This study is groundbreaking. It completely trashes any argument for tax subsidies for EVs. If the economics are the same, there's no reason for a tax subsidy. Consumers will simply buy based on their needs without any additional inducement.
If I was to believe the conclusion, I would not believe the AREDS and AREDS II studies, which are widely accepted. In those studies, participants slowed the progression of macular degeneration by taking specific supplements.
Everyone needs to take a breath, and take a look at the CapOne web site. The certificate contains the correct URL for that page. The problem is NOT the SSL cert; it's the stupid Verisign seal thingy.
That Verisign seal thingy is coded to show the wrong sub-domain. Apparently CapitalOne created a seal for one sub-domain and inappropriately used it on a page in a different domain. They could do that because nothing in the seal prevents its use in the wrong domain. It won't even alert the user to an erroneous use.
That's the problem with the Verisign assurance seal. It assures absolutely nothing.
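To make the contrast in the post concrete, here is an added example (not code from the original post or from Verisign): the hostname check a browser applies to a TLS certificate's DNS names, following the RFC 6125 wildcard rules as they are commonly implemented. A certificate issued for one sub-domain does not match a page served from a different one, which is exactly the binding a seal image lacks. All hostnames, and the sample certificate dictionary (laid out like the dict Python's ssl getpeercert() returns), are constructed for illustration.

```python
"""Added example: certificate hostname matching versus an unbound seal.
Names and the sample certificate below are constructed, not real."""


def _wildcard_match(pattern, host):
    """Match one wildcard DNS name (e.g. '*.example.com') against a host.

    Rules (RFC 6125 section 6.4.3, as commonly implemented):
      - the wildcard must be the whole leftmost label ('w*.example.com' is refused);
      - it matches exactly one label, never across a dot;
      - at least two labels must follow it ('*.com' is refused).
    """
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def hostname_matches(hostname, dns_names):
    """True if `hostname` is covered by one of the certificate's DNS SANs."""
    host = hostname.rstrip(".").lower()
    for name in dns_names:
        name = name.rstrip(".").lower()
        if "*" not in name:
            if name == host:
                return True
        elif _wildcard_match(name, host):
            return True
    return False


def dns_names_from_peercert(cert):
    """Pull the DNS SANs out of a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample in the getpeercert() dict layout (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "onlinebanking.example.com"),),),
    "subjectAltName": (
        ("DNS", "onlinebanking.example.com"),
        ("DNS", "*.secure.example.com"),
    ),
}


def page_is_covered(page_host, cert=SAMPLE_PEERCERT):
    """Would a browser accept this certificate for a page on `page_host`?"""
    return hostname_matches(page_host, dns_names_from_peercert(cert))


if __name__ == "__main__":
    for host in ("onlinebanking.example.com", "www.example.com",
                 "login.secure.example.com", "a.b.secure.example.com"):
        print(f"{host:28s} {'covered' if page_is_covered(host) else 'NOT covered'}")
```

The point of the check is that the name is part of the signed certificate, so moving the certificate to another sub-domain produces a browser warning; a seal image carries no such binding, so reusing it on the wrong page is silent.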
The FFIEC did not tell banks they have to adopt two factor authentication. The FFIEC did tell banks to assess the risk, and "where risk assessments indicate that the use of single factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
So banks may not have to do anything, or if something needs to be done, they can exercise other options besides two factor authentication.
Really, all the regulators want is for the risk to be mitigated. They don't care how.
Phishing exists because the phisher has a favorable risk/reward relationship. This legislation will help change that relationship by allowing law enforcement to get involved earlier. Today, LE has to wait for a fraud to occur and someone to complain. If my understanding is correct, under this legislation LE can get involved much earlier, when phishing or pharming is first detected. Earlier involvement means less time for the phish site to be operating (reducing return), and less time to destroy evidence (increasing risk).
Of course, whether they will become involved or not is subject to debate.
And don't you confuse a typical WinXP Home user, who uses the default setup and runs as Admin, with a seasoned user, who knows better. The key point for you to understand is that the DEFAULT is admin!
That's NOT the default on my Suse and OSX boxes, BTW.
Most US banks do use a static password for Internet banking. That's why phishing works so well in the US. The customer gives up the password, and the phish is on its way to a winning evening at the bar.
I liked 9.0, and 9.1 is better in every way EXCEPT one or more of the security updates kill my wireless connection. From newsgroup comments, others have the same problem. No one seems to know the answer.
So, I'm working through the updates one-by-one, installing, rebooting, testing wireless, rinse and repeat.
My major suggestion to Suse is that they post a page with known bugs and solutions. Having to test each patch myself is a pain in the butt.
I got my mom an iMac, also! She's in her 70s, and needed *very little* help to get up to speed. Her greatest hurdle was learning what icons led to which applications.
I got her the iMac for two reasons:
1) It's about the same cost as a Windows box, once you figure in years worth of AV, a better firewall, etc etc,
2) I don't have to worry nearly as much about the box being secure, I just have to educate her about phishing and other user-targeted attacks, and
3) It just runs. I'm not running over to her house all the time to fix it.
The US Office of the Comptroller of the Currency issued a bulletin about phishing to all their banks on September 12, 2003. That bulletin asked banks to engage in a prevent, detect, and respond strategy.
Unfortunately, the US financial system is balkanized, with only one-fifth of the banks regulated by the OCC, and the rest regulated by the Federal Reserve, FDIC, OTS, and others. I can't locate warnings from those regulators.
Warnings from bank regulators to their banks can only do so much. The scam targets the user, and no one is responsible for educating the user.
Scams like this are one of the reasons I've told my 70+ mother not to use Internet banking. Unfortunately, she's now looking into Internet brokerage. No matter what I do to secure her system, she is the weak link in the security chain. Many other Internet users are in the same boat.
Any ideas from slashdot land on how to educate those users, and how to protect them?
The author completely missed one important aspect of open source. People write for it because they love it, not because they need a paycheck.
Look at it this way. If you needed a door installed, would you call Harrison Ford? He's an actor, right? But he's also a master carpenter, and can probably do a better job than anyone you know. If he installs your door, he won't do it because he needs your money. On the other hand, you can hire laborers outside your local 7-11 to install the door also. They may do an adequate job, but they are working for money.
So, the page that kept track of unpatched MSIE holes is gone. That means that MSIE is now treated like any other software; the vulnerabilities are reported, but no one keeps track *publicly* of what is unpatched.
Why aren't other pages keeping track of unpatched vulnerabilities in other software? Well, have you ever tried to match up the CVE database with patches? It's difficult. I don't know anyone who can answer how many unpatched vulnerabilities are present in W2K, XP, and the like. Has to be boatloads.
Vulnerability disclosure doesn't create pressure on MS, however. Malicious code creates pressure. Consider the MSIE vulnerability that led to QHosts. That one was old -- in August MS said that the patch they produced should have corrected the Object Type vulnerability, but didn't. Yet the patch wasn't corrected until October, and that was only after QHosts exploited it. The exploit, however, raised MS's concern so much that they issued the patch on a Saturday instead of their regular Wednesday schedule....wow, the vulnerability is known for two months, then suddenly a patch appears AFTER the exploit is released.
What are the lessons?
(1) Apparently ALL MS software has unpatched vulnerabilities
(2) Apparently vulnerabilities are not priorities for MS unless exploits become newsworthy
(3) Trusting MS patches to correct vulnerabilities is a recipe for disaster.
The FFIEC recently posted a new information security examination handbook. Because the booklet "serves as a supplement to agency GLBA 501(b) expectations", it may answer your questions.
Apparently Slashdot is populated by morons today. Have any of you heard that financial institutions must have charters from a state or the federal government? The hawala is a financial institution, but without the required charter. They are unlicensed, and are operating illegally, just as if you hung out a shingle in the US without the proper license. You dingbats! You slander without thought just to pander to your political persuasions!
And before buying the line about money no longer being sent to poor Somalis, THINK! Banks exist, Somalia has BANKS! We have banks. Banks transfer money to other banks. Amazing that Slashdotters could be so stupid!
You are the one who is arrogant today. Go hide in shame.
For yucks, create a Verisign seal -- but pay attention to their rules!
Comcast requiring MSIE on a Mac is disappointing. MSIE is not supported on the Mac. Requiring the use of unsupported software is simply irresponsible.
You'd think that Comcast would care about their customers enough to not require the customers to be exploitable on the Comcast network.
Any security mechanism that relies on a consumer is inherently a bad idea. They don't perform their role. Want proof? Read http://usablesecurity.org/emperor/emperor.pdf
An end of page sig said it best: "When something is made idiot proof, nature will provide a better idiot"
Educating users mitigates some risk, but you might as well face it, most are and always will be sheep.
Phishers are already rewriting the entire screen. They can rewrite the part that contains the Netcraft bar, also.
Also, does anyone know how the blacklisting works? Can an innocent firm be blacklisted until Netcraft gets around to unblacklisting them?
Regulator guidance to the industry was written in 2001, and does not indicate banks should try something better than a password
Maybe US banks will try a better authentication mechanism when customers wake up and no longer have confidence in the current authentication schemes.
# of high and medium vulnerabilities, last 3 months:
Windows2000 = 11
RedHat -- Linux = 4
# of high and medium vulnerabilities, last 6 months:
Windows2000 = 13
RedHat -- Linux = 11
# of high and medium vulnerabilities, last year:
Windows2000 = 24
RedHat -- Linux = 11
...we can't answer your subpoena with any e-mails; we can't read them."
"Because forensic examination of the subject's computer failed to find any evidence of child pornography distribution..."
Of course there is a back door. Attorneys in civil suits and law enforcement need it.
The market is
1) People who don't know enough about computing to know that You Must Use Windows To Compute. Those people don't have Windoze software to load.
2) Those who know something about computing. I bought one Walmart box today. I'm loading Red Hat on one partition, and keeping Lindows for play. If it works, great. If not, I've got an inexpensive and useful computer.