
Comment: Developers _are_doing it (Score 4, Insightful) 214

by nut (#49281867) Attached to: The GNU Manifesto Turns Thirty

A lot of software developers are doing what RMS says a lot of the time. It's just that almost no one does it all the time.

It's clearly evident from the amount of GNU and GPL software out there that wasn't written by RMS that people are following his ideas. And that those ideas have succeeded, simply by the success of that same software in the marketplace.

It's not a failure of the ideal when developers of open source also write proprietary software to pay the bills.

Comment: Re:But it's still a Chromebook... (Score 1) 139

by nut (#49244643) Attached to: Google's Pricey Pixel Gets USB-C and a Lower Price

I bought a Lenovo X131e Chromebook second hand for exactly that purpose. Went online for the instructions to boot it into developer mode so I could change the OS ... Nothing worked. I emailed Lenovo directly with the serial number for advice, got no reply. As far as I can tell it is a device that does not allow any change to the BIOS.

I now have a device that runs ChromeOS and nothing else. So it's going to get sold on to the next victim. Make sure if you do buy one for this purpose that you really are able to change the OS.

Comment: OWASP and PCI DSS (Score 1) 205

by nut (#49236407) Attached to: Ask Slashdot - Breaking Into Penetration Testing At 30

The Open Web Application Security Project website is a great place to start browsing from, to investigate both pen testing and secure development.

I would also recommend getting some familiarity with the PCI DSS standard. It is aimed at companies involved in online payments (and a bitch if you have to prove compliance). However, when used as a descriptive framework rather than a prescriptive one, it's a great foundation for planning a company's IT security aspect.

I'm sure there's a bunch of other security standards for other industries that could be used in much the same way. A good security consultant should at least be able to name check them.

Australian researchers create world's first 3D-printed aircraft engines

Submitted by stephendavion
stephendavion writes: Researchers from Monash University, CSIRO and Deakin University in Australia have created two 3D-printed aircraft engines. One of the 3D-printed engines is being showcased at the ongoing International Air Show in Avalon, while the other is at Microturbo (Safran) in Toulouse, France. Monash and its subsidiary Amaero Engineering attracted interest from tier one aerospace companies to produce components at the Monash Centre for Additive Manufacturing (MCAM) in Melbourne. Researchers used an old gas turbine engine from Microturbo to scan components and print two versions. The engine is an auxiliary power unit equipped in aircraft such as the Falcon 20 business jet.

Invented here syndrome

Submitted by edA-qa
edA-qa writes: Are you afraid to write code? Does the thought linger in your brain that somewhere out there somebody has already done this? Do you find yourself trapped in an analysis cycle where nothing is getting done? Is your product mutating to accommodate third party components? If yes, then perhaps you are suffering from invented-here syndrome.

Most of us are aware of not-invented-here syndrome, but the opposite problem is perhaps equally troublesome. We can get stuck in the mindset that there must be a product, library, or code sample that already does what we want. Instead of just writing the code we need, a lot of effort is spent testing out modules and trying to accommodate our own code. At some point we need to just say, “stop!”, and write the code ourselves.


Comment: Engineer the economy first (Score 1) 319

by nut (#48769841) Attached to: How Close Are We To Engineering the Climate?

We are already 'engineering the climate' - we're just doing it randomly and without plan.

If the price of oil goes down and everybody starts burning more of it, we're engineering the climate with more CO2.

If we chop down hundreds of square miles of Amazon rain forest and replace it with cattle ranches, we're engineering the climate with more methane.

If we want to start engineering the climate in a more directed manner, we MUST control these activities as well. Trying to control some of the strings while others are being yanked in a haphazard manner is not a practical approach.

The Kyoto Protocol has many critics - and with reason. It is clumsy, largely ineffectual and tainted by accusations of corruption. But real practical climate engineering will only be achieved by some sort of international cooperation along these lines.

Comment: Musical scales based on math, not on culture (Score 1) 80

by nut (#48306945) Attached to: Birds Found Using Human Musical Scales For the First Time

Harmony in music is based almost directly on the simplicity of the ratio of the frequencies of notes in a chord.

Octave = 1/2
Fifth = 2/3
Fourth = 3/4
Major Third = 4/5
Minor Third = 5/6

and so on.

There are certain cultural anomalies; for example, our preference for three notes in a simple chord (first, third and fifth) means that fourths are generally considered slightly more disharmonious than thirds, due to their relationship to the third and the fifth.

Also, the intervals in most instruments are fudged slightly to make them work in any key. This practice started with Bach, I believe.

The point, of course, is that it is not that surprising that harmony is more universal than human culture. The mathematics that underlies harmony is more universal than human culture.

Law Lets I.R.S. Seize Accounts on Suspicion, No Crime Required

Submitted by schwit1
schwit1 writes: Theft by government: The IRS admits to seizing hundreds of thousands of dollars of private assets, without any proof of illegal activity, merely because there is a law that lets them do it.

Using a law designed to catch drug traffickers, racketeers and terrorists by tracking their cash, the government has gone after run-of-the-mill business owners and wage earners without so much as an allegation that they have committed serious crimes. The government can take the money without ever filing a criminal complaint, and the owners are left to prove they are innocent. Many give up and settle the case for a portion of their money. “They’re going after people who are really not criminals,” said David Smith, a former federal prosecutor who is now a forfeiture expert and lawyer in Virginia. “They’re middle-class citizens who have never had any trouble with the law.”

The article describes several specific cases, all of which are beyond egregious and are in fact entirely unconstitutional. The Bill of Rights is very clear about this: The federal government cannot take private property without just compensation.

Book review: Measuring and Managing Information Risk: A FAIR Approach

Submitted by benrothke
benrothke writes: Measuring and Managing Information Risk: A FAIR Approach

Author: Jack Freund and Jack Jones

Pages: 408

Publisher: Butterworth-Heinemann

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124078147

Summary: Superb overview of the powerful FAIR risk management methodology

It's hard to go a day without some sort of data about information security and risk. Research from firms like Gartner is accepted without question, even though they can get their results from untrusted and unvetted sources.

The current panic around Ebola shows how people are ill-informed about risk. While distressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like.

When it comes to information security, it is not that much better. With myriad statistics, surveys, data breach reports, cost of data breach: global analyses and the like, there is an overabundance of data, and an under-abundance of meaningful data.

In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk.

The book details the factor analysis of information risk (FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity.

An Open Group standard, FAIR is a methodology and a highly effective quantitative analysis tool.

The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.

FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.

FAIR takes the risk professional out of the realm of dealing with risk via the checklist, which only serves to produce meaningless measurements, into the world of quantitative, defendable results.

For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those that are looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, they won't find a better guide than this book.

The book is an incredibly good reference that will force you to look again at how you view risk management.

Jones writes in the preface that the book is not about checklists and formulas, but about critical thinking.

The authors note that information security and operational risk have operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill.

The authors write that risk decision-making quality boils down to the quality of information decision makers are operating from, and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.

A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess over Ebola-like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.

The book spends a few chapters going through the FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk-related communications within an organization.

The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term threat. In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.

The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lies its power. Setting up a common framework for risk management becomes an invaluable tool to present risk ideas. In addition, it makes the findings much more objective and defendable.

In chapter 5, the authors address the biggest objection to quantitative risk management: that it can't be measured or is simply unknowable. They agree that risk can't be measured at the micro level, but it can be effectively measured to a degree that reduces management's uncertainty about risk.

They also importantly note that risk is a forward-looking statement about what may or may not come to pass in the future. With that, perfect accuracy is impossible; but effective quantitative risk management is very possible.

The power of FAIR is that it helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.

Chapter 8 is an extremely enlightening chapter in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.

In chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The 5 high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.

FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework.

But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.

The book is flawless in its execution and description of the subject. The only critique is that the authors should have been a bit more transparent in the text (especially in chapter 8) when mentioning the FAIR software, in that it is their firm that makes the software.

For those that are willing to put in the time to understand FAIR, this book will make their jobs much easier. It will help them earn the trust of senior management, and make them much better risk management professionals in the process.

Reviewed by Ben Rothke
