Sigh. Maybe we -- or I, at least -- just need a new 'ism.
Your -ism is wrong.
Sigh. Maybe we -- or I, at least -- just need a new 'ism.
Your -ism is wrong.
NSA's Information Assurance Division (not the spooks) works hard to help and to convince Big Corp to clean up their act. They recognize that financial IT security is fundamental to national security. Also, the FBI has a group that works to help companies improve security. So you might reach out to one of them.
The fundamental problem is typified by Home Depot's management - as a Redditor noted, when IT asked for budget to implement essential security, their upper management said, "We sell nails and hammers. We don't need that." Now it may well cost them $1 billion.
Here are a couple of rules of thumb you can tell your management. These are straight from web security and biometrics people I work with. A website breach (e.g. Target, Ebay, Home Depot, JPM) costs the company an average of $178 per customer (not website user - _customer_). That is a number that should invoke heart palpitations in the CFO - multiplied by the number of customers, it's probably more than the value of the company.
In the healthcare industry, a single lost or misplaced laptop will cost a minimum of $2.5 million in fines (HIPAA violations), liability, paying for patients to get identity theft insurance, etc. - even if no data is actually compromised and the laptop is recovered! If data actually makes it into the black hat world, the price goes up by multiples.
JPM's audits have been "qualified" by PWC for the last couple of years, because (despite inhouse reports) the CIO has refused to implement proper controls. People in JPM who have reported these problems have been fired - from what I've heard, three heads of Risk Management have been fired in the last three years, each time after telling the CIO that he needs to fix these before their pension fund clients have to take action.
... then nothing comes out the back.
When I went back to school in 2003, the CS department had a grand total of zero (0) US women in the graduate program. There may have been one woman in the undergrad program. This despite the following: the department head was a woman; almost 1/2 of the instructors were women; about 1/4 of the foreign students were women; and the _founder_ of the department in the 1970s was a woman. There weren't that many US men either - probably 3/4 of the grad program were foreign students. These folks were there, paying full tuition and working hard, because coming from other countries they knew that for them this was the difference between a comfortable middle class life, and dirt poverty. The plain fact is that engineering, if taught correctly, is hard, and many people don't feel the need to work hard for a distant goal, especially when that work involves technical knowledge and analysis. Plus, not everyone has the analytical bent, and that's OK. We need other talents as well.
It's easy for me to think / assume that part of the problem lies in the way education is done. If a real engineering and analytics approach with the self-discipline to think the hard thoughts were imbued into students early - primary grades, at least - perhaps the pipeline would have something going in the front. I'm hoping that our future robotic/AI childhood learning specialists that will be replacing much of the education system will be able to make a difference.
3. Panic and hysteria,
4. Hunt for the guilty,
5. Punishment of the innocent, and
6. Reward for the uninvolved.
I like this!
I'd like to see both awarded a minimum number of flights (say 1/4 or 1/3 of total planned) at a fixed maximum price, and the price of all additional flights negotiated down from that maximum price, relatively close to the date when the hardware has to be built - say a year before flight. This would also leave an opening for other competitors to come in later. It would probably be beneficial to allocate in lots of, say, three or four up to 10 at a time. I would also require all vendors / vehicles to use the same interfaces - mount points, power, fluid, and data connections, etc. so any vehicle could be swapped out for any other on short notice. Of course, some vehicles are going to have to have special equipment, but that could also be handled using a modular system.
The net result of this would be a continuing reduction in the design, manufacturing, and launch costs, as more components become commoditized to fit all vehicles - all vehicle vendors will benefit. Soon any launch vehicle could be used to launch any 'standard' vehicle. The result of this would be an increase in the economic feasibility of space launches for both NASA and others private and public, making the market larger. Outcome: boom in space development. Boeing and SpaceX would both benefit from this approach in the long term, and possibly others as well. The key to economic space development is just this kind of commoditization, repeatability and increased reliability that long production runs with continuing improvements can provide.
[shameless plug, but apropros] - my company's Kaje Picture Passwords for the Web would have prevented these attacks almost completely. (I say "almost" because, well, "never say never".) We published a press release about this two weeks ago: Bright Plaza offers “Kaje” Website Security Solution to Russian Hacker Password Breach. Using Kaje, the password is no longer stored on the website so these breaches could not have exposed the passwords. Kaje never knows anything about the user other than the anonymous ID sent by the website.
Had all those websites been using Kaje, these breaches would not have resulted in the huge potential liability and recovery costs that so many businesses will be facing. From Sony a few years ago to Target and EBay recently, and now this Russian thing, password breaches are causing billions of dollars in damages, often borne by website owners - in some cases thousands of dollars per user. Health care and financial services websites are particularly subject to financial penalties from regulatory bodies as well as civil litigation. In comparison, the Kaje service costs fractions of a cent per use for large users.
A Picture Password, which was demonstrated to be easier to use and more secure than text passwords by NIST as early as 2003 (using an earlier, less secure methodology), is more difficult to crack as well as resistant to man-in-the-middle attacks. The Kaje service has an HTTPS RESTful API, is compatible with OpenID, SAML, and other SSO systems, and plugins are available for Drupal and WordPress with others coming soon. Using Kaje basically requires SSL, one or two additional columns for the anonymous ID sent to Kaje by the website The first 10,000 uses are free, so smaller websites can use it for years without paying anything, while larger ones can try it out, do testing and prototyping with no cost or obligation.
If anyone is interested, check out Kaje or contact me through the website. We're looking for both website (customers) and web services (hosting, CMS vendors, developers), who can apply to be Kaje Affiliates and receive a commission from us by offering discounts to their customers.
Given the speed with which politics grinds, is to my mind why the Executive Order was signed a few years later, to provide some legal cover.
A friend of my sister's worked for NSA for eight years in the 1960s. At that time the fact of its existence was classified - insiders said the acronym stood for "No Such Agency". He spent most of those eight years in a shack on a hill in Japan, listening and recording phone calls and telegraphs in and out of Japan. He came out of those eight years imbued with an extreme level of paranoia that he never did shake off. It cost him his marriage among other things.
So 1981 wasn't the beginning. I would be more likely to think that the directive in question was created to paper over and legalize what had been going on for decades before. The agency was founded by Harry Truman in 1952 based on signals intelligence units from WWI, per Wikipedia. I saw an article recently which asserted that spying on foreign (and some domestic) entities really came out of the period before and after World War I, and it made sense.
Having said all that, I recently learned that the NSA is not just "spooks peeking into our bedrooms" and getting everyone upset. That is just one of three branches.
- Signals Intelligence Directorate is the one that has been upsetting people, and may in fact be as crazy as people think they are;
- Information Assurance Directorate one might consider the "good guys" - they are working with US industry and agencies to prevent security breaches - one might consider this the "anti-spy" group, and you'll see guys from IAD at conferences regarding improvement of the security infrastructure of the net, to prevent spying and other problems. By all accounts the Information Assurance Directorate is working very hard to protect us, and has had some successes preventing or stopping serious hacking and other incidents against both public and private organizations in recent years that they, of course, can't ever tell anyone.
- Technical Directorate, which I assume is the people inventing the HW and SW the rest of the gang uses.
TL;DR - don't paint the whole of NSA with the same tar and feathers. Some, at least, are out there actively helping with things like Tor as we read recently - spy agencies including NSA have regularly helped Tor find and fix bugs, even while other groups in the same agency are trying to exploit them.
In Massachusetts, the State (IIRC) took Toyota to court to require them to release the codes to independent mechanics so they could fix the cars and do warranty work. I think the State won, but I'm not sure, and it was tied pretty closely to existing MA law.
Would a password, or an item code that had to be entered in an instruction, such as "Enter 'F2-ABC' to select the proper module" - would the use of "F2-ABC" be a violation? IDK. It might even be trademarked, and trademarks never expire as long as they are maintained.
An older example: Back in the day, IBM sold two card punch/readers, IIRC the 620 and 630. One was much faster and more expensive than the other. According to what I was told back then, the difference was that the slower cheaper one had an extra circuit board that slowed it down. Remove the extra, and voila! faster - plus loss of warranty, no field service, etc. of course.
It's quite common on most cars to have a single wiring harness that includes all the plugs for the extra features, possibly for all models of the car. E.g. you might even fit wiring for a station wagon feature in a sedan. This allows a single inventory item to cover all versions of the car (i.e. cheaper), simplifies documentation, and avoids problems with the wrong harness being used, shipped for a car repair, etc. It would also be either impossible or overly expensive for dealers to install dealer add-ons otherwise. The cost of the wire and connectors is so low as to be in the noise.
Everybody picks on PHP. Like every language it's not perfect, by far. But by several orders of magnitude (my estimate), the vast majority of all vulnerabilities regardless of operating system have directly resulted from design flaws in C (and C++) - buffer overflows, pointer issues, assignment instead of evaluation in conditionals due to missing equals, etc. Even many/most of the vulnerabilities in PHP have been the result of these same C design flaws. While _some_ of those flaws can be argued to be necessary for writing at the bare metal level - device drivers and such, they are completely unnecessary for application programming.
The standard counter argument is that "C programmers (must) learn better programming habits, and deal with those things." To which I merely append, "Some
It's enough to make one yearn for Haskell, or Erlang, or something.
Just for clarity, I have no idea what the "Electric Universe" is, and not much curiosity to find out. As for the last bit, it was just a reminder to the parent that "what we know to be true" ain't necessarily so.
A language that doesn't have everything is actually easier to program in than some that do. -- Dennis M. Ritchie