Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

Comment Re:How Does Apple Control This? (Score 1) 451

What else can they do? Should I be encrypting all my disk partitions?

If you run the software; then you trust the vendor. Full stop.

If you don't trust a software vendor, don't run their software, and especially not their operating system.

Java was blocked by an update to Apple XProtect Definitions.

Software update is responsible for providing the updated definitions.

Comment Re:Good for them. (Score 1) 451

Uh this was a zero day active exploit. Are you saying you WANT to deal with that? Apple did you a favor. Are you so confident in your staff's ability to avoid getting owned. That's a lot of very sensitive info you would be compromising.

Sometimes being able to work, AND being vulnerable: is not as bad as a complete work stoppage.

There is a risk that you might be targetted by a zero day exploit, that might be successful. Say that risk is 1%; and the cost of a breach is 15 million$; mostly spent in legal fees, compliance fees -- sending letters to customers about the data breach, settling any legal complaints, etc.

Now let's say you rely on Java for many critical business functions, and you have a 50% work stoppage, if your workers can't start Java -- they can't access CRM, ERP, customer support systems, billing, Order taking, etc.

The work stoppage for 1 hour costs $3 million.

Now: What is worse: A 1% risk of losing $15 million, OR a 100% risk of losing $3 million, due to shuttering of the business applications, not being able to take orders, and losing customers, due to CSR unable to provide satisfaction, without working CSR applications?

Let's try a bank analogy....

A new zero-day vulnerability has just been discovered in a certain vendor's ATM; that allows a criminal to possibly use a simple technique to enumerate account numbers of other bank customers, and withdraw arbitrary amounts of money from their account without entering a PIN number.

Upon discovering this, does the bank immediately shut down all their ATMs, for fear, a thief will abuse it? [Despite angering all their customers, denying everyone access to their money, and losing 20+ millions of dollars a day due to account closures -- versus the 2 or 3 million in expected losses due to thievery]

or do they begin discretely working with the software vendor to develop a patch, while putting in place monitoring to search for signs of abuse?

Comment Re:Good for them. (Score 1) 451

with 30 years of prior use its not so simple to just move on - yes we may be foolish, but what can one do at this point?

Since Java was not commercially available until 1995; it's not possible that there is 30 years of prior use.

Although the point is well taken that Apple broke for some users a business line application with its security policy decision .

For consumer devices it's the right choice. IT needs to override Apple's policy decision, for their businesses; and not allow vendors to make configuration changes like blacklisting software -- without IT validating the change.

Apple's security policies should always be what will keep the greatest number of users in the safest situation -- even while inconveniencing the few who are using an uncommon functionality.

Change control 101. The proper response was for IT to disable blacklisting in the first place, and carefully monitor any blacklisting activity by the software vendor, to determine if they need to do anything for their Enterprise environment.

It's just one of the risks you take, if you allow an outside vendors to define patterns, version, or identity of applications that are not allowed to run, or patterns that are deemed risks; and change those patterns without review.

Comment Re:Good for them. (Score 4, Insightful) 451

Apple hasn't told me how to do it. Yes, some hackers figured it out.

Did you call Apple Enterprise support? Does your organization have the proper agreements in place with Apple, for them to support use of OS X by a business (instead of ordinary consumer use) ?

Did you voice the concerns with your Apple rep?

Comment Re:Hmmmmm..... (Score 1) 330

It is up to you to gauge how much time is left on the yellow and whether to stop or not.

This is impossible to do reliably, unless you are a repeat visitor to that specific traffic light, and it has not been changed since -- because different signals have different yellow light durations; it is frequently different at each light, and there is often less than 2 seconds to make that decision.

They should display something that allows drivers to at a glance see how long is remaining before red.

Possibly red LEDs that light up on the center line of the road itself, starting a distance out, representing time at speed limit to red, and approaching the light, as the remaining green time decreases....

Comment Re:"fan guards in the system" (Score 2) 371

That law exists to prevent products that don't include appropiate safety measures which would reduce the profit margin to harm someone.

But here we have a good example, of a bullshit safety measure requirement causing a product to go off the market entirely: apparently, because it will no longer be worth selling.

As neither of us knows exactly how dangerous those fans are, what the new requirements actually are and why there was a consensus for raising them....

We know that they pose absolutely no danger to the end user: except one that did some very stupid things, and specifically ignored directions, to unplug before unscrewing and opening up the computer case.

There are high voltages in the power supply and capacitors too, of most computer systems; I suppose someone could stick their fingers in there, and die from electrocution, after popping open the power supply....

Comment Re:Hmmmmm..... (Score 1) 330

(This is a rule to prevent blocking traffic, not a rule for safety.)

The rule also has safety ramifications. If you are partially blocking part of an intersection which crosses a 4 lane highway, during a time when traffic is low on the highway: a vehicle on a conflicting path, may see the green light, and be approaching the intersection at the speed limit (E.g. 45, 50 Mph)

If you got a red light at 20% through the intersection, and cannot clear the intersection, then you may not be able to see the approaching vehicle on a conflicting path: and the vehicle may not be able to see you within their stopping distance, due to a line of cars in the left lane limiting their view of the intersection, to just the light itself, and no visible cars in the intersection....

Comment Re:Hmmmmm..... (Score 2) 330

Also, if your front wheels are over the line before the light turns red, I'm pretty sure you're legally good to go in most places.

If your front wheels are over the line: you are already in the intersection. Other cars in the conflicting direction are required to not proceed and enter the intersection until you clear, even if their light turns green.

And you are required to clear out, or risk being ticketed for blocking the intersection.

You may also be ticketed for being in the intersection during a red light.

Comment Re:Hmmmmm..... (Score 1) 330

Yes, red+amber is a great idea. But not for the reason you think. And it wouldn't work here in the US, because it requires alert and active drivers, not slugs.

How about police monitored intersections tickets, for a car, that sits idle for more than 1 second at a green light, when it is safe to proceed? (Whether first car or not...)

Comment Where there are 50 found... (Score 3, Insightful) 270

There are probably 500 unaddressed.. you know...

Oracle's you know... rearranging the deck chairs on the Titanic. plugging a few of the small leaks here in there. Doesn't mean the ship is saved:)

Recall Cisco just released this big 2013 annual security report the other day, showing Java exploit as a #1 infection vector for malware.... :)

Comment Re:Before the libertarians start preaching... (Score 1) 330

I can think of a big one. In five to ten years we would have ads with the slogan "Take Fakitol, it won't cure your cancer, but will make sure you don't give a shit about it".

Then regulate the marketing of it; like the marketing of cigarettes is regulated.

And require a license to possess, sell, purchase, or use it, that requires paying a fee and passing a multiple-choice test, demonstrating knowledge of the risks: and someone underage must have consent of a guardian, plus a minimum of two additional adults that may be related, and a third adult reviewer who may not be related or know them, to interview them, and vouch for their character + ability to understand the drugs' effects, and understand and comply with their obligations under the law (such as amount allowed to be in possession at any point in time, not using or possessing unsealed or uncovered drug packages in a public or social setting, not driving for sufficient time after using, and not transferring drug person to person, except through a lawfully licensed intermediary).

Comment Re:Before the libertarians start preaching... (Score 1) 330

Alcohol is fully legal - and yet there are quite a few moonshiners out there.

This is because, to fund the wars, the federal government decided to create some very tyrannical taxes on alcohol and regulation on the operation of distilleries.

The so-called moonshiners were previously legal small-time distillers.

Due to the legal regulations and taxation regime, there can be no such thing as a "small" distiller; I believe the government-imposed starting cost to be a legal operator is a few million $$$ cash up front.

Comment Re:Sign in to keep vs destroy on command (Score 1) 163

If you want the authorized user to be the one to determine when the gear should (and should not) be sacrificed, it has to be "destroy on command".

Who says the authorized user should? If the equipment needs protection because it can give an enemy an advantage, and it falls into enemy hands, then it should be rendered useless.

That would hand The Enemy an easy method of sabotage. All he would need to do to cripple your gear is to try to use it

Or destroy it with explosives...

It IS in the hands of your enemy; therefore, they could do whatever they like with it, including hiding it somewhere you won't ever find it.

Or if it's based on time elapsed since the authorized user was using it, just keep you away from it for that long.

Your enemy separated you from your equipment... that means the enemy is in control, what more could be said?

There are really two risks, that would cause you to want to block access to equipment:

1. An enemy can pick it up and start using it -- for these situations, a password, or login makes the most sense. A self-destroy mechanism doesn't really provide meaningful assistance against this threat, because an access restriction is good enough, as long as it can resist attacks that don't involve days with a logic analyzer. And for this situation; if the authorized user doesn't think it needs destroyed, then fine.... keep intact, but deny access.

2. An enemy can pick it up and bring it home -- bring it to a lab to analyze; analysis of the electronics might reveal information the enemy could use. This risk warrants the implementation of destruct mechanisms. Because denying access on the field doesn't prevent analysis. Moreover, if the destruct isn't timely, the enemy might learn how to disable the destruct mechanism, SO the forces cannot afford to let the authorized user make a decision (the authorized user may be incapacitated); the destruct should be automatic, and designed to occur in a way and at a time, which will ensure that the risk of the destruct being disabled, or analysis has already started, will be minimal.

A start, would be to place electronics in rugged tamper-resistant outer and inner cases, which would be opened during normal use without a second thought -- and if the outer case is open, an authentication timer starts counting down....

Comment Extreme temp already destroys electronics (Score 1) 163

placing the device within certain conditions e.g. extreme heat or cold, that triggers the rapid destruction process.

Extreme heat already destroys electronics

A little bonfire or some thermite or black powder should be very effective, unless the electronics were intentionally designed to withstand extreme heat....

Comment Re:It's the stigma (Score 1) 366

To do that requires finding inspectors who will not take bribes and are not intimidated by threats.

Not necessarily. Remove the assumption of compliance. Guilty until proven compliant.

Require industry players to provide proof of compliance by 3rd party auditors, including detailed documentation, floor plans, photographs and videos showing every square inch of the facilities; including photographic and video evidence, showing sufficient exit paths, and no escape paths capable of being locked in a way that would prevent exit.

Validate the findings of auditors via inspection; inspectors also required to gather photographic and video evidence.

Include very large fines for non-compliance. Include very stiff penalties for both the factory, and the individual auditors on the audit team that provided fraudulent results.

Give inspectors a large commission, in excess of any likely bribe, if fraud is uncovered as a result of their inspection.

Slashdot Top Deals

"It may be that our role on this planet is not to worship God but to create him." -Arthur C. Clarke

Working...