Let's go with a nice capitalist version: A worker is underpaid when his or her regular expenses are higher than what they make in net income during the same average period. Note that the definition isn't a particular dollar amount, but rather depends heavily on one's expenses, which in turn are defined mostly by societal and local norms. An intended side effect of this definition is that someone with high expenses can still be underpaid if those expenses aren't covered.
A worker is worth less than the value he or she creates, period.
A worker is a human life whose value is independent of what they are able to produce, period.
If the work a person does only generates $5.00 an hour in value, are you making the case that the worker should be paid more anyway?
No.
How long do [you] expect that employer to continue employing that worker when the revenue generated doesn't cover said employee's cost?
No time at all.
Is it okay to "screw over" the employer by making that person pay more to the employee than he/she generates in profit?
No.
If the worker's output is not profitable for the company, the business should raise its prices so it can be profitable while still supporting its workers for their time. If the market does not support such prices, the business model should not be considered viable.
Rather than say "this worker produces $5/hour of output", let's phrase it as "this worker produces output for which the market now pays $5/hour". That leaves open the options to increase the rate the market will pay (marketing), increase the worker's output (automation), or to accept that the business as it exists now is not viable (reorganization). In the latter case, it may be as simple as firing the worker and hiring one who can produce more, or it may involve restructuring the whole company to produce a different product, for which the market will pay more.
I have yet to see an argument for why "business" is a good reason to lock people into a job that doesn't cover their expenses. Bearing in mind that changing jobs is an expense in itself (for time spent applying, interviewing, a clean suit, etc.), I fail to see how it is beneficial to society to essentially enslave people so an entrepreneur can pitch a product to a market that won't sustain it.
You know... you make a coherent enough argument that I don't actually think you're trolling. Unfortunately, it's a weak argument.
Let's take rent control as a simple example. Imposing these distortions removes the incentive for landlords to maintain and improve their properties. When this happens, the wealthier people eventually move away to better properties, leaving only the impoverished who can't move.
That's half of the problem, but what about the alternative? If rent prices rise, the impoverished still can't move to more affordable places (which also would be removing rent control, and thus becoming less affordable every year). Instead, they get evicted and become homeless, in the process usually losing most investments (furniture, clothes, and other personal items) they've managed to accumulate. Once homeless, they are extremely vulnerable, and crime against the homeless typically runs rampant. The end result is that your low-income community has turned into a high-rent development that looks shiny, but sits vacant because of the crime and housing problem... and in turn, the landlords still don't get paid.
Another example is minimum wage floors. These make it prohibitive for businesses to start, and make it harder for existing businesses to continue remaining viable.
What makes starting a business such a special event that it requires employees to live in poverty? If your business model is so bad and your business so unsuccessful that you have to underpay your workforce, perhaps you shouldn't be starting a business. I know it's the Great American Dream to own a business, but perhaps we should ensure nobody else gets screwed over in the process?
The GPL enforces freedom, while MIT/BSD licenses do not.
I've often used the term "careless licenses" to describe MIT and BSD, because the authors of software under such licenses don't care how it's used. With the GPL, in contrast, they are requiring that you keep derivatives open-source as well.
That is the main freedom the GPL is concerned about: the freedom to view, modify, and use the source code for the software you run. Not only does the GPL require the author to release source code, but it requires redistributors to do the same, ensuring that that very specific freedom endures. On the other hand, MIT/BSD licenses are little more than a disclaimer of warranty, allowing unscrupulous enterprises to rebuild the software and sell it as a commercial product, effectively taking credit for the original author's work - which the SCOTUS has found to be of significant economic value.
In short, it's a matter of perspective. The GPL protects the users and original author by adding restrictions, while the MIT/BSD licenses protect nothing while requiring nothing. To an author, it is a matter of preference what they care about most.
There isn't a hard limit in physics for an EMP, but the inverse-square law and easy hardening techniques will make the required power (and thus the cost) get out of hand pretty quickly, unless you start deploying mankind's most compact and inexpensive power sources: nukes. Those will get you an EMP, but being the first nation in 50 years to use them in warfare will bring a new kind of political hell that you really don't want to defend against.
In a past professional life, I maintained an Emergency Broadcast System transmitter. EBS works by cutting into radio transmissions if a neighboring station transmits the right signal, repeating the broadcast on the local station. Essentially, if one station reported an emergency, the whole region would repeat it automatically. If the sirens work similarly, hijacking one would trigger the whole system.
The whole point is moot, anyway. Ability doesn't need to be shown.
I'm very curious about the basis for your analysis. The only price tag mentioned in TFAs is a half-million-dollar contract to "maintain and repair" the system over the next 6 years. Roughly speaking, that's two salaried ($47,000/year) employees working full-time.
Per TFS, there are 156 alarm systems. At the low end, you're estimating a cost of $5 per system. That's not enough funding for a security consultant to sneeze at a system, let alone actually fix anything. Even if the $800 covers a centralized fix for all of the alarms, that would barely cover the time for a consultant to perform a mediocre security audit, or the price tag for a low-end hardware device, but not both. Of course, being a government panic-driven project, you can safely expect that the expensive-but-fast solution will be chosen, probably driving the cost upwards of $10K per instance.
However, $800 does buy a decent amount of consumable art supplies (paint, paper, wire, plaster), and if someone covers the consumable cost, it's actually pretty easy to find local artists and studios willing to donate time and nonconsumable supplies (work space, tools). Considering your analysis at the high end at $800 per alarm, the total price tag is $124,800... which is sufficient to hire an art teacher and rent space, as well.
Regarding the effectivity of the alarms... that's not really how it works, at all. If we get into a political situation where the sirens are likely to be necessary, you can expect a public-education campaign reminding people what they're for. No, it won't be as effective as keeping people in a persistent state of panic, but it's overall the safer route, compared to having the population on a hair-trigger to go rushing into shelters.
On the one hand, you have a low-damage attack that has happened once in a few decades. On the other, you have the real cost of continually upgrading and hardening (and re-hardening) a system over those few decades, taking funding away from other public programs.
As a taxpayer, I'm okay with risking an unscheduled wakeup, if it means my local high school gets an arts program. As a security expert, I'm still okay with the low risk of leaving such vulnerabilities open, as long as they aren't able to be used as staging for other attacks.
Everywhere has shit security. Every manager is a moron. Everything is dangerous.
A door being unlocked does not give one the right to steal what's behind it, and similarly having a vulnerable system does not give one the right to attack it.
The CIA has the capability to spy on you, find what you like, and match it with someone who can win your affection, and appear to return affection as well. In fact, that capability is entirely within their mandate as an espionage and intelligence organization, as you might be a foreign agent on whom a honey trap may work well.
However, unless they have a good reason to interfere with your romantic escapades, they won't do anything. Mostly, they won't because you're not important enough to justify jumping through the legal hoops. If you're not a US citizen, a lot of those hoops fall away automatically, but not all.
This is also not mathematically true. You are assuming an even and symmetrical distribution of "better than average" and "worse than average" programmers, but the term "average" doesn't necessarily equal the median.
If you have a number of exceptionally-good programmers, but few exceptionally-bad programmers, the average will be raised to where over 50% of your programmer population is actually qualified as "below average", regardless of their opinions about their skill.
However, we must consider the dynamics of the programming industry. If someone is indeed a terrible programmer, they are likely to be driven out of the industry, either by their own choice or by management. On the other hand, the good programmers will usually be encouraged to stay. That puts a bias on the distribution, raising the average quality of programmers beyond the median quality of programmers.
In which case, I assume any student can go to the appropriate university services department and get the video transcribed accordingly, like any other educational material.
The difference would be that it's an on-demand transcription, which would presumably cost a lot less than mandated transcription of all the videos regardless of demand, just because they're public.
That's a great ideal, but it's not the way the real world works.
You can have great people trying to follow great policies... but mistakes happen, especially when it's a late night with an impending deadline (and yes, attackers know those deadlines) or a well-executed social engineering attack. It's not helpful to just say "you're an imposter" and dismiss the fact that the system allowed the attack to succeed.
Humans are fallible, even the "proper" ones. A poor craftsman always blames his tools, but a good craftsman doesn't rely on bad tools.
Competent admins: Use proper tools to push applications across the domain, and leave the feature enabled so there's yet another hurdle between the malware-pushing support-call scammers and admin-level access to the system.
Unfortunately, it's no longer a safe assumption that even "sysadmins/developers" actually make an effective barrier against attacks. They get scammed just like everybody else, and are just as susceptible to a well-crafted phishing site or an urgent call from the CEO's new assistant.
The majority of Windows systems are corporate workstations, which only need an office suite, PDF reader, and a few corporate-approved applications, typically pushed through SCCM (which I assume will be exempt from this feature).
I agree it could be awkward for home users, but I'll reserve my harsh judgement for when it actually becomes a problem.
I had an old Yahoo account that has definitely been inactive for over 5 years. I just tried to log in, and it tried to send a validation code (good?) to a Hotmail address that I haven't used in even longer than that. That Hotmail account appears to have been properly deleted and re-registered (by someone whose security questions are in a different language than I would have used).
So... They're just like post office boxes, on which the system was modeled, or street addresses. In both of those cases, someone else can get your address after you leave and communicate in your name!
While getting your own domain is significantly easier than getting your own post office or private street, the effect is still the same. Those are the only ways to reliably use their respective addresses as identities.
something you can give to an intern to do at $25/hr vs your 25 years experience $75/hr
That's a great example, since fixing interns' mistakes has made my years of experience very profitable.
Sure, an intern can write the software spec, unless he doesn't understand the difference between a Widget and a Wotsit, and doesn't even realize that there are two different things. With sufficient minimal skill, he can flub his way through a basic review (often done by other intern-quality folks) and get the spec published, then be long gone with his credit and job offer once the complaints start coming in.
Similarly, an amateur electrician can screw things up in ways that aren't obvious, like pulling wires through conduit roughly enough to strip insulation. Sure, it's working fine now, but in a few years, it could very well be a fire risk. Another particularly egregious example from my own experience is seeing a ground wire attached with an eye terminal with a nylon washer (instead of a star washer) on one side and a painted (instead of conductive) surface on the other. The connection at the terminal's edge was enough to make a connectivity meter happy, but in an emergency that poor connection could have been lethal.
[Grunt work] takes a long time, but not a job you can screw up unless...
...you don't have the experience to know that what you're doing is wrong.
You want to import someone and pay them $40K? Go to the back of the line. You're willing to pay $200K salary because there truly aren't any Americans available with those skills? You're at the front of the line.
...So what if I want to hire an Indian tech writer who understands all dialects of Hindi, so he can write manuals for my product being exported overseas? Is that application going to be competing with every American tech writer? Will it compete with every H-1B application? Will it compete with every Indian?
Right now, there is an easily-understood process. Employers submit applications, and a limited number of H-1B visas are granted, regardless of industry, skillset, or salary. Basically, beyond initial review, there is nothing anyone can do to game the system. If Trump introduces more "competition", however, that also means that the selection process becomes either industry favoritism or a game of picking buckets.
If all applicants are in the same pool, and judgement is purely on salary, then the H-1B system becomes reduced to a tool for Silicon Valley at the expense of the rest of the country. Industries and locations with high expenses (and therefore already-inflated salaries) get preferential acceptance, while low-paying visa applications are rejected. In short, that accomplishes the exact opposite of what is promised: Americans get the lower-paid jobs, while high-salary tech jobs get more of the H-1B allocation, and even more American salary money goes overseas.
Alternatively, with more criteria for judgement, the system becomes more open to abuse. To use my hypothetical tech writer, I could claim on his visa application that he also has an in-depth understanding of Elbonian custom that Americans simply do not have, so he should be considered his own special case, separate from other tech writers. Without a thorough investigation, the fraud (or misrepresentation, or careful planning, however you want to call it) would be unnoticeable, and my candidate would be the highest salary in his field.
If a company truly can't find American workers with the required skills, if the imported labor actually has special skills, the company will be willing to *pay* for those skills.
More often, the company will just pay less for someone without those special skills, then expect their existing staff to train the newbie to have the skills. That inevitably fails, so the company has to hire more inadequate staff to get the job done, raising costs further, but at least it creates jobs.
Of course, that only works until management starts seeing the higher costs and lower productivity, and realizes they can move the whole operation overseas. Why pay for an American office full of H-1B staff when you can just pay for a foreign office with a few key American personnel? Unlike the days of James Madison, communication between offices is no longer a significant issue. For the cost of gambling on a handful of H-1B hires, a large company can set up shop in a whole new labor pool, often getting a nice tax break to boot. The only downside is that they lose some of the comforts of an American office, but those amenities can be rebuilt overseas cheaply enough. It's just the cost of doing business in Trump's America!
This is yet another populist measure being run with no understanding of the underlying system. Trump is giving the people exactly what they asked for, but he isn't paying attention to the people who understand the systems already in place. He thinks his ideas are the best ideas, regardless of their actual effects.
At the nation state level, I don't think it operates the same way. That is, I don't think they rely on a few dumb operators. Looking at what the NSA does, they're able to attack the supply lines and send you pre-compromised hardware. They have advanced exfiltration systems that don't need to touch your network at all. They have malware that cannot be decrypted by any machine other than the target that makes you think there's nothing wrong. It's also custom, just for you, so AV programs aren't going to see it.
Those statements are mostly true, but only to a certain extent.
The APT teams aren't operating at a nation-state level. They are nation-state funded, but they're still operating more like an experiment, mostly due to the lack of available expertise in the field. Think more along the lines of the Manhattan Project. A very small number of people are doing the real work, and a lot of people figuring out how to apply this new weapon strategically.
Yes, the intelligence agencies have lots of fancy tools, and they're shared among the APT teams as needed, but usually the attacks are boring script-kiddy stuff. Most of the time, pass-the-hash and Word macros will get the job done, so there's no reason to risk exposing the elite tools and zero-day vulnerabilities.
I know they labeled the DNC hack as an APT, but it appears to be an ordinary criminal gang. It simply doesn't match the profile of nation state level attacks. They want long-term access without getting caught. Sending an email like the one to Podesta got someone ~2 days of access, as best we can tell. Enough to download a few emails, only to end up locked out. When nation states do spear phishing, they have a custom written piece of malware disguised as a legitimate attachment. It won't be noticed by any AV programs. They will use that to make sure they have long-term access to your systems.
The Podesta hack and the DNC hacks were separate events, by related teams. They used different tactics, but shared some (but not all) infrastructure. Both teams were involved in the DNC hack, but apparently weren't aware of each other's presence, since they'd attack servers that the other team had already penetrated.
In the DNC hack, they did have long-term access. One group had been active on the network for over a year, and the other was sloppier, and was detected after only a month of activity.
The Podesta attack wasn't particularly specialized. It was a wide attack using automated tools. There was no attachment, just a link to a bit.ly-shortened URL that wouldn't be caught by the spam filter. There was nothing downloaded from the phishing site, either. It just decrypted the Base64-encoded parameter in the emailed URL, and displayed that. Again, don't fall into the mental trap that nation-state attacks must be highly-sophisticated next-generation hacks. In hacking, if it's stupid and it works, then it isn't stupid.
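A defender-side check for the URL pattern described above, added here as an example and not part of the original post: it pulls the query parameters out of a link, tries to Base64-decode each one, and flags any parameter that decodes to an e-mail address, which is the tell-tale of a phishing page that pre-fills the victim's identity. The sample URLs and the `example.invalid` host are constructed for this example; the real shortened links are not on the page.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample links (not from the page). The first mimics the pattern
# discussed above: a query parameter carrying the target's e-mail address as
# Base64, which the landing page decodes and displays. The second is benign.
SAMPLE_URLS = [
    "http://example.invalid/verify?u=dmljdGltQGV4YW1wbGUub3Jn",  # victim@example.org
    "http://example.invalid/doc?id=12345&ref=news",
]

# Deliberately simple e-mail shape; good enough to separate an address from
# the random bytes that non-Base64 strings decode to.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def try_b64_decode(value):
    """Return the decoded text if value is Base64 (standard or URL-safe
    alphabet, padding optional) and decodes to printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            raw = decoder(padded)
        except (binascii.Error, ValueError):
            continue  # not valid in this alphabet, try the next one
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decoded to arbitrary bytes, so it was not really Base64 text
        if text.isprintable():
            return text
    return None


def flag_encoded_identity(url):
    """Return a list of (parameter, decoded e-mail) pairs for every query
    parameter of url whose Base64-decoded value looks like an e-mail address."""
    hits = []
    query = parse_qs(urlparse(url).query)
    for name, values in query.items():
        for value in values:
            decoded = try_b64_decode(value)
            if decoded is not None and EMAIL_RE.match(decoded):
                hits.append((name, decoded))
    return hits


def scan(urls):
    """Map each URL to its hits; an empty list means nothing suspicious."""
    return {url: flag_encoded_identity(url) for url in urls}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(url, "->", hits if hits else "clean")
```

In a mail gateway this check would run on the link after following the shortener's redirect, since the Base64 parameter lives on the final URL, not on the short one.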
They just don't operate the same way because they don't have the same goals. It's not like Russia is the only possible culprit here, either.
Russia isn't the only possible culprit, but they are the only likely culprit. Their same infrastructure (bit.ly account, phishing site host, and mail-sending botnet) had previously been used to attack 1800 accounts in 2015. Those accounts were overwhelmingly non-Russian military personnel. There's a great analysis of the hack by pwnallthethings on Twitter. I highly recommend expanding the thread and reading.
As for goals, the goal is simple: Gather any useful access. Hacking Podesta's email was probably a lucky stroke for the attackers, but they were more likely looking for anything useful. If not Podesta, then someone else might have made a good victim. If they got someone's account, but it wasn't particularly useful at the time, they don't care. The automated tool is
This is Slashdot. We light hair on fire every time anybody sneezes in a way we don't like. Of course, you could always read the bill itself.
It actually does look pretty bad for renewable fuel efforts. I don't see any obvious loopholes, and it effectively imposes a tax on renewable energy of 1 cent per kWh, that the utilities can't pass on to customers. Pretty much, the only way to run a renewable energy installation in Wyoming is to pay for a nonrenewable energy facility somewhere outside the state, or make sure all of your energy is going out of the state.
I apologize for the length of these posts... Weekends get boring, and I tend to ramble about these things.
It doesn't really take much. For a nation-state attacker, it takes almost no resources in comparison to a foreign-based physical operation.
First, understand that there are two different kinds of attacks being discussed here. The DNC hack was a general APT penetration, while attacks on SCADA systems (like Stuxnet) are usually more targeted and require more expert knowledge. Since they work hand-in-hand, I'll describe a mix of the two in a major hypothetical attack.
Let's suppose Strong Badia wants to attack Elbonia. Strong Badia first launches a campaign against several technology companies in Lower Slobbovia, with phishing bait emails trying to get internal credentials. They use those credentials to compromise public-facing servers, and use those servers to launch more attacks against Elbonian companies. That second round of attacks looks like it comes from Lower Slobbovia, so it's more difficult to investigate. This multi-stage effort relies on automated tools (available for a few thousand dollars) to exploit common software. Since the phishing mails are sent in bulk and do indeed rely on luck to get hits, they're automated for scale. They can be run by one social engineer working part time, who usually just needs to wait until he gets a few particularly useful credentials.
With credentials in hand, Strong Badia turns to making their presence persistent. A small number of experts (two or three, even) establish more permanent access credentials, and plant malware that they can use to restore access if it's ever disrupted. This effort is targeted to a specific network infrastructure, but again most of the tools are automated. This time, they aren't automated for scale, but rather to hide their presence better. Attack packages can be uploaded and held, hiding their traffic from monitoring systems. Again, this is only a couple of people to decide which servers (and users) are worth attacking and map out the Elbonian network.
In the case of the DNC hack, that was about all that happened. The attackers gained access to the DNC, became persistent, and copied out documents. As I recall, there is evidence (in writing style, level of expertise, and preferred attack patterns) that the DNC hack had up to a dozen operatives. Other attacks get more complicated.
If a target is "special", it might need a more customized approach. For the sake of analogy, this is the point in the heist movie where the crew realizes that the bank's security is something new, and they need to recruit that quirky specialist to get the job done. They'll go out and buy a copy of the bank's vault, posing as a wealthy individual who just has to have the best protection for their widgets. Similarly, in our hypothetical attack, this is where Strong Badia claims they need the latest and greatest in Elbonian technology, and purchases a SCADA system just like what their target has. While the purchase of such equipment does indeed take some effort, I don't count it as part of the attacking force. The purchasers would likely think they're actually purchasing equipment for a legitimate construction project, so it's a little unfair to count them against the trained spies.
With equipment, an expert in that system (our fourth Strong Badian team member) can begin reverse-engineering it to find new zero-day vulnerabilities, and perhaps with the aid of another Strong Badian, he can turn it into a malware package for that target.
That malware can then be handed back to the APT team, who have the understanding of the Elbonian bureaucracy. They can create fake problem reports that require a call to tech support, and the social engineer can assist in making it seem legitimate. To jump an airgap, they might need a participant in Elbonia, but that could be a simple matter of attacking the Elbonian support subcontractor in a similar manner, and such an attack could be executed by the very same five-man band.
As a taxpayer, I'm okay with risking an unscheduled wakeup, if it means my local high school gets an arts program. As a security expert, I'm still okay with the low risk of leaving such vulnerabilities open, as long as they aren't able to be used as staging for other attacks.
...Until John gets fired, and he calls Bob from the parking lot saying there's an unscheduled federal readiness inspection, including a response test.
Every system is vulnerable. The only difference is the attack vector.
Everywhere has shit security. Every manager is a moron. Everything is dangerous.
A door being unlocked does not give one the right to steal what's behind it, and similarly having a vulnerable system does not give one the right to attack it.
Yes, they can.
The CIA has the capability to spy on you, find what you like, and match it with someone who can win your affection, and appear to return affection as well. In fact, that capability is entirely within their mandate as an espionage and intelligence organization, as you might be a foreign agent on whom a honey trap may work well.
However, unless they have a good reason to interfere with your romantic escapades, they won't do anything. Mostly, they won't because you're not important enough to justify jumping through the legal hoops. If you're not a US citizen, a lot of those hoops fall away automatically, but not all.
This is also not mathematically true. You are assuming an even and symmetrical distribution of "better than average" and "worse than average" programmers, but the term "average" doesn't necessarily equal the median.
If you have a number of exceptionally-good programmers, but few exceptionally-bad programmers, the average will be raised to where over 50% of your programmer population is actually qualified as "below average", regardless of their opinions about their skill.
However, we must consider the dynamics of the programming industry. If someone is indeed a terrible programmer, they are likely to be driven out of the industry, either by their own choice or by management. On the other hand, the good programmers will usually be encouraged to stay. That puts a bias on the distribution, raising the average quality of programmers beyond the median quality of programmers.
So what exactly did you think "support" was? Do you really think it's limited to drivers?
Never mind the development, testing, and troubleshooting going on behind the scenes for the whole array of CPUs.
...So you're saying that for better experiments, we should make more superfund sites?
In which case, I assume any student can go to the appropriate university services department and get the video transcribed accordingly, like any other educational material.
The difference would be that it's an on-demand transcription, which would presumably cost a lot less than mandated transcription of all the videos regardless of demand, just because they're public.
That's a great ideal, but it's not the way the real world works.
You can have great people trying to follow great policies... but mistakes happen, especially when it's a late night with an impending deadline (and yes, attackers know those deadlines) or a well-executed social engineering attack. It's not helpful to just say "you're an imposter" and dismiss the fact that the system allowed the attack to succeed.
Humans are fallible, even the "proper" ones. A poor craftsman always blames his tools, but a good craftsman doesn't rely on bad tools.
Competent admins: Use proper tools to push applications across the domain, and leave the feature enabled so there's yet another hurdle between the malware-pushing support-call scammers and admin-level access to the system.
Unfortunately, it's no longer a safe assumption that even "sysadmins/developers" actually make an effective barrier against attacks. They get scammed just like everybody else, and are just as susceptible to a well-crafted phishing site or an urgent call from the CEO's new assistant.
The majority of Windows systems are corporate workstations, which only need an office suite, PDF reader, and a few corporate-approved applications, typically pushed through SCCM (which I assume will be exempt from this feature).
I agree it could be awkward for home users, but I'll reserve my harsh judgement for when it actually becomes a problem.
You mean the malware account?
Yeah... I call bullshit.
I had an old Yahoo account that has definitely been inactive for over 5 years. I just tried to log in, and it tried to send a validation code (good?) to a Hotmail address that I haven't used in even longer than that. That Hotmail account appears to have been properly deleted and re-registered (by someone whose security questions are in a different language than I would have used).
So... They're just like post office boxes, on which the system was modeled, or street addresses. In both of those cases, someone else can get your address after you leave and communicate in your name!
While getting your own domain is significantly easier than getting your own post office or private street, the effect is still the same. Those are the only ways to reliably use their respective addresses as identities.
something you can give to an intern to do at $25/hr vs your 25 years' experience $75/hr
That's a great example, since fixing interns' mistakes has made my years of experience very profitable.
Sure, an intern can write the software spec, unless he doesn't understand the difference between a Widget and a Wotsit, and doesn't even realize that there are two different things. With sufficient minimal skill, he can flub his way through a basic review (often done by other intern-quality folks) and get the spec published, then be long gone with his credit and job offer once the complaints start coming in.
Similarly, an amateur electrician can screw things up in ways that aren't obvious, like pulling wires through conduit roughly enough to strip insulation. Sure, it's working fine now, but in a few years, it could very well be a fire risk. Another particularly egregious example from my own experience is seeing a ground wire attached with an eye terminal with a nylon washer (instead of a star washer) on one side and a painted (instead of conductive) surface on the other. The connection at the terminal's edge was enough to make a connectivity meter happy, but in an emergency that poor connection could have been lethal.
[Grunt work] takes a long time, but not a job you can screw up unless...
...you don't have the experience to know that what you're doing is wrong.
You want to import someone and pay them $40K? Go to the back of the line. You're willing to pay $200K salary because there truly aren't any Americans available with those skills? You're at the front of the line.
...So what if I want to hire an Indian tech writer who understands all dialects of Hindi, so he can write manuals for my product being exported overseas? Is that application going to be competing with every American tech writer? Will it compete with every H-1B application? Will it compete with every Indian?
Right now, there is an easily-understood process. Employers submit applications, and a limited number of H-1B visas are granted, regardless of industry, skillset, or salary. Basically, beyond initial review, there is nothing anyone can do to game the system. If Trump introduces more "competition", however, that also means that the selection process becomes either industry favoritism or a game of picking buckets.
If all applicants are in the same pool, and judgement is purely on salary, then the H-1B system becomes reduced to a tool for Silicon Valley at the expense of the rest of the country. Industries and locations with high expenses (and therefore already-inflated salaries) get preferential acceptance, while low-paying visa applications are rejected. In short, that accomplishes the exact opposite of what is promised: Americans get the lower-paid jobs, while high-salary tech jobs get more of the H-1B allocation, and even more American salary money goes overseas.
Alternatively, with more criteria for judgement, the system becomes more open to abuse. To use my hypothetical tech writer, I could claim on his visa application that he also has an in-depth understanding of Elbonian custom that Americans simply do not have, so he should be considered his own special case, separate from other tech writers. Without a thorough investigation, the fraud (or misrepresentation, or careful planning, whatever you want to call it) would be unnoticeable, and my candidate would be the highest salary in his field.
If a company truly can't find American workers with the required skills, if the imported labor actually has special skills, the company will be willing to *pay* for those skills.
More often, the company will just pay less for someone without those special skills, then expect their existing staff to train the newbie to have the skills. That inevitably fails, so the company has to hire more inadequate staff to get the job done, raising costs further, but at least it creates jobs.
Of course, that only works until management starts seeing the higher costs and lower productivity, and realizes they can move the whole operation overseas. Why pay for an American office full of H-1B staff when you can just pay for a foreign office with a few key American personnel? Unlike the days of James Madison, communication between offices is no longer a significant issue. For the cost of gambling on a handful of H-1B hires, a large company can set up shop in a whole new labor pool, often getting a nice tax break to boot. The only downside is that they lose some of the comforts of an American office, but those amenities can be rebuilt overseas cheaply enough. It's just the cost of doing business in Trump's America!
This is yet another populist measure being run with no understanding of the underlying system. Trump is giving the people exactly what they asked for, but he isn't paying attention to the people who understand the systems already in place. He thinks his ideas are the best ideas, regardless of their actual effects.
At the nation state level, I don't think it operates the same way. That is, I don't think they rely on a few dumb operators. Looking at what the NSA does, they're able to attack the supply lines and send you pre-compromised hardware. They have advanced exfiltration systems that don't need to touch your network at all. They have malware that cannot be decrypted by any machine other than the target that makes you think there's nothing wrong. It's also custom, just for you, so AV programs aren't going to see it.
Those statements are mostly true, but only to a certain extent.
The APT teams aren't operating at a nation-state level. They are nation-state funded, but they're still operating more like an experiment, mostly due to the lack of available expertise in the field. Think more along the lines of the Manhattan Project. A very small number of people are doing the real work, and a lot of people figuring out how to apply this new weapon strategically.
Yes, the intelligence agencies have lots of fancy tools, and they're shared among the APT teams as needed, but usually the attacks are boring script-kiddy stuff. Most of the time, pass-the-hash and Word macros will get the job done, so there's no reason to risk exposing the elite tools and zero-day vulnerabilities.
I know they labeled the DNC hack as an APT, but it appears to be an ordinary criminal gang. It simply doesn't match the profile of nation state level attacks. They want long-term access without getting caught. Sending an email like the one to Podesta got someone ~2 days of access, as best we can tell. Enough to download a few emails, only to end up locked out. When nation states do spear phishing, they have a custom written piece of malware disguised as a legitimate attachment. It won't be noticed by any AV programs. They will use that to make sure they have long-term access to your systems.
The Podesta hack and the DNC hacks were separate events, by related teams. They used different tactics, but shared some (but not all) infrastructure. Both teams were involved in the DNC hack, but apparently weren't aware of each other's presence, since they'd attack servers that the other team had already penetrated.
In the DNC hack, they did have long-term access. One group had been active on the network for over a year, and the other was sloppier, and was detected after only a month of activity.
The Podesta attack wasn't particularly specialized. It was a wide attack using automated tools. There was no attachment, just a link to a bit.ly-shortened URL that wouldn't be caught by the spam filter. There was nothing downloaded from the phishing site, either. It just decrypted the Base64-encoded parameter in the emailed URL, and displayed that. Again, don't fall into the mental trap that nation-state attacks must be highly-sophisticated next-generation hacks. In hacking, if it's stupid and it works, then it isn't stupid.
They just don't operate the same way because they don't have the same goals. It's not like Russia is the only possible culprit here, either.
Russia isn't the only possible culprit, but they are the only likely culprit. Their same infrastructure (bit.ly account, phishing site host, and mail-sending botnet) had previously been used to attack 1800 accounts in 2015. Those accounts were overwhelmingly non-Russian military personnel. There's a great analysis of the hack by pwnallthethings on Twitter. I highly recommend expanding the thread and reading.
As for goals, the goal is simple: Gather any useful access. Hacking Podesta's email was probably a lucky stroke for the attackers, but they were more likely looking for anything useful. If not Podesta, then someone else might have made a good victim. If they got someone's account, but it wasn't particularly useful at the time, they don't care. The automated tool is
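A defender-side check for the link pattern this post describes (a shortened URL, and a query parameter that Base64-decodes to the recipient's own address, which the phishing page then displays), added here as an example and not code from the original comment; the message body, hostnames and shortener list are constructed placeholders.

```python
"""Flag mail links that look like credential-phishing bait: a URL shortener
(opaque until resolved) or a parameter that Base64-decodes to an e-mail
address, the pre-fill trick described in the thread above.

Added example, not code from any comment on this page. The sample message,
hostnames and shortener list are constructed placeholders."""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Constructed list of shortener hosts to treat as opaque; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_email(value: str) -> Optional[str]:
    """Return the address if `value` is Base64 (standard or URL-safe alphabet)
    that decodes to something shaped like an e-mail address, else None."""
    padded = value + "=" * (-len(value) % 4)   # kits often strip the '=' padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def analyze_url(url: str) -> Dict[str, object]:
    """Classify one URL: shortener host, and/or a query parameter carrying a
    Base64-encoded address. Parameters are split by hand so a literal '+'
    in the Base64 text is kept (parse_qs would turn it into a space)."""
    parts = urlparse(url)
    finding: Dict[str, object] = {
        "url": url,
        "shortener": parts.netloc.lower() in SHORTENERS,
        "prefilled_email": None,
        "param": None,
    }
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        email = decode_b64_email(unquote(raw))
        if email:
            finding["prefilled_email"] = email
            finding["param"] = name
            break
    return finding


def scan_message(body: str) -> List[Dict[str, object]]:
    """Return a finding for every URL in `body` that trips either check."""
    results = []
    for url in URL_RE.findall(body):
        finding = analyze_url(url)
        if finding["shortener"] or finding["prefilled_email"]:
            results.append(finding)
    return results


# Constructed sample: the expanded link with the recipient's address encoded
# in a parameter, plus a shortener link that must be resolved before judging.
SAMPLE_BODY = (
    "Someone has your password. Change it now: "
    "http://login-check.example/reset?e="
    + base64.b64encode(b"victim@example.org").decode()
    + " or use https://bit.ly/PLACEHOLDER"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BODY):
        print(finding)
```

A hit on the Base64 check is a strong signal on its own, while a shortener hit only says the destination is unknown; resolve it (in a sandbox, not from the user's session) before deciding.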
This is Slashdot. We light hair on fire every time anybody sneezes in a way we don't like. Of course, you could always read the bill itself.
It actually does look pretty bad for renewable fuel efforts. I don't see any obvious loopholes, and it effectively imposes a tax on renewable energy by 1 cent per kWh, that the utilities can't pass on to customers. Pretty much, the only way to run a renewable energy installation in Wyoming is to pay for a nonrenewable energy facility somewhere outside the state, or make sure all of your energy is going out of the state.
I apologize for the length of these posts... Weekends get boring, and I tend to ramble about these things.
It doesn't really take much. For a nation-state attacker, it takes almost no resources in comparison to a foreign-based physical operation.
First, understand that there are two different kinds of attacks being discussed here. The DNC hack was a general APT penetration, while attacks on SCADA systems (like Stuxnet) are usually more targeted and require more expert knowledge. Since they work hand-in-hand, I'll describe a mix of the two in a major hypothetical attack.
Let's suppose Strong Badia wants to attack Elbonia. Strong Badia first launches a campaign against several technology companies in Lower Slobbovia, with phishing bait emails trying to get internal credentials. They use those credentials to compromise public-facing servers, and use those servers to launch more attacks against Elbonian companies. That second round of attacks looks like it comes from Lower Slobbovia, so it's more difficult to investigate. This multi-stage effort relies on automated tools (available for a few thousand dollars) to exploit common software. Since the phishing mails are sent in bulk and do indeed rely on luck to get hits, they're automated for scale. They can be run by one social engineer working part time, who usually just needs to wait until he gets a few particularly useful credentials.
With credentials in hand, Strong Badia turns to making their presence persistent. A small number of experts (two or three, even) establish more permanent access credentials, and plant malware that they can use to restore access if it's ever disrupted. This effort is targeted to a specific network infrastructure, but again most of the tools are automated. This time, they aren't automated for scale, but rather to hide their presence better. Attack packages can be uploaded and held, hiding their traffic from monitoring systems. Again, this is only a couple of people to decide which servers (and users) are worth attacking and map out the Elbonian network.
In the case of the DNC hack, that was about all that happened. The attackers gained access to the DNC, became persistent, and copied out documents. As I recall, there is evidence (in writing style, level of expertise, and preferred attack patterns) that the DNC hack had up to a dozen operatives. Other attacks get more complicated.
If a target is "special", it might need a more customized approach. For the sake of analogy, this is the point in the heist movie where the crew realizes that the bank's security is something new, and they need to recruit that quirky specialist to get the job done. They'll go out and buy a copy of the bank's vault, posing as a wealthy individual who just has to have the best protection for their widgets. Similarly, in our hypothetical attack, this is where Strong Badia claims they need the latest and greatest in Elbonian technology, and purchases a SCADA system just like what their target has. While the purchase of such equipment does indeed take some effort, I don't count it as part of the attacking force. The purchasers would likely think they're actually purchasing equipment for a legitimate construction project, so it's a little unfair to count them against the trained spies.
With equipment, an expert in that system (our fourth Strong Badian team member) can begin reverse-engineering it to find new zero-day vulnerabilities, and perhaps with the aid of another Strong Badian, he can turn it into a malware package for that target.
That malware can then be handed back to the APT team, who have the understanding of the Elbonian bureaucracy. They can create fake problem reports that require a call to tech support, and the social engineer can assist in making it seem legitimate. To jump an airgap, they might need a participant in Elbonia, but that could be a simple matter of attacking the Elbonian support subcontractor in a similar manner, and such an attack could be executed by the very same five-man band.
W