As a protocol, IPv6 seems to have so many glaring omissions or just bad engineering issues.
The first one... no use of firewalls or NAT devices. Hello here... firewalls are critically needed on the Internet, and many laws and regulations specify use of one.
Now this...
Guess most companies which value their reputations will be sticking with v4 until Doomsday.
I do agree, we are losing skilled people, mainly because of the bad perception of what the workplace is like for CS and IT people. The image of a CS person once they get their degree is someone working endless hours for low wages, trying to fight for their jobs against cheap offshore labor. This is becoming a self-fulfilling prophecy. Good people who would go into CS, who know what software engineering is, end up heading into other fields because they hear the horror stories and head to other places. I looked at statistics of a local liberal arts college which offers a CS plan, and enrollment is down 90-95% in the past several years.
What is important is that the US NEEDS to have a solid CS/IT worker foundation. This will become increasingly more important as more of our life ends up dealing with the Internet.
This case shows that a county can take property from one landowner and give/sell to another landowner at will. You live in the property you "own" only at the whim of the county and state.
I live in an "at will" state. People can be fired for anything, provided it's not a race, religion, or sex matter. Where I work, they have an HR department, but higher ranks of supervisors can easily fire on the spot. Legally it's 100% legit, and most people end up signing their right to sue away in return for a couple weeks of severance anyway. I'd rather work at a place that I know, and have some job security, than some place where I have to play king of the hill in employee coffee klatches to keep my job. I don't care to play office politics.
This guy was fired unjustifiably in my book (as he was one of the smartest people I know), but under the state laws, it's perfectly legal. It's sad in one way that I have a plain vanilla car for work, but I get paid well, and it sure beats living at the Salvation Army, or telling people, "would you like fries with that?"
As for being aloof from co-workers, other than the IT staff, I am paid to do my job, not tell my innermost psychological ramblings to some ditz in Marketing so she has grist for the rumor mill. Should I goof up on my job, I go to prison for violating SOX and other regulations, and my company gets shut down. I'm not paid to share my personal life with people who have no right to know what I do on my own time, and who will take any advantage they can. This doesn't mean not to be professional and polite by any means, but not to open your closet and show everyone in the company all your skeletons.
I earn enough that I don't mind putting on my work "face", hopping into a boring car, doing my job and going home. Other workplaces can be far worse, and pay far less. The trick is just to shut up, and not bare your soul to would-be attackers.
Never mix work and home, EVER. This is something I learned the hard way, because when you let co-workers find out what you do for fun, when they know what friends and acquaintances you hang out with, what music you listen to, then that is ammo that your peers and your office politics rivals will use to get you fired should some bad thing happen, and they have a chance at it.
For example, I've seen a co-worker (who was EXTREMELY talented) fired at a previous job I was at because he listened to heavy metal/goth, and during a major emergency on a Saturday night when servers melted (UPS failure), he ran into work in full club gear in order to get servers back up and running. Even though he got the servers up in an hour, he got fired a week later, not because of performance, but because his boss was a country music type of guy and didn't like anyone who didn't drive a pickup truck and attend rodeos in the first place, and him finding an underling who listened to something totally different caused him to dig up anything to fire the guy by. At the time, it wasn't a big deal, the guy just hopped to a different place and made more money, but these days with jobs being outsourced or handed to I-9 thralls, it may end up causing someone to have their next home for their family be a homeless shelter or park bench.
It seems easy to mix the two, but don't. You don't want co-workers who are potential enemies when it comes raise/promotion time to have knowledge on how to sabotage you.
Personally, I leave work and home totally separate. Even my work car (a bland, boring vehicle that stays clean and personal-item free) is different from the car I use in other things. If asked about family or whatnot, I give a bland reply back. It sounds bad, but come raise/promotion time, issues that people can bring against me are only work-related... they can't dig up skeletons out of the rest of my daily existence to use.
Due to being a thrall subject to corporate regs like SOX and others, I have to lock down user PCs, and restrict them behind a Draconian firewall, allowing access to only what they need to work.
However with Terminal Services clients, I enable it to be used in a client window, and make sure that "Turn off clipboard redirection" is off in group policy. All employees can connect to a cluster of Terminal Servers which is securely in a DMZ, isolated from the rest of the network. Only a few people have administrative rights to these machines, and the only connection the Terminal Server machines have to the internal network is a port to a dedicated domain controller. To further separate the employee "free for all" TS machines from the corporate network, they are even connected to the Internet on a different link. Of course, the TS machines have a few outgoing ports blocked at the router (port 25, duh), but it's nowhere near as locked down as the internal corporate network.
Now, desktops can be locked down, but users can do pretty much what they want on their account on the terminal server (Webmail, IM, etc.) If a user gets malware, it can only affect their user accounts (assuming the malware gets past the AV scanner resident on the machine.) There is no known way the internal PCs can be infected by a compromised terminal server (if by chance something like this occurs), and confidential corporate material can't get out by accident via the clipboard (if someone wanted to get it out, they could manually type it, but that is a different story altogether.)
In the abstract world of ethics, reporting security issues is a main thing. So was being taught to take blame for a friend's actions as a noble act. However in the real world, all that does is land a person jobless, with a bad work record, and possibly with criminal charges. (It's VERY trivial to assemble stuff that looks like evidence to put someone away for "cybercrimes".) At the very least, it means management will audit and scrutinize every single thing you do forevermore, every second at the job from when pulling onto their property until you drive off, and if you drop the ball *once*, there will be zero tolerance for mistakes. Stuff that may normally result in a polite "word to the wise" E-mail fired from a manager will be grounds for immediate termination.
There is a difference between ensuring security as part of the job, versus calling attention to oneself in such a way that one will forever be considered a "security risk", which will be a career ending move. If I were writing a paper for a university ethics class, maybe I would state something different, but in the real world, someone perceived to be a whistleblower will get the boot to the head fast, and it will forever be on their record somehow. Yes, there are anti-revenge laws... but most companies will sit there over a period of months or years, gather evidence slowly but surely (or just overtly make fake evidence) to get the whistleblower fired or jailed. It's trivial for someone to make up some "secret" data, and have it sent out with that person's username forged to a "plant" in return for money. Or, a mysterious bag of illegal substances may appear in the person's desk, just when there is a security search going on. Whistleblowers don't last long anywhere, no matter how stiff the anti-retaliation laws are. At best, it means a "window seat" office, and a position which leads to nowhere in a company.
This is not a case of ethics, but of basic self-preservation. In most cases, being "honest" in this case will only land a person unemployed, with a nice gaping hole in their resume and only bad remarks like "works well when closely supervised... WELL away from anything sensitive" data forever on their work record, if the company doesn't lie and just say that the person never worked there. At worst, it can mean jail or prison time.
To sum up: You won't lose an eighth for keeping your mouth shut, and going about your business.
The first knee-jerk reaction a manager will do to someone who points out security flaws is fire the person, and possibly find some way to press criminal charges. Barring that, from the time you tell them about the flaw, for the rest of the time you work at that place (as well as subsequent places if people know each other), if *anything* happens to breach security, you will be called in front of management (and possibly police) to explain why you did not do the break-in, even though it's brain-dead obvious you have nothing to do with the breach.
It's just not worth it. I have had friends fired at jobs on the spot (as in the mgr calling for security and having two guards escort the person out, then calling for a "forensics" expert to go through the person's comp to find anything to have him arrested for) because they pointed out to management that the place had wide-open wireless, or wireless with brain-dead security settings.
This is assuming it's not your field of responsibility to watch that data, so when (not if) it's stolen, it's not you being roasted by the various corporate regulations, but the people who left the data exposed, who are failing in their basic job duties.
I know I sound cruel and heartless, but business is business, and it's better to shut up and let people take the fall than try to be "honest" and point out holes which results in you being the next guy who gets the axe (and bad character/job references) come "rightsizing" time.
If you *have* to alert people, find a way to do it anonymously, but securely. Don't just send anonymous E-mail or an SMS message to them (as it can be read by people who could take advantage of the issue.) Remember, ethics are important in the work world, but you are not trying to make an eighth in Honesty to complete your Ultima IV Avatar-hood.
This is something I am trying to get people to do, to little avail.
In the old PGP documentation (and I'm mangling the wording), it stated that one should encrypt even trivial E-mail. It's just the same as putting something in an envelope rather than writing all your personal stuff on a postcard and sending it.
Signing and encrypting E-mail is easy these days. You use a S/MIME compatible E-mail client (Thunderbird, Mail.app, Outlook, Pegasus Mail, Eudora, mutt, even elm and pine have ways of being able to understand S/MIME certs.) You then either use a self-signed cert, grab one from StartCom or Comodo, or if you desire the Verisign check, plop your $19 down. Pretty much a four-step process... enroll, wait for the confirmation E-mail, browse to the URL, type in the confirmation code, then back up your certificate and private key to a secure place.
Now, you have signing and encryption. S/MIME has some small issues (always check the certificate, because the From address of an E-mail is trivial to fake), but it's a very easy way to keep what should be private E-mail that way.
Instant messaging is the same or similar. You can use PGP Professional as a wrapper or use certificates in a number of IM clients similar to how it's used in secured E-mail.
For web pages, I try to have the websites I run use SSL whenever possible, even when a user is just doing a search of content on the site.
The more encrypted traffic is generated, the better. Most people don't want everything they do on their computers to be an open book, but don't bother to take any steps to batten down the hatches.
Disclaimer: I am a Mac fanatic, so my opinions are biased. However, working in IT, Apple's biggest hurdle is that their OS isn't FIPS compliant, and doesn't have the other certifications that Windows does. FIPS doesn't equal security, but it means that the hardware or software module has seen review and meets the standards. The vendor paid the ticket of admission.
Where I work, I have to supply assurances and justifications for pretty much everything to legal and management. We all have a number of corporate regulations (SOX for example) that if violated will kill my company and land a lot of people in prison. If I install and use Windows, in the eyes of the law, I have done my "due diligence", so if there is a security breach, I can point and blame it on some Windows security flaw. Assuming the third-party firewalls and intrusion software doesn't catch it first. If I use Macs, I can't state to management that I am using "due diligence" -- Macs don't have the certifications which seem meaningless in one area, but are 100% critical in other areas. A security breach (and databases of peoples' info copied) in what would be arguably a more secure environment using a Mac and MySQL would land me in a Federal prison because I didn't follow legal processes and didn't use an OS that has the pretty colored seals on the box.
An analogy is like a lock on a security door. One is less secure, but certified by the US government, one is more secure, but doesn't sport those pretty colored logos. Then comes a time that both locks are broken into. If I'm using the one certified, I can just say "blame the maker -- I did my part to adhere to standards" -- my rear is covered. The one that isn't certified means I breached policy, and thus am liable for the intrusion personally, and my company is liable as well.
So, until Apple gets the certifications (FIPS 140-2, level 1 for example) that can assure the attorneys I work with that the OS is secure from the CYA perspective, I will be running a Windows installation. I love Macs, but I don't want to spend the rest of my life in a 5x7 because I did "The Switch" at work, and run afoul of US law because of it.
I know two steps that are FAR better antipiracy measures than putting in malicious code that can cause you to wind up in a prison:
First step is simple. Update your program, and update it often. Add small new features, fix bugs, fix typos, and try to update every week or two. Have a facility to autoupdate in your program, even if it's just grabbing a text file from a web server. Updates make users feel that the program is well maintained by a responsive author or development team.
Second step. If you use Java or .NET, use an obfuscator. A basic one is included with Visual Studio .NET, and you can download "community"/free versions of others. As a side effect, most code runs faster after being passed through one. Now, the pirate groups are forever in catchup mode. When they have a patch for version 1.2.1, 1.2.3 is available for download and fixes a number of bugs.
Yes, pirates can work on a keygen, but if you do the algorithm correctly, they most likely will be forced to patch your code, rather than just a keygen. Of course, you can take the step of online activation like Sunbelt does.
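The "algorithm done correctly" that rules out a keygen is an asymmetric signature: the key carries the licensee and expiry plus an Ed25519 signature that only the vendor's private key can produce, so the shipped program embeds nothing a key generator could use and the only remaining route is patching the check. This is an added example, not the poster's code; Ed25519, the `licensee|expiry` payload layout and the names `Vendor`, `Issue` and `Verify` are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Key layout (assumed for this example): the payload "<licensee>|<YYYY-MM-DD>"
// followed by a 64-byte Ed25519 signature over that payload, base32-encoded
// without padding and split into five-character groups so it can be typed.
// The licensee string itself must not contain the separator.
const (
	payloadSep = "|"
	dateLayout = "2006-01-02"
	groupLen   = 5
)

var keyEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// Vendor holds the signing key. Only the vendor ever has it; the shipped
// program embeds just the public key, which cannot produce signatures.
type Vendor struct{ priv ed25519.PrivateKey }

// NewVendor generates a fresh key pair and returns the public half for embedding.
func NewVendor() (Vendor, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Vendor{}, nil, err
	}
	return Vendor{priv: priv}, pub, nil
}

// Issue produces a typeable license key for licensee, valid through expiry.
func (v Vendor) Issue(licensee string, expiry time.Time) string {
	payload := []byte(licensee + payloadSep + expiry.UTC().Format(dateLayout))
	blob := append(payload, ed25519.Sign(v.priv, payload)...)
	return group(keyEncoding.EncodeToString(blob))
}

// group inserts a dash after every groupLen characters.
func group(s string) string {
	var parts []string
	for len(s) > groupLen {
		parts, s = append(parts, s[:groupLen]), s[groupLen:]
	}
	return strings.Join(append(parts, s), "-")
}

// Verify checks a key against the embedded public key and the current date and
// returns the licensee. Each failure is a distinct error so a support desk can
// tell a typo from a forged, tampered or expired key.
func Verify(pub ed25519.PublicKey, key string, now time.Time) (string, error) {
	blob, err := keyEncoding.DecodeString(strings.ToUpper(strings.ReplaceAll(key, "-", "")))
	if err != nil {
		return "", fmt.Errorf("malformed key: %w", err)
	}
	if len(blob) <= ed25519.SignatureSize {
		return "", errors.New("malformed key: too short")
	}
	payload, sig := blob[:len(blob)-ed25519.SignatureSize], blob[len(blob)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("invalid signature") // forged, edited, or another vendor's key
	}
	licensee, date, ok := strings.Cut(string(payload), payloadSep)
	if !ok {
		return "", errors.New("malformed payload")
	}
	expiry, err := time.Parse(dateLayout, date)
	if err != nil {
		return "", fmt.Errorf("malformed expiry: %w", err)
	}
	if now.After(expiry.Add(24 * time.Hour)) { // valid through the whole expiry day
		return "", fmt.Errorf("license for %s expired on %s", licensee, date)
	}
	return licensee, nil
}

func main() {
	vendor, pub, err := NewVendor()
	if err != nil {
		panic(err)
	}
	key := vendor.Issue("Example Corp", time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("issued:", key)
	who, err := Verify(pub, key, time.Now())
	fmt.Println("verify:", who, err)
}
```

Online activation as the comment mentions it fits the same design: the server signs an activation record with the private key and the client verifies it with the embedded public key.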
The above AC is right. On one hand, I have to be anal retentive about GPOs, mandatory roaming profiles, lack of USB ports, and smart card access to machines. This is not something I like. I get zero pleasure out of locking users out. However, I have to factor in not just user morale, but the fact that there is a lot of data sitting on hard drives of servers that if it made its way even 100 feet from where it's sitting physically, I would be facing prison time, and the company may be facing bankruptcy.
Solutions can be worked out. I made a DMZ, put a couple terminal servers there, and the only contact they have inward facing is a hole punched out from the internal network to port 3389 so users can RDP in, with limited user accounts, and GPOs set to keep clipboard data from propagating to and from the terminal server. Now, they have pretty much unfettered Web access, with a filter in place for obvious pornographic websites (so the company doesn't get sued due to sexual harassment charges.)
Most users understand this, and are happy that they can alt-tab to an external browser that is isolated from sensitive internal data. Those that make a fuss about it are happy to contact management... the CEO's door is always open.
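The clipboard GPO described in this comment and in the Terminal Services comment above ends up as DWORD values under the Terminal Services policy key, and the clipboard is only one of several RDP redirection channels through which data can leave the DMZ box. The audit below parses a `reg export` of that key and reports which channels the policy still leaves open. This is an added example, not the poster's configuration; the two sample exports are constructed, and it assumes the export was converted from UTF-16 to UTF-8 before parsing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// tsPolicyKey is the registry key that the "Device and Resource Redirection"
// Group Policy settings write to on a Terminal Server.
const tsPolicyKey = `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]`

// redirectionChannels lists the policy values that close the RDP virtual
// channels through which session data can reach the client. A DWORD of 1
// means the channel is disabled; 0 or absent means clients may redirect it.
var redirectionChannels = []struct{ value, channel string }{
	{"fDisableClip", "clipboard"},
	{"fDisableCdm", "client drive mapping"},
	{"fDisableCpm", "client printer"},
	{"fDisableCcm", "COM port"},
	{"fDisableLPT", "LPT port"},
	{"fDisablePNPRedir", "Plug and Play device"},
}

// Constructed sample exports (not taken from any real host). The first only
// turns off the clipboard; the second closes every redirection channel.
const weakExport = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"MaxIdleTime"=dword:001b7740
`

const hardenedExport = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"fDisableCdm"=dword:00000001
"fDisableCpm"=dword:00000001
"fDisableCcm"=dword:00000001
"fDisableLPT"=dword:00000001
"fDisablePNPRedir"=dword:00000001
`

// parseRegExport reads a .reg export (UTF-8, CRLF or LF) and returns the DWORD
// values found under the Terminal Services policy key; other keys are skipped.
func parseRegExport(export string) map[string]uint32 {
	values := map[string]uint32{}
	inKey := false
	for _, raw := range strings.Split(export, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "["):
			inKey = strings.EqualFold(line, tsPolicyKey)
		case inKey && strings.HasPrefix(line, `"`):
			name, rest, ok := strings.Cut(line[1:], `"=`)
			if !ok || !strings.HasPrefix(rest, "dword:") {
				continue // string and binary values are not what this audit checks
			}
			if n, err := strconv.ParseUint(strings.TrimPrefix(rest, "dword:"), 16, 32); err == nil {
				values[name] = uint32(n)
			}
		}
	}
	return values
}

// auditRedirection returns, in a fixed order, the channels that the exported
// policy still leaves open, i.e. the ways data could still be copied out.
func auditRedirection(values map[string]uint32) []string {
	var open []string
	for _, c := range redirectionChannels {
		if values[c.value] != 1 {
			open = append(open, c.channel)
		}
	}
	return open
}

func main() {
	fmt.Println("weak policy leaves open:", auditRedirection(parseRegExport(weakExport)))
	fmt.Println("hardened policy leaves open:", auditRedirection(parseRegExport(hardenedExport)))
}
```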
I think thin clients will be likely to take off this time around. First it was VT100s/3270s, then X stations, then Java stations, but in none of those times was data security so important. These days, it's hardcore prison time if data gets divulged, so a firm with sensitive data would be almost foolish to use standalone PCs compared to a cluster of terminal servers. Thin clients can't get malware on them (for the most part), and it's easier to maintain licenses because everything is on a cluster of machines.
What is going to sell thin clients is not the tech, but what happens if one doesn't have them... punishment under SOX, HIPAA, or other laws if they are breached.
In most companies, a capable IT team won't be dropping "page 12" references unless there is a good reason. Usually if a user complains that IT won't "let them do their job" because they can't hook their iPod to a corporate network and wants to play hardball with IT, I can play hardball back and question why the user is so intent on getting around security policies for protection of corporate data. Usually the user is sent back to his/her work area with the lines of page 12 highlighted by a manager so the user can review them.
As an IT worker myself, I don't let things escalate. I keep a log of how a user goes around protections, then I get the user, his first and second line manager into the boardroom with a pile of printouts of how the user is trying to dodge corporate policy. This is clearly stated in the employee manual: if someone is trying to hack around IT's policies, they become an ex-employee.
I don't like being forced to lock everything down, but I have to, and almost all employees realize this and do not attempt to bypass these restrictions. Those who find it a challenge will have to explain their SSH tunnel to management, and possibly the local police if they are doing something which impacts company security as a whole.
Licenses need to be kept track of. When the BSA comes knocking, they want to see invoices, and will be already assuming the company is in violation and will be demanding a multi-thousand dollar "settlement". Every couple days, I run a check to see what programs are installed on what computers, so when audit time comes I can show that my company pays its dues.
An IT department isn't there just to make users happy. It's a factor, but IT has to guard assets that can go in the millions, billions, or even trillions if it's a large bank. So, keeping some Joe who wants to post about how they pwned some rogue in a World of Warcraft battleground happy is pretty much last on the list.
In a number of cases, a decent IT department can allow personal Web browsing without killing security. I lock down the computers on the desktops, but it's understandable that people need to visit sites outside the Web, so there is a secured Terminal Server box that any user can remote desktop to and browse the web on. Of course, they are prohibited from installing software, run as normal users and not administrators, access is blocked to obvious porn sites, and EFS is disabled, but this is far better than the alternative, nothing.
With the pic of the youngest child as wallpaper someone copied onto their workstation, came a screensaver with a keylogger. HIPAA or SOX compliance? Well, the workplace will be seeing big fines, and likely IT people will be seeing prison time.
Work is work, laws are laws, and they apply 24/7. An IT worker telling the SEC or a Federal judge that the breach happened off-hours so the company was lax, won't get any mercy from the courts.
Lazy IT departments will end up dead on the side of the road sooner or later. It's not lack of a clue that forces them to make sure you don't plug your iPod into your workstation; it's not wanting to face Federal prison charges if data escapes.
Being a geek is OK... but if you work in various industries, there are more laws to follow because it's the industry's nature.
Please learn about the medical industry, and what bad things happen when people violate SOX, HIPAA, and other regulations.
Sales isn't the only revenue generating mechanism in a company. When people forget this, this is like cutting all but one leg off a prize-winning race horse.
Sales just brings in new accounts. Customer service keeps the accounts happy, so they buy more. Manufacturing and shipping make sure that the product is shipped on time. Development ensures the product is updated with new features and older bugs fixed.
I have seen what happens with marketing, and when they start ruling the roost. Dev is forced to push out buggy crap, which means customer service gets punched in the face by angry customers, and all your good developers will start abandoning ship. Happy fun death spiral.
Sales/Marketing is important, but they need to be kept as reined in as the big-egoed developers who refuse to ship any code unless they think it's perfect, who cares about release dates and the fact that competition has support for feature "X" that all the customer base is going to jump ship for. Good management can do this, bad management sits around and wonders why their stock is tanking while their sales people who appear to make the income stop having leads on new customers.
Much agreed. The iPhone is going to change cellular telephony on a fundamental scale, just like CDMA/TDMA/PCS in the late 1990s changed it from analog calling to high quality digital calls.
There is absolutely nothing that even comes close to this phone on the market. This is pretty much exactly like how iPods pushed everyone else out. In a couple years, there will be iPhones, and the iPhone wannabees forever trying to play catch up.
iPhone articles do belong on Slashdot. They are an important new technology, one which will eventually be pretty much in everyone's (well, everyone but the would-be Luddites who stick with last year's stuff because they hate Apple) pocket in a year or two as soon as their existing cellular operator contracts expire.
No tech gadget since the iPod deserves as much coverage as the iPhone. Give this phone a year or two, and people will be doing like they did with MP3 players -- calling any MP3 player an iPod because iPods are so universal.
I'm beginning to think these anti-DRM people are bordering on Ludditism, or just imitating the old guy on the porch cursing out "dem new-fangled contraptions" driving the roads. DRM is a fact of life, stops piracy, and ensures more music will be coming out. Without it, Apple's store might have 1/1000 the selection it has now, if they were lucky. To boot, most people never even bump into FairPlay DRM limits.
DRM is a necessary evil of modern society, just like red lights, searches at airports, and traffic jams. Deal with it.
What is so bad about that? It's not like a company is required to give its competition all its secrets. To boot, it's not like Apple's DRM is as bad as the other stuff out there, where one can't even burn the tracks to CD. If you don't like FairPlay, grab a nearby CD-RW, make and rip a playlist, import back in as MP3 or whatever, and jam out.
Apparently the previous poster has bad or defective hardware.
Comparing a Mac to a HP laptop is comparing two different things. Even though the Mac is running on an x86 platform, it is not a PC. The premium that one pays is the hardware support to run a solid and time-tested OS which is virtually immune to malware or websites.
Yes, PC clones cost $800-$1000 less, but I don't mind the premium... can you put a price on data security and safety?
It appears the previous poster is uninformed, or just has plain never used a Mac, which is pretty common when the Microsofties descend to battle the latest and greatest from Apple. "I am a Mac Expert, but I prefer Windows... now where is the button to open the DVD-ROM drive tray?"
OSX is far more stable than Windows because it's based on a tried and true UNIX architecture. Security threats? I am willing to risk my job and say that for my intents and use, MacOS is pretty much 100% secure. Of course, nothing is 100% secure, but I'm almost willing to eat my LCD screen should someone be able to root my Mac from malformed CSS on a website. I have never seen an exploit for it in the wild, and any exploits found are patched within hours.
Wrong. The US Supreme Court made a decision that anyone's property can be condemned and be made part of a private business at anytime.
http://en.wikipedia.org/wiki/Kelo_v._City_of_New_London
This case shows that a county can take property from one landowner and give/sell to another landowner at will. You live in the property you "own" only at the whim of the county and state.
I live in an "at will" state. People can be fired for anything, provided its not a race, religion, or sex matter. Where I work, they have an HR department, but higher ranks of supervisors can easily fire on the spot. Legally its 100% legit, and most people end up signing their right to sue away in return for a couple weeks of severance anyway. I'd rather work at a place that I know, and have some job security, than some place where I have to play king of the hill in employee coffee klatches to keep my job. I don't care to play office politics.
This guy was fired unjustifiably in my book (as he was one of the smartest people I know), but under the state laws, its perfectly legal. Its sad in one way that I have a plain vanilla car for work, but I get paid well, and it sure beats living at the Salvation Army, or telling people, "would you like fries with that?"
As for being aloof from co-workers, other than the IT staff, I am paid to do my job, not tell my innermost psychological ramblings to some ditz in Marketing so she has grist for the rumor mill. Should I goof up on my job, I go to prison for violating SOX and other regulations, and my company gets shut down. I'm not paid to share my personal life with people who have no right to know what I do on my own time, and who will take any advantage they can. This doesn't mean not to be professional and polite by any means, but not to open your closet and show everyone in the company all your skeletons.
I earn enough that I don't mind putting on my work "face", hopping into a boring car, doing my job and going home. Other workplaces can be far worse, and pay far less. The trick is just to shut up, and not bare your soul to would-be attackers.
Never mix work and home, EVER. This is something I learned hard, because when you let co-workers find out what you do for fun, when they know what friends and acquaintances you hang out with, what music you listen to, then that is ammo that your peers and your office politics rivals will use to get you fired should some bad thing happen, and they have a chance at it.
For example, I've seen a co-worker (who was EXTREMELY talented) fired at a previous job I was at because he listened to heavy metal/goth, and during a major emergency on a Saturday night when servers melted (UPS failure), he ran into work in full club gear in order to get servers back up and running. Even though he got the servers up in an hour, he got fired a week later, not because of performance, but because his boss was a country music type of guy and didn't like anyone who didn't drive a pickup truck and attend rodeos in the first place, and him finding an underling who listened to something totally different caused him to dig up anything to fire the guy by. At the time, it wasn't a big deal, the guy just hopped to a different place and made more money, but these days with jobs being outsourced or handed to I-9 thralls, it may end up causing someone to have their next home for their family be a homeless shelter or park bench.
It seems easy to mix the two, but don't. You don't want co-workers who are potential enemies when it comes raise/promotion time to have knowledge on how to sabotage you.
Personally, I leave work and home totally separate. Even, my work car (a bland, boring vehicle that stays clean and personal-item free) is different from the car I use in other things. If asked about family or whatnot, I give a bland reply back. It sounds bad, but come raise/promotion time, issues that people can bring against me are only work-related... they can't dig up skeletons out of the rest of my daily existence to use.
Due to being a thrall subject to corporate regs like SOX and others, I have to lock down user PCs, and restrict them behind a Draconian firewall, allowing access to only what they need to work.
However with Terminal Services clients, I enable it to be used in a client window, and make sure that "Turn off clipboard redirection" is off in group policy. All employees can connect to a cluster of Terminal Servers which is securely in a DMZ, isolated from the rest of the network. Only a few people have administrative rights to these machines, and the only connection the Terminal Server machines have to the internal network is a port to a dedicated domain controller. To further separate the employee "free for all" TS machines from the corporate network, they even are connected to the Internet on a different link. Of course, the TS machines have a few outgoing ports blocked at the router (port 25, duh), but its nowhere near as locked down as the internal corporate network.
Now, desktops can be locked down, but users can do pretty much what they want on their account on the terminal server (Webmail, IM, etc.) If a user gets malware, it can only affect their user accounts (assuming the malware gets past the AV scanner resident on the machine.) There is no known way the internal PCs can be infected by a compromised terminal server (if by chance something like this occurs), and confidential corporate material can't get out by accident via the clipboard (if someone wanted to get it out, they could manually type it, but that is a different story altogether.)
In the abstract world of ethics, reporting security issues is a main thing. So was being taught to take the blame for a friend's actions as a noble act. However, in the real world, all that does is land a person jobless, with a bad work record, and possibly with criminal charges. (It's VERY trivial to assemble stuff that looks like evidence to put someone away for "cybercrimes".) At the very least, it means management will audit and scrutinize every single thing you do forevermore, every second on the job, from when you pull onto their property until you drive off, and if you drop the ball *once*, there will be zero tolerance for mistakes. Stuff that would normally result in a polite "word to the wise" E-mail fired off by a manager will be grounds for immediate termination.
There is a difference between ensuring security as part of the job, versus calling attention to oneself in such a way that one will forever be considered a "security risk", which will be a career-ending move. If I were writing a paper for a university ethics class, maybe I would state something different, but in the real world, someone perceived to be a whistleblower will get the boot to the head fast, and it will forever be on their record somehow. Yes, there are anti-revenge laws... but most companies will sit there over a period of months or years and gather evidence slowly but surely (or just overtly make fake evidence) to get the whistleblower fired or jailed. It's trivial for someone to make up some "secret" data, and have it sent out with that person's username forged to a "plant" in return for money. Or, a mysterious bag of illegal substances may appear in the person's desk, just when there is a security search going on. Whistleblowers don't last long anywhere, no matter how stiff the anti-retaliation laws are. At best, it means a "window seat" office, and a position which leads nowhere in a company.
This is not a case of ethics, but of basic self-preservation. In most cases, being "honest" here will only land a person unemployed, with a nice gaping hole in their resume and only bad remarks like "works well when closely supervised... WELL away from any sensitive data" forever on their work record, if the company doesn't lie and just say that the person never worked there. At worst, it can mean jail or prison time.
To sum up: You won't lose an eighth for keeping your mouth shut, and going about your business.
The first knee-jerk reaction a manager will have to someone who points out security flaws is to fire the person, and possibly find some way to press criminal charges. Barring that, from the time you tell them about the flaw, for the rest of the time you work at that place (as well as subsequent places, if people know each other), if *anything* happens to breach security, you will be called in front of management (and possibly police) to explain why you did not do the break-in, even though it's brain-dead obvious you have nothing to do with the breach.
It's just not worth it. I have had friends fired from jobs on the spot (as in the mgr calling for security and having two guards escort the person out, then calling for a "forensics" expert to go through the person's computer to find anything to have him arrested for) because they pointed out to management that the place had wide-open wireless, or wireless with brain-dead security settings.
This is assuming it's not your field of responsibility to watch that data, so when (not if) it's stolen, it's not you being roasted under the various corporate regulations, but the people who left the data exposed, who are failing in their basic job duties.
I know I sound cruel and heartless, but business is business, and it's better to shut up and let people take the fall than to try to be "honest" and point out holes, which results in you being the next guy who gets the axe (and bad character/job references) come "rightsizing" time.
If you *have* to alert people, find a way to do it anonymously, but securely. Don't just send an anonymous E-mail or an SMS message to them (as it can be read by people who could take advantage of the issue). Remember, ethics are important in the work world, but you are not trying to earn an eighth in Honesty to complete your Ultima IV Avatar-hood.
This is something I am trying to get people to do, to little avail.
In the old PGP documentation (and I'm mangling the wording), it stated that one should encrypt even trivial E-mail. It's just the same as putting something in an envelope rather than writing all your personal stuff on a postcard and sending it.
Signing and encrypting E-mail is easy these days. You use an S/MIME-compatible E-mail client (Thunderbird, Mail.app, Outlook, Pegasus Mail, Eudora, mutt; even elm and pine have ways of understanding S/MIME certs). You then either use a self-signed cert, grab one from StartCom or Comodo, or, if you desire the Verisign check, plop your $19 down. Pretty much a four-step process... enroll, wait for the confirmation E-mail, browse to the URL, type in the confirmation code, then back up your certificate and private key to a secure place.
Now you have signing and encryption. S/MIME has some small issues (always check the certificate, because the From address on an E-mail is trivial to fake), but it's a very easy way to keep what should be private E-mail that way.
Instant messaging is the same or similar. You can use PGP Professional as a wrapper, or use certificates in a number of IM clients similar to how they are used in secured E-mail.
For web pages, I try to have the websites I run use SSL whenever possible, even when a user is just doing a search of content on the site.
The more encrypted traffic is generated, the better. Most people don't want everything they do on their computers to be an open book, but don't bother to take any steps to batten down the hatches.
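The certificate check the S/MIME paragraphs above call for, as an added example that is not from the original post: a self-signed S/MIME certificate is generated with the openssl command-line tool, a message is signed and verified against it, and the From: header is then compared with the e-mail address in the signer's certificate. The names, addresses and message text are constructed for the demo, and an openssl binary with the `smime` subcommand is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post: self-signed S/MIME signing
# with the openssl CLI, plus the check the post warns about. A valid signature
# only proves who signed the body; the From: header sits outside the signed
# part and must be compared against the signer certificate separately.
# All names, addresses and message text below are constructed for the demo.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Step 1: a self-signed certificate (the cheapest option named in the post).
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$WORKDIR/alice.key" -out "$WORKDIR/alice.crt" >/dev/null 2>&1
}

# Step 2: sign a body file. $3 is whatever From: header the sender chooses;
# openssl writes it as a plain header, so it is NOT covered by the signature.
sign_message() {
  openssl smime -sign -text -in "$1" -out "$2" \
    -signer "$WORKDIR/alice.crt" -inkey "$WORKDIR/alice.key" \
    -from "$3" -to "bob@example.test" -subject "signed demo"
}

# Step 3a: the cryptographic check only. The self-signed cert is pinned as
# the trust anchor via -CAfile, which is how a self-signed S/MIME cert is trusted.
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$WORKDIR/alice.crt" \
    -out /dev/null >/dev/null 2>&1
}

# Step 3b: the extra check. Verify, write out the signer certificate, and
# require that the From: address appears among the certificate's e-mail names.
from_matches_signer() {
  openssl smime -verify -in "$1" -CAfile "$WORKDIR/alice.crt" \
    -signer "$WORKDIR/signer.crt" -out /dev/null >/dev/null 2>&1 || return 1
  from=$(sed -n 's/^From:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r')
  openssl x509 -in "$WORKDIR/signer.crt" -noout -email | grep -qxF "$from"
}

# Demo: an honest message, one with a forged From: line but Alice's real
# signature, and one whose body was edited after signing.
make_selfsigned_cert
printf 'Quarterly numbers attached.\n' > "$WORKDIR/body.txt"
sign_message "$WORKDIR/body.txt" "$WORKDIR/good.eml"  "alice@example.test"
sign_message "$WORKDIR/body.txt" "$WORKDIR/spoof.eml" "ceo@example.test"
sed 's/Quarterly/Annual/' "$WORKDIR/good.eml" > "$WORKDIR/tampered.eml"
for m in good spoof tampered; do
  if verify_message "$WORKDIR/$m.eml"; then sig=valid; else sig=INVALID; fi
  if from_matches_signer "$WORKDIR/$m.eml"; then hdr=matches; else hdr="does NOT match"; fi
  echo "$m.eml: signature $sig; From: $hdr the signer certificate"
done
```

Running it prints one line per message: the honestly addressed one passes both checks, the one with a forged From: line has a valid signature and fails only the certificate comparison (the case a reader who stops at "signature OK" misses), and the edited one fails outright.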
Disclaimer: I am a Mac fanatic, so my opinions are biased. However, working in IT, Apple's biggest hurdle is that their OS isn't FIPS compliant, and doesn't have the other certifications that Windows does. FIPS doesn't equal security, but it means that the hardware or software module has seen review and meets the standards. The vendor paid the ticket of admission.
Where I work, I have to supply assurances and justifications for pretty much everything to legal and management. We all have a number of corporate regulations (SOX, for example) that, if violated, will kill my company and land a lot of people in prison. If I install and use Windows, in the eyes of the law I have done my "due diligence", so if there is a security breach, I can point and blame it on some Windows security flaw. Assuming the third-party firewalls and intrusion software doesn't catch it first. If I use Macs, I can't state to management that I am using "due diligence" -- Macs don't have the certifications, which seem meaningless in one area but are 100% critical in other areas. A security breach (and databases of people's info copied) in what would arguably be a more secure environment using a Mac and MySQL would land me in a Federal prison because I didn't follow legal processes and didn't use an OS that has the pretty colored seals on the box.
An analogy: a lock on a security door. One is less secure, but certified by the US government; one is more secure, but doesn't sport those pretty colored logos. Then comes a time when both locks are broken into. If I'm using the certified one, I can just say "blame the maker -- I did my part to adhere to standards" -- my rear is covered. The one that isn't certified means I breached policy, and thus I am liable for the intrusion personally, and my company is liable as well.
So, until Apple gets the certifications (FIPS 140-2 level 1, for example) that can assure the attorneys I work with that the OS is secure from the CYA perspective, I will be running a Windows installation. I love Macs, but I don't want to spend the rest of my life in a 5x7 because I did "The Switch" at work and ran afoul of US law because of it.
I know two steps that are FAR better antipiracy measures than putting in malicious code that can cause you to wind up in prison:
First step is simple. Update your program, and update it often. Add small new features, fix bugs, fix typos, and try to update every week or two. Have a facility to autoupdate in your program, even if it's just grabbing a text file from a web server. Updates make users feel that the program is well maintained by a responsive author or development team.
Second step. If you use Java or .NET, use an obfuscator. A basic one is included with Visual Studio .NET, and you can download "community"/free versions of others. As a side effect, most code runs faster after being passed through one.
Now the pirate groups are forever in catch-up mode. When they have a patch for version 1.2.1, 1.2.3 is available for download and fixes a number of bugs.
Yes, pirates can work on a keygen, but if you do the algorithm correctly, they most likely will be forced to patch your code rather than just write a keygen. Of course, you can take the step of online activation like Sunbelt does.
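The "grab a text file from a web server" update check from the first step, as an added example that is not the post's own code, written in POSIX shell. The manifest format (one line: version, then the SHA-256 of the release file), the version numbers and the payload are assumptions made for the demo, and sha256sum is assumed to be available. It goes a little beyond the post in two ways a defender would want: it refuses any manifest that is not strictly newer than the installed version, and it refuses a release file whose hash does not match the manifest, which keeps the update channel from becoming a way to push stale or modified builds to users.

```shell
#!/bin/sh
# Added example, not the post's code: the "grab a text file from a web server"
# update check done defensively. The manifest is one line, "<version> <sha256>",
# fetched by whatever means (curl, the program itself); the client installs a
# release only if it is strictly newer than what is installed (so a captured
# old manifest cannot push users back to a buggy build) and only if the file's
# SHA-256 matches the manifest. Versions, hashes and payload are constructed.
set -eu

# Compare dotted numeric versions; prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing trailing components count as 0 (1.2 equals 1.2.0); any character
# other than digits and dots is rejected with exit status 2.
version_cmp() {
  a=$1; b=$2
  case "$a$b" in *[!0-9.]*) echo "malformed version" >&2; return 2;; esac
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case "$a" in *.*) a=${a#*.};; *) a='';; esac
    case "$b" in *.*) b=${b#*.};; *) b='';; esac
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return 0; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Decide whether to install. Prints the new version and returns 0 only when
# both gates pass; every other outcome returns 1 with a reason on stderr.
check_update() {
  installed=$1; manifest=$2; release_file=$3
  read -r new_version expected_hash < "$manifest" || return 1
  case "$(version_cmp "$new_version" "$installed" 2>/dev/null)" in
    1) ;;                                            # strictly newer: go on
    0|-1) echo "no update: manifest $new_version, installed $installed" >&2; return 1;;
    *) echo "malformed manifest version '$new_version'" >&2; return 1;;
  esac
  actual_hash=$(sha256sum "$release_file" | cut -d' ' -f1)
  if [ "$actual_hash" != "$expected_hash" ]; then
    echo "hash mismatch for $release_file, refusing to install" >&2
    return 1
  fi
  printf '%s\n' "$new_version"
}

# Demo with a constructed release file and three manifests: a genuine update,
# a stale one offering an older build, and one whose hash belongs to a
# different payload.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'constructed release payload\n' > "$DEMO/release.bin"
GOOD_HASH=$(sha256sum "$DEMO/release.bin" | cut -d' ' -f1)
OTHER_HASH=$(printf 'some other payload\n' | sha256sum | cut -d' ' -f1)
printf '1.2.3 %s\n' "$GOOD_HASH"  > "$DEMO/manifest.good"
printf '1.1.9 %s\n' "$GOOD_HASH"  > "$DEMO/manifest.downgrade"
printf '1.2.3 %s\n' "$OTHER_HASH" > "$DEMO/manifest.badhash"
for m in good downgrade badhash; do
  if v=$(check_update 1.2.1 "$DEMO/manifest.$m" "$DEMO/release.bin"); then
    echo "manifest.$m: install version $v"
  else
    echo "manifest.$m: rejected"
  fi
done
```

The version comparison is written out by hand rather than with `sort -V` so that it behaves the same on any POSIX shell; the downgrade gate is the part most home-grown updaters forget, and it is the one that matters once an old manifest has been captured.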
The above AC is right. On one hand, I have to be anal retentive about GPOs, mandatory roaming profiles, lack of USB ports, and smart card access to machines. This is not something I like. I get zero pleasure out of locking users out. However, I have to factor in not just user morale, but the fact that there is a lot of data sitting on the hard drives of servers that, if it made its way even 100 feet from where it's sitting physically, I would be facing prison time, and the company may be facing bankruptcy.
Solutions can be worked out. I made a DMZ, put a couple of terminal servers there, and the only inward-facing contact they have is a hole punched out from the internal network to port 3389 so users can RDP in, with limited user accounts and GPOs set to keep clipboard data from propagating to and from the terminal server. Now they have pretty much unfettered Web access, with a filter in place for obvious pornographic websites (so the company doesn't get sued due to sexual harassment charges).
Most users understand this, and are happy that they can alt-tab to an external browser that is isolated from sensitive internal data. Those that make a fuss about it are happy to contact management... the CEO's door is always open.
I think thin clients will be likely to take off this time around. First it was VT100s/3270s, then X stations, then Java stations, but in none of those times was data security so important. These days, it's hardcore prison time if data gets divulged, so a firm with sensitive data would be almost foolish to use standalone PCs compared to a cluster of terminal servers. Thin clients can't get malware on them (for the most part), and it's easier to maintain licenses because everything is on a cluster of machines. What is going to sell thin clients is not the tech, but what happens if one doesn't have them... punishment under SOX, HIPAA, or other laws if they are breached.
Unfortunately if it came down to that, that is what security cameras and criminal complaints are for.
In most companies, a capable IT team won't be dropping "page 12" references unless there is a good reason. Usually, if a user complains that IT won't "let them do their job" because they can't hook their iPod to a corporate network and wants to play hardball with IT, I can play hardball back and question why the user is so intent on getting around security policies for the protection of corporate data. Usually the user is sent back to his/her work area with the lines of page 12 highlighted by a manager so the user can review them.
As an IT worker myself, I don't let things escalate. I keep a log of how a user goes around protections, then I get the user and his first- and second-line managers into the boardroom with a pile of printouts of how the user is trying to dodge corporate policy. This is clearly stated in the employee manual: if someone is trying to hack around IT's policies, they become an ex-employee. I don't like being forced to lock everything down, but I have to, and almost all employees realize this and do not attempt to bypass these restrictions. Those who find it a challenge will have to explain their SSH tunnel to management, and possibly the local police if they are doing something which impacts company security as a whole.
Licenses need to be kept track of. When the BSA comes knocking, they want to see invoices, and will already be assuming the company is in violation and demanding a multi-thousand dollar "settlement". Every couple of days, I run a check to see what programs are installed on what computers, so that when audit time comes I can show that my company pays its dues.
An IT department isn't there just to make users happy. It's a factor, but IT has to guard assets that can go into the millions, billions, or even trillions if it's a large bank. So, keeping some Joe who wants to post about how they pwned some rogue in a World of Warcraft battleground happy is pretty much last on the list.
In a number of cases, a decent IT department can allow personal Web browsing without killing security. I lock down the computers on the desktops, but it's understandable that people need to visit sites outside the Web, so there is a secured Terminal Server box that any user can remote desktop to and browse the web on. Of course, they are prohibited from installing software, run as normal users and not administrators, access is blocked to obvious porn sites, and EFS is disabled, but this is far better than the alternative, nothing.
Great:
With the pic of the youngest child as wallpaper that someone copied onto their workstation came a screensaver with a keylogger. HIPAA or SOX compliance? Well, the workplace will be seeing big fines, and likely IT people will be seeing prison time.
Work is work, laws are laws, and they apply 24/7. An IT worker telling the SEC or a Federal judge that the breach happened off-hours, so the company was lax, won't get any mercy from the courts.
Lazy IT departments will end up dead on the side of the road sooner or later. It's not lack of a clue that forces them to make sure you don't plug your iPod into your workstation; it's not wanting to face Federal prison charges if data escapes.
Being a geek is OK... but if you work in various industries, there are more laws to follow because it's the industry's nature.
Please learn about the medical industry, and what bad things happen when people violate SOX, HIPAA, and other regulations.
Sales isn't the only revenue-generating mechanism in a company. When people forget this, it is like cutting all but one leg off a prize-winning race horse.
Sales just brings in new accounts. Customer service keeps the accounts happy, so they buy more. Manufacturing and shipping make sure that the product is shipped on time. Development ensures the product is updated with new features and older bugs fixed.
I have seen what happens with marketing, and when they start ruling the roost. Dev is forced to push out buggy crap, which means customer service gets punched in the face by angry customers, and all your good developers will start abandoning ship. Happy fun death spiral.
Sales/Marketing is important, but they need to be kept as reined in as the big-egoed developers who refuse to ship any code unless they think it's perfect (who cares about release dates, and the fact that the competition has support for feature "X" that the whole customer base is going to jump ship for). Good management can do this; bad management sits around and wonders why their stock is tanking while their sales people, who appear to make the income, stop having leads on new customers.
Much agreed. The iPhone is going to change cellular telephony on a fundamental scale, just like CDMA/TDMA/PCS in the late 1990s changed it from analog calling to high quality digital calls.
There is absolutely nothing that even comes close to this phone on the market. This is pretty much exactly like how iPods pushed everyone else out. In a couple years, there will be iPhones, and the iPhone wannabees forever trying to play catch up.
iPhone articles do belong on Slashdot. They are an important new technology, one which will eventually be in pretty much everyone's pocket (well, everyone but the would-be Luddites who stick with last year's stuff because they hate Apple) in a year or two, as soon as their existing cellular operator contracts expire. No tech gadget since the iPod deserves as much coverage as the iPhone. Give this phone a year or two, and people will be doing what they did with MP3 players -- calling any MP3 player an iPod because iPods are so universal.
I'm beginning to think these anti-DRM people are bordering on Ludditism, or just imitating the old guy on the porch cursing out "dem new-fangled contraptions" driving the roads. DRM is a fact of life, stops piracy, and ensures more music will be coming out. Without it, Apple's store might have 1/1000 the selection it has now, if they were lucky. To boot, most people never even bump into FairPlay DRM limits.
DRM is a necessary evil of modern society, just like red lights, searches at airports, and traffic jams. Deal with it.
What is so bad about that? It's not like a company is required to give its competition all its secrets. To boot, it's not like Apple's DRM is as bad as the other stuff out there, where one can't even burn the tracks to CD. If you don't like FairPlay, grab a nearby CD-RW, make and rip a playlist, import it back in as MP3 or whatever, and jam out.
Apparently the previous poster has bad or defective hardware.
Comparing a Mac to an HP laptop is comparing two different things. Even though the Mac is running on an x86 platform, it is not a PC. The premium that one pays is the hardware support to run a solid and time-tested OS which is virtually immune to malware or websites.
Yes, PC clones cost $800-$1000 less, but I don't mind the premium... can you put a price on data security and safety?
It appears the previous poster is uninformed, or just has plain never used a Mac, which is pretty common when the Microsofties descend to battle the latest and greatest from Apple. "I am a Mac Expert, but I prefer Windows... now where is the button to open the DVD-ROM drive tray?"
OSX is far more stable than Windows because it's based on a tried and true UNIX architecture. Security threats? I am willing to risk my job and say that for my intents and use, MacOS is pretty much 100% secure. Of course, nothing is 100% secure, but I'm almost willing to eat my LCD screen should someone be able to root my Mac from malformed CSS on a website. I have never seen an exploit for it in the wild, and any exploits found are patched within hours.