Slashdot Mirror


User: mother_reincarnated

mother_reincarnated's activity in the archive.

Stories: 0
Comments: 139

Comments · 139

  1. Re:No charge on Claimed US Military Wikileaks Source Arrested · · Score: 1

    Troll or not, there's probably a reason he's being detained in Kuwait instead of one of our fine Federal cities in the U.S. I'll give you a hint - it isn't the great sand and sun they want him in Kuwait for.

    Ok, first, he's probably being held in Kuwait because he was stationed in Iraq at the time he was taken into custody. I really don't think it's for the reasons you think it is.

    More importantly the OP asked why he was held without charge, not held in Kuwait, ok?

  2. Re:No charge on Claimed US Military Wikileaks Source Arrested · · Score: 1

    Only on /. can one seriously answer an AC's question and be modded a troll.

  3. Re:No charge on Claimed US Military Wikileaks Source Arrested · · Score: 4, Insightful

    FFS This isn't "Informative" it's being a "Troll."

    This perp is in the military- there is absolutely no need for the "2006 military commission act." He VOLUNTARILY put himself under the UCMJ.

  4. Re:No charge on Claimed US Military Wikileaks Source Arrested · · Score: 1, Interesting

    Because they're doing a proper investigation first. This isn't a civilian under the jurisdiction of normal criminal laws.

    Would you not agree that given the nature of the actions he is believed to have committed it was important to get him out of circulation ASAP?

    Seriously though- what do you expect to happen to a traitor guilty of espionage while in uniform? We're not talking about prison sentences here- shouldn't caution be the word?

  5. Re:Apparent Wind on Google-Backed Wind-Powered Car Goes Faster Than the Wind · · Score: 1

    ...Which is exactly why it is so damn bothersome and confusing that this appears to have happened.

  6. Re:Very old news. on Google-Backed Wind-Powered Car Goes Faster Than the Wind · · Score: 1

    That would make sense- if they hadn't gone out of their way to state that the propeller is driven by the wheels and spinning against the wind.

  7. Re:Amazing on BP Says "Top Kill" Operation Has Failed · · Score: 1

    I'm sure nobody but us is reading this, heh, but anyways...

    If you go and reread the original post by amanicdroid, my reply to him, and your reply to me, I think you'll see the relevance.

    The biggest point of correction that I'll make is that we're not talking about correcting an externality but the "cross elasticity of demand" between regular and clean energy.

    Economist humor abounds! Taken in that context I am in fact arguing that there is an externality and you against it (you'll gladly pay plenty for clean energy).

    However I really wasn't talking about externalities, I was trying to talk to the fact that amanicdroid and you were both saying "I'll pay shitloads more" to which I was trying to point out that you will not get fit to the curve ;)

  8. Re:Amazing on BP Says "Top Kill" Operation Has Failed · · Score: 1

    I'm sorry even Austin is more expensive than that. Are you sure you're the entire household? Living in an unsubsidized house or apartment? Paying your actual and FULL living expenses?

    (Full market rent, making the full car payment, or the repairs if it's an old car, your own gas and tolls, your insurance (don't forget medical! That costs like $500/mo and your $11k/yr employer won't provide it in the real world), clothing, full price for groceries and food, your phone, and on and on.)

    Yeah, I didn't think so.

    Hopefully by now you've realized your experience isn't that relevant to the real world and actual working people/families. Don't be naive and think they aren't the vast majority of the people who would be paying your $0.50/kw(h) surcharge.

    Because in the REAL world people can barely survive on $11k/yr... They definitely don't have things like medical care which would definitely be a priority over paying triple the electric bill, wouldn't it?

  9. Re:Amazing on BP Says "Top Kill" Operation Has Failed · · Score: 1

    So on $11,000/yr you would be OK spending $2500-3600/yr on electricity (5x increase)?

    Riiight.

  10. Re:Amazing on BP Says "Top Kill" Operation Has Failed · · Score: 1

    You're the one that chooses to live in Hawaii buddy (or some other country, but HI is the only state in the US with those kind of rates). I pay about $0.20, but that is really high for the US.

    Take a look at http://www.eia.doe.gov/energyexplained/index.cfm?page=electricity_factors_affecting_prices ...

  11. Re:Amazing on BP Says "Top Kill" Operation Has Failed · · Score: 1

    It varies greatly by location. I pay US$0.19/kwh for daytime use, which is on the expensive side.

    Unfortunately I work from home (I don't say that often!) so most of my use is daytime.

  12. Re:Amazing on BP Says "Top Kill" Operation Has Failed · · Score: 3, Informative

    You have no idea what your electricity costs, do you?

    I'd be willing to pay maybe $0.05/kwh more, 33-50% increase, but I'm not too interested in the 300-500% increase you seem to be willing to accept!

  13. Re:We've discussed this before on How CDNs and Alternative DNS Services Combine For Higher Latency · · Score: 1

    LMAO!!!

  14. Re:This is not accurate on How CDNs and Alternative DNS Services Combine For Higher Latency · · Score: 1

    Actually this isn't even true- when you initially submit it to the first MTA that connection always was from 'you.' That server would be (in the worst case) the first one that used DNS to the receiving domain. It would also be a host trying to directly connect to the MX.

    I can't think of a single protocol this isn't true for, so how would anyone except whomever you have chosen as your LDNS provider and parties authoritative for your destination ever be seeing this information?

    I know, I'm preaching to the choir, sorry!

  15. Re:This is not accurate on How CDNs and Alternative DNS Services Combine For Higher Latency · · Score: 1

    Because the organization that runs the authoritative DNS isn't going to see your source IP in a fraction of a second when you make the connection to their (in this case) web server?

  16. Re:Most CDNs don't do this.. on How CDNs and Alternative DNS Services Combine For Higher Latency · · Score: 2, Informative

    Ok so by "shoddy CDN companies" you mean every CDN anyone here has ever heard of? And the vast majority of enterprises that have hot/hot (public) datacenters?

    Using anycast for serving content is a guarantee of fail. Great for DNS, less than ideal for HTTP. How serious a failure depends on how important reliable and consistent end user experience is. Using geolocation based on the actual source address for content within the pages is a very intelligent thing to do in addition to doing it at the LDNS level initially.

    On the innertubes anycast is good for things for which UDP is appropriate (even if they use other transports), and it can be acceptable for HA between a hot and a warm datacenter, but it's just not robust enough for a "CDN".

  17. Re:We've discussed this before on How CDNs and Alternative DNS Services Combine For Higher Latency · · Score: 1

    Yeah, as long as your entire transaction consists of a single packet being sent to the server. It's not reliable after that.

  18. Re:Poor application design on How CDNs and Alternative DNS Services Combine For Higher Latency · · Score: 1

    Sure you can! If you don't mind effing up the URL bar and possibly generating certificate warnings.

    It's not a clean nor transparent way to do it.

  19. Re:no fly? no polish funeral! on Was Flight Ban Over Ash an Overreaction? · · Score: 1

    So not only did Russia intentionally cause the crash, but NATO cooked up this volcano ash story and grounded almost all flights in European airspace just so they wouldn't have to go to the Funeral?

    And they say the Polish are prone to conspiracy!

  20. In the many millions of dollars... on McAfee Retracts Lowball Bug Damage Estimate · · Score: 1

    Heck I was at a small IT security trade event yesterday and like a quarter of the attendees had to cancel because they were dealing with the aftermath...

    McAfee had almost a 50% corporate AV market share, and nearly all of those companies still run many XP SP3 boxes. If 10% pulled the DAT before it was yanked, that's a metric buttload of machines...

  21. Re:Grumpy on Girl Claims Price Scanner Gave Her Tourette's Syndrome · · Score: 2, Funny

    Well that's fucking boring!

  22. Re:Buy good WAF then blow the whistle on Why Responsible Vulnerability Disclosure Is Painful and Inefficient · · Score: 1

    Well, you're either naive and misinformed, or you're trying to be dense.

    First of all we're talking about a specific use case for a WAF- not WAFs as the panacea of network or application security. I don't think I ever stated that simply adding another "security appliance" necessarily increased security overall. I did say that with a WAF you can patch holes like this yourself. Do you really disagree with that?

    That said:

    Nothing you posted is an inherent problem with WAFs (over firewalls, routers, managed switches, IPS', etc.) besides them needing to decrypt SSL. (Which BTW if you send your traffic encrypted through your IPS, good luck with that!) On the SSL front- It's far more secure to centrally manage your public certs on a hardened device than have it on every backend you own. Terminating SSL (full strength, public cert) is an insecure and inefficient practice that most sane shops abandoned years ago. If you have physical security concerns you can always re-encrypt your traffic, and do it with certs that are not signed by a public CA. [Though I would suggest that if someone could create a span port or plug something in inline with an uplink, you have far larger problems than a WAF to worry about. If you are mandated to encrypt on the wire, sorry.]

    Like anything else it's about selecting the correct one and using it properly. You need to size it for how you're going to use it: If you want to run RegEx matches (inherently very expensive things) against all your traffic in both directions, hell yeah it's going to need to be a bigger solution. However your thinking that a WAF primarily relies on RegEx's shows either that you don't know what you're talking about, or you're just throwing FUD. A WAF is not just a fancy IPS. Most of what they do, including most of the things we'd be talking about for patching an auth based security hole in an application, don't involve pattern matching, none the less full RegEx matching, at all.

    And it's not for going beyond the marketing blather it's for spouting off about mostly non-concerns, blowing others out of proportion, and acting like it's really some different beast to adding a router, managed switch, IPS, or Firewall- any of which need to be sized properly, evaluated for potential security vulnerabilities, and intelligently architected.

    However the point remains valid: If the OP had a WAF, he could almost assuredly fix this problem himself in a few minutes. Unless you are proposing that I'm incorrect and you have a better solution, what are we talking about here?

  23. Re:Buy good WAF then blow the whistle on Why Responsible Vulnerability Disclosure Is Painful and Inefficient · · Score: 1

    There is plenty to argue against your FUD*, but in reality though I wasn't recommending a WAF in the traditional preemptive protective capacity.

    If you have a good WAF then when you, the person responsible for security, discover a vulnerability you, the person responsible for security, can patch it in minutes.

    Even if your applications are completely in-house developed it still takes time to get the vulnerability fixed and it's not within your control how long that process takes! With a WAF you take all of that process which you cannot control and move it out of your critical path.

    Even if you use an app firewall for nothing else it is a security tool well worth having.

    *Actually good ones do a lot more than that, and can do a lot of what you claim without manual configuration. Additionally they provide layers of protection that no existing security device can offer even without customized policies. I've heard arguments like yours before, and I apologize for generalizing, but only from OSS zealots. This is one market where the commercial offerings are leaps and bounds better. This is because of PCI DSS 6.6- The organizations that had to comply were the ones who could afford to purchase a commercial solution, but not the luxury of time to wait for an OSS to develop. As a side effect the commercial market has matured a lot over the past 24 months.

  24. Re:Buy good WAF then blow the whistle on Why Responsible Vulnerability Disclosure Is Painful and Inefficient · · Score: 1

    Full disclosure: I work for a company that, among other things, makes a commercial Layer 7 firewall...

  25. Buy good WAF then blow the whistle on Why Responsible Vulnerability Disclosure Is Painful and Inefficient · · Score: 1

    Frankly the web app firewall idea is the most appropriate solution to this entire category of problem for your organization. You should want one, and this is just one more datapoint as to why.

    Secondly, if they won't fix the problem (and I don't mean won't do it quickly, I mean won't do it at all) then I'm sure someone else will discover it and anonymously disclose it. ...Cough... Right? ...Cough...