Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
C/C++ Back On Top of the Programming Heap?
Drethon writes "On this day in 2008, a submission was posted that C/C++ was losing ground so I decided to check out its current state. It seems that C has returned to the top while Java has dropped by the same amount, VB and PHP have dropped drastically, C++ is holding fast but now in third place and Objective-C and C# have climbed quite a bit. 2008 data thanks to SatanicPuppy: 1. Java (20.5%); 2. C (.14.7%); 3. VB (11.6%); 4. PHP (10.3%); 5. C++ (9.9%); 6. Perl (5.9%); 7. Python (4.5%); 8. C# (.3.8%); 9. Ruby(2.9%); 10. Delphi (2.7%). The other 10 in the top 20 are: JavaScript, D, PL/SQL, SAS, Pascal, Lisp/Scheme, FoxPro/xBase, COBOL, Ada, and ColdFusion." -
Telcos Oppose Bill To Respect 4th Amendment
Fluffeh writes "CTIA (The mobile operators' industry association) is opposing a California law proposing that a court order be required prior to disclosing personal information. The law seems to be in opposition to the federal government's attempts to wash away the last requirements to get at any information about citizens, but CTIA claims (PDF) '... the wireless industry opposes SB 1434 as it could create greater confusion for wireless providers when responding to legitimate law enforcement requests.' The EFF and the ACLU have been arguing strongly for the bill which is to be voted on shortly." A charming quote from CTIA: "For example, the definition of 'location information' is so sweeping that it could implicate information generally considered basic subscriber information under federal law. Since the implications of this definition are unclear, wireless providers will have difficulty figuring out how to respond to requests for such information. It could place providers in the position of requiring warrants for all law enforcement requests." -
Asteroid the 'Size of a Minivan' Exploded Over California
astroengine writes, quoting Discovery: "The source of loud 'booms' accompanied by a bright object traveling through the skies of Nevada and California on Sunday morning has been confirmed: it was a meteor. A big one. It is thought to have been a small asteroid that slammed into the atmosphere at a speed of 15 kilometers per second (33,500 mph), turning into a fireball, delivering an energy of 3.8 kilotons of TNT as it broke up over California's Sierra Nevada mountains. Bill Cooke, head of NASA's Meteoroid Environment Office, classified it as a 'big event.' 'I am not saying there was a 3.8 kiloton explosion on the ground in California,' Cooke told Spaceweather.com. 'I am saying that the meteor possessed this amount of energy before it broke apart in the atmosphere. (The map) shows the location of the atmospheric breakup, not impact with the ground.' Interestingly, this event was bigger than asteroid 2008 TC3 that exploded over the skies of Sudan in 2008 after being detected before it hit." -
Dot-Word TLDs Further Delayed
benfrog writes "The security bug that has been stalling the 'dot-word TLD land grab' might be fixed, but ICANN says it needs another week 'to sift through its mountains of TAS logs, in order to figure out which applicants' data was visible to which other applicants.' Needless to say, some are less than thrilled about the further delay." -
Google Ups Bug Bounty To $20,000
Trailrunner7 writes, quoting Threatpost: "Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features." -
U.S. Suspends JEEP Aid
gManZboy writes "As noted last week, the USAID's JEEP (Job Enabling English Proficiency) program has been using U.S. taxpayer dollars to train students in the Philippines to work at outsourcing call centers. An update: After Congressman Tim Bishop and a colleague protested to USAID, USAID decided to suspend funding to the effort. 'In response to the concerns you have raised, the Agency is suspending its participation in the English language training project in Mindanao pending further review of the facts,' said USAID deputy assistant administrator Barbara Feinstein, in a letter Monday to Bishop. 'Furthermore, the Agency has established a high-level taskforce to review these matters.' Bishop says that USAID needs to find ways to assist developing regions without compromising the jobs of U.S. call center workers" -
Satellite System Will Speed Up Tsunami Warnings
ananyo writes "NASA and a group of universities known as the READI network have begun testing an earthquake-warning system based on satellite data from the Global Positioning System. The method could have allowed Japanese officials to issue accurate warnings of the deadly March 2011 earthquake and tsunami ten times faster than they did, say scientists. The system is currently being tested using the U.S. Pacific Northwest Geodetic Array: hundreds of GPS receivers placed along the North American coast between Northern California and British Columbia in Canada. While conventional seismometers provide similar information, they run into trouble with earthquakes of magnitude 7 or higher. This is partly because in big quakes, the ground may shake for longer, but not significantly harder. GPS has no such problem, because it directly measures the movement of the ground." -
Software Engineering Is a Dead-End Career, Says Bloomberg
An anonymous reader sends this quote from an opinion piece at Bloomberg: "Many programmers find that their employability starts to decline at about age 35. Employers dismiss them as either lacking in up-to-date technical skills — such as the latest programming-language fad — or 'not suitable for entry level.' In other words, either underqualified or overqualified. That doesn’t leave much, does it? Statistics show that most software developers are out of the field by age 40. Employers have admitted this in unguarded moments. Craig Barrett, a former chief executive officer of Intel Corp., famously remarked that 'the half-life of an engineer, software or hardware, is only a few years,' while Mark Zuckerberg of Facebook has blurted out that young programmers are superior." -
20th IOCCC Source Code Released
An anonymous reader writes "The 20th International Obfuscated C Code Contest apparently has the turbo button pressed, as the source code has been published in only two months, versus almost four years of the 19th contest. As we discussed in February, the judges' verdicts are in: the Best of Show entry comes from Don Yang with a program containing more programs. Some other entries winning this year are a text raytracer (used this year in IOCCC logo), a MOD player, a X11-based dual player tank shooter and a bouncing ball (Amiga-style) with ANSI escape sequences. Remember that every IOCCC entry has a limit of 4 kilobytes, so indeed every one is pretty impresive." -
Facebook Purchases 650 AOL Patents From Microsoft
eldavojohn writes "Not two weeks after Microsoft purchased 925 patents and patent applications plus licenses to AOL's portfolio for $1 billion, Facebook has now acquired 650 of said patents and patent applications for $550 million to which Microsoft retains a license. So, was Microsoft's $450 million worth it? According to their press release: 'Upon closing of this transaction with Facebook, Microsoft will retain ownership of approximately 275 AOL patents and applications; a license to the approximately 650 AOL patents and applications that will now be owned by Facebook; and a license to approximately 300 patents that AOL did not sell in its auction.' Will the patent-go-round continue, or has Facebook loaded up for a good old-fashion Mexican standoff?" -
Facebook Purchases 650 AOL Patents From Microsoft
eldavojohn writes "Not two weeks after Microsoft purchased 925 patents and patent applications plus licenses to AOL's portfolio for $1 billion, Facebook has now acquired 650 of said patents and patent applications for $550 million to which Microsoft retains a license. So, was Microsoft's $450 million worth it? According to their press release: 'Upon closing of this transaction with Facebook, Microsoft will retain ownership of approximately 275 AOL patents and applications; a license to the approximately 650 AOL patents and applications that will now be owned by Facebook; and a license to approximately 300 patents that AOL did not sell in its auction.' Will the patent-go-round continue, or has Facebook loaded up for a good old-fashion Mexican standoff?" -
How Good Are Robo-Graders?
stoolpigeon writes "With a large study showing software grades essays as well as humans, but much faster, it might seem that soon humans will be completely out of the loop when it comes to evaluating standardized tests. But Les Perelman, a writing teacher at MIT, has shown the limits of algorithms used for grading with an essay that got a top score from an automated system but contained no relevant information and many inaccuracies. Mr. Perelman outlined his approach for the NY Times after he was given a month to analyze E-Rater, one of the software packages that grades essays." -
Sinclair ZX Spectrum 30th Anniversary
It's not just the TRS-80; new submitter sebt writes "ZX Spectrum, the microcomputer launched in 1982 by Sinclair Research (Cambridge, UK) turns 30 today. The launch of the machine is seen by many today as the inspiration for a generation of eager young programmers, software and game designers in the UK. The events surrounding its launch, notably Sinclair's well-known rivalry with Acorn, later helped to inspire the design of the ARM architecture and most recently the Raspberry PI (based on ARM), in an effort to reboot the idea of enthusiastic kid programmers first captured by the Spectrum and Acorn's BBC micro. Happy birthday Spec!" -
French Elections Could Affect HADOPI, ACTA
bs0d3 writes "From having a position in the development and support of ACTA, to implementation of HADOPI, to imposing an internet tax to pay for music; France has been at the forefront of anti-piracy legislation. This week, it has been announced that current President and anti-piracy advocate Nicolas Sarkozy is unlikely to win the next election. His leading opponent is a man named Francois Hollande. Hollande has in the past opposed both ACTA and HADOPI (France's 3 strikes law). Hollande believes that ACTA, 'originally intended to combat counterfeiting trade[,] was gradually diverted from its objective, in the utmost discretion and without any democratic process.' At the same time, Hollande is also strongly against piracy. 'Piracy has been costly,' Hollande said, 'but I do not think that law enforcement alone is the answer to the problem.' Will internet issues be of concern to the voters in France? It certainly is to the rest of us internet users." -
Frogger Synchronized To Real-Life Traffic
Cerlyn writes "In order to celebrate 30 years of Frogger, Tyler DeAngelo and his friends created a version of Frogger synchronized to actual vehicles on 5th Avenue in New York City. Unlike a previous (dangerous) attempt at recreating the game, this version fits safely inside of a Frogger arcade cabinet, and pictures and videos of the construction of the game are available as well." (Just scroll down that first link to see the construction details.) -
Facebook, Instagram, Ben Bernanke: Thank You For the New Tech Bubble
pigrabbitbear writes "Those who continue to inflate the tech bubble will be quick to remind us all of how they've learned from the past. That this time, it's simply different. They do have a point. Silicon Valley (and Alley) have matured. Startups these days are focused, driven, and efficient, creating products that people actually use. In a period of less than a year after its launch, Instagram was used by 5 million users, who by August of 2011 had uploaded 150 million photos. But even with these impressive results, it's impossible to ignore the fact that many of the fundamental economic factors that led the first bubble remain." A couple other readers contributed similar articles — Instagram's sale seems to have solidified the idea for many that we're in the midst of another tech bubble, though some are more certain about it than others. -
EU Commissioner: We Cannot Allow ISP Disconnects
Fluffeh writes "The EU Commissioner for the Digital Agenda, Neelie Kroes, has been making some interesting comments about privacy, copyright and many aspects of the digital age. Going so far as to quote the Free Software Foundation and Yochai Benkler, she says: 'Openness is also complex because sometimes it's unclear what it means. ... In the Arab Spring, many brave activists successfully used the open Internet to coordinate peaceful protests. In response, despotic governments sought to control or close down Internet access; and also used ICT tools as a tool of surveillance and repression. We cannot allow democratic voices to be silenced in that way. And I am committed to ensuring "No Disconnect" in countries that struggle for democracy. We must help such activists get around arbitrary disruptions to their basic freedoms.'" -
FBI Seizes Server Providing Anonymous Remailer Service
sunbird writes "At 16:00 ET on April 18, federal agents seized a server located in a New York colocation facility shared by May First / People Link and Riseup.net. The server was operated by the European Counter Network ("ECN"), the oldest independent internet service provider in Europe. The server was seized as a part of the investigation into bomb threats sent via the Mixmaster anonymous remailer received by the University of Pittsburgh that were previously discussed on Slashdot. As a result of the seizure, hundreds of unrelated people and organizations have been disrupted." -
Florian Mueller Outs Himself As Oracle Employee
eldavojohn writes "So you're commenting on your highly visible blog about patent case after patent case that deal with corporations battling over open source stuff, what does it matter if you're taking money from one and not the other? If you don't see any ethical problems with that, you might be Florian Mueller. Groklaw's PJ (who has been suspicious of Florian's ties to other giants like Microsoft for quite sometime) has noticed that Florian Mueller has decided to go full disclosure and admit that all his commentary on the Oracle v Google case might be tainted by his employment by Oracle. It seems he's got a bunch of consulting money coming his way from Oracle but I'm sure that won't undermine any of his assessments like Android licenses violate the GPL or that Oracle will win $6 billion from Google and Google was "at risk" of not settling despite the outcome that the charges later dropped to a small fraction of the $6 billion. Like so many other times, PJ's hunch was right." -
Florian Mueller Outs Himself As Oracle Employee
eldavojohn writes "So you're commenting on your highly visible blog about patent case after patent case that deal with corporations battling over open source stuff, what does it matter if you're taking money from one and not the other? If you don't see any ethical problems with that, you might be Florian Mueller. Groklaw's PJ (who has been suspicious of Florian's ties to other giants like Microsoft for quite sometime) has noticed that Florian Mueller has decided to go full disclosure and admit that all his commentary on the Oracle v Google case might be tainted by his employment by Oracle. It seems he's got a bunch of consulting money coming his way from Oracle but I'm sure that won't undermine any of his assessments like Android licenses violate the GPL or that Oracle will win $6 billion from Google and Google was "at risk" of not settling despite the outcome that the charges later dropped to a small fraction of the $6 billion. Like so many other times, PJ's hunch was right." -
Sun Advice Columnist Advised MPs On UK Porn-Block Plans
nk497 writes "The first official expert witness in an inquiry into network-level filtering of porn was a Sun advice columnist called Dear Deidre. A group of MPs has been pushing to censor the UK web to prevent children from seeing porn, but reading the full report reveals the weakness of the evidence. It also features Dear Deidre defending the topless model on Page 3 of her own newspaper, saying, 'the Editor of The Sun thinks it's okay' and 'nine million people read it.'" -
Judge Grudgingly Awards $3.6 Million In DRM Circumvention Case
Fluffeh writes "The case involves an online game, MapleStory, and some people who set up an alternate server, UMaple, allowing users to play the game with the official game client, but without logging into the official MapleStory servers. In this case, the people behind UMaple apparently ignored the lawsuit, leading to a default judgment. Although annoyed with MapleStory (The Judge knocked down a request for $68,764.23 — in profits made by UMaple — down to just $398.98), the law states a minimum of $200 per infringement. Multiply that by 17,938 users of UMaple... and you get $3.6 million. In fact, it sounds like the court would very much like to decrease the amount, but notes that 'nevertheless, the court is powerless to deviate from the DMCA's statutory minimum.' Eric Goldman also has some further op-ed and information regarding the case and judgement." -
System For Applications For New gTLDs Still Down
itwbennett writes "After almost a week the ICANN system for applications for new generic top-level domains (gTLDs) is still down, and it is unclear when it will reopen, although ICANN said it would provide an update by Friday, according to an IDG News Service report. The system was taken offline after a software glitch was found that 'resulted in some users being able to see some other users' file names and user names.'" -
Federal Court Allows Class-Action Suit Against Apple Over In-App Purchases
suraj.sun writes "An iPhone-owner whose daughter downloaded $200 worth of 'Zombie Toxin' and 'Gems' through in-app purchases on his iPhone has been allowed to pursue a class action suit against Apple for compensation of up to $5m. Garen Meguerian of Pennsylvania launched the class-action case against Apple in April 2011 after he discovered that his nine-year-old daughter had been draining his credit card account through in-app purchases on 'free' games including Zombie Cafe and Treasure Story. This month, Judge Edward J Davila in San Jose District Federal Court has allowed the case to go to trial, rejecting Apple's claim that the case should be dismissed. Meguerian claimed that Apple was unfairly targeting children by allowing games geared at kids to push them to make purchases. He describes games that are free to play but require purchases of virtual goods to progress as 'bait apps' and says they should not be aimed at children." -
Book Review: The CERT Guide To Insider Threats
benrothke writes "While Julius Caesar likely never said 'Et tu, Brute?' the saying associated with his final minutes has come to symbolize the ultimate insider betrayal. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats. There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them." Read on for the rest of Ben's review. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes author Dawn Cappelli, Andrew Moore, Randall Trzeciak pages 432 publisher Addison-Wesley Professional rating 10/10 reviewer Ben Rothke ISBN 978-0321812575 summary Definitive resource on insider threats The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade. The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic. The threat center has investigated nearly 1,000 incidents and their data sets on the topic are unrivaled. With that, the book truly needs to be on the desktop of everyone tasked with data security and intellectual property protection.
The book provides a unique perspective on insider threats as the CERT Insider Threat Center pioneered the study of the topic, and has exceptional and empirical data to back up their findings. While there are many books on important security topics such as firewalls, encryption, identity management and more; The CERT Guide to Insider Threats is the one of the first to formally and effectively tackle the extraordinary devastating problem of trusted insiders who misappropriate data.
In the introduction, the authors write that a common misconception is that insider threat risk management is the responsibility of IT and information security staff members exclusively. The reality is that it is the responsibility of senior management to ensure that there is an overarching program to deal with insider threats at the enterprise level. Surpassingly and shockingly, far too few organizations have insider threat programs in place, and the book has scores of stories and case studies on those organizations that have become victims. While senior management created information security solutions to secure the perimeter; they were oblivious to the data leakage emanating from the interior network.
The authors reiterate that it is critical that all levels of management recognize and acknowledge the threat posed by insiders and take appropriate steps to mitigate malicious insiders. While it is impossible to stop every attack, what management can certainly do is build resiliency into their organizations infrastructure and business processes. This enables the organization to detect the attacks earlier and minimize the financial and operational impact. The book provides the specific details on how an organization can precisely do that.
In 9 detailed chapters and 6 appendices, the book provides a comprehensive and exhaustive analysis of the problem and menace of insider threats. After completing the book, one is well-prepared to initiate an insider threat program. The book provides examples of insider crimes from nearly every industry segment and ample data to share with management to convince them that the threats, both to their intellectual property and corporate profits, are very real.
After a high-level overview of the topic in chapter 1, the next chapter gets into the details of insider IT sabotage. While some think that stopping IT sabotage is next to impossible, the authors detail and have identified distinct patterns in nearly every IT sabotage case. The book details those patterns and also presents mitigation strategies, both technical and non-technical, to deal with those threats.
The chapter provides fascinating insights into how these crimes are carried out. The authors note that by their very nature, these attacks require technical sophistication and privileged access and are usually carried out by sysadmins, DBA's and programmers. A surprising CERT finding is that the majority of the attacks occur after the insider has been terminated or quit the organization. Part of the problem is that many organizations don't have a process in place to immediately terminate access when a worker resigns or is fired. In addition, 25% of the cases were carried out by full-time contractors.
Chapter 3 provides an intriguing look at the issue of insider theft of intellectual property (IP). Any firm that has a sizable amount invested in their IP (i.e., anything you can put on a USB stick) needs to take this chapter to heart. One of the many misconceptions CERT research has uncovered on this topic is that sysadmins are indeed not the biggest threat to IP, even though they have complete access to networks, systems and data.
According to the CERT data, they have not found a single case in which a sysadmin stole IP. Rather the biggest threat to IP is insider theft by scientists, engineers, programmers or salespeople. Also, CERT found that about a third of the IP cases were carried out for the benefit of a foreign government of organization, with China having more cases of IP theft than the other 9 countries combined.
Given the nature of China and its appetite for data theft, the book is surprisingly silent on specific suggestions in which to deal with threats from China. I would have liked to have seen at least a chapter dedicated to this topic.
The chapter continues and provides detailed lists of issues leading to job dissatisfaction that can lead a trusted employee or contractor to commit IP theft, and provides detailed steps on what companies can do to stop it.
Chapter 4 details everything you need to know about insider fraud. A fascinating statistic detailed is that the average insider fraud crime spans about 15 months, with half of the crimes lasting 5 months or more. The authors write that insider fraud is typically a long and ingoing crime. All of this is happening, over the course of months and years, and the organizations being pilfered are oblivious to it.
The book is worth reading for chapter 6 alone, which details best practices for the prevention and detection of insider threats. The best practices in chapter 6 give the reader a framework for establishing an insider threat program. Many of the best practices detailed are elements of a good security program, so they should not be news to anyone. Some of the best practices include: security awareness training, physical security controls, separation of duties, and perhaps the most blatantly obvious suggestion of them all: deactivate access following termination.
Another fascinating fact detailed in the book is that almost all insiders involved in acts of IT sabotage displayed behavioral indicators prior to committing their crimes. Some of those indicators include: conflicts with coworkers or supervisors, improper use of data assets, sanctions and rule violations. Organizations that act on these precursors can prevent the insider crimes from taking place.
Aside from its lack of coverage on how to specifically deal with the China threat, the only other lacking in the book is that in all of the examples and case studies, even those whose breaches are publicly known, organizations are not mentioned by name.
According to author Dawn Cappelli, Technical Manager at the CERT Insider Threat Center, they took that approach based on interviews for approximately 230 of their cases, with prosecutors, investigators, victim organization, or convicted insiders. In those interviews they guaranteed confidentiality of the information they obtained. Therefore, CERT considers the success of their research directly related to their reputation in the community for being trustworthy for maintaining confidentiality. While there reasoning makes sense, anonymous case studies are often unsatisfying
Insider threats are pervasive and indisputable. Organizations such as the CERT Insider Threat Center and individuals like Antonio Rucci provide vital services evangelizing about this critical topic. This entertaining video of Rucci from DEFCON 17 is a great primer on the topic.
Most of the firms who fall victim to insider threats are oblivious to them as they occur. The book details effective and operational security practices which can help every organization create an insider threat program to counterattack the majority of insider attacks.
When it comes to insider threats, the only way to avert them is to have a prevention program in place. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, the authors have created an invaluable guidebook, with myriad details in which to enable the reader do that. The facts around insider threats speak for themselves. Anyone charged with protection of corporate data should ensure this book is on their required reading list. If not, and they fall victim to an insider attack, they have no one to blame but themselves.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: The CERT Guide To Insider Threats
benrothke writes "While Julius Caesar likely never said 'Et tu, Brute?' the saying associated with his final minutes has come to symbolize the ultimate insider betrayal. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats. There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them." Read on for the rest of Ben's review. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes author Dawn Cappelli, Andrew Moore, Randall Trzeciak pages 432 publisher Addison-Wesley Professional rating 10/10 reviewer Ben Rothke ISBN 978-0321812575 summary Definitive resource on insider threats The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade. The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic. The threat center has investigated nearly 1,000 incidents and their data sets on the topic are unrivaled. With that, the book truly needs to be on the desktop of everyone tasked with data security and intellectual property protection.
The book provides a unique perspective on insider threats as the CERT Insider Threat Center pioneered the study of the topic, and has exceptional and empirical data to back up their findings. While there are many books on important security topics such as firewalls, encryption, identity management and more; The CERT Guide to Insider Threats is the one of the first to formally and effectively tackle the extraordinary devastating problem of trusted insiders who misappropriate data.
In the introduction, the authors write that a common misconception is that insider threat risk management is the responsibility of IT and information security staff members exclusively. The reality is that it is the responsibility of senior management to ensure that there is an overarching program to deal with insider threats at the enterprise level. Surpassingly and shockingly, far too few organizations have insider threat programs in place, and the book has scores of stories and case studies on those organizations that have become victims. While senior management created information security solutions to secure the perimeter; they were oblivious to the data leakage emanating from the interior network.
The authors reiterate that it is critical that all levels of management recognize and acknowledge the threat posed by insiders and take appropriate steps to mitigate malicious insiders. While it is impossible to stop every attack, what management can certainly do is build resiliency into their organizations infrastructure and business processes. This enables the organization to detect the attacks earlier and minimize the financial and operational impact. The book provides the specific details on how an organization can precisely do that.
In 9 detailed chapters and 6 appendices, the book provides a comprehensive and exhaustive analysis of the problem and menace of insider threats. After completing the book, one is well-prepared to initiate an insider threat program. The book provides examples of insider crimes from nearly every industry segment and ample data to share with management to convince them that the threats, both to their intellectual property and corporate profits, are very real.
After a high-level overview of the topic in chapter 1, the next chapter gets into the details of insider IT sabotage. While some think that stopping IT sabotage is next to impossible, the authors detail and have identified distinct patterns in nearly every IT sabotage case. The book details those patterns and also presents mitigation strategies, both technical and non-technical, to deal with those threats.
The chapter provides fascinating insights into how these crimes are carried out. The authors note that by their very nature, these attacks require technical sophistication and privileged access and are usually carried out by sysadmins, DBA's and programmers. A surprising CERT finding is that the majority of the attacks occur after the insider has been terminated or quit the organization. Part of the problem is that many organizations don't have a process in place to immediately terminate access when a worker resigns or is fired. In addition, 25% of the cases were carried out by full-time contractors.
Chapter 3 provides an intriguing look at the issue of insider theft of intellectual property (IP). Any firm that has a sizable amount invested in their IP (i.e., anything you can put on a USB stick) needs to take this chapter to heart. One of the many misconceptions CERT research has uncovered on this topic is that sysadmins are indeed not the biggest threat to IP, even though they have complete access to networks, systems and data.
According to the CERT data, they have not found a single case in which a sysadmin stole IP. Rather the biggest threat to IP is insider theft by scientists, engineers, programmers or salespeople. Also, CERT found that about a third of the IP cases were carried out for the benefit of a foreign government of organization, with China having more cases of IP theft than the other 9 countries combined.
Given the nature of China and its appetite for data theft, the book is surprisingly silent on specific suggestions in which to deal with threats from China. I would have liked to have seen at least a chapter dedicated to this topic.
The chapter continues and provides detailed lists of issues leading to job dissatisfaction that can lead a trusted employee or contractor to commit IP theft, and provides detailed steps on what companies can do to stop it.
Chapter 4 details everything you need to know about insider fraud. A fascinating statistic detailed is that the average insider fraud crime spans about 15 months, with half of the crimes lasting 5 months or more. The authors write that insider fraud is typically a long and ingoing crime. All of this is happening, over the course of months and years, and the organizations being pilfered are oblivious to it.
The book is worth reading for chapter 6 alone, which details best practices for the prevention and detection of insider threats. The best practices in chapter 6 give the reader a framework for establishing an insider threat program. Many of the best practices detailed are elements of a good security program, so they should not be news to anyone. Some of the best practices include: security awareness training, physical security controls, separation of duties, and perhaps the most blatantly obvious suggestion of them all: deactivate access following termination.
Another fascinating fact detailed in the book is that almost all insiders involved in acts of IT sabotage displayed behavioral indicators prior to committing their crimes. Some of those indicators include: conflicts with coworkers or supervisors, improper use of data assets, sanctions and rule violations. Organizations that act on these precursors can prevent the insider crimes from taking place.
Aside from its lack of coverage on how to specifically deal with the China threat, the only other lacking in the book is that in all of the examples and case studies, even those whose breaches are publicly known, organizations are not mentioned by name.
According to author Dawn Cappelli, Technical Manager at the CERT Insider Threat Center, they took that approach based on interviews for approximately 230 of their cases, with prosecutors, investigators, victim organization, or convicted insiders. In those interviews they guaranteed confidentiality of the information they obtained. Therefore, CERT considers the success of their research directly related to their reputation in the community for being trustworthy for maintaining confidentiality. While there reasoning makes sense, anonymous case studies are often unsatisfying
Insider threats are pervasive and indisputable. Organizations such as the CERT Insider Threat Center and individuals like Antonio Rucci provide vital services evangelizing about this critical topic. This entertaining video of Rucci from DEFCON 17 is a great primer on the topic.
Most of the firms who fall victim to insider threats are oblivious to them as they occur. The book details effective and operational security practices which can help every organization create an insider threat program to counterattack the majority of insider attacks.
When it comes to insider threats, the only way to avert them is to have a prevention program in place. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, the authors have created an invaluable guidebook, with myriad details in which to enable the reader do that. The facts around insider threats speak for themselves. Anyone charged with protection of corporate data should ensure this book is on their required reading list. If not, and they fall victim to an insider attack, they have no one to blame but themselves.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Magician Suing For Copyright Over Magic Trick
Fluffeh writes "Teller, the silent half of the well-known magic duo Penn and Teller, has sued a rival magician for copying one of his most famous illusions. The case promises to test the boundaries of copyright law as it applies to magic tricks. A Dutch magician with the stage name Gerard Bakardy (real name: Gerard Dogge) saw Teller perform the trick in Las Vegas and developed his own version — then started selling a kit — including a fake rose, instructions, and a DVD — for about $3,000. Teller had Bakardy's video removed with a DMCA takedown notice, then called Bakardy to demand that the magician stop using his routine. Teller offered to buy Bakardy out, but they were unable to agree on a price. So Teller sued Bakardy last week in a Nevada federal court." -
Apple: Greenpeace's Cloud Critique Driven By Bogus Numbers
miller60 writes "Apple says Greenpeace has wildly overestimated the amount of power it uses in its data center in North Carolina, and used that bad math to give the company a low grade on sustainability. Apple says it uses 20 megawatts of power at its iDataCenter, a fraction of Greenpeace's estimate of 100 megawatts in a new report on energy use by cloud computing providers. Apple says that its huge solar array and biogas-powered fuel cell will supply 60 percent of the facility's power, not the 10 percent claimed by Greenpeace." -
Macbook Owner With Defective GPU Beats Apple In Court
New submitter RockoW writes "A few years ago, Apple sold defective computers of the MacBook Pro line. They had the defective Nvidia 8600M GT GPU. In this case Apple refused to take the computer back and issue me a refund. Instead, they promised to replace the 8600M GT boards when they failed, up to four years from the date of purchase. Three years later, the MacBook Pro failed and they refused to replace it. This guy took them to the court and won by their own means." -
Avian Flu Researcher Plans to Defy Dutch Ban On Publishing Paper
scibri writes "Ron Fouchier, one of the researchers involved in the controversy over whether to publish research on mutant versions of H5N1 bird flu, has said he plans to submit his paper to Science without applying for an export control license as demanded by the Dutch government. Failing to get the license means he could face penalties including up to six years in prison. Whether the paper falls under export-control laws is unclear. The Netherlands implements European Union (EU) legislation on export controls, which require an export permit for 'dual-use' materials and information — those that could have both legitimate and malicious uses — including those relating to dangerous pathogens. But the EU law allows an exception for 'basic scientific research' that is 'not primarily directed towards a specific practical aim or objective,' which Fouchier says should cover his work." -
Avian Flu Researcher Plans to Defy Dutch Ban On Publishing Paper
scibri writes "Ron Fouchier, one of the researchers involved in the controversy over whether to publish research on mutant versions of H5N1 bird flu, has said he plans to submit his paper to Science without applying for an export control license as demanded by the Dutch government. Failing to get the license means he could face penalties including up to six years in prison. Whether the paper falls under export-control laws is unclear. The Netherlands implements European Union (EU) legislation on export controls, which require an export permit for 'dual-use' materials and information — those that could have both legitimate and malicious uses — including those relating to dangerous pathogens. But the EU law allows an exception for 'basic scientific research' that is 'not primarily directed towards a specific practical aim or objective,' which Fouchier says should cover his work." -
Avian Flu Researcher Plans to Defy Dutch Ban On Publishing Paper
scibri writes "Ron Fouchier, one of the researchers involved in the controversy over whether to publish research on mutant versions of H5N1 bird flu, has said he plans to submit his paper to Science without applying for an export control license as demanded by the Dutch government. Failing to get the license means he could face penalties including up to six years in prison. Whether the paper falls under export-control laws is unclear. The Netherlands implements European Union (EU) legislation on export controls, which require an export permit for 'dual-use' materials and information — those that could have both legitimate and malicious uses — including those relating to dangerous pathogens. But the EU law allows an exception for 'basic scientific research' that is 'not primarily directed towards a specific practical aim or objective,' which Fouchier says should cover his work." -
British MPs Propose Censoring Internet By Default
judgecorp writes "An all-party inquiry by British MPs has proposed the Internet should be censored to prevent children seeing 'adult' content. Users would have to opt in to see adult content. The proposal is similar to that already used by mobile operators." From the article: "The move, first suggested in 2010, has been firmed up , after a cross-party Parliamentary inquiry examined the state of online child protection. The current proposal is a 'network-level "Opt-In" system,' going beyond the 'active choice' model launched by ISPs ... last October. ... They also want the Government to 'consider a new regulatory structure for online content, with one regulator given a lead role in the oversight and monitoring of Internet content distribution and the promotion of Internet safety initiatives.'" -
British MPs Propose Censoring Internet By Default
judgecorp writes "An all-party inquiry by British MPs has proposed the Internet should be censored to prevent children seeing 'adult' content. Users would have to opt in to see adult content. The proposal is similar to that already used by mobile operators." From the article: "The move, first suggested in 2010, has been firmed up , after a cross-party Parliamentary inquiry examined the state of online child protection. The current proposal is a 'network-level "Opt-In" system,' going beyond the 'active choice' model launched by ISPs ... last October. ... They also want the Government to 'consider a new regulatory structure for online content, with one regulator given a lead role in the oversight and monitoring of Internet content distribution and the promotion of Internet safety initiatives.'" -
Apple and Samsung Agree To Settlement Talks
tlhIngan writes "It looks like the Apple v. Samsung war might be over soon. Both parties have agreed to meet to attempt to reach a settlement. While they are not required to settle (Google and Oracle recently went through the same process), it could be a positive signal that Apple might be willing to license the patents under Tim Cook, versus fight it out in court under the late Steve Jobs." -
Judge Rules Takedown of Pirate Party General Proxy Illegal
CAPSLOCK2000 writes "The Dutch Pirate Party (PPNL) just won a court-case against BREIN. Last week BREIN got a court to issue an emergency order to take down a reverse-proxy to The Pirate Bay. The next day BREIN claimed the court order also included a generic proxy also ran by PPNL and any other service that might lead to TPB (aka hyperlinks). PPNL responded with an emergency lawsuit of their own, asking for a literal interpretation of the verdict instead of BREIN's broad reading. The judge acknowledged the narrow interpretation of the verdict. proxy.piratenpartij.nl stays up and tpb.piratenpartij.nl now sports a list of other ways to reach The Pirate Bay. Due to the Streisand effect this list has grown to a considerable length. Noteworthy is that The Pirate Party got favorable verdict in a single day, a first in Dutch law." Full verdict (in Dutch). This is only a temporary order by the judge to keep the general-purpose proxy run by the Pirate Party and the list of alternative proxies to the Pirate Bay online. A full case hearing is expected on April 24th. -
Twitter: 'We Promise To Not Be a Patent Troll'
Fluffeh writes "Twitter today unveiled a bold new commitment that will be made in writing to its employees — the company will not use any patents derived from employee inventions in offensive lawsuits without the inventor's permission. Twitter has written up a draft of what it calls the 'Innovator's Patent Agreement,' or IPA, which encourages its developers to invent without the fear that their inventions will be used for nefarious purposes. 'The IPA is a new way to do patent assignment that keeps control in the hands of engineers and designers. It is a commitment from Twitter to our employees that patents can only be used for defensive purposes,' Messinger wrote. 'We will not use the patents from employees' inventions in offensive litigation without their permission. What's more, this control flows with the patents, so if we sold them to others, they could only use them as the inventor intended.'" -
GIMP Core Mostly Ported to GEGL
A longstanding task for the GIMP has been porting the core graphics code from the ancient implementation (dating back to version 1.2) to GEGL. Progress has been hampered by the amount of code relying on details of the implementation of image data: tiles are directly accessed instead of linear buffers, and changing that detail would break the entire core and all plugins. A few weeks ago, two GIMP hackers got together to do some general hacking, and inadvertedly ported the core graphics code to GEGL. They work around the mismatch between GEGL buffers and GIMP tiles by implementing a storage backend for GEGL using the legacy GIMP tiles; to their surprise things Just Worked (tm), and their code branch will become the 2.9 development series once 2.8 is released. With this, 2.10 will finally feature higher bit depth images, additional color spaces (CMYK for one), and hardware accelerated image operations. There's still work to be done: to take advantage of the new features, plugins need to be ported to access GEGL buffers instead of GIMP tiles, but the conversion work is straightforward and current plugins will continue working as well as they do now in the meantime. -
GIMP Core Mostly Ported to GEGL
A longstanding task for the GIMP has been porting the core graphics code from the ancient implementation (dating back to version 1.2) to GEGL. Progress has been hampered by the amount of code relying on details of the implementation of image data: tiles are directly accessed instead of linear buffers, and changing that detail would break the entire core and all plugins. A few weeks ago, two GIMP hackers got together to do some general hacking, and inadvertedly ported the core graphics code to GEGL. They work around the mismatch between GEGL buffers and GIMP tiles by implementing a storage backend for GEGL using the legacy GIMP tiles; to their surprise things Just Worked (tm), and their code branch will become the 2.9 development series once 2.8 is released. With this, 2.10 will finally feature higher bit depth images, additional color spaces (CMYK for one), and hardware accelerated image operations. There's still work to be done: to take advantage of the new features, plugins need to be ported to access GEGL buffers instead of GIMP tiles, but the conversion work is straightforward and current plugins will continue working as well as they do now in the meantime. -
Feds Shut Down Tor-Using Narcotics Store
Fluffeh writes "Federal authorities have arrested eight men accused of distributing more than $1 million worth of LSD, ecstasy, and other narcotics with an online storefront called 'The Farmer's Market' that used the Tor anonymity service to mask their Internet addresses. Prosecutors said in a press release that the charges were the result of a two-year investigation led by agents of the Drug Enforcement Administration's Los Angeles field division. 'Operation Adam Bomb, ' as the investigation was dubbed, also involved law enforcement agents from several U.S. states and several countries, including Colombia, the Netherlands, and Scotland. The arrests come about a year after Gawker documented the existence of Silk Road, an online narcotics storefront that was available only to Tor users. The site sold LSD, Afghani hashish, tar heroin and other controlled substances and allowed customers to pay using the virtual currency known as Bitcoin." -
Aussie Case Unlikely To Solve Piracy Riddle In Fast Broadband World
An anonymous reader writes "When some of Hollywood's biggest movie and TV studios took Australian ISP iiNet to court in 2008 — accusing it of facilitating piracy — it focused the eyes of the world downunder. Internet users and media companies alike were keen to see if the courts could figure out how to resolve the ongoing battle caused by easy, and essentially illegal, access to copyrighted material. After three and a half years and a number of appeals the high court judgement comes down on Friday, but it already looks like a failed attempt to solve an impossible riddle." -
Aussie Case Unlikely To Solve Piracy Riddle In Fast Broadband World
An anonymous reader writes "When some of Hollywood's biggest movie and TV studios took Australian ISP iiNet to court in 2008 — accusing it of facilitating piracy — it focused the eyes of the world downunder. Internet users and media companies alike were keen to see if the courts could figure out how to resolve the ongoing battle caused by easy, and essentially illegal, access to copyrighted material. After three and a half years and a number of appeals the high court judgement comes down on Friday, but it already looks like a failed attempt to solve an impossible riddle." -
Aussie Case Unlikely To Solve Piracy Riddle In Fast Broadband World
An anonymous reader writes "When some of Hollywood's biggest movie and TV studios took Australian ISP iiNet to court in 2008 — accusing it of facilitating piracy — it focused the eyes of the world downunder. Internet users and media companies alike were keen to see if the courts could figure out how to resolve the ongoing battle caused by easy, and essentially illegal, access to copyrighted material. After three and a half years and a number of appeals the high court judgement comes down on Friday, but it already looks like a failed attempt to solve an impossible riddle." -
Aussie Case Unlikely To Solve Piracy Riddle In Fast Broadband World
An anonymous reader writes "When some of Hollywood's biggest movie and TV studios took Australian ISP iiNet to court in 2008 — accusing it of facilitating piracy — it focused the eyes of the world downunder. Internet users and media companies alike were keen to see if the courts could figure out how to resolve the ongoing battle caused by easy, and essentially illegal, access to copyrighted material. After three and a half years and a number of appeals the high court judgement comes down on Friday, but it already looks like a failed attempt to solve an impossible riddle." -
Why Drones Could Be the Future of Missile Defense
An anonymous reader writes "With North Korea's failed missile launch Friday, it is clear many nations around the globe are attempting to acquire missiles that can carry larger payloads and go further. Such moves have made the United States and its allies very nervous. Missile defense has been debated since the 1980's with such debate back once again the headlines. Most missile defense platforms have technical issues and are very expensive. One idea: use drones instead. '... a high-speed (~3.5 to 5.0 km/s), two-stage, hit-to-kill interceptor missile, launched from a Predator-type UAV can defeat many of these ballistic missile threats in their boost phase.' Could a Drone really take down a North Korea missile? 'A physics-based simulator can estimate the capabilities of a high-altitude, long endurance UAV-launched boost-phase interceptor (HALE BPI) launched from an altitude of approximately 60,000 feet. Enabled by the revolution in UAVs, this proposed boost-phase interceptor, based on off-the-shelf technology, can be deployed in operationally feasible stations on the periphery of North Korea.'" -
Paramount Claims Louis CK "Didn't Monetize"
Weezul writes "Paramount's 'Worldwide VP of Content Protection and Outreach' Al Perry has insinuated that Louis CK making $1 million in 12 days means he isn't monetizing. Al Perry asserted that 'copyright law gives creators the right to monetize their creations, and that even if people like Louis C.K. decide not to do so, that's a choice and not a requirement.' Bonus, Slashdot favorite Jonathan Coulton apparently grossed almost half a million last year." -
Print Your Own Labware, Catalysts Included
scibri writes "Chemists have found a way to make reaction vessels perfectly suited to their needs, with 3D printers. From the article: 'Armed with a three-dimensional printer and the type of silicone-based sealant typically used for bathrooms, researchers have demonstrated a novel way to control chemical reactions ... One vessel was printed with catalyst-laced "ink," enabling the container walls to drive chemical reactions. Another container included built-in electrodes, made from skinny strips of polymer printed with a conductive carbon-based additive. The strips carried currents that stimulated an electrochemical reaction within the vessel.'" -
Dutch Pirate Party Dragging BREIN To Court
An anonymous reader writes "Last week the Dutch Pirate Party refused to take down their proxy. Then, avoiding the Pirate Party in court, the entertainment industry organization BREIN obtained an injunction against the party's The Pirate Bay proxy (now a list of alternative proxies). After receiving additional demands from BREIN on Saturday night, including one to censor their generic proxy, the Dutch Pirate Party decided to take them to court, to strike the order and convince the judge of the need for due process and the freedom to inform." From the press release: "The penalties imposed by the court are 4 times higher than those ordered upon the large commercial ISPs XS4ALL and Ziggo..." -
Light Table: A New Spin on the IDE
New submitter omar.sahal writes "Bret Victor demoed the idea of instant feedback on your code. ... Allowing the programmer to instantly see what his program is doing. Chris Granger has turned this novel idea into Light Table — a new IDE designed to make use of Victor's insights." The screenshots make this look like it could be genuinely useful — like a much fancier and more functional combination of features from SLIME and Speedbar. There's a Google group for those wanting to track development. There's no code yet, but source is promised: "I can guarantee you that Light Table will be built on top of the technologies that are freely available to us today. As such, I believe it only fair that the core of Light Table be open sourced once it is launched, while some of the plugins may remained closed source." -
Oracle and Google To Finally Enter Courtroom
Fluffeh writes "After around 900 motions and filings, not to mention a timeline of two years, Google and Oracle are finally putting their case before a jury which will be selected on Monday. While Oracle originally sued for billions, the possible damages have come down to a more reasonable $30-something million (the details vary depending on if you ask Google or Oracle). However, the sides are still far apart. Oracle's proposal was a minimum, not a maximum, and Oracle has asked for a tripling of damages because of the 'willful and deliberate nature of Google's infringement.' For ongoing royalties from future sales, Google has proposed payment of just over one-half of one percent of revenue if patent infringement is proven, but Oracle wants more. Beyond financial damages, Oracle has asked for a permanent order preventing Google from continuing to infringe the patents and copyrights. The case is planned to start on Monday afternoon, after jury selection or Tuesday at the latest."