Re:"extensive measures" taken...
on
NVIDIA Breached
·
· Score: 2
Proper security requires a lot of factors, and as you said, this is no walk in the park. You are right that IT can't do everything. However, technical solutions are 90%-99% of what can be done and done right with minimal user inconvenience.
However, from how the successful hacks were described, there are four things that would have slowed, if not stopped almost all of them:
1: IDS/IPS. This shouldn't be something that a user should know/care about, unless they decide to run nmap from their PC and wonder why their box's port got dropped from the internal network. However, an IDS is like the ZoneAlarm of yore. Unless one knows what to set to have alert on the spot, and what to stuff a ball-gag in, it will be quite yappy. But there are plenty of books on this subject as well as Internet based documentation.
2: Logging and responding to logs. For example, the Sony hack would have been mitigated by a tool like SolarWinds, SCOM, or Splunk that was configured to have thresholds, and if too many bad passwords happen, alert an admin. If AD locked a user out due to too many bad PW guesses, even if the lockout period is 1-5 seconds [1], it should generate an alert.
3: 2FA. SecurID isn't cheap, but for a large business, it isn't that large an expense. It also provides good management, and is decently flexible. It also works with virtually anything.
4: Measures to limit malware's influence. I brought up Citrix because a RAT could snap screenshots and capture keystrokes, but through a Citrix session, files would be a lot harder to steal, and if a user was using 2FA, as soon as the user logged out and the session key deactivated, there would be nothing a remote attacker could really do other than hope the user logs again, get screenshots, or maybe seize active control of the session (which likely will panic the user.)
I have met some people in my field who had the mentality that they were the COs and users were the inmates. However, effective security can come without penalizing users. It just takes some common sense.
[1]: AD's default is 20 minutes, but I've found reducing it to 3-5 minutes decent enough to not lock legit users out, but only provide an attacker 288 chances every 24 hour period to get into an account, once the lockout activates. With a sane password system (again, the default AD settings come to mind), guessing a PW of a user isn't going to be easy.
Re:"extensive measures" taken...
on
NVIDIA Breached
·
· Score: 2
The best thing they can do with signing keys is use HSMs.
This limits the intruder to only being able to access and use the key if the HSM's users and roles are AD linked. With proper logging, it can be told what packages were signed, and when, and if the key or package IDs needs to be actively revoked.
This happened to a Linux distro vendor, and they managed to do an effective job at limiting the damage.
If nVidia isn't using HSMs for the key signing, they better start, as virtually every blackhat knows that getting their code to run under the signed nVidia flag is obtaining the key to the city, virtually everywhere.
My hopes are that it means ensuring anyone on the outside is coming in via 2FA, internal and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question (i.e. a bunch of point of sale terminals would sound an alarm if one of them decides to start making random connections to a site in Elbonia), there is an internal detection process so someone trying to brute force an account will make an audit trail and get a curious admin looking at why the events are happening.
My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.
Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network.
Of course, my fear is that "extensive measures" will be a domain admin logging on, popping up a command shell, typing in:
dsquery user | dsmod user -mustchpwd yes
and calling it a wrap.
I'm hoping nVidia does more of the "hopes" portion.
Google knows Google Glass was a fairly niche technology, and that there would be some pushback against it. However, Google are true pioneers in this area, and pioneers are the ones with the arrows sticking out of their wagons.
The problem is that traffic isn't going away. Google's autonomous vehicles solve the problem in an effective way that few other modes of transport can, especially of one factors the inconsistent densities in US cities. Traffic is a problem that needs to be addressed, and most cities can't (or in Austin's case, won't) deal with the problem. So, the only real party that can do anything about it is an innovative corporation.
This isn't something that will pay off next quarter. However, this is a major infrastructure change, and it will affect positively the quality of life for all involved.
There are many benefits:
Roads can be designed a lot simpler because they wouldn't have to be as idiot proof as they are now. In fact, highways can intersect each other with a four-way, unmarked intersection, with car computers timing each car to go through and slowing down/speeding up traffic as needed.
Roads will be safer. Press the crosswalk button, cars will stop, and pedestrians can cross. Cyclists won't be victim to the "right hook" even though they might be on the sidewalk, going opposite of traffic, or otherwise technically not riding legally.
With smaller distances between cars (a computer can stop a hell of a lot faster than a person), a road can almost double its carrying capacity.
With destinations known, cars can be moved to proper lanes to make traffic flow as optimal as possible, where cars going on a road a longer distance go to the left-most lanes, while vehicles exiting go to the right.
DWI and distracted driving will be a thing of the past.
Vehicles can be optimized for usefulness. If someone has a long commute, they can buy a van [1] and sleep during the commute. Or read. Or use that time for something productive.
When a vehicle needs maintenance, it can go to the shop at night, and be ready for the road in the morning. This cuts down a lot of hassle.
Vehicles can be used for unmanned deliveries. Have a list of groceries, the vehicle can take that, head down to the store, the stuff gets loaded, and the vehicle back, all in time for breakfast in the morning.
Self-driving cars are not just an invention. They are an ecosystem, just like electricity, and can improve daily life by a large amount.
[1]: A Dodge ProMaster van (the US equivalent of the Fiat Ducato) diesel can get 30MPG in real numbers. The Mercedes Sprinter with the four-banger OM651 is just as good.
The Surface Pro is a unique case. It isn't just a tablet running a tablet OS which makes it a media consumption device. It is a full PC that can drop into a docking station and take the role of a desktop machine.
The issue with tablets is that they make great devices to watch videos, read the paper, or otherwise consume media. Because of this, a faster CPU isn't going to attract customers, similar with more RAM.
This is just market saturation. This exact thing happened with the iPod when the larger capacity of devices started petering out as a sales point.
As for phones, this is an expanding market, just because a phone tends to be the one stop shop for virtually everything. One thing Apple and other companies have not even scratched the surface of is using a smartphone for a home server (storing documents, or perhaps even entire virtual machines), making desktops into essentially compute nodes. Yes, there will need to be a faster I/O bus before this happens, but this is definitely doable, especially if Thunderbolt expands outside of the Apple ecosystem.
Kodak had some very cool technologies. In the late 1980s, they had an optical autochanger using 14 inch, pseudo CAV media (where the disks had zones and depending on what part of the disk the head was at, the drive would speed up or slow down), and one could get up to 1.5 TB in a library. This isn't much now, but back then, 6+ gig per optical drive was a pretty good amount.
However, there are a lot of firms that have a lot of cool technologies, but really need to dig them up and market them:
EA, for example. They need to split off an "indie" company with all their cool IP from Origin, Bioware, Maxis and other shops, and keep a firm that just does the latest Call of Duty or (IMHO) other mainstream schlock console games that brings home the bacon come release day. For example, take Neverwinter Nights (with the single player modules, multi-player, and the ability for people to run persistant worlds), use Pathfinder rules, and one could have a game with an extremely long tail, focusing on content, not reinventing graphics every so often.
Symantec is another example of a company with a lot of extremely cool, useful IP. They should sell a version of antivirus, PGP Desktop, and a scaled down version of Backup Exec/NetBackup, and that would be a hit for home users who need that functionality, because it would cover encryption of E-mails and such, as well as backups. Maybe even a small scaled version of a NetBackup appliance. The software would sell at $49-$99, and the appliance would definitely sell.
EMC also comes to mind. With OpenStack, Xen and OSS virtual fabric starting to eat its lunch, EMC might be well off working working on combining their technologies. For example, putting deduplication in VMFS or making a scaled down Isilon that is aimed at SMBs, where when expansion is needed, additional nodes can be added. Since NAS appliances are popular, EMC could score a core spot in that market by dropping into that market, and Isilon clusters are easily expandable, so if they did make a 1-2 node cluster, the sky is the limit when it comes to scaling (well, up to the 16 node limit...) Especially if EMC offered deduplication and their SmartLock technology (which prevents snapshots from being deleted even from the root prompt or web UI... it requires a local session on the console.) SmartLock would be good for law firms since records would be guarenteed to be present, barring RAID failure or physical compromise, and using it would be as simple as just shoving files into a SMB share.
Then there is IBM. IBM is the motherlode of all computing goodies. AIX PS/2 was a joke, but porting AIX and PowerVM to the x86 platform might just be a very lucrative idea. Customers would get a "one stop shop" for a good chunk of their stack, perhaps even their DB and application. IBM has almost anything and everything. They even have backup devices which use microfiche-like cards to store data, which has a very long lifetime (assuming the negatives are not left in the sun.) UPS devices that use flywheels instead of batteries? Check. Geographically separate mainframes running VMs in lockstep for less than a second downtime if one site fails? Check. Deduplication technology on all levels? Check. Just like Symantec, IBM selling a scaled down version of TSM for SMB users would make a mint.
Once the electrons are out of the gate, the data is -gone-. No amount of recovery is going to do the job, ever.
This is my biggest concern with SSDs. Yes, they can have a longer MTBF, but when they go, they take your data with it, making backups more imperative.
The ironic thing? Since SSDs make the need for backups that much more urgent [1] We have far fewer tools for backup than we did on PCs 20 years ago (when an average user could get a desktop tape drive, a ZIP drive, removable SCSI hard disk, or other media.) For non-enterprise backups, we have external hard disks, USB flash drives, and offsite file servers [2]. Even optical drives are becoming uncommon. External hard disks and USB flash drives are not archival media. They -might- hold their data, but are not warrantied for it.
It would be nice if some company could make an appliance that did a disk-to-disk-to-removable-media appliance. The backup program would copy data to the device, and data would stay on a set of RAID protected HDDs, as well as eventually copied to removable media [3]. A bare metal restore would be easy -- if the appliance is connected via USB, have it present a DVD-ROM with the OS or recovery software. If on a LAN, have a USB flash drive or image that would get a machine booted enough to find the appliance and start a restore.
[1]: With HDDs, a recovery from a format isn't too difficult. SSDs usually follow up a format with a TRIM command, zeroing (or more exactly, writing 1s) to all the blocks, either right then, or as the drive feels like it. "Unformatting" a SSD is pretty much impossible with a modern OS that does proper TRIM commands. Add a decently smart encryption system like BitLocker that zeroes out the sectors with master volume keys multiple times, and it can almost be assured that a delete or a format results in data forever gone.
[2]: Cloud storage seems like a working idea, but it can take a good while to fetch lost documents and rebuild the entire OS and machine. With a local backup solution, most backup programs offer a simple bare-metal restore, no Internet access needed. There is also the fact that a machine needs to have the OS, updates, and the cloud provider's software loaded and logged in before a restore can happen. Having the OS local means a complete bare metal restore is a "press 'restore' and walk off" action.
[3]: Tape comes to mind. The main advantage of tape (or offline media in general) is that some hacker who gets access to the SAN controller can't just purge all media with a single command. A lot of companies have excellent replication of SAN data, but that replication will happily replicate the "delete everything, including all snapshots" as well. Plus, tapes can be physically set read-only where only a reflash of the tape drive could allow the cartridge to be written to. I wish someone could make a consumer level tape drive, perhaps using a SSD as a buffer to prevent shoe-shining. There is a Thunderbolt based tape drive for Macs by mTape for $3699. If someone made a product like this (but a price more palatable to consumers) that could tolerate USB 3 (or maybe even USB 2), and work well under Windows, Linux, and other operating systems, they might have a best seller. Especially with the fact that intruders now have moved from just accessing data to actively modifying and destroying it, so backups are even more crucial than they were before this year.
In fact, I'd say that with the ease data is permanently destroyed, a consumer level backup appliance might be quite a seller.
With how slow drives are, relative to their capacity, RAID-6 or RAID-Z2 are a must, not just for handling a disk failure during the time where the array is degraded and rebuilding from a hot spare, but for finding and fixing bit rot. Bit rot is not related to parity checking, and ideally, should be looked for at the filesystem level.
There are already encrypted chats available. I've not used it in years, but AIM supported/supports S/MIME key encryption for end to end protection, similar with MSN.
If one wants an independent solution, Symantec's PGP Desktop (now called Endpoint Encryption) also has the ability to encrypt/decrypt on the fly.
Another encrypted chat option is fine, but there are a lot of solutions out there that do the job just fine. One doesn't really have to search far... Apple has iMessage built in, for example. ChatSecure also comes to mind (OTR over XMPP.) It is figuring out how much one trusts (or doesn't) the provider and the software.
OSS utilities also have the ability that in a pinch, someone can git clone the source tree, then throw some money at it, and do a complete audit of the entire shebang. With closed source code, the only assurance we have is from the vendor, and with the ways EULA/TOS agreements are written, the vendor is not required to lift a finger to fix anything.
For example, finding out if it is easier to just pull one color and have everything drop in an assorted bin versus sorting everything out by known colors and having a reject bin for something that the machine can't figure out. After that, maybe have the machine do another sort operation, so if it sorts correctly 99% of the time, a few sorts later will reduce the occurrence of the wrong color to an acceptably small margin.
This is the stuff that engineering is made of, and would be a good way to get kids started down that path.
All and all, it is interesting watching the 3D printer market evolve. Other than the issue of currency copying when color inkjets became cheap, there has been no DRM or demand for it linked to documents. Ink cartridges, yes, but not actual preventing of documents being copied.
Other markets, not so lucky. For example, all the fighting and wrangling about MP3s, which resulted in casualties (for example, Diamond won... but that was a Pyrrhic victory.) Video pretty much was a victory for the DRM brigade [1].
3D printing looks like it is going the way of 2D printing, except for this "OMG, GUNS!" drivel [2]. I don't see an RIAA-like entity pushing a SDMI initiative for 3D printing, nor do I see an interest by the Powers That Be in forcing signed documents (which is actually astounding... I would have been almost certain that there would be some type of standardized DRM system by now, similar to how CarveWright DRM protects their software from computer to encrypted memory cartridge to the actual device.)
Now, when 3D metal printing gets widespread and inexpensive, the ability to make sintered Iconel items will be quite useful, as opposed to plastic pieces which have limited uses. For example, one make of RV door handle has had issues with breaking. If just the part that breaks is replaced with a high grade sintered Iconel, it would help immensely.
[1]: A victory as in one in the US either has DRM encumbered tracks, DRM encumbered media, or technically violates the DMCA in de-DRMing stuff like DVDs.
[2]: I have never understood the insane overreaction about 3D printed guns. One could carve out the same thing out of a chunk of plastic, mold something out of clay and fire it in a kiln, whittle it out of wood, or many other ways to make a unsafe, unstable zip-gun, that it is pointless. In countries where guns are banned, ammo is banned as well, so making a.22 LR firearm in Japan or England is pointless... because there are no.22 rounds to be found in that neck of the woods [3]. Of course, there is the fact that in other areas of the world, real guns are likely less trouble to find and procure than a computer, a 3D printer, a good amount of filament, and trying to cobble together a prototype which likely will go kaboom in the hand, rather than bang, out the barrel.
[3]: Technically, there are no.22 rounds to be found in this part of Texas either... but that is due to the insatiable demand, not a ban.
Actually, it has been a good month for the US, other than the DPRK fiasco:
1: Cuba opening up (assuming Congress lifts the trade embargo) is only going to improve the economy of both places. The Cold War-era foreign policies that were in place in the US past had to get tossed. This isn't a defeat... it is a move forward. Calling it a "defeat" would be calling the fact that a good number of nukes were removed from service as part of a treaty, a "defeat".
2: The CIA torture reports were a festering boil, and it had to be lanced sooner or later, and now was probably one of the better times. The fact that it was made public and made known that this is not how the US handles itself these days is quite important. It only goes up from here. The days of torture are behind now.
As for Russia, they are down, but definitely not out. If push came to shove and China didn't lend money, the US would. The reason is that Putin is nowhere near a saint, but a power vacuum in the largest country in the world is the stuff of nightmares. If Russia collapsed, every single country in the world would either be going for a part of that carcass or jumping in the fray to keep their enemies from doing that.
Overall, Russia will emerge stronger. The low oil/gas prices are quite temporary. The profit may be less this quarter... but give it six months to a year, plus one incident in the Middle East... and oil will be back up to $150 a barrel and stay there for good. People know this, and nobody here in the US is going out and buying SUVs due to these temporary low prices. Solar might have slowed down slightly, but it is still progressing, mainly because virtually everyone knows that high gas prices will be back eventually.
IIRC, answering machines have been around since the 1980s, where one would have to set a mode between record, then flip a dial to play... with a machine that had two tapes, one a special outgoing message tape configured in an endless loop with a metal foil piece joining the ends. Then the next generation of machines came around using micro cassettes and storing the outgoing message at the beginning of the tape. Then in the early to mid 1990s, flash based messages with multiple voice mail boxes so everyone in the family got their own blinking light. After a while, people just started using the VM product offered by the telco because it was less hassle than having a dedicated answering machine.
All and all, voice mail isn't going anywhere. If it is a way for a company to leave their ads, there is no way that will be stopped in today's economy.
The best VM system I have seen was one tied to Exchange that not just sent the WAV attachment of the caller, but a transcript of their message. There was the old fashioned way of dialing in, punching in a PIN and grabbing messages, but having them ready to go in an E-mail and listenable on a device made things easy. I sure don't miss the old VM setups that required a person to listen to an entire message before being able to delete or do anything with it.
The worst of the lot are people who call and leave an urgent voicemail... then you call them back, and they are busy on the phone or not answering.
Until recently (where I use a voice mail to text service so I don't have to wade through someone like the parent poster mentions who drones on 3-4 minutes about random stuff), I've just let the voice mailbox get full, and if someone wants an answer, they can text or E-mail, which they usually do. The most notorious are third tier headhunting places who will call and say they have a job requiring (as an example) five years of Swift programming experience [1], then will send an E-mail with those exact details.
+1 on communication != talking. There is a difference between "spraying and praying" versus having a dialog.
[1]: Yes, crazily enough, some places actually ask for five years of Swift for positions. Guess they want the Apple guys who designed the language or something along those lines.
I also like Youmail, for this exact reason, and the fact that it auto-ditches spammers and other junk calls (after the phone doesn't answer). Plus, it works with both iOS and Android, so if I feel like changing out my phone, I don't need to worry if visual voicemail with the telco will work or not.
Reading a text is a lot faster than sitting through someone's long-winded speech and the time saved is worth the nominal charge.
The best system I've seen, in theory, was IBM's ZTIC. You can make a bank transaction, but it wouldn't go through until you confirmed it on the keyfob, and the keyfob used an independent link to obtain the amount of cash, and where it was going to, to protect against a compromised browser.
The downside was that the device required special drivers, so it only functioned in Windows.
With 3G radios so cheap, why not a relatively cheap device that not jut works as a SecurID dongle, but is used with a layer of encryption between the bank's computers and the device itself (so if 3G is compromised, data is still protected) to confirm the amount and allow/deny it on the device? The reason for an independent 3G connection is a separate, secure channel that can't be attacked by a compromised computer. Done right, this would be a major security boost, as it would require the device not just to log on, but to perform transactions. The device by itself would be useless without password/PIN access to the bank account.
It also raises the question, assuming the systems were UNIX based, why not just use RSA keys with SSH? The downside of this is if the bad guy grabs the private key from a compromised machine, game over... but without access to a client and private keys, this will stop a brute force password attack cold, since the attacker wouldn't get past the initial handshake, and with a utility like Fail2Ban or SSHGuard, repeated attempts can be blocked or throttled.
Two factor authentication is more geared for the edge, be it allowing someone to log in from home, or perform a transaction across the Internet.
On the corporate LAN/WAN [1], 2FA shouldn't be needed. Instead, RSA keys for SSH, IPSec with AD, an internal PKI with SSL/TLS, or other means should be in use. There are too many diminishing returns having it in the core of a company unless there is a good reason (different division, etc.)
The one exception might be having 2FA to be used when accessing a VDI or a Citrix server so that internal data has a layer of protection, and a compromised desktop means that an attacker is limited to using screenshots or a remote access tool to seize access, as opposed to having full unfettered access to the files themselves.
I will differ there. The general population may not trust banks on one level, but they will keep their money in them. If the population truly didn't trust banks, precious metal prices would be spiking, and various ways of securing physical assets would be hawked from every street corner, the more amusing will be the ones, saying "just store your stash with me".
The population gripes about banks, but when the rubber meets the road, the money still gets deposited in the checking account come payday.
Google Authenticator is based on an open protocol. I can use Google's app, Amazon's, a number of various third parties, both open source and commercial available on the store/repo.
Server-side, I can use the protocol on most Linux distros, there are ways to use it with Windows, even ESXi nodes can have this added in as protection.
Yes, it might be Google code, but it is open source.
Now, RSA's SecurID is a different beast. It is a closed source system, with special servers and seed codes requires. Its advantage is that it is time tested, virtually everything supports it (MS has had hooks for ACE servers since Windows Server 2000), and it has the FIPS/Common Criteria/etc. certifications which help when audit time comes around. However, it doesn't come cheap.
My 2011-era RV fridge is similar (no moving parts except for the fluid going around), except that instead of using a pilot light, it uses electronic ignition (which means it not just needs propane, but battery power to keep your stuff cooled.) I would prefer the 1975-era style of a pilot light, but I guess times change.
It has two disadvantages: It does cool, but relatively slowly, because the refrigerator part doesn't have any air circulating in it. A small fan in there (Valterra sells on that runs 4-6 weeks on two "D" cells) works wonders. The second is as described above. The newer fridge requires being within three degrees of level when stopped as well.
For a house, with fridge prices going up, it used to be that a gas fridge was just too expensive unless someone just had no access to power, such as a backwoods cabin and a propane tank. Now, one can buy a decent gas fridge which uses no electric (except for the option of having the light inside the fridge come on) for a decent price. It may not have a TV on the front or allow one to Twitter what veggies are stashed in the crisper, but it keeps stuff cold regardless if the power is on or not.
Same with HVAC and refrigerators. There is a big difference in overall power used if a device has a 100% duty cycle than one that only comes on 10% of the time. Power supplies as well. An 800 watt power supply can actually be running at 10-20 watts fairly often.
Slashdot Mirror
Proper security requires a lot of factors, and as you said, this is no walk in the park. You are right that IT can't do everything. However, technical solutions are 90%-99% of what can be done and done right with minimal user inconvenience.
However, from how the successful hacks were described, there are four things that would have slowed, if not stopped almost all of them:
1: IDS/IPS. This shouldn't be something that a user should know/care about, unless they decide to run nmap from their PC and wonder why their box's port got dropped from the internal network. However, an IDS is like the ZoneAlarm of yore. Unless one knows what to set to have alert on the spot, and what to stuff a ball-gag in, it will be quite yappy. But there are plenty of books on this subject as well as Internet based documentation.
2: Logging and responding to logs. For example, the Sony hack would have been mitigated by a tool like SolarWinds, SCOM, or Splunk that was configured to have thresholds, and if too many bad passwords happen, alert an admin. If AD locked a user out due to too many bad PW guesses, even if the lockout period is 1-5 seconds [1], it should generate an alert.
3: 2FA. SecurID isn't cheap, but for a large business, it isn't that large an expense. It also provides good management, and is decently flexible. It also works with virtually anything.
4: Measures to limit malware's influence. I brought up Citrix because a RAT could snap screenshots and capture keystrokes, but through a Citrix session, files would be a lot harder to steal, and if a user was using 2FA, as soon as the user logged out and the session key deactivated, there would be nothing a remote attacker could really do other than hope the user logs again, get screenshots, or maybe seize active control of the session (which likely will panic the user.)
I have met some people in my field who had the mentality that they were the COs and users were the inmates. However, effective security can come without penalizing users. It just takes some common sense.
[1]: AD's default is 20 minutes, but I've found reducing it to 3-5 minutes decent enough to not lock legit users out, but only provide an attacker 288 chances every 24 hour period to get into an account, once the lockout activates. With a sane password system (again, the default AD settings come to mind), guessing a PW of a user isn't going to be easy.
The best thing they can do with signing keys is use HSMs.
This limits the intruder to only being able to access and use the key if the HSM's users and roles are AD linked. With proper logging, it can be told what packages were signed, and when, and if the key or package IDs needs to be actively revoked.
This happened to a Linux distro vendor, and they managed to do an effective job at limiting the damage.
If nVidia isn't using HSMs for the key signing, they better start, as virtually every blackhat knows that getting their code to run under the signed nVidia flag is obtaining the key to the city, virtually everywhere.
I wonder what that means, exactly.
My hopes are that it means ensuring anyone on the outside is coming in via 2FA, internal and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question (i.e. a bunch of point of sale terminals would sound an alarm if one of them decides to start making random connections to a site in Elbonia), there is an internal detection process so someone trying to brute force an account will make an audit trail and get a curious admin looking at why the events are happening.
My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.
Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network.
Of course, my fear is that "extensive measures" will be a domain admin logging on, popping up a command shell, typing in:
dsquery user | dsmod user -mustchpwd yes
and calling it a wrap.
I'm hoping nVidia does more of the "hopes" portion.
Google knows Google Glass was a fairly niche technology, and that there would be some pushback against it. However, Google are true pioneers in this area, and pioneers are the ones with the arrows sticking out of their wagons.
The problem is that traffic isn't going away. Google's autonomous vehicles solve the problem in an effective way that few other modes of transport can, especially of one factors the inconsistent densities in US cities. Traffic is a problem that needs to be addressed, and most cities can't (or in Austin's case, won't) deal with the problem. So, the only real party that can do anything about it is an innovative corporation.
This isn't something that will pay off next quarter. However, this is a major infrastructure change, and it will affect positively the quality of life for all involved.
There are many benefits:
Roads can be designed a lot simpler because they wouldn't have to be as idiot proof as they are now. In fact, highways can intersect each other with a four-way, unmarked intersection, with car computers timing each car to go through and slowing down/speeding up traffic as needed.
Roads will be safer. Press the crosswalk button, cars will stop, and pedestrians can cross. Cyclists won't be victim to the "right hook" even though they might be on the sidewalk, going opposite of traffic, or otherwise technically not riding legally.
With smaller distances between cars (a computer can stop a hell of a lot faster than a person), a road can almost double its carrying capacity.
With destinations known, cars can be moved to proper lanes to make traffic flow as optimal as possible, where cars going on a road a longer distance go to the left-most lanes, while vehicles exiting go to the right.
DWI and distracted driving will be a thing of the past.
Vehicles can be optimized for usefulness. If someone has a long commute, they can buy a van [1] and sleep during the commute. Or read. Or use that time for something productive.
When a vehicle needs maintenance, it can go to the shop at night, and be ready for the road in the morning. This cuts down a lot of hassle.
Vehicles can be used for unmanned deliveries. Have a list of groceries, the vehicle can take that, head down to the store, the stuff gets loaded, and the vehicle back, all in time for breakfast in the morning.
Self-driving cars are not just an invention. They are an ecosystem, just like electricity, and can improve daily life by a large amount.
[1]: A Dodge ProMaster van (the US equivalent of the Fiat Ducato) diesel can get 30MPG in real numbers. The Mercedes Sprinter with the four-banger OM651 is just as good.
The Surface Pro is a unique case. It isn't just a tablet running a tablet OS which makes it a media consumption device. It is a full PC that can drop into a docking station and take the role of a desktop machine.
The issue with tablets is that they make great devices to watch videos, read the paper, or otherwise consume media. Because of this, a faster CPU isn't going to attract customers, similar with more RAM.
This is just market saturation. This exact thing happened with the iPod when the larger capacity of devices started petering out as a sales point.
As for phones, this is an expanding market, just because a phone tends to be the one stop shop for virtually everything. One thing Apple and other companies have not even scratched the surface of is using a smartphone for a home server (storing documents, or perhaps even entire virtual machines), making desktops into essentially compute nodes. Yes, there will need to be a faster I/O bus before this happens, but this is definitely doable, especially if Thunderbolt expands outside of the Apple ecosystem.
Kodak had some very cool technologies. In the late 1980s, they had an optical autochanger using 14 inch, pseudo CAV media (where the disks had zones and depending on what part of the disk the head was at, the drive would speed up or slow down), and one could get up to 1.5 TB in a library. This isn't much now, but back then, 6+ gig per optical drive was a pretty good amount.
However, there are a lot of firms that have a lot of cool technologies, but really need to dig them up and market them:
EA, for example. They need to split off an "indie" company with all their cool IP from Origin, Bioware, Maxis and other shops, and keep a firm that just does the latest Call of Duty or (IMHO) other mainstream schlock console games that brings home the bacon come release day. For example, take Neverwinter Nights (with the single player modules, multi-player, and the ability for people to run persistant worlds), use Pathfinder rules, and one could have a game with an extremely long tail, focusing on content, not reinventing graphics every so often.
Symantec is another example of a company with a lot of extremely cool, useful IP. They should sell a version of antivirus, PGP Desktop, and a scaled down version of Backup Exec/NetBackup, and that would be a hit for home users who need that functionality, because it would cover encryption of E-mails and such, as well as backups. Maybe even a small scaled version of a NetBackup appliance. The software would sell at $49-$99, and the appliance would definitely sell.
EMC also comes to mind. With OpenStack, Xen and OSS virtual fabric starting to eat its lunch, EMC might be well off working working on combining their technologies. For example, putting deduplication in VMFS or making a scaled down Isilon that is aimed at SMBs, where when expansion is needed, additional nodes can be added. Since NAS appliances are popular, EMC could score a core spot in that market by dropping into that market, and Isilon clusters are easily expandable, so if they did make a 1-2 node cluster, the sky is the limit when it comes to scaling (well, up to the 16 node limit...) Especially if EMC offered deduplication and their SmartLock technology (which prevents snapshots from being deleted even from the root prompt or web UI... it requires a local session on the console.) SmartLock would be good for law firms since records would be guarenteed to be present, barring RAID failure or physical compromise, and using it would be as simple as just shoving files into a SMB share.
Then there is IBM. IBM is the motherlode of all computing goodies. AIX PS/2 was a joke, but porting AIX and PowerVM to the x86 platform might just be a very lucrative idea. Customers would get a "one stop shop" for a good chunk of their stack, perhaps even their DB and application. IBM has almost anything and everything. They even have backup devices which use microfiche-like cards to store data, which has a very long lifetime (assuming the negatives are not left in the sun.) UPS devices that use flywheels instead of batteries? Check. Geographically separate mainframes running VMs in lockstep for less than a second downtime if one site fails? Check. Deduplication technology on all levels? Check. Just like Symantec, IBM selling a scaled down version of TSM for SMB users would make a mint.
Once the electrons are out of the gate, the data is -gone-. No amount of recovery is going to do the job, ever.
This is my biggest concern with SSDs. Yes, they can have a longer MTBF, but when they go, they take your data with it, making backups more imperative.
The ironic thing? Since SSDs make the need for backups that much more urgent [1] We have far fewer tools for backup than we did on PCs 20 years ago (when an average user could get a desktop tape drive, a ZIP drive, removable SCSI hard disk, or other media.) For non-enterprise backups, we have external hard disks, USB flash drives, and offsite file servers [2]. Even optical drives are becoming uncommon. External hard disks and USB flash drives are not archival media. They -might- hold their data, but are not warrantied for it.
It would be nice if some company could make an appliance that did a disk-to-disk-to-removable-media appliance. The backup program would copy data to the device, and data would stay on a set of RAID protected HDDs, as well as eventually copied to removable media [3]. A bare metal restore would be easy -- if the appliance is connected via USB, have it present a DVD-ROM with the OS or recovery software. If on a LAN, have a USB flash drive or image that would get a machine booted enough to find the appliance and start a restore.
[1]: With HDDs, a recovery from a format isn't too difficult. SSDs usually follow up a format with a TRIM command, zeroing (or more exactly, writing 1s) to all the blocks, either right then, or as the drive feels like it. "Unformatting" a SSD is pretty much impossible with a modern OS that does proper TRIM commands. Add a decently smart encryption system like BitLocker that zeroes out the sectors with master volume keys multiple times, and it can almost be assured that a delete or a format results in data forever gone.
[2]: Cloud storage seems like a working idea, but it can take a good while to fetch lost documents and rebuild the entire OS and machine. With a local backup solution, most backup programs offer a simple bare-metal restore, no Internet access needed. There is also the fact that a machine needs to have the OS, updates, and the cloud provider's software loaded and logged in before a restore can happen. Having the OS local means a complete bare metal restore is a "press 'restore' and walk off" action.
[3]: Tape comes to mind. The main advantage of tape (or offline media in general) is that some hacker who gets access to the SAN controller can't just purge all media with a single command. A lot of companies have excellent replication of SAN data, but that replication will happily replicate the "delete everything, including all snapshots" as well. Plus, tapes can be physically set read-only where only a reflash of the tape drive could allow the cartridge to be written to. I wish someone could make a consumer level tape drive, perhaps using a SSD as a buffer to prevent shoe-shining. There is a Thunderbolt based tape drive for Macs by mTape for $3699. If someone made a product like this (but a price more palatable to consumers) that could tolerate USB 3 (or maybe even USB 2), and work well under Windows, Linux, and other operating systems, they might have a best seller. Especially with the fact that intruders now have moved from just accessing data to actively modifying and destroying it, so backups are even more crucial than they were before this year.
In fact, I'd say that with the ease data is permanently destroyed, a consumer level backup appliance might be quite a seller.
With how slow drives are, relative to their capacity, RAID-6 or RAID-Z2 are a must, not just for handling a disk failure during the time where the array is degraded and rebuilding from a hot spare, but for finding and fixing bit rot. Bit rot is not related to parity checking, and ideally, should be looked for at the filesystem level.
There are already encrypted chats available. I've not used it in years, but AIM supported/supports S/MIME key encryption for end to end protection, similar with MSN.
If one wants an independent solution, Symantec's PGP Desktop (now called Endpoint Encryption) also has the ability to encrypt/decrypt on the fly.
Another encrypted chat option is fine, but there are a lot of solutions out there that do the job just fine. One doesn't really have to search far... Apple has iMessage built in, for example. ChatSecure also comes to mind (OTR over XMPP.) It is figuring out how much one trusts (or doesn't) the provider and the software.
OSS utilities also have the ability that in a pinch, someone can git clone the source tree, then throw some money at it, and do a complete audit of the entire shebang. With closed source code, the only assurance we have is from the vendor, and with the ways EULA/TOS agreements are written, the vendor is not required to lift a finger to fix anything.
This is overall a good exercise.
For example, finding out if it is easier to just pull one color and have everything drop in an assorted bin versus sorting everything out by known colors and having a reject bin for something that the machine can't figure out. After that, maybe have the machine do another sort operation, so if it sorts correctly 99% of the time, a few sorts later will reduce the occurrence of the wrong color to an acceptably small margin.
This is the stuff that engineering is made of, and would be a good way to get kids started down that path.
All and all, it is interesting watching the 3D printer market evolve. Other than the issue of currency copying when color inkjets became cheap, there has been no DRM or demand for it linked to documents. Ink cartridges, yes, but not actual preventing of documents being copied.
Other markets, not so lucky. For example, all the fighting and wrangling about MP3s, which resulted in casualties (for example, Diamond won... but that was a Pyrrhic victory.) Video pretty much was a victory for the DRM brigade [1].
3D printing looks like it is going the way of 2D printing, except for this "OMG, GUNS!" drivel [2]. I don't see an RIAA-like entity pushing a SDMI initiative for 3D printing, nor do I see an interest by the Powers That Be in forcing signed documents (which is actually astounding... I would have been almost certain that there would be some type of standardized DRM system by now, similar to how CarveWright DRM protects their software from computer to encrypted memory cartridge to the actual device.)
Now, when 3D metal printing gets widespread and inexpensive, the ability to make sintered Iconel items will be quite useful, as opposed to plastic pieces which have limited uses. For example, one make of RV door handle has had issues with breaking. If just the part that breaks is replaced with a high grade sintered Iconel, it would help immensely.
[1]: A victory as in one in the US either has DRM encumbered tracks, DRM encumbered media, or technically violates the DMCA in de-DRMing stuff like DVDs.
[2]: I have never understood the insane overreaction about 3D printed guns. One could carve out the same thing out of a chunk of plastic, mold something out of clay and fire it in a kiln, whittle it out of wood, or many other ways to make a unsafe, unstable zip-gun, that it is pointless. In countries where guns are banned, ammo is banned as well, so making a .22 LR firearm in Japan or England is pointless... because there are no .22 rounds to be found in that neck of the woods [3]. Of course, there is the fact that in other areas of the world, real guns are likely less trouble to find and procure than a computer, a 3D printer, a good amount of filament, and trying to cobble together a prototype which likely will go kaboom in the hand, rather than bang, out the barrel.
[3]: Technically, there are no .22 rounds to be found in this part of Texas either... but that is due to the insatiable demand, not a ban.
Actually, it has been a good month for the US, other than the DPRK fiasco:
1: Cuba opening up (assuming Congress lifts the trade embargo) is only going to improve the economy of both places. The Cold War-era foreign policies that were in place in the US past had to get tossed. This isn't a defeat... it is a move forward. Calling it a "defeat" would be calling the fact that a good number of nukes were removed from service as part of a treaty, a "defeat".
2: The CIA torture reports were a festering boil, and it had to be lanced sooner or later, and now was probably one of the better times. The fact that it was made public and made known that this is not how the US handles itself these days is quite important. It only goes up from here. The days of torture are behind now.
As for Russia, they are down, but definitely not out. If push came to shove and China didn't lend money, the US would. The reason is that Putin is nowhere near a saint, but a power vacuum in the largest country in the world is the stuff of nightmares. If Russia collapsed, every single country in the world would either be going for a part of that carcass or jumping in the fray to keep their enemies from doing that.
Overall, Russia will emerge stronger. The low oil/gas prices are quite temporary. The profit may be less this quarter... but give it six months to a year, plus one incident in the Middle East... and oil will be back up to $150 a barrel and stay there for good. People know this, and nobody here in the US is going out and buying SUVs due to these temporary low prices. Solar might have slowed down slightly, but it is still progressing, mainly because virtually everyone knows that high gas prices will be back eventually.
IIRC, answering machines have been around since the 1980s, where one would have to set a mode between record, then flip a dial to play... with a machine that had two tapes, one a special outgoing message tape configured in an endless loop with a metal foil piece joining the ends. Then the next generation of machines came around using micro cassettes and storing the outgoing message at the beginning of the tape. Then in the early to mid 1990s, flash based messages with multiple voice mail boxes so everyone in the family got their own blinking light. After a while, people just started using the VM product offered by the telco because it was less hassle than having a dedicated answering machine.
All and all, voice mail isn't going anywhere. If it is a way for a company to leave their ads, there is no way that will be stopped in today's economy.
The best VM system I have seen was one tied to Exchange that not just sent the WAV attachment of the caller, but a transcript of their message. There was the old fashioned way of dialing in, punching in a PIN and grabbing messages, but having them ready to go in an E-mail and listenable on a device made things easy. I sure don't miss the old VM setups that required a person to listen to an entire message before being able to delete or do anything with it.
The worst of the lot are people who call and leave an urgent voicemail... then you call them back, and they are busy on the phone or not answering.
Until recently (where I use a voice mail to text service so I don't have to wade through someone like the parent poster mentions who drones on 3-4 minutes about random stuff), I've just let the voice mailbox get full, and if someone wants an answer, they can text or E-mail, which they usually do. The most notorious are third tier headhunting places who will call and say they have a job requiring (as an example) five years of Swift programming experience [1], then will send an E-mail with those exact details.
+1 on communication != talking. There is a difference between "spraying and praying" versus having a dialog.
[1]: Yes, crazily enough, some places actually ask for five years of Swift for positions. Guess they want the Apple guys who designed the language or something along those lines.
I also like Youmail, for this exact reason, and the fact that it auto-ditches spammers and other junk calls (after the phone doesn't answer). Plus, it works with both iOS and Android, so if I feel like changing out my phone, I don't need to worry if visual voicemail with the telco will work or not.
Reading a text is a lot faster than sitting through someone's long-winded speech and the time saved is worth the nominal charge.
https://github.com/google/goog...
These are the PAM modules that one can build and configure for any OS that uses this mechanism for authentication.
The best system I've seen, in theory, was IBM's ZTIC. You can make a bank transaction, but it wouldn't go through until you confirmed it on the keyfob, and the keyfob used an independent link to obtain the amount of cash, and where it was going to, to protect against a compromised browser.
The downside was that the device required special drivers, so it only functioned in Windows.
With 3G radios so cheap, why not a relatively cheap device that not jut works as a SecurID dongle, but is used with a layer of encryption between the bank's computers and the device itself (so if 3G is compromised, data is still protected) to confirm the amount and allow/deny it on the device? The reason for an independent 3G connection is a separate, secure channel that can't be attacked by a compromised computer. Done right, this would be a major security boost, as it would require the device not just to log on, but to perform transactions. The device by itself would be useless without password/PIN access to the bank account.
It also raises the question, assuming the systems were UNIX based, why not just use RSA keys with SSH? The downside of this is if the bad guy grabs the private key from a compromised machine, game over... but without access to a client and private keys, this will stop a brute force password attack cold, since the attacker wouldn't get past the initial handshake, and with a utility like Fail2Ban or SSHGuard, repeated attempts can be blocked or throttled.
Two factor authentication is more geared for the edge, be it allowing someone to log in from home, or perform a transaction across the Internet.
On the corporate LAN/WAN [1], 2FA shouldn't be needed. Instead, RSA keys for SSH, IPSec with AD, an internal PKI with SSL/TLS, or other means should be in use. There are too many diminishing returns having it in the core of a company unless there is a good reason (different division, etc.)
The one exception might be having 2FA to be used when accessing a VDI or a Citrix server so that internal data has a layer of protection, and a compromised desktop means that an attacker is limited to using screenshots or a remote access tool to seize access, as opposed to having full unfettered access to the files themselves.
[1]: Assuming a private VPLS
I will differ there. The general population may not trust banks on one level, but they will keep their money in them. If the population truly didn't trust banks, precious metal prices would be spiking, and various ways of securing physical assets would be hawked from every street corner, the more amusing will be the ones, saying "just store your stash with me".
The population gripes about banks, but when the rubber meets the road, the money still gets deposited in the checking account come payday.
Google Authenticator is based on an open protocol. I can use Google's app, Amazon's, a number of various third parties, both open source and commercial available on the store/repo.
Server-side, I can use the protocol on most Linux distros, there are ways to use it with Windows, even ESXi nodes can have this added in as protection.
Yes, it might be Google code, but it is open source.
Now, RSA's SecurID is a different beast. It is a closed source system, with special servers and seed codes requires. Its advantage is that it is time tested, virtually everything supports it (MS has had hooks for ACE servers since Windows Server 2000), and it has the FIPS/Common Criteria/etc. certifications which help when audit time comes around. However, it doesn't come cheap.
My 2011-era RV fridge is similar (no moving parts except for the fluid going around), except that instead of using a pilot light, it uses electronic ignition (which means it not just needs propane, but battery power to keep your stuff cooled.) I would prefer the 1975-era style of a pilot light, but I guess times change.
It has two disadvantages: It does cool, but relatively slowly, because the refrigerator part doesn't have any air circulating in it. A small fan in there (Valterra sells on that runs 4-6 weeks on two "D" cells) works wonders. The second is as described above. The newer fridge requires being within three degrees of level when stopped as well.
For a house, with fridge prices going up, it used to be that a gas fridge was just too expensive unless someone just had no access to power, such as a backwoods cabin and a propane tank. Now, one can buy a decent gas fridge which uses no electric (except for the option of having the light inside the fridge come on) for a decent price. It may not have a TV on the front or allow one to Twitter what veggies are stashed in the crisper, but it keeps stuff cold regardless if the power is on or not.
Same with HVAC and refrigerators. There is a big difference in overall power used if a device has a 100% duty cycle than one that only comes on 10% of the time. Power supplies as well. An 800 watt power supply can actually be running at 10-20 watts fairly often.