
Comment Re:Not necessarily (Score 1) 183

I agree that some pretty routine protection can give you a considerable amount of value.

But it wouldn't stop a concerted attack on you. You'd have been vulnerable to something like Heartbleed for two years, even if you patched every hour of every day of that two years. There have been other examples of obscure vulnerabilities that have been very serious and still missed for all of that. There are definitely things out there that no one knows about, or no one has gotten around to fixing yet. All it takes is for someone to want to devote enough attention to you in order to exploit them.

That's why if you work for a small company, you might do very well with routine patching, but that will not at all be sufficient for a big bank.

Comment Re:Two words: "Ford Pinto" (Score 1) 183

Well, it is important to point out that no one really thinks their life is less important than tasty food. The real factors are:

There is always a reasonable probability that it won't be what kills you. That bacon triple cheeseburger may eventually kill you, but your smoking habit will probably do that first. You're going to die of something, you're betting you don't live long enough so that all of your bad decisions play out.

Second, people just have really bad perception of relative risk. That's why some people are more afraid of terrorists than they are of driving to work, even though driving to work is probably at least two orders of magnitude more likely to get you killed on any given day than all types of terrorist (Muslim, Christian, Marxist, eco-nuts) put together.

Comment Re:Companies must be embarrassed (Score 1) 183

I hope you aren't suggesting the government is going to do a better job of making that happen.

All the government makes you do is a shitload of paperwork and then when you fail because you spent more time on filling out your 400 page system security plan than actually securing anything, they throw the book at you anyway. Or not, if you're golfing partners with your tame congressman.

Comment Re:1% (Score 1) 183

Will we? I seem to recall some rich people who had their nudes posted all over the internet in recent memory. Perhaps you mean the 0.1%?

Security is security. The rich people are just as vulnerable as we are to it, and if you think about it, those are the people who are more likely to ignore their own security because they don't spend any money on it in their professional lives either.

Comment Re:It depends (Score 1) 183

That's why you don't back up servers, you back up data.

Installed server software like the application and OS, especially in this day and age, should be completely disposable. Unless they can cryptolock you somehow from a dump file or an oplog, all they have done is cause a short outage and annoy the shit out of some admins.

Wipe the hardware, reinstall from your golden image and have your configuration management software reconfigure things, and then restore from backup.

Not to mention with any redundant DB, there is a good chance that only one host is crypto locked, so you shut down the primary, and the secondary takes over as if nothing happened because crypto locking one server's disk merely causes your DB cluster to be broken.

Comment Re:Cheaper Until Lawsuit Damages Occur (Score 2) 183

Although a lawsuit comes far too late to protect the people who needed to protect their data more than they needed a $30 rebate from a class action suit.

Make no mistake, the article makes this very clear. Most of the downside of not spending on security is on the customers, not on the business that got hacked.

Comment Re:lower infosec budgets will INCREASE hacking dam (Score 1) 183

Security solutions and spending also often include the security people operating the solutions. And just one of them can easily be almost $200,000 a pop, not necessarily in salary, but in benefits, salary, and even getting a headhunter to find one.

As far as security software, that's pretty expensive too, but varies based on your level of security. I've seen packages that keep the records of every keystroke made on every server that you connect to it. Real Big Brother types of packages. That easily costs more than $200,000 a pop.

Also note that if you work at a smaller company that uses a certain piece of software that isn't very expensive for you because you have few heads and few computers to secure, that same package becomes much, much more expensive for big companies due to their scale, and even with deep discounting. I have to work with Fortune 100 companies in integrating with their security, and while it is not always inspiring to see their level of competence, it is very easy to see that they spend a shitload of money on what they have because they have high visibility and complex environments.

Comment Re:lower infosec budgets will INCREASE hacking dam (Score 1) 183

I don't think his advice is particularly bad, it's more of an admission of reality. Spend the money to make a good solid security program, but let's face it, with all the 0-days out there and the threat sources, it is probably best to understand that successful attacks are inevitable. At least then, you also set aside time, money, and resources to deal with the impacts, and do planning that assumes that since breaches are possible, they need to be taken seriously when they happen.

I'm less concerned that someone stole my password than I am that a password might have been stolen, but I didn't know about it for weeks or months or years. If I at least know about it, I can take action.

Comment Re:Not only that (Score 2) 183

I disagree. There are plenty of people who can use money well. The problem is that the system rewards people who make money for the purpose of making more money. The problem here is that security is not profitable, and the downside seems to be less expensive than not covering that overhead cost.

We need to find a way to properly incentivize security as its own end, because as I have noticed in my career, getting security resources is like pulling teeth, until someone threatens a suit or seriously damages the reputation of the company. Even then, it is usually more for window dressing.

Comment Re:Bottom line... (Score 1) 183

The problem with the extreme libertarian ideal of what would happen is that it assumes that no one can generate a monopoly. Particularly the monopoly of force of a government.

If that was not possible, it is possible that there would be more freedom for that mechanism to work, but as you say, those conditions don't seem to ever actually occur.

The reality is that I think people want something that prevents anarchy, but they don't want it to become oppressive. I think government is okay in moderation, but it is really taking over just about everything these days, and I don't really think people think about what that means for the future... or even if they care. I dislike the idea of a population that is fully dependent on a government, because I don't see it as much different as being dependent on a corporation or some other force that I have almost no serious input into.

Comment Re: The power of a concentrated marketplace (Score 1) 183

Hell, I would have thought the breach at Ashley Madison would have done them completely in on reputation loss alone...

It is not always easy to kill a company dead with just one thing happening to it, even something like this. There are people invested in it, and they have reason enough to work to keep it going. And if you're one of the people who got into the business of helping people have affairs, you're already going to be someone who is somewhat impervious to other people's opinion of you. Many of these companies keep going until they must declare bankruptcy, so there's no reason for them to not give it a college try.

That said, this just means that their decline is being retarded by something like perhaps scads of cash that they got their hands on previously, or perhaps they found some investors who think the concept is good and the brand name still has some value if they wait long enough for the smell to dissipate.

Comment Re:maaaan (Score 1) 382

In his defense, he probably didn't think he was doing anything wrong by removing those files; it was probably presented to him as a standard data wipe deal to make sure that the server could be decommissioned. Therefore, he probably didn't think he needed to fully cover his tracks or even that anything illegal was going on.

Granted, alluding to working for a VIP on a public forum is beyond stupid, even if you are totally legit, because then people take interest in you, and it is usually not the people who you were looking to impress.
