After reading a few Slashdot articles ago about ransomware, and given what can happen via hacking such devices, the last thing I want is more of my home-based devices going online. The last thing I want is for my IoT thermostat (of which many exist already) to get hacked. I can see the thermostat's screen now...
"We turned your thermostat up to 85 degrees and you can't change it. We want $5000 worth of Bitcoins in 72 hours--or we find out if your furnace perpetually on full-blast will burn your house down. Think we're kidding? We also know that you have an [some brand name] WebOS-based TV (it was easy--the IP address was the same as your thermostat) and an [some brand name] Android-based refrigerator that we also pwned. In 24 hours fridge will be set to 50 degrees spoiling your food, and in 48 hours your TV will be permanently stuck showing random videos from Xtube. So, your only options are to pay us or cut off power to your house--but when it comes back on, we still own your pwned devices! Good luck replacing the devices we pwned but didn't mention here... TIMER: 71:59:59...71:59:58...71:59:57......."
Seriously, I'm not for government regulation in a competitive landscape, but such devices, especially given their manufacturers will abandon writing security updates for them--6 months after the new model comes out, are ticking time bombs... I'm not about to replace my oven, furnace, dryer, refrigerator, thermostat, dishwasher, home security system, TV, toaster, and toilets every 3-5 years because someone thinks such devices should be IoT and wants to gather even more "big data" about me...
If you do mean getting a 1099 for the "loss", then you're wrong. Getting 1099'd (1099A or 1099C) is dischargeable in bankruptcy, even if you get the 1099 after you're discharged. All you do is file Form 982 with your taxes and it's gone. (Of course, IANAA - I am not an Accountant...) I filed BK7 in 2011, got discharged in 2012, and had a property foreclosed on that was discharged, and got a 1099-C in 2013. The full amount of the 1099-C was not considered income on my 2013 taxes (filed & payable in 2014...)
And who isn't to say that, as part of the hack, once they found someone high enough with the right credentials, they didn't create a couple of AD accounts? In mid-size organizations, identity management is dealing with thousands of accounts, having to create numerous exceptions for specific people and applications (oh, this Task Scheduler task can't allow for the account to change--and it needs super-duper-Admin rights to these particular servers; this Windows Service that runs on the production CRM server can't change password). So, a hacker could just hide some new accounts with fake descriptions for applications in-house (e.g. "SQL-Salesforce sync"), give them super rights even allowing for password changes, and presto... Or worse, pick such a valid account and start adding servers it has rights to. Security by Obscurity (ironically on the security platform).
The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.
But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low end PC, wirelessly connect it to the corporate network, and volia! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.
But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be brow-beat by a company like Sony into disabling phone home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...
I wouldn't be surprised if someone at Sony were responsible for sending this email as a false-flag operation.
False-flag operation or not, that's a crime. If someone within Sony (or hired by Sony--e.g. their cybersecurity contractor) sent such an e-mail, that person is doing the equivalent of "screaming 'fire' in a crowded theater, when there is no fire". Not protected by free-speech and that person should be criminally charged with a felony.
Explain how airgapping doesn't make you immune to Windows Updates? If your PC can't talk to Microsoft, and unless you're going old-school sneakernet with flash drives, how is it going to get updates? Most Windows updates solve some sort of security hole, usually caused by the execution of malicious software or some sort of security hole that's exploitable from the Internet. Take away "the Internet" and lock down what people can execute on their PCs within "the island" and problem solved. Yes, you now have a known unpatched security hole--but one that can't be exploited without access to the Internet. No malicious links, attachments, unauthorized software, browser toolbars, etc. Just people using limited specific software & specific versions on (for example) Windows 7-SP1.
As has been proven by Stuxnet and this breach, unlimited state-sponsored funds ALWAYS beats "networks with layered protection". Big-name companies that spend shitloads of money on security still get breached. 15+ years of "breeding a culture of corporate security" also hasn't worked. But if you require the network to have a physical presence, then you've eliminated your primary attack vector.
So how did companies handle such networks 20+ years ago, where employees in "other offices" (cities, other locations in the same city, etc.) could access files, databases, etc., without any vector out to the Internet? Wouldn't be that hard to create a disconnected network island "war room" in each office--disconnect some ports & buy new routers. The real issue ultimately becomes that you now might want to consider multiple such air-gappped networks (e.g. R&D, HR, Finance, etc.)
I have to assume that data breaches are much worse cost... This one has lost sales, lost goodwill, lawsuits, potential government fines (e.g. HR data), network design changes, etc. Even a $10 million air-gapped network would have been a bargain compared to this mess...
I'm still waiting for a massive Salesforce data breach... That'll be interesting when it happens.
With all the state-sponsored corporate & military espionage caused by China & Russia, with the never-ending probes from government agencies like the NSA/DHS/GCHQ/etc., with malware & ransomware attacks that can encrypt data in (generally) unbreakable forms, with criminal hacking organizations making off with millions of credit card numbers from retailers, with apparently no network controls as to how much data leaves company firewalls & where it goes, and so on, why aren't there more internal air-gapped networks in companies???
This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solves 2 problems and but makes a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.
It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.
And you know this, how??? We all know that it should happen this way, but we have no way of knowing for sure whether that's the case. If my IoT thermostat gets hacked & reprogrammed to burn my house down, which is connected to my IoT furnace, how do I know that the IoT furnace a) hasn't also been hacked, b) even has the requisite hardware you speak of?
But you've made your job that much harder... Think about it. Trying to save a few bucks by merging x-number of available jobs into one job post, where you don't make it obvious that you're hiring for multiple people where each needs SOME of the skills (which you probably can't do because of job site ToS--they probably require you to post each job as one post), you're confusing many of your applicants into thinking you're looking for a "batshit crazy" skillset. Look at the other replies above--most people think that a crazy list of skills under one post is for one insane & underpaid job.
Even the best candidates for a specific skillset wonder "what up with this role?", and you don't hear from them...
So, as I've been in the market for a few months, I'm finding that many of the jobs that glossed over me a few months ago are coming across again... Whether it be a recruiter contacting me (I remember applying for this a while back), a new posting on the company's job search portal of choice (they changed 5 words in the job description), or even a new approach (look, now they're recruiting from my MBA school for this position)... Needless to say, it's infuriating.
Sure, I recognize that I only have 85% of what you're looking for in terms of a skillset; or that you want to pay $5000/year less than my absolute salary floor... But if that job has been open for 3-6 months, the damage caused by it being open (presumably because someone left, and now there's a void that everyone else on the team is not really able to fill) has far exceeded whatever small training costs or whatever you would have to spend on me...
Another issue is that too many companies are still thinking it's the financial crisis, when new recruits were happy to accept 50% cuts in salary to avoid foreclosure or vehicle repossession. This was best described to me by one recruiter--"three asses, one seat". While I've seen some absolutely batshit JDs (where 2 people in the country might have all of these skills), I recently saw one that pissed me off... A company wanted someone who was a SQL Server DBA/BI stack/TSQL & reporting guru, an Oracle DBA/PL-SQL programmer, and a Linux server manager in downtown Chicago--for $95k/year. Good luck finding such a person, with competing technologies, for less than double that...
Another problem that I'm finding is that some jobs are sub-sub-contracted out. I recently saw one in Chicago that needed expert experience in Informatica MDM. Max pay was $46/hr W2. Turns out that MegaCorp contracted out to CompanyX who opened up to numerous companies, CompanyY contacted me with this max rate, asking me to be an employee of CompanyY. My convo w/recruiter: "So everybody has their hands in the cookie jar, and there's nothing left for the guy who's actually doing the work?--What do you mean?--Well, someone with that skillset should be in the $75-100/hr range, but since 2 levels above want to keep their 100% profit margin, $50 becomes $100 and $100 becomes $200, which MegaCorp is probably being billed somewhere around there..."
Finally, don't get me started on "the foreigners"... It seems the boiler-room stock antics of the '80s and '90s have moved offshore, where in some cases I get calls from multiple people about the same job from the same company... They're all in a feeding frenzy, just trying to be the first to pass along my authorization to represent--never mind that I may not be qualified for the role in question. (One conversation went like this... "Well, where in Chicagoland is the job?--Let me submit you and I'll tell you.--You mean you won't tell me where the job is until I agree to let you represent me? It could be an impossible commute...--I need to submit you first...--Fuck off...")
And just to add to it, the article's author fucked up, mixing up flashes from red light cams (usually people making a right turn on red without a complete stop), while speaking about the revenue from speed cams.
I live in Chicago... Read TFA--not red light cams, but SPEED CAMERAS!
First off, because of state law, the speed cameras can only issue a ticket for going 6+ over the limit. So, 25 in a 20 school zone, or 35 in a 30 "near a park" zone is OK. Second, the 6-10 MPH over the limit is a $35 ticket. BFD. Only when you do 11+ over the limit (e.g. 41 in a 30), that's when it shoots up to $100. Finally, speed cameras are NOT allowed on Lake Shore Drive, Lower Wacker, and (obviously) Interstates.
On top of that, because of state law, the city had to paint "SAFETY... ZONE" on the street in each lane, along with putting up extra speed limit signs with "PHOTO ENFORCED", by every camera installation, on that street and on all intersecting streets...
Pass a law saying car companies must have recall information easily accessible on the web.
Just looking up Toyota, Ford, and GM (all USA), each allows you to go to their respective websites and type in a VIN to let you know if there's a recall associated with your vehicle... So while there isn't a law to that effect, they already have this. If you're too lazy to go to the manufacturer's site to look up your vehicle by VIN for the 1 or 2 vehicles you may own, either from the government or the manufacturer, then I don't know what else can be done. This is on top of the paper mail and e-mails you are likely getting. And on top of any lawyer ads you might see on TV--"Are you injured? [Automaker] had many recalls... Sue them!"
Seriously, cloud based backup is not the panacea you want to believe that it is. Think about it... With "unlimited storage for $5/mo", how does a company like BackBlaze have any viability? Right now, if you were to store 10TB of data (which has been thrown around in some of the other posts), their ROI is insanely high. Even if they went cheap and bought SATA 3.5" drives, a 4TB drive (on Pricewatch) will run $118, or $28.3167/TB. Let's say they can buy drives in bulk at $25/TB, 10TB would cost them $250 worth of equipment. At $5/month, their break-even point is at 50+ months--and that's assuming NPV is not important...
Now, let's throw in Visa/MC charge fees, bandwidth costs, additional hardware for RAID, office overhead, other equipment, legal / NSA requests / DMCA takedowns, etc., and the simple ROI of 50+ months easily balloons to 100+ months--if not out to infinity. There's no way a company like that is viable at current media prices, especially since your data is available on-demand (e.g. no delays for their tape to transfer to HD media)...
Viability of your backup solution is just as important whether it's longevity of tape & a physical drive you actually buy or the business plan of a cloud-based option.
I can confirm that Windows 8.1 x86 on 2GB RAM runs great--even on a 5-year old netbook. I loaded Win 8.1 Pro on a 2009-era Dell Inspiron Mini 9 (it had a now-unsupported XP) with an x86-only hyperthreaded Atom processor & IDE SSD--and it flies. I even put a new Intel 802.11ac WiFi-Bluetooth miniPCI card in it. I can't use Metro apps (1024x600 screen doesn't meet Metro's 1024x768 requirement, darn it), but after loading Start8, I don't care. I have a very portable little desktop machine that flies with Office 2010, Firefox, etc.
My only complaints are that Chrome actually performs quite poorly on sites with heavy AJAX (specifically Yahoo Mail), and that Flash is better off left not installed (darn). But Firefox appears to be much better optimized for low-end hardware, so I just use Firefox with no Flash.
In addition, the "monthly updates" are generally security fixes that exists to solve a security hole--where proper interaction with the component shouldn't cause problems before or after the applied fix. They generally solve one security problem within the component (e.g. buffer overflow at xxxxxxxxxxxxxx when called by yyyyyyyyyyyyyyy). That's why they've generally been trouble-free. Microsoft has recently gone on-record stating that Patch Tuesday will now be getting more such non-security feature updates, and they won't be optional.
Generally speaking, old-school Service Packs were both the bundling of hotfixes and new kernel-level features (e.g. USB 3.0, 4K drive sectors, UEFI support, etc.). In the world of Win7 and lower, Patch Tuesday was generally limited to security fixes and parameter changes (e.g. daylight savings time changes). Microsoft would also make available optional updates to Windows components (Internet Explorer, Media Player, etc.) that you could apply as desired.
This model isn't true with Win8.x. They're putting out kernel/feature updates every few months, trying to appear more Agile. A few months back, there was a mini-furor over Update 1 in that you had 30 days to test & apply it to your systems, or get no new updates. There was no beta of the release code that administrators could test ahead of time, as was customary with Service Packs. Some users flipped--specifically companies. Microsoft backed down a teeny bit, but only offered to create a branch for those who wanted to hold off on Update 1--for one extra Patch Tuesday cycle (4-5 weeks).
This is a perfect example of why Microsoft should go back to doing Service Packs and not these seemingly random "feature updates" that have become the norm with Windows 8.x and Office 2013 (non-MSI / "click to install"). There's no standard codebase anymore and feature updates are just being installed willy-nilly, with no real support window for delayed installations. (At least with a SP, you had a year to test & work around a problem before MS pulled the support plug). This is another reason why companies don't want Win8.x--kernel-level updates with only a few days warning. (Articles were still talking about "Windows 8.1 Update 2" as recently as 2 weeks prior to August's Patch Tuesday). I'd hate to be an NT administrator fretting over all my 2012R2 installations right now.
Instead of getting a SP for Windows 8, we now have 8.1. Instead of getting SPs for Windows 8.1, we now have 8.1 Update 1 and 8.1 August Update. We have updates that come through the "Store" app. This is one of the reasons (granted, not the primary one) why the uptake of Windows 8.x is now slower than Vista's uptake some ~2 years post-RTM, and why Windows 7 is gaining market share, at the expense of XP and Vista. Companies don't want this model and the headaches that go along with it.
So, for Win9, just go back to a Service Pack model and make everybody happy. Yes, SPs cost a lot of money to put out, and yes MS ends up looking old-school, but the rigor with testing is (presumed to be) significantly higher than some rushed, "little" update. Windows 8.x is broken, and Microsoft keeps pitching a newer, faster cycle of feature updates, but this just proves they are incapable of properly handling such a model... Microsoft: you are not Apple, and you don't have to try to emulate them.
As for myself, so far my two Win8.1 installations (one x86, one x64) and one of 2012R2 in a VM are not showing problems from these updates... But I have only myself to blame for not waiting a few extra days. Of course, now MS will have to come up with an out-of-band fix (with even less testing) within the next ~3 weeks or will have to have 2 sets of patches for September's Patch Tuesday--one for those who haven't uninstalled these updates and one for those who have. Pure stupidity...
Seriously, Microsoft... Internet Explorer has cost the company & its shareholders BILLIONS (wages, lawsuit settlements, DOJ/EU investigations, royalties, partnerships (e.g. AOL), etc.), yet made it $0 in income. If it wasn't for Bill Gates' inflated ego back in the mid-90s against Netscape, and if Microsoft would have partnered with a company like Netscape (back then) or Mozilla/Google/Opera (now), they would be in even better financial shape than they are in...
Sure, one can argue that MSN made a lot of money because it was the default homepage on IE, but MSN would have made the same amount of money if Microsoft bundled Netscape with Windows & set MSN as the default page--and would have pushed off all the R&D and risks onto a 3rd party. But no--almost 20 years later, we're still dealing with the hangover of those decisions. Business students should be doing case studies on the MS-IE debacle...
So, Microsoft, please deprecate IE!!! Do the world, and especially your shareholders, a favor. Stop at IE11. You've proven that you can deprecate things and support them on newer OSes (e.g. Jet/ACE). And since you'll need an HTML engine in future OSes (e.g. HTML Help, etc.), throw some money at Firefox (or Google, Opera, etc.) and force all "newer" internally developed programs (e.g. Visual Studio) to call this engine--while "older" apps stick with the deprecated engine (which still receives security updates) and/or are moved to the newer one over time... IE and its engine becomes a legacy feature and be done with it.
But, alas, the inflated IE ego syndrome still permeates within Microsoft...
Save money on Verizon or save money on things marketers want you to buy? What's the difference--if you're still saving $$$?
Imagine a brave new world where you walk into a Whole Foods and the "VZWAds" app pops-up a coupon for $0.50 off a $4.99 gallon of "365" brand milk, $0.30 off some couscous, and $1 off the pre-made food bar (minimum $15 purchase) for lunch? You needed milk, have no idea how to cook couscous, and you were getting hungry for lunch--but $15 worth of pre-made food is a lot, even at Whole Foods... After using that coupon, and scarfing down your huge lunch, you get another popup that gives you $0.50 off a Starbucks "mocho-choco-latte-cremo-supremo" venti-sized drink--but, HURRY, only if you buy one within the next 30 minutes at the Starbucks right next to Whole Foods! You've never had that type of drink, but the discounted price makes it worth trying! Then, the cloud concludes that you're probably low on cat food, since you last bought 36 cans a few weeks ago, so the app pops up yet another $0.50 coupon, this time for cat food at PetSmart! And all of these places are in the same strip mall...
I agree--I just don't see how this is the case. Sure, one person's Cleartype settings would be different from another's, so are we saying that the exact subpixel rendering is calculated? The article also mentions fonts installed... So, if I add a font, or a font like Arial Unicode gets updated (e.g. install a new version of MS-Office), my CANVAS fingerprint is now different/broken?
The claim of 90% accuracy for PCs is shockingly, quite high... But if tablets & mobile devices have problems with this and PCs don't, something don't smell right. So, is this trick working on a somehow poor implementation of CANVAS--that somehow creates different images on different PCs--but the same image on the same PC? What about a PC running Firefox vs. the same PC running Firefox in a VM (same OS or different OS)?
Slashdot Mirror
After reading a few Slashdot articles ago about ransomware, and given what can happen via hacking such devices, the last thing I want is more of my home-based devices going online. The last thing I want is for my IoT thermostat (of which many exist already) to get hacked. I can see the thermostat's screen now...
"We turned your thermostat up to 85 degrees and you can't change it. We want $5000 worth of Bitcoins in 72 hours--or we find out if your furnace perpetually on full-blast will burn your house down. Think we're kidding? We also know that you have an [some brand name] WebOS-based TV (it was easy--the IP address was the same as your thermostat) and an [some brand name] Android-based refrigerator that we also pwned. In 24 hours fridge will be set to 50 degrees spoiling your food, and in 48 hours your TV will be permanently stuck showing random videos from Xtube. So, your only options are to pay us or cut off power to your house--but when it comes back on, we still own your pwned devices! Good luck replacing the devices we pwned but didn't mention here... TIMER: 71:59:59...71:59:58...71:59:57......."
Seriously, I'm not for government regulation in a competitive landscape, but such devices, especially given their manufacturers will abandon writing security updates for them--6 months after the new model comes out, are ticking time bombs... I'm not about to replace my oven, furnace, dryer, refrigerator, thermostat, dishwasher, home security system, TV, toaster, and toilets every 3-5 years because someone thinks such devices should be IoT and wants to gather even more "big data" about me...
If you do mean getting a 1099 for the "loss", then you're wrong. Getting 1099'd (1099A or 1099C) is dischargeable in bankruptcy, even if you get the 1099 after you're discharged. All you do is file Form 982 with your taxes and it's gone. (Of course, IANAA - I am not an Accountant...) I filed BK7 in 2011, got discharged in 2012, and had a property foreclosed on that was discharged, and got a 1099-C in 2013. The full amount of the 1099-C was not considered income on my 2013 taxes (filed & payable in 2014...)
And who isn't to say that, as part of the hack, once they found someone high enough with the right credentials, they didn't create a couple of AD accounts? In mid-size organizations, identity management is dealing with thousands of accounts, having to create numerous exceptions for specific people and applications (oh, this Task Scheduler task can't allow for the account to change--and it needs super-duper-Admin rights to these particular servers; this Windows Service that runs on the production CRM server can't change password). So, a hacker could just hide some new accounts with fake descriptions for applications in-house (e.g. "SQL-Salesforce sync"), give them super rights even allowing for password changes, and presto... Or worse, pick such a valid account and start adding servers it has rights to. Security by Obscurity (ironically on the security platform).
The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.
But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low end PC, wirelessly connect it to the corporate network, and volia! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.
But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be brow-beat by a company like Sony into disabling phone home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...
Brian Krebs got one, reported on it, and was kind enough to post it for the world to see Sony for their true colors...
Article: http://krebsonsecurity.com/201...
Demand Letter: http://krebsonsecurity.com/wp-...
I can hear Barbara Streisand's voice now... (Well, what I hear is "her" voice from the Mecha-Streisand "South Park" episode...)
I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...
I wouldn't be surprised if someone at Sony were responsible for sending this email as a false-flag operation.
False-flag operation or not, that's a crime. If someone within Sony (or hired by Sony--e.g. their cybersecurity contractor) sent such an e-mail, that person is doing the equivalent of "screaming 'fire' in a crowded theater, when there is no fire". Not protected by free-speech and that person should be criminally charged with a felony.
Explain how airgapping doesn't make you immune to Windows Updates? If your PC can't talk to Microsoft, and unless you're going old-school sneakernet with flash drives, how is it going to get updates? Most Windows updates solve some sort of security hole, usually caused by the execution of malicious software or some sort of security hole that's exploitable from the Internet. Take away "the Internet" and lock down what people can execute on their PCs within "the island" and problem solved. Yes, you now have a known unpatched security hole--but one that can't be exploited without access to the Internet. No malicious links, attachments, unauthorized software, browser toolbars, etc. Just people using limited specific software & specific versions on (for example) Windows 7-SP1.
As has been proven by Stuxnet and this breach, unlimited state-sponsored funds ALWAYS beats "networks with layered protection". Big-name companies that spend shitloads of money on security still get breached. 15+ years of "breeding a culture of corporate security" also hasn't worked. But if you require the network to have a physical presence, then you've eliminated your primary attack vector.
So how did companies handle such networks 20+ years ago, where employees in "other offices" (cities, other locations in the same city, etc.) could access files, databases, etc., without any vector out to the Internet? Wouldn't be that hard to create a disconnected network island "war room" in each office--disconnect some ports & buy new routers. The real issue ultimately becomes that you now might want to consider multiple such air-gappped networks (e.g. R&D, HR, Finance, etc.)
I have to assume that data breaches are much worse cost... This one has lost sales, lost goodwill, lawsuits, potential government fines (e.g. HR data), network design changes, etc. Even a $10 million air-gapped network would have been a bargain compared to this mess...
I'm still waiting for a massive Salesforce data breach... That'll be interesting when it happens.
With all the state-sponsored corporate & military espionage caused by China & Russia, with the never-ending probes from government agencies like the NSA/DHS/GCHQ/etc., with malware & ransomware attacks that can encrypt data in (generally) unbreakable forms, with criminal hacking organizations making off with millions of credit card numbers from retailers, with apparently no network controls as to how much data leaves company firewalls & where it goes, and so on, why aren't there more internal air-gapped networks in companies???
This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solves 2 problems and but makes a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.
It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.
And you know this, how??? We all know that it should happen this way, but we have no way of knowing for sure whether that's the case. If my IoT thermostat gets hacked & reprogrammed to burn my house down, which is connected to my IoT furnace, how do I know that the IoT furnace a) hasn't also been hacked, b) even has the requisite hardware you speak of?
Read up on the Therac-25 incidents of the 1980s... http://en.wikipedia.org/wiki/T...
But you've made your job that much harder... Think about it. Trying to save a few bucks by merging x-number of available jobs into one job post, where you don't make it obvious that you're hiring for multiple people where each needs SOME of the skills (which you probably can't do because of job site ToS--they probably require you to post each job as one post), you're confusing many of your applicants into thinking you're looking for a "batshit crazy" skillset. Look at the other replies above--most people think that a crazy list of skills under one post is for one insane & underpaid job.
Even the best candidates for a specific skillset wonder "what up with this role?", and you don't hear from them...
So, as I've been in the market for a few months, I'm finding that many of the jobs that glossed over me a few months ago are coming across again... Whether it be a recruiter contacting me (I remember applying for this a while back), a new posting on the company's job search portal of choice (they changed 5 words in the job description), or even a new approach (look, now they're recruiting from my MBA school for this position)... Needless to say, it's infuriating.
Sure, I recognize that I only have 85% of what you're looking for in terms of a skillset; or that you want to pay $5000/year less than my absolute salary floor... But if that job has been open for 3-6 months, the damage caused by it being open (presumably because someone left, and now there's a void that everyone else on the team is not really able to fill) has far exceeded whatever small training costs or whatever you would have to spend on me...
Another issue is that too many companies are still thinking it's the financial crisis, when new recruits were happy to accept 50% cuts in salary to avoid foreclosure or vehicle repossession. This was best described to me by one recruiter--"three asses, one seat". While I've seen some absolutely batshit JDs (where 2 people in the country might have all of these skills), I recently saw one that pissed me off... A company wanted someone who was a SQL Server DBA/BI stack/TSQL & reporting guru, an Oracle DBA/PL-SQL programmer, and a Linux server manager in downtown Chicago--for $95k/year. Good luck finding such a person, with competing technologies, for less than double that...
Another problem that I'm finding is that some jobs are sub-sub-contracted out. I recently saw one in Chicago that needed expert experience in Informatica MDM. Max pay was $46/hr W2. Turns out that MegaCorp contracted out to CompanyX who opened up to numerous companies, CompanyY contacted me with this max rate, asking me to be an employee of CompanyY. My convo w/recruiter: "So everybody has their hands in the cookie jar, and there's nothing left for the guy who's actually doing the work?--What do you mean?--Well, someone with that skillset should be in the $75-100/hr range, but since 2 levels above want to keep their 100% profit margin, $50 becomes $100 and $100 becomes $200, which MegaCorp is probably being billed somewhere around there..."
Finally, don't get me started on "the foreigners"... It seems the boiler-room stock antics of the '80s and '90s have moved offshore, where in some cases I get calls from multiple people about the same job from the same company... They're all in a feeding frenzy, just trying to be the first to pass along my authorization to represent--never mind that I may not be qualified for the role in question. (One conversation went like this... "Well, where in Chicagoland is the job?--Let me submit you and I'll tell you.--You mean you won't tell me where the job is until I agree to let you represent me? It could be an impossible commute...--I need to submit you first...--Fuck off...")
And just to add to it, the article's author fucked up, mixing up flashes from red light cams (usually people making a right turn on red without a complete stop), while speaking about the revenue from speed cams.
First off, because of state law, the speed cameras can only issue a ticket for going 6+ over the limit. So, 25 in a 20 school zone, or 35 in a 30 "near a park" zone is OK. Second, the 6-10 MPH over the limit is a $35 ticket. BFD. Only when you do 11+ over the limit (e.g. 41 in a 30), that's when it shoots up to $100. Finally, speed cameras are NOT allowed on Lake Shore Drive, Lower Wacker, and (obviously) Interstates.
On top of that, because of state law, the city had to paint "SAFETY ... ZONE" on the street in each lane, along with putting up extra speed limit signs with "PHOTO ENFORCED", by every camera installation, on that street and on all intersecting streets...
Pass a law saying car companies must have recall information easily accessible on the web.
Just looking up Toyota, Ford, and GM (all USA), each allows you to go to their respective websites and type in a VIN to let you know if there's a recall associated with your vehicle... So while there isn't a law to that effect, they already have this. If you're too lazy to go to the manufacturer's site to look up your vehicle by VIN for the 1 or 2 vehicles you may own, either from the government or the manufacturer, then I don't know what else can be done. This is on top of the paper mail and e-mails you are likely getting. And on top of any lawyer ads you might see on TV--"Are you injured? [Automaker] had many recalls... Sue them!"
...nobody.
Seriously, cloud based backup is not the panacea you want to believe that it is. Think about it... With "unlimited storage for $5/mo", how does a company like BackBlaze have any viability? Right now, if you were to store 10TB of data (which has been thrown around in some of the other posts), their ROI is insanely high. Even if they went cheap and bought SATA 3.5" drives, a 4TB drive (on Pricewatch) will run $118, or $28.3167/TB. Let's say they can buy drives in bulk at $25/TB, 10TB would cost them $250 worth of equipment. At $5/month, their break-even point is at 50+ months--and that's assuming NPV is not important...
Now, let's throw in Visa/MC charge fees, bandwidth costs, additional hardware for RAID, office overhead, other equipment, legal / NSA requests / DMCA takedowns, etc., and the simple ROI of 50+ months easily balloons to 100+ months--if not out to infinity. There's no way a company like that is viable at current media prices, especially since your data is available on-demand (e.g. no delays for their tape to transfer to HD media)...
Viability of your backup solution is just as important whether it's longevity of tape & a physical drive you actually buy or the business plan of a cloud-based option.
I can confirm that Windows 8.1 x86 on 2GB RAM runs great--even on a 5-year old netbook. I loaded Win 8.1 Pro on a 2009-era Dell Inspiron Mini 9 (it had a now-unsupported XP) with an x86-only hyperthreaded Atom processor & IDE SSD--and it flies. I even put a new Intel 802.11ac WiFi-Bluetooth miniPCI card in it. I can't use Metro apps (1024x600 screen doesn't meet Metro's 1024x768 requirement, darn it), but after loading Start8, I don't care. I have a very portable little desktop machine that flies with Office 2010, Firefox, etc.
My only complaints are that Chrome actually performs quite poorly on sites with heavy AJAX (specifically Yahoo Mail), and that Flash is better off left not installed (darn). But Firefox appears to be much better optimized for low-end hardware, so I just use Firefox with no Flash.
In addition, the "monthly updates" are generally security fixes that exists to solve a security hole--where proper interaction with the component shouldn't cause problems before or after the applied fix. They generally solve one security problem within the component (e.g. buffer overflow at xxxxxxxxxxxxxx when called by yyyyyyyyyyyyyyy). That's why they've generally been trouble-free. Microsoft has recently gone on-record stating that Patch Tuesday will now be getting more such non-security feature updates, and they won't be optional.
Generally speaking, old-school Service Packs were both the bundling of hotfixes and new kernel-level features (e.g. USB 3.0, 4K drive sectors, UEFI support, etc.). In the world of Win7 and lower, Patch Tuesday was generally limited to security fixes and parameter changes (e.g. daylight savings time changes). Microsoft would also make available optional updates to Windows components (Internet Explorer, Media Player, etc.) that you could apply as desired.
This model isn't true with Win8.x. They're putting out kernel/feature updates every few months, trying to appear more Agile. A few months back, there was a mini-furor over Update 1 in that you had 30 days to test & apply it to your systems, or get no new updates. There was no beta of the release code that administrators could test ahead of time, as was customary with Service Packs. Some users flipped--specifically companies. Microsoft backed down a teeny bit, but only offered to create a branch for those who wanted to hold off on Update 1--for one extra Patch Tuesday cycle (4-5 weeks).
This is a perfect example of why Microsoft should go back to doing Service Packs and not these seemingly random "feature updates" that have become the norm with Windows 8.x and Office 2013 (non-MSI / "click to install"). There's no standard codebase anymore and feature updates are just being installed willy-nilly, with no real support window for delayed installations. (At least with a SP, you had a year to test & work around a problem before MS pulled the support plug). This is another reason why companies don't want Win8.x--kernel-level updates with only a few days warning. (Articles were still talking about "Windows 8.1 Update 2" as recently as 2 weeks prior to August's Patch Tuesday). I'd hate to be an NT administrator fretting over all my 2012R2 installations right now.
Instead of getting a SP for Windows 8, we now have 8.1. Instead of getting SPs for Windows 8.1, we now have 8.1 Update 1 and 8.1 August Update. We have updates that come through the "Store" app. This is one of the reasons (granted, not the primary one) why the uptake of Windows 8.x is now slower than Vista's uptake some ~2 years post-RTM, and why Windows 7 is gaining market share, at the expense of XP and Vista. Companies don't want this model and the headaches that go along with it.
So, for Win9, just go back to a Service Pack model and make everybody happy. Yes, SPs cost a lot of money to put out, and yes MS ends up looking old-school, but the rigor with testing is (presumed to be) significantly higher than some rushed, "little" update. Windows 8.x is broken, and Microsoft keeps pitching a newer, faster cycle of feature updates, but this just proves they are incapable of properly handling such a model... Microsoft: you are not Apple, and you don't have to try to emulate them.
As for myself, so far my two Win8.1 installations (one x86, one x64) and one of 2012R2 in a VM are not showing problems from these updates... But I have only myself to blame for not waiting a few extra days. Of course, now MS will have to come up with an out-of-band fix (with even less testing) within the next ~3 weeks or will have to have 2 sets of patches for September's Patch Tuesday--one for those who haven't uninstalled these updates and one for those who have. Pure stupidity...
Seriously, Microsoft... Internet Explorer has cost the company & its shareholders BILLIONS (wages, lawsuit settlements, DOJ/EU investigations, royalties, partnerships (e.g. AOL), etc.), yet made it $0 in income. If it wasn't for Bill Gates' inflated ego back in the mid-90s against Netscape, and if Microsoft would have partnered with a company like Netscape (back then) or Mozilla/Google/Opera (now), they would be in even better financial shape than they are in...
Sure, one can argue that MSN made a lot of money because it was the default homepage on IE, but MSN would have made the same amount of money if Microsoft bundled Netscape with Windows & set MSN as the default page--and would have pushed off all the R&D and risks onto a 3rd party. But no--almost 20 years later, we're still dealing with the hangover of those decisions. Business students should be doing case studies on the MS-IE debacle...
So, Microsoft, please deprecate IE!!! Do the world, and especially your shareholders, a favor. Stop at IE11. You've proven that you can deprecate things and support them on newer OSes (e.g. Jet/ACE). And since you'll need an HTML engine in future OSes (e.g. HTML Help, etc.), throw some money at Firefox (or Google, Opera, etc.) and force all "newer" internally developed programs (e.g. Visual Studio) to call this engine--while "older" apps stick with the deprecated engine (which still receives security updates) and/or are moved to the newer one over time... IE and its engine becomes a legacy feature and be done with it.
But, alas, the inflated IE ego syndrome still permeates within Microsoft...
Save money on Verizon or save money on things marketers want you to buy? What's the difference--if you're still saving $$$?
Imagine a brave new world where you walk into a Whole Foods and the "VZWAds" app pops-up a coupon for $0.50 off a $4.99 gallon of "365" brand milk, $0.30 off some couscous, and $1 off the pre-made food bar (minimum $15 purchase) for lunch? You needed milk, have no idea how to cook couscous, and you were getting hungry for lunch--but $15 worth of pre-made food is a lot, even at Whole Foods... After using that coupon, and scarfing down your huge lunch, you get another popup that gives you $0.50 off a Starbucks "mocho-choco-latte-cremo-supremo" venti-sized drink--but, HURRY, only if you buy one within the next 30 minutes at the Starbucks right next to Whole Foods! You've never had that type of drink, but the discounted price makes it worth trying! Then, the cloud concludes that you're probably low on cat food, since you last bought 36 cans a few weeks ago, so the app pops up yet another $0.50 coupon, this time for cat food at PetSmart! And all of these places are in the same strip mall...
Just thing of the possibilities!
I agree--I just don't see how this is the case. Sure, one person's Cleartype settings would be different from another's, so are we saying that the exact subpixel rendering is calculated? The article also mentions fonts installed... So, if I add a font, or a font like Arial Unicode gets updated (e.g. install a new version of MS-Office), my CANVAS fingerprint is now different/broken?
The claim of 90% accuracy for PCs is shockingly, quite high... But if tablets & mobile devices have problems with this and PCs don't, something don't smell right. So, is this trick working on a somehow poor implementation of CANVAS--that somehow creates different images on different PCs--but the same image on the same PC? What about a PC running Firefox vs. the same PC running Firefox in a VM (same OS or different OS)?