OK, asshole, what would you do with it? Please, don't be selfish. Share your brilliance with us lowly peasants.
From eyeglasses to large windows in your home, I can think of a few applications where a product is considerably more expensive to repair, and you keep a hell of a lot longer than 2-3 years.
a device that gets thrown away and replaced every other year.
You obviously haven't used a mobile phone recently, if at all. In the early days of smartphones, yearly replacements were quite common because this was a period of rapid development, with next year's phones being far better than the previous year's. In the last 4 years things have stabilized. My last phone lasted 3.5 years. You're out of touch, grandpa.
Speaking of out of touch, phones 4 years ago used to have this concept of a replaceable battery. Also known as the main component driving replacement.
Product support usually comes secondary to this fact, and that assumes the average user gives a shit about being secure with relevant patches and updates (hint: they don't).
Sure, you gotta bootstrap your user base with fake stuff to make it look popular. But, is it standard practice to lie to investors too?
No, of course not. Everyone knows you bootstrap your user base with fake stuff in order to throw those numbers in the garbage and tell investors the truth.
Give me a fucking break. The entire action of bullshitting statistics is to feed a very specific purpose 99% of the time, public or private.
...Where there is a "business license," it can't be "pulled" to punish somebody because you think they're an asshole.
And yet, a form of harsh punishment was exactly what the manufacturer took against a customer, because they thought he was an asshole.
You don't have to "tolerate" anything, and nobody is asking you to. If you choose not to be his customer, then there isn't even anything for you to tolerate. And if you are his customer, and he wronged you, you can sue him. No reason to "tolerate" it.
A form of punishment is exactly what I called for as a way to not tolerate it. Lawsuits often serve to make lawyers rich. And when it's a megacorp like Verizon or Google doing this to customers, you don't stand a chance in hell of winning jack shit. If a class-action lawsuit is raised, you might win a $5 coupon a few years from now. Lawsuits have become a slap-on-the-wrist form of punishment, and we fucking know how banking institutions act today (e.g. Wells Fargo) after being "punished" by the global financial meltdown a decade ago. A deterrent has to be effective in order to work.
You can whine and cry all you like, but Big Brother isn't going to come to save you from assholes. Assholes have the same rights and freedoms as everybody else. Luckily for both of us, right?
Consumer protection laws were created for a reason. If corporate arrogance like this continues to fuck over consumers, then either enforce the fucking laws, or get rid of them. The vendor got a poor rating from a customer. He sure as shit didn't "whine and cry" about it; he retaliated. This is akin to taking the law into your own hands and avenging a loved one who was killed. Acts of retaliation should not be tolerated in business. It tends to escalate into shitty situations, and offers little benefit to anyone involved.
Scientists invent an amazing material that can easily repair itself, and the best application we can think of is on a device that gets thrown away and replaced every other year.
This is like finding a cure for cancer and choosing to cure cows with it, just so we can turn them into hamburger.
I guess there is an upside. Snow Flake won't have to worry about a scratch on her precious cell phone marring her narcissistic shell.
Apply this to glasses as an alternative scratch coating, and use 2-part metal frames. Supply a simple "healing" cradle to put the glasses on at night.
Never have scratched lenses again.
Fuck the damn iphone. This would be fantastic in eye-wear.
Not a paid shill by any means, but I opted for Crizal coating on my glasses many years ago. I've never had a scratch on my lenses since, and like the usual eyeglass wearer, that's 2-3 years of use and abuse per pair.
I think you're missing the point. Or perhaps you're only seeing half of it.
You wouldn't happen to be an arts major, would you?
For the entitled ones who strive to obtain a Masters in bong design or basket weaving, those just-for-the-fuck-of-it degrees should not qualify for any type of federally-backed loan. You want to do it so bad, fund it yourself.
The customer had an opinion, and voiced it, based on his personal experience with the product.
What was truly wrong here is a manufacturer who chose to retaliate in the worst possible way.
To which I say fuck that shit. Asshat vendor deserves to have his business license pulled for that, especially after criticizing a customer about impulse control.
As consumers, we cannot tolerate this bullshit. I promise you manufacturer arrogance will spread far and wide if you do.
...I know an easy fix: Make it possible to go bankrupt on these loans just like any other unsecured loan. If you do that, watch how basically overnight, lenders will start scrutinizing borrowers more, and borrowers will be thinking harder about borrowing to begin with in light of higher interest and/or collateral.
Let's review the "easy" fix for a moment.
Given the age at which young adults are expected to seek loan-enhanced education, care to tell me how borrowers are going to scrutinize an 18-year old kid who probably doesn't have jack shit established in the way of credit history, and whose "collateral" consists of a 1994 Chevy shitwagon to secure against a $75,000 loan?
Perhaps we should just go the route of the housing market and increase the cost of college another 500%. That way, only those rich kids who can afford to pay cash will attend, solving this whole pesky loan problem...
Ironically it was a financial audit that initiated the requirement
With the greatest possible respect, sometimes the quality assurance weenies need to be questioned when they mandate things that are beyond their level of understanding. It is supposed to be a process and not an edict.
I don't make the rules. I do have to ensure we follow mandates to ensure compliance.
talk about the "crown jewels"
Context. Not all data is equal thus "crown jewels" is supposed to indicate the stuff that you do not want anyone to get hold of. Treating everything as if it is the "crown jewels" is IMHO counterproductive because you have two modes of access - everything or nothing. When you need to give an outsider access they should not be able to get to the stuff that is of critical importance unless that is what they are working on.
Remember we're talking about the information that you back up, not how one might segregate and compartmentalize data or access within a network, which is a different conversation. I don't know how others do it, but if I'm spending the resources and effort to perform backups, my tapes aren't exactly filled with pointless shit. They tend to contain the "crown jewels" that an organization cannot afford to lose due to a disaster or compromise. If someone has the IT resources to cherry pick the file server to only back up the valuable data, great. Most don't have that luxury, so you back up the entire file server by default.
and you will be up shit creek if you inadvertently leak that kind of data
And I'm in a far worse place if I do something that loses or even endangers the existence of most of the types of data on the premises, as are many others.
What you seem to think of as the universal situation of the consequences of a leak being vastly greater than the consequences of loss is the exact opposite in a lot of places. Your "one size fits all" suggestion doesn't fit a lot of places.
I stated before that one should build solutions that fit the business requirement. I didn't run encrypted backups prior to the mandate. I do now because of it. Plain and simple. If you or others don't feel the risk is high enough to warrant the complexity, then do whatever you want. The "one size fits all" argument is really only justified around commonalities such as PII, which as I stated before, almost every business maintains. If your employees suffer identity theft as a result of backup tapes being stolen, and 50% of them choose to work elsewhere as a result, then the impact is considerable. Don't want to run anti-virus because it slows system performance? Fine. Don't want to run a SPAM filter because it costs too much? Fine. Businesses that are not encumbered by mandates are able to mitigate risk however they want to.
Also what's with the lectures? Since they are based on a premise that's not as universal as you seem to think, they are somewhat pointless. If the consequences of a third party stealing those tapes of unencrypted system backups are limited to having to buy more tape, it's not really a huge deal. You do not have to encrypt everything and IMHO it's asking for many sorts of trouble if you do.
If someone steals a backup tape, corporate smartphone, or a laptop, the last thing I'm worried about is the cost of replacing the asset itself. Data loss is far more of a priority. If a company values their information at no more than $100 worth of backup tapes, I would question why they're even bothering running backups.
"...Trump's policy of bringing back coal may mean that micro-babies are back in fashion."
Politics aside for a moment, this kind of wording makes me wonder how the fuck humans ever succeeded in procreating before nuclear power was invented, as if incubators were some kind of fashion trend.
Yes, perhaps we should get back to the "healthy" standard of macro babies, especially with c-sections being all the rage in the spring lineup for 2017...
That's the only point I'm trying to make. Above it was suggested as if it was mandatory instead of situations where the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
The consequences are
For your system backups? No. For other things? Very little information in a typical business is of the sort where it would be a problem if it was published on the front page of a newspaper. That stuff that would be a problem should be treated differently to what is needed for a bare metal restore, which IMHO should be easy enough that a contractor from outside can do it in a hurry without having to wait around for a time window to bother someone for keys. In disaster situations the people who have the keys are probably going to be very busy if they can get on site at all.
Personally I think a policy of treating everything as top secret is a security risk on its own. You only want to trust a contractor with general information instead of giving them the key to the crown jewels.
Look, I fully understand and grasp the value of K.I.S.S methodology. Ironically it was a financial audit that initiated the requirement of encrypted media that is sent offsite. Today, I have multiple security standards that mandate encrypted backups on top of the financial requirement. Honestly, I'm struggling to justify your complexity argument here. SSL on web servers increases complexity. Running IDS/IPS, and anti-malware services increases complexity. Complexity is not always a bad thing. Hell, in many ways it justifies needing IT staff, because systems are rather complex, and cannot be built or maintained by just any idiot with a keyboard and mouse.
There is risk inherent with handing unencrypted backup tapes (talk about the "crown jewels") to a 3rd party to be transported offsite, and out of the direct control of an organization. This is why you DO encrypt. Do you add complexity? Sure. Can you mitigate against that with multiple encryption schemas, two-party integrity with key control, onsite and offsite backups, and other measures? Sure.
When evaluating risk, you must also take into account frequency. The risk for activity that happens very frequently (offsite transport) is likely a lot higher than the insider threat of key manipulation or destruction. With key destruction, you risk not being able to run backups or restores. With leaked or stolen data, you may not have any IP to protect anymore. And that's on top of the lawsuits and fines for failing to protect PII, which damn near every company holds, and you will be up shit creek if you inadvertently leak that kind of data.
Making the brain work in ways other than our nature intends will yield a crop of disabled and troubled Seals.
Give me a break. The FDA has probably done more to regulate around the way "nature intends" our minds and bodies to work more than any other single factor. The most popular preservatives and additives in our food supply today aren't natural or healthy.
As far as boosting the attention span of SEALs who are put in situations that mandate intense concentration and alertness, I'd say this is more of a survival tactic than anything else.
Clearly you've never worked in a highly regulated environment that is restricted by mandate to encrypt backups when shipping data offsite
Ah yes, you are very important obviously, at least in your own mind if nowhere else, and are attempting to rub that in but it appears you think the policy of where you are is how it should be done everywhere.
Clearly most people do not because it's as fucking stupid as letting people you do not trust have possession of your backup tapes. If you can't trust who has your tapes then why are you letting them have them?
I've used an offsite storage vendor for almost 20 years across multiple companies without a single mishap. The requirement to encrypt is to mitigate risk at all times (including theft or loss), as well as protecting data with any offsite storage vendor. In a nutshell, you encrypt because shit happens.
The only policy I'm recommending here is whatever one fits the business requirement, and has been tested and proven to work. My model isn't necessary for everyone, so go do whatever you want to do to meet the business need for DR/BCP. Complexity is only necessary when justified.
Disaster recovery should be simple and adding potential show-stoppers to the process is not a good idea unless the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
The consequences are, hence the reason for the encryption mandate, imposed by multiple security standards. I don't do encrypted backups with multiple streams because I have some weird love affair with algorithms. And there are all sorts of ways one can mitigate the complexity risk. Store keys in multiple locations. Store them with 3rd parties to help bolster a two-person integrity model. Test your backups frequently. Multiple copies of backups can be stored both onsite and offsite, each with their own encryption schema. Monitor changes to backup systems. Assign competent SysAdmins to manage.
And quite frankly, if you cannot trust those who manage your security, you've got far larger problems than someone losing encryption keys to backup tapes.
Please note the context of where I used the word pointless. On other systems there are different mechanisms which do indeed make it just pointless overhead to run a VM instead of doing separation in other ways.
The "real world" has systems other than MS Windows in it.
encrypted snapshot backups
Ah - the "real world" bit should have given me a clue - you are a student aren't you? Encrypting your backups is a vastly stupid idea since when the backups are required in the future it can never be certain that someone with the passphrase or whatever is available...
Clearly you've never worked in a highly regulated environment that is restricted by mandate to encrypt backups when shipping data offsite. And since offsite and offline is the safest place for data in the ransomware-riddled world we live in today, the strategy fits.
Keys are stored in multiple locations to protect against the inevitable unavailability of someone as well. Two is one; One is none. Hope that clears up any ignorant assumptions.
...a company that is dumb enough to run its entire business applications from a single server. http://www.kvia.com/crime/fbi-...
"Investigators learned that the server controlled the company's production line, warehouse, distribution center and its ability to take orders."
Uh, a company "dumb enough"? This "single server" is also known as an ERP system. And a shitload of large companies around the world run ERP systems. The dumb part is not protecting them with a valid DR strategy.
That's a very 1990 way of looking at things in server space (IBM etc was doing it then). Zones (AKA containers) are a less wasteful way to separate things and unlike recent VMs there is some consideration of security.
"Everything" is a bad word to use when describing something outside of your own workplace in terms of what applies inside yours.
In the MS world VMs are the bandaid solution to poor resource management by an OS. Outside of the MS world there is less need and very frequently you want a piece of hardware (or a cluster) to be dedicated to a single task - so a VM is pointless in that situation apart from convenience of backups (which once again outside of the MS world is trivially easy).
A VM, is pointless?
In the real world you properly assess risk and impact, define an SLA, virtualize all critical servers in VMware, and run encrypted snapshot backups multiple times a day, written to tape nightly and kept offline as well as offsite, away from any risk of "rouge" attack. Proper snapshots capture the entire server (including those pesky "core system files"). Had they used and protected VMs properly, it would have likely resulted in little more than getting admin rights back and restoring the entire environment within a day.
While the rogue admin deserves punishment, the real crime was this clusterfuck of a DR strategy. Whoever signed off on that shit should also be fired.
Oh, that DR solution is too expensive? I wonder how much weeks of backlog and lost business cost. Maybe they should have invested more in IT instead of their Polo team...
As long as it's the victim that's at fault it makes sense.
But modern cars require less and less attention to drive, which forces the driver to keep the mind occupied on other things to not fall into a vegetative state.
Cars still have a steering wheel. And pedals. The last feature that changed those basic pay-attention-dumbass requirements was the advent of cruise control, which came out decades ago, long before the smartphone.
Drivers today are still obligated to take the same driving test as their parents did, because shit hasn't changed.
And cars today also have a lot of touch screens, which also requires the driver to look away from the traffic.
And many of those touchscreen features are disabled when the car is in motion, or are extended with controls that are on the steering wheel, minimizing the risk.
I think we can dispel with the ain't-like-it-used-to-be bullshit excuses. People today think they can do anything behind the wheel, including operating a smartphone. Let's not defend moronic behavior.
I've seen so many security disasters caused by "IT professionals" who are just focused on enforcing security policies. My favourite example was a major client who spent months trying to get their IT security division to play ball on a project, but every effort proved fruitless - the firewalls and network security policies were there for a good reason, dammit, and they weren't prepared to compromise on security.
Faced with pressure to get the project completed, the project team ended up plugging in heaps of 3g modems all over the site, to allow network connectivity to the systems they needed external access to. This access went in with no network-level access controls or firewall, and to the best of my knowledge they're still there, years later.
Would I have done that? No. I would have resigned first. But these people had jobs and liked keeping them, and faced with the certainty of a failed project, or the possibility of someone (probably not them) taking a fall over breaching security policy, they went with whatever got the job done. The project manager met his KPI, the team got to move on to other projects, and security got to feel smug because they kept their network security policies intact.
I saw the whole debacle happen (and I've seen plenty of similar situations over the years), and in my opinion it's been a failure of the security team just about every time. Facing a choice between:
a) Enabling engineers to solve business requirements while ensuring there are effective and well-managed security controls, or
b) Enforcing security as a top priority, with little regard for the requirements of other business divisions,
security teams often just go with option b. They pretend the inevitable workarounds aren't their fault.
Every time they say "yes" to something which increases security risk, the security team risks something going wrong - but every time they say "no" they risk people coming up with their own work-around instead. Security teams should be enablers - finding ways to secure what needs to be done. Once they become known as deniers, they'll just end up fighting an adversarial battle with their own colleagues. That doesn't result in effective security.
Security should always be treated as a balancing act. The first thing any good InfoSec professional does after creating a security policy is create a process to request a waiver or exception to security policy, so that it is fully vetted and justified. This is also a good CYA move for when an exception creates a vulnerability that gets hacked.
While the bullshit pulled in your scenario above may have "gotten the job done", it created massive risk that is likely "still there, years later", with little or no controls in place to detect intrusions or attacks into systems that went around security protocol designed to protect the corporate enterprise. When security is supported from the top of the organization as a priority, it gets the respect it deserves. Those organizations who treat security as a bothersome burden are the ones filled with holes and usually end up getting hacked. Security teams ARE enablers; they enable the business to maintain IP and value in order to continue being a viable business. Attitudes that dictate otherwise are ignorant to the reason security teams, policies, procedures, and mandates are a necessary component of business today.
And those that pull bullshit end-around games should be disciplined for violating security policy. There is no valid excuse if you have a process in place to request and justify exceptions. Above all, every employee should understand and respect the fact that everyone has a job to do in an organization.
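A detection you would want running against the 3G-modem workaround described above, as an added example that is not code from this thread: it walks a host inventory of interface addresses and default gateways (the kind of data an endpoint agent or a scripted `ip route` / `ip addr` collection produces) and flags anything that reaches the outside by a path other than the approved egress. The prefixes, gateway addresses, hostnames and interface names below are all constructed for illustration.

```python
"""Find hosts with an egress path that bypasses the corporate firewall.

Added example, not code from the thread.  Policy values and the inventory below
are constructed for illustration; a real run would read the inventory from an
endpoint agent or a scripted `ip route` / `ip addr` collection.
"""
import ipaddress
from collections import Counter

# Constructed policy: address space that counts as "inside", and the only
# gateways a default route may point at (the firewalled egress).
CORP_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]
APPROVED_GATEWAYS = {ipaddress.ip_address(g) for g in ("10.10.0.1", "10.20.0.1")}
# Interface name prefixes typical of cellular modems and dial-up style links.
SIDE_CHANNEL_IFACES = ("wwan", "ppp", "usb")

# Constructed inventory: (host, interface, address/prefix, default gateway or None).
SAMPLE_INVENTORY = [
    ("hist-srv01", "eth0",  "10.10.4.20/24",  "10.10.0.1"),
    ("eng-ws07",   "eth0",  "10.10.7.31/24",  "10.10.0.1"),
    ("eng-ws07",   "wwan0", "100.64.23.9/10", "100.64.0.1"),  # USB 3G modem, carrier CGNAT
    ("plc-gw02",   "eth1",  "172.16.9.5/24",  None),
    ("plc-gw02",   "ppp0",  "10.64.1.2/32",   "10.64.1.1"),   # point-to-point uplink, unknown gateway
    ("fileserver", "eth0",  "10.20.1.5/24",   "10.20.0.1"),
]


def find_rogue_egress(inventory):
    """Return (host, interface, reason) tuples for every policy violation found."""
    findings = []
    default_routes = Counter(host for host, _, _, gw in inventory if gw)
    for host, iface, cidr, gw in inventory:
        addr = ipaddress.ip_interface(cidr).ip
        if not any(addr in prefix for prefix in CORP_PREFIXES):
            findings.append((host, iface, f"address {addr} is outside corporate prefixes"))
        if gw is not None and ipaddress.ip_address(gw) not in APPROVED_GATEWAYS:
            findings.append((host, iface, f"default route via unapproved gateway {gw}"))
        if iface.startswith(SIDE_CHANNEL_IFACES):
            findings.append((host, iface, "cellular or point-to-point interface present"))
    # A host with two default routes is dual-homed: one foot inside, one outside.
    for host, count in sorted(default_routes.items()):
        if count > 1:
            findings.append((host, "*", f"{count} default routes on one host"))
    return findings


def flagged_hosts(inventory):
    """Sorted list of hosts with at least one finding."""
    return sorted({host for host, _, _ in find_rogue_egress(inventory)})


if __name__ == "__main__":
    for host, iface, reason in find_rogue_egress(SAMPLE_INVENTORY):
        print(f"{host:<11} {iface:<6} {reason}")
```

The dual-homed check is the one that catches the scenario above: the workstation still looks perfectly normal on eth0, and only the second default route gives the modem away. Run it on a schedule against whatever inventory you already collect, and treat any hit as an exception to be justified through the waiver process, not as a ticket to be closed.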
How is this different than advertising? Coke and Pepsi for example both try to convince you that you should buy their product over the other's. They attack from multiple fronts, pay for commercials and product placement, sponsor major sporting events, are active on multiple forms of social media, etc. All with the goal of swaying public opinion and convincing you that you should do something that you probably should not (drink stuff that generally isn't healthy for you).
Swaying public opinion between soft drinks is not exactly on the same scale of impact as swaying public opinion to influence an election.
And if you wanted to attack an entity that truly causes an impact selling a product, then question why governments allow tobacco to remain a legal product as it kills millions of humans every year. The overwhelming majority of other "deadly" issues can't even hold a fucking candle to this.
"...Asian women earn 63 percent, black women earn 55 percent and Hispanic women just 46 percent."
Reading this, it seems that racial discrimination is a larger problem than gender discrimination.
Unfortunately, it's no easier to hide skin color than it is gender. Regardless, all forms of discrimination should end.
Sometimes the customer is wrong
...Then the novelty wore off...
Sums up the entire value-add right there.
Also sounds a lot like 99.9% of smartphone apps in existence today that get downloaded and used once...
...Moln Labé. At least pronounce it properly.
Misspellings can often be a burden on pronunciation, unless your vocabulary includes frequent use of y'all...
With the greatest possible respect, sometimes the quality assurance weenies need to be questioned when they mandate things that are beyond their level of understanding. It is supposed to be a process and not an edict.
I don't make the rules. I do have to ensure we follow mandates to ensure compliance.
Context. Not all data is equal thus "crown jewels" is supposed to indicate the stuff that you do not want anyone to get hold of. Treating everything as if it is the "crown jewels" is IMHO counterproductive because you have two modes of access - everything or nothing. When you need to give an outsider access they should not be able to get to the stuff that is of critical importance unless that is what they are working on.
Remember we're talking about the information that you back up, not how one might segregate and compartmentalize data or access within a network, which is a different conversation. I don't know how others do it, but if I'm spending the resources and effort to perform backups, my tapes aren't exactly filled with pointless shit. They tend to contain the "crown jewels" that an organization cannot afford to lose due to a disaster or compromise. If someone has the IT resources to cherry pick the file server to only back up the valuable data, great. Most don't have that luxury, so you back up the entire file server by default.
And I'm in a far worse place if I do something that loses or even endangers the existance of most of the types of data on the premises as are many others. What you seem to think of as the universal situation of the consequences of a leak being vastly greater than the consequences of loss is the exact opposite in a lot of places. Your "one size fits all" suggestion doesn't fit a lot of places.
I stated before that one should build solutions that fit the business requirement. I didn't run encrypted backups prior to the mandate. I do now because of it. Plain and simple. If you or others don't feel the risk is high enough to warrant the complexity, then do whatever you want. The "one size fits all" argument is really only justified around commonalities such as PII, which as I stated before, almost every business maintains. If your employees suffer identity theft as a result of backup tapes being stolen, and 50% of them choose to work elsewhere as a result, then the impact is considerable. Don't want to run anti-virus because it slows system performance? Fine. Don't want to run a SPAM filter because it costs too much? Fine. Businesses that are not encumbered by mandates are able to mitigate risk however they want to.
Also, what's with the lectures? Since they are based on a premise that's not as universal as you seem to think, they are somewhat pointless. If the consequences of a third party stealing those tapes of unencrypted system backups are limited to having to buy more tape, it's not really a huge deal. You do not have to encrypt everything, and IMHO it's asking for many sorts of trouble if you do.
If someone steals a backup tape, corporate smartphone, or a laptop, the last thing I'm worried about is the cost of replacing the asset itself. Data loss is far more of a priority. If a company values their information at no more than $100 worth of backup tapes, I would question why they're even bothering running backups.
"...Trump's policy of bringing back coal may mean that micro-babies are back in fashion."
Politics aside for a moment, this kind of wording makes me wonder how the fuck humans ever succeeded in procreating before nuclear power was invented, as if incubators were some kind of fashion trend.
Yes, perhaps we should get back to the "healthy" standard of macro babies, especially with c-sections being all the rage in the spring lineup for 2017...
That's the only point I'm trying to make. Above it was suggested as if it was mandatory instead of situations where the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
For your system backups? No. For other things? Very little information in a typical business is of the sort where it would be a problem if it was published on the front page of a newspaper. That stuff that would be a problem should be treated differently to what is needed for a bare metal restore, which IMHO should be easy enough that a contractor from outside can do it in a hurry without having to wait around for a time window to bother someone for keys. In disaster situations the people who have the keys are probably going to be very busy if they can get on site at all. Personally I think a policy of treating everything as top secret is a security risk on its own. You only want to trust a contractor with general information instead of giving them the key to the crown jewels.
Look, I fully understand and grasp the value of K.I.S.S. methodology. Ironically, it was a financial audit that initiated the requirement of encrypted media that is sent offsite. Today, I have multiple security standards that mandate encrypted backups on top of the financial requirement. Honestly, I'm struggling to justify your complexity argument here. SSL on web servers increases complexity. Running IDS/IPS and anti-malware services increases complexity. Complexity is not always a bad thing. Hell, in many ways it justifies needing IT staff, because systems are rather complex, and cannot be built or maintained by just any idiot with a keyboard and mouse.
There is risk inherent with handing unencrypted backup tapes (talk about the "crown jewels") to a 3rd party to be transported offsite, and out of the direct control of an organization. This is why you DO encrypt. Do you add complexity? Sure. Can you mitigate against that with multiple encryption schemas, two-party integrity with key control, onsite and offsite backups, and other measures? Sure.
When evaluating risk, you must also take into account frequency. The risk for activity that happens very frequently (offsite transport) is likely a lot higher than the insider threat of key manipulation or destruction. With key destruction, you risk not being able to run backups or restores. With leaked or stolen data, you may not have any IP to protect anymore. And that's on top of the lawsuits and fines for failing to protect PII, which damn near every company holds, and you will be up shit creek if you inadvertently leak that kind of data.
Making the brain work in ways other than our nature intends will yield a crop of disabled and troubled Seals.
Give me a break. The FDA has probably done more to regulate around the way "nature intends" our minds and bodies to work more than any other single factor. The most popular preservatives and additives in our food supply today aren't natural or healthy.
As far as boosting the attention span of SEALs who are put in situations that mandate intense concentration and alertness, I'd say this is more of a survival tactic than anything else.
Ah yes, you are very important obviously, at least in your own mind if nowhere else, and are attempting to rub that in, but it appears you think the policy of where you are is how it should be done everywhere. Clearly most people do not, because it's as fucking stupid as letting people you do not trust have possession of your backup tapes. If you can't trust who has your tapes, then why are you letting them have them?
I've used an offsite storage vendor for almost 20 years across multiple companies without a single mishap. The requirement to encrypt is to mitigate risk at all times (including theft or loss), as well as protecting data with any offsite storage vendor. In a nutshell, you encrypt because shit happens.
The only policy I'm recommending here is whatever one fits the business requirement, and has been tested and proven to work. My model isn't necessary for everyone, so go do whatever you want to do to meet the business need for DR/BCP. Complexity is only necessary when justified.
Disaster recovery should be simple and adding potential show-stoppers to the process is not a good idea unless the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
The consequences are, hence the reason for the encryption mandate, imposed by multiple security standards. I don't do encrypted backups with multiple streams because I have some weird love affair with algorithms. And there are all sorts of ways one can mitigate the complexity risk. Store keys in multiple locations. Store them with 3rd parties to help bolster a two-person integrity model. Test your backups frequently. Multiple copies of backups can be stored both onsite and offsite, each with their own encryption schema. Monitor changes to backup systems. Assign competent SysAdmins to manage.
And quite frankly, if you cannot trust those who manage your security, you've got far larger problems than someone losing encryption keys to backup tapes.
Please note the context of where I used the word pointless. On other systems there are different mechanisms which do indeed make it just pointless overhead to run a VM instead of doing separation in other ways. The "real world" has systems other than MS Windows in it.
Ah - the "real world" bit should have given me a clue - you are a student, aren't you? Encrypting your backups is a vastly stupid idea since when the backups are required in the future it can never be certain that someone with the passphrase or whatever is available...
Clearly you've never worked in a highly regulated environment that is restricted by mandate to encrypt backups when shipping data offsite. And since offsite and offline is the safest place for data in the ransomware-riddled world we live in today, the strategy fits.
Keys are stored in multiple locations to protect against the inevitable unavailability of someone as well. Two is one; One is none. Hope that clears up any ignorant assumptions.
You know, it's bad enough observing events that happened a few billion light years ago.
Did we really think the give-a-shit factor was going to somehow improve waiting over two years to report on it?
Fucking hell...
...a company that is dumb enough to run its entire business applications from a single server. http://www.kvia.com/crime/fbi-... "Investigators learned that the server controlled the company's production line, warehouse, distribution center and its ability to take orders."
Uh, a company "dumb enough"? This "single server" is also known as an ERP system. And a shitload of large companies around the world run ERP systems. The dumb part is not protecting them with a valid DR strategy.
That's a very 1990 way of looking at things in server space (IBM etc. was doing it then). Zones (AKA containers) are a less wasteful way to separate things, and unlike recent VMs there is some consideration of security. "Everything" is a bad word to use when describing something outside of your own workplace in terms of what applies inside yours. In the MS world VMs are the bandaid solution to poor resource management by an OS. Outside of the MS world there is less need, and very frequently you want a piece of hardware (or a cluster) to be dedicated to a single task - so a VM is pointless in that situation apart from convenience of backups (which once again, outside of the MS world, is trivially easy).
A VM, is pointless?
In the real world you properly assess risk and impact, define an SLA, virtualize all critical servers in VMWare, and run encrypted snapshot backups multiple times a day, written to tape nightly and kept offline as well as offsite, away from any risk of "rouge" attack. Proper snapshots capture the entire server (including those pesky "core system files"). Had they used and protected VMs properly, it would have likely resulted in little more than getting admin rights back and restoring the entire environment within a day.
While the rogue admin deserves punishment, the real crime was this clusterfuck of a DR strategy. Whoever signed off on that shit should also be fired.
Oh, that DR solution is too expensive? I wonder how much weeks of backlog and lost business cost. Maybe they should have invested more in IT instead of their Polo team...
As long as it's the victim that's at fault it makes sense.
But modern cars require less and less attention to drive, which forces the driver to keep the mind occupied on other things to not fall into a vegetative state.
Cars still have a steering wheel. And pedals. The last feature that changed those basic pay-attention-dumbass requirements was the advent of cruise control, which came out decades ago, long before the smartphone.
Drivers today are still obligated to take the same driving test as their parents did, because shit hasn't changed.
And cars today also have a lot of touch screens, which also require the driver to look away from the traffic.
And many of those touchscreen features are disabled when the car is in motion, or are extended with controls that are on the steering wheel, minimizing the risk.
I think we can dispel with the ain't-like-it-used-to-be bullshit excuses. People today think they can do anything behind the wheel, including operating a smartphone. Let's not defend moronic behavior.
Let Darwin do his work... ;-)
Well, it's not like we Award this behavior or anything.
Oh, wait...
I've seen so many security disasters caused by "IT professionals" who are just focused on enforcing security policies. My favourite example was a major client who spent months trying to get their IT security division to play ball on a project, but every effort proved fruitless - the firewalls and network security policies were there for a good reason, dammit, and they weren't prepared to compromise on security.
Faced with pressure to get the project completed, the project team ended up plugging in heaps of 3G modems all over the site, to allow network connectivity to the systems they needed external access to. This access went in with no network-level access controls or firewall, and to the best of my knowledge they're still there, years later.
Would I have done that? No. I would have resigned first. But these people had jobs and liked keeping them, and faced with the certainty of a failed project, or the possibility of someone (probably not them) taking a fall over breaching security policy, they went with whatever got the job done. The project manager met his KPI, the team got to move on to other projects, and security got to feel smug because they kept their network security policies intact.
I saw the whole debacle happen (and I've seen plenty of similar situations over the years), and in my opinion it's been a failure of the security team just about every time. Facing a choice between: a) Enabling engineers to solve business requirements while ensuring there are effective and well-managed security controls, or b) Enforcing security as a top priority, with little regard for the requirements of other business divisions, security teams often just go with option b. They pretend the inevitable workarounds aren't their fault.
Every time they say "yes" to something which increases security risk, the security team risks something going wrong - but every time they say "no" they risk people coming up with their own work-around instead. Security teams should be enablers - finding ways to secure what needs to be done. Once they become known as deniers, they'll just end up fighting an adversarial battle with their own colleagues. That doesn't result in effective security.
Security should always be treated as a balancing act. The first thing any good InfoSec professional does after creating a security policy is create a process to request a waiver or exception to security policy, so that it is fully vetted and justified. This is also a good CYA move for when an exception creates a vulnerability that gets hacked.
While the bullshit pulled in your scenario above may have "gotten the job done", it created massive risk that is likely "still there, years later", with little or no controls in place to detect intrusions or attacks into systems that went around security protocol designed to protect the corporate enterprise. When security is supported from the top of the organization as a priority, it gets the respect it deserves. Those organizations who treat security as a bothersome burden are the ones filled with holes and usually end up getting hacked. Security teams ARE enablers; they enable the business to maintain IP and value in order to continue being a viable business. Attitudes that dictate otherwise are ignorant to the reason security teams, policies, procedures, and mandates are a necessary component of business today.
And those that pull bullshit end-around games should be disciplined for violating security policy. There is no valid excuse if you have a process in place to request and justify exceptions. Above all, every employee should understand and respect the fact that everyone has a job to do in an organization.
How is this different than advertising? Coke and Pepsi, for example, both try to convince you that you should buy their product over the other's. They attack from multiple fronts, pay for commercials and product placement, sponsor major sporting events, are active on multiple forms of social media, etc. All with the goal of swaying public opinion and convincing you that you should do something that you probably should not (drink stuff that generally isn't healthy for you).
Swaying public opinion between soft drinks is not exactly on the same scale of impact as swaying public opinion to influence an election.
And if you wanted to attack an entity that truly causes an impact selling a product, then question why governments allow tobacco to remain a legal product as it kills millions of humans every year. The overwhelming majority of other "deadly" issues can't even hold a fucking candle to this.