster. We need our social norms to start catching up with the technology we have.

Comment Re:Blasting my ears (Score 1) 158

That's a great point about sound quality, actually, I think you're on to something there. Some of the harsher music gets tamed by poor quality playback equipment and encoding. The listener loses a lot of the dynamic aspects of the music, so add tons of compression and nuclear-computer-tones to overcome those limitations. People who listen with better setups have their ears melted off, but it doesn't sound too terrible on what 99% of people are listening to it on.

Comment Blasting my ears (Score 1) 158

What amazes me is that the more technology and information we get, the more the music seems to become harsh and random to listen to. All the pop music that has flowed down from dubstep is so jarring...just random ear-raping sounds firing at the listener. This is to say nothing of lyrics which seem to be getting more and more repetitive and less and less creative/sonically flowing.

I'm not saying this to necessarily criticize pop as being simple and vapid, which has been the case since pop has existed and is totally understandable/fine, but just from a sonic perspective popular music just seems...I guess, "not what I would expect people to find appealing to listen to" is what I mean.

Popular rap would be a good example - it used to be about finding creative ways of saying something...that was the whole joy of it. You could talk about having money or cars or partying, but you would flip it in a unique way and with a unique flow. Now popular rap is becoming so unbelievably basic. It's not the subject that's changed, but the way of communicating it has just gotten so incredibly stripped down.

Comment Questions which are not sexy... (Score 1) 160

Were all developers of the system required to complete training and pass a knowledge check prior to beginning work?
Has the application had manual/dynamic penetration testing performed against it?
Are there any critical/high/medium findings?
What is the timeline to address pen test findings?
How is access authenticated?
Is the application segmented and housed in a dedicated DMZ?
Is there firewalling within the application stack?
Are Web Application Firewalls used?
What intrusion detection systems are in place?
What logs are generated and how are logs monitored?

The usual stuff...you know...before we have a shitstorm in congress about the vulnerability of our critical infrastructure which somehow requires billions of dollars to be paid to defense contractors (like Lockheed Martin...hmmmmm) to mitigate.

Comment Let's be honest here... (Score 1) 37

I'm all for accurate information not driven by hype/politics/marketing, but the state of U.S. cybersecurity is pretty dismal. Whatever you want to believe about the number and sophistication of the attacks, the preparedness in both the private and public sectors has a long way to go.

Comment Ugh! (Score 4, Informative) 609

She's saying it's secure when we know it was using self-signed certs, exposed OWA, and I saw something this morning that said Qualys scanned it and it was riddled with vulnerabilities. She says there were no breaches, but does she have the extensive instrumentation required to detect a breach, especially one perpetrated by government-sponsored entities who would absolutely have an interest in the contents of her email?

It's just so frustrating to see the ignorance, and then to read comments from people defending her. You can say the timing is politically motivated. I personally think this is the State Department's fault much more so than hers...but don't tell me that it was a.) legal, b.) a good idea, c.) secure, d.) in any way, shape or form compliant with even the most basic security frameworks out there.

I wish I could just not see anything else about this issue, but it's like a magnet for my eyes.

Comment I don't agree (Score 1) 114

The sad fact is that most companies aren't even implementing basic controls that everyone knew were important 10 years ago. If you look at a lot of the high profile breaches, they're due to fundamental stuff, not a lack of super high end ultra-expensive security appliances. It's something consumers reasonably expect companies to be doing, but they aren't doing.

I believe it is possible to have companies manage things and have good security. You could accomplish this by having individual consumers take more responsibility for their information, but it's more likely and more effective that "we" would take more responsibility for our information through market pressure, standards, etc.

The most likely form for this to take right now is through standards and compliance. The improvements in the situation are being driven by this now. We're not there yet, but it's improving.

The area where I do agree, though, is that it will be difficult to have effective security and privacy without legal support. The government is completely full of shit when it comes to information security, as they are full of shit when it comes to so many things. The NSA's efforts to compromise encryption and product security are a great example of this.

On the other hand there are laws like HIPAA. HIPAA is so vague, and yet it has been effective in driving change in the healthcare industry. Again we're not "there" yet, but things are changing at a relatively rapid pace. HIPAA is actually a good example of where the government was not overly prescriptive, but does enforce substantive penalties for noncompliance with very general common sense requirements. On the other hand you have industry regs like PCI which are extremely prescriptive and have had a similar effect. Consequences are the only reason why PCI is having an effect as well...

Comment Wow! (Score 2) 347

Engineers think project managers and deadlines are a waste of time and a pain in the ass, while project managers think they are essential. Now that's what I call news! Whodathunkit!

This is business. Management wants to quantify everything to manage resources, manage spend, control cost, maximize profit, etc. It makes perfect sense at the same time that it doesn't really jibe with how engineering works a lot of the time. One thing for developers to keep in mind, though, is that *doing* something is never as important as *telling people* about how you did it. Metrics mean way more to the people who sign your paycheck than the code you write does and you should design your metrics accordingly.

The other component is PMs themselves. How many really good PMs have you worked with in your life? Grand total of 1 for me. Most PMs are people who don't really understand technology and have created a whole system of super-important metadata to "add value" to the process. When it's done properly a PM can help a lot, but mostly it's just blustering and wasting everyone's time. These people want to protect their jobs, and their jobs are defined by timelines and metrics.
