There is no reason they can't give you a list of any IP addresses used to pen test your network. As long as you don't block those addresses, that would make absolutely no difference in their security audits, PLUS you would know who it was and avoid panic.
In my opinion, their failure to do so was rather unprofessional.
"They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either."
I hate to have to tell you this, but no.
If they are "connected to the hospital network", then the hospital network's security IS their security, and vice versa. You cannot separate the two, because lax security in one can enable entry into the other.
Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block those addresses, that would not affect any of the security audits in the slightest, and would ease any anxiety on the part of these people.
"Probably not the best idea in a pentest, some of them might think they actually got through and that will be hard to explain later."
Not really, if it's a halfway well-designed honeypot. All you need to do is keep records that you deliberately left fake records there.
Much harder than "explaining it later" is making it look real in the first place. Of course, you can always play "April Fool" and make the records obviously fake, with names like Lesions R. Us and maladies like "covered in enormous pustules at extremely high pressure". But the categorizing of illnesses by number these days might preclude doing the latter.
"How do you prevent an user from trivially modifying the Javascript in the app to not require payment?"
I was wondering this myself, and I don't think any of the replies so far actually address this issue. In Mozilla's example, they are using JavaScript to create a "JWT", but this is necessarily exposed in user-accessible code, and I do not see how it can be called "secure". They give lip-service to two-part authentication but don't then go on to explain where the other part comes in, which leaves me dubious.
Further, what is to prevent someone from modifying the JS at the "postback" URL to capture the return response? It would seem to me that this alone could compromise security, if it isn't being addressed.
Maybe it *IS* being addressed... but if so, their brief description certainly does not hint at how.
"If Google does what you say, well, that's like government but done right. I'm not sure that'd be a bad thing."
Say what?
You need to keep in mind: one of Google's founders has stated loudly and publicly that YOU are not the customer. Their customers are the people who pay them for data.
Google isn't standing up for YOU in regard to National Security Letters. It's standing up for its own bottom line. These government data requests are expensive and a hassle.
This is one of those rare instances lately where Google has indeed chosen to not "be evil". But they aren't doing it for your sake, their doing it for their own.
"Feinstein also thought it was legal to hunt humans."
Fainstein wants gun control. She wants video game control. (Both of which have consistently proved to be ineffective in doing what she claims, to justify her actions, she wants to accomplish.)
Let's face it. It's not about either guns or video games. It's all about control.
"In this case I think the takedown notices are not for the removal of the pirate websites, but the removal of their URLs from Google's results. If the URLs remain in Google's takedown notice database, and the sites themselves are still up, people can just comb Google's database for pirate links."
I see. I misread OP. I was thinking this was about YouTube (owned by Google), not about Google searches.
"For now, you're apparently unable to admit you're simply wrong on this, and have declined to provide a substantive response to my last post. I assume you're writing that letter to the board; please let me know when you receive their reply."
Sorry, but a "substantive response" requires more than just your say-so. Of course, I haven't presented any evidence on my side of the argument either.
So if you really want to call this anything more than a pissing contest, be my guest. But all that would get you is a bigger puddle.
I'd just like to see regular old benchmarks done, like Tom's Hardware and other sites routinely do.
The old 7200 RPM hybrid Momentus XT was even faster (write times, not just read) than some of the SSDs it was compared to. Of course I doubt very much that a 5400 RPM will keep up, regardless of their caching technology.
Spin latency is spin latency. It's one of the few things you simply can't do anything about on a spinning platter, no matter how good your electronics and head seek are *. And all other things being equal, it's just plain lower on a disk that spins faster. Period.
(* If your head seek is insanely fast, your latency may go down a bit because it takes fewer revolutions for the disk to come up to the right sector. But we're talking about consumer drives here. They aren't that kind of insanely fast.)
"Higher density at constant speed means higher signalling rates now vs before. We're already reading more off the disk per second at 7200 rpm than we were at 7200 rpm back when 200GB was big. Power requirements have taken a bigger position, and also at the higher densities tolerances need to be more exact and even more so at higher speeds. Going to lower spinning speeds allows you to get better results without tightening tolerances as much."
"Perhaps Seagate's manufacturing decision to use 5400 is better informed than it appears."
In an era where users expect new hardware to consistently outperform the older models, no, 5400 RPM is not "better informed".
Backwards is backwards. Before they announced this decision, I was going to get a Momentus to replace the drive I have. Now, there is no way in hell I'll spend that money. My existing drive probably performs better. I'll just get an SSD instead. More money, but it's actually BETTER.
There was a discussion of this decision of Seagate's, back when it was announced. As much as I hate to say "I told you so"... I told you so. Going back to 5400 RPM was a bonehead move.
"Did they really need to create a $7800 (not including license fees) RFP review system when there were only 100 applicants? And now the company that was paid to create it is selling it to other agencies."
My thought too. Looks like Washington is not immune from the typical State bureaucracy syndrome. My guess would be that at least 80% of the responses would weed themselves out in the first couple of paragraphs, which might take maybe a day to go through.
The rest might need more thorough vetting, but hell, that's only 20.
There is no reason they can't give you a list of any IP addresses used to pen test your network. As long as you don't block those addresses, that would make absolutely no difference in their security audits, PLUS you would know who it was and avoid panic.
In my opinion, their failure to do so was rather unprofessional.
"They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either."
I hate to have to tell you this, but no.
If they are "connected to the hospital network", then the hospital network's security IS their security, and vice versa. You cannot separate the two, because lax security in one can enable entry into the other.
Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block those addresses, that would not affect any of the security audits in the slightest, and would ease any anxiety on the part of these people.
"Probably not the best idea in a pentest, some of them might think they actually got through and that will be hard to explain later."
Not really, if it's a halfway well-designed honeypot. All you need to do is keep records that you deliberately left fake records there.
Much harder than "explaining it later" is making it look real in the first place. Of course, you can always play "April Fool" and make the records obviously fake, with names like Lesions R. Us and maladies like "covered in enormous pustules at extremely high pressure". But the categorizing of illnesses by number these days might preclude doing the latter.
"How do you prevent an user from trivially modifying the Javascript in the app to not require payment?"
I was wondering this myself, and I don't think any of the replies so far actually address this issue. In Mozilla's example, they are using JavaScript to create a "JWT", but this is necessarily exposed in user-accessible code, and I do not see how it can be called "secure". They give lip-service to two-part authentication but don't then go on to explain where the other part comes in, which leaves me dubious.
Further, what is to prevent someone from modifying the JS at the "postback" URL to capture the return response? It would seem to me that this alone could compromise security, if it isn't being addressed.
Maybe it *IS* being addressed... but if so, their brief description certainly does not hint at how.
Our discussion was specifically about consumer-grade drives.
"If Google does what you say, well, that's like government but done right. I'm not sure that'd be a bad thing."
Say what?
You need to keep in mind: one of Google's founders has stated loudly and publicly that YOU are not the customer. Their customers are the people who pay them for data.
Google isn't standing up for YOU in regard to National Security Letters. It's standing up for its own bottom line. These government data requests are expensive and a hassle.
This is one of those rare instances lately where Google has indeed chosen to not "be evil". But they aren't doing it for your sake, their doing it for their own.
"Feinstein also thought it was legal to hunt humans."
Fainstein wants gun control. She wants video game control. (Both of which have consistently proved to be ineffective in doing what she claims, to justify her actions, she wants to accomplish.)
Let's face it. It's not about either guns or video games. It's all about control.
"I think the reason why they don't mention Linux is simply because the thing isn't meant to run Linux software."
I think even more to the point is that Google doesn't mention Linux for the simple reason that they only want the Google name to be on it.
It's not so much of a Linux "branding" issue as it is simply a Google branding issue.
I could be wrong, but I'm pretty sure that's POSIX certified.
"In this case I think the takedown notices are not for the removal of the pirate websites, but the removal of their URLs from Google's results. If the URLs remain in Google's takedown notice database, and the sites themselves are still up, people can just comb Google's database for pirate links."
I see. I misread OP. I was thinking this was about YouTube (owned by Google), not about Google searches.
"For now, you're apparently unable to admit you're simply wrong on this, and have declined to provide a substantive response to my last post. I assume you're writing that letter to the board; please let me know when you receive their reply."
Sorry, but a "substantive response" requires more than just your say-so. Of course, I haven't presented any evidence on my side of the argument either.
So if you really want to call this anything more than a pissing contest, be my guest. But all that would get you is a bigger puddle.
"Round and round we go..."
There's something here I don't understand.
If the material has been taken down, then the links should not function.
If the links have not been taken down, then the material is (most likely) not infringing.
So the "problem" would appear to be nothing but a fiction.
I'd just like to see regular old benchmarks done, like Tom's Hardware and other sites routinely do.
The old 7200 RPM hybrid Momentus XT was even faster (write times, not just read) than some of the SSDs it was compared to. Of course I doubt very much that a 5400 RPM will keep up, regardless of their caching technology.
Spin latency is spin latency. It's one of the few things you simply can't do anything about on a spinning platter, no matter how good your electronics and head seek are *. And all other things being equal, it's just plain lower on a disk that spins faster. Period.
(* If your head seek is insanely fast, your latency may go down a bit because it takes fewer revolutions for the disk to come up to the right sector. But we're talking about consumer drives here. They aren't that kind of insanely fast.)
No, I'm not missing the point.
The board of the local credit union is not the Federal government.
Actually, WD had some consumer 10k drives out... probably still does.
"Higher density at constant speed means higher signalling rates now vs before. We're already reading more off the disk per second at 7200 rpm than we were at 7200 rpm back when 200GB was big. Power requirements have taken a bigger position, and also at the higher densities tolerances need to be more exact and even more so at higher speeds. Going to lower spinning speeds allows you to get better results without tightening tolerances as much."
You might as well have just said: $$$.
"Perhaps Seagate's manufacturing decision to use 5400 is better informed than it appears."
In an era where users expect new hardware to consistently outperform the older models, no, 5400 RPM is not "better informed".
Backwards is backwards. Before they announced this decision, I was going to get a Momentus to replace the drive I have. Now, there is no way in hell I'll spend that money. My existing drive probably performs better. I'll just get an SSD instead. More money, but it's actually BETTER.
There was a discussion of this decision of Seagate's, back when it was announced. As much as I hate to say "I told you so"... I told you so. Going back to 5400 RPM was a bonehead move.
I did not claim they weren't under Federal control. But my point was that it is a different level of control. They aren't BANKS.
Then they should use Credit Unions. Those are local businesses, not banks, and most Federal bank rules do not apply.
They stated publicly that the lawsuit did not affect their current business.
"Indeed. A friend of mine interviewed with a local dispensary (Colorado) a couple of weeks ago, she would be doing the books."
Haha. I meant the internet, but I didn't make that very clear. But this, too, for sure. I won't argue with you there.
Feynman said that?
Haha. Sadly, the bureaucracy outlasted them.
As of a few years ago, a few of them were still producing comedy recordings. But they are not as easy to find as they once were.
"Did they really need to create a $7800 (not including license fees) RFP review system when there were only 100 applicants? And now the company that was paid to create it is selling it to other agencies."
My thought too. Looks like Washington is not immune from the typical State bureaucracy syndrome. My guess would be that at least 80% of the responses would weed themselves out in the first couple of paragraphs, which might take maybe a day to go through.
The rest might need more thorough vetting, but hell, that's only 20.