Okay. I think I'm done. I'm going to terminate my traffic, all of it, via VPN in some other country.
Do they want to secure customer data, or provide a documented mechanism for institutional wiretaps?
They should pick one and stick with it.
I think you know what you're asking for is impossible, John. Is that your point?
Physical penetration tests can validate the presence of password lists in wallets, in desks, and in caches on workstations. I think I can say with confidence that there are no sources of metrics for what you have specifically asked.
So where are we then? No one can prove anything and therefore we can all claim to be correct? That's awful. That's also the state of the security industry: mountaintop sages and so-called best practices sold by vendors.
Your suggestion on having a little book with them is also pretty bad. It breaks the password model of being something you know to something you have.
Remember everyone, multi-factor authentication should be a combination of something you are, something you have, and/or something you know.
If everyone did as you suggest, all thieves would have to do would be to throw an admin in the back of a van. In fact, I'm surprised that we haven't been seeing more of that anyway.
If anyone gathered metrics on such practices, I would bet that for most environments, they would find that it yields the opposite effect of what is intended.
It makes strong passwords and lots and lots of password lists under keyboards, in text files, and on post-it notes.
I gave a little talk at a Toorcon event a couple years ago where I included some pictures of password lists found in the wild.
I think everyone competent knows about these things, they just choose not to say anything about it because it is a "best practice."
I could explain it, but why not watch their presentation that they gave a couple weeks ago at CCC and actually understand what they're talking about firsthand.
Presentation page, big mp4 video, torrent.
As a consultant, I was paid quite a lot for being available on an on-call basis; several thousand a month.
I also didn't have to do much when things happened. I would join a call, establish that it was not my problem, and then drop off.
If you're deeply concerned for your jobs, get better at your jobs and leave your bad gigs. Retention and performance problems should correct this problem of thinking that management assholes can get people to work for free. They would never work without compensation. Why should people who are smarter than them?
Take a shot, you will.
RTFA, guy. It's not free.
Also, it's been done before and well. The code has been open for a long time now. I'm just surprised it hasn't happened sooner.
The code used to be archived by some of the industry cool kids for quite a while, but I'm not readily finding it in the allowed attention span of this comment.
I always suspected that Cringely was completely clueless, but now I have something to point to which, by his own words, damns him more than anything I could ever say.
This is the kind of writing that you can point at as an example of how some people do not get it despite their pomp and bigdealness.
With the rise of consumer databases, I realized that it was pointless to spurn social networks as anyone with pocket change can buy more information from any of these firms than I know about myself.
Sure. You can have privacy from the casual websearching douche, but if they don't mind spending tens of dollars, they can know all there is to know.
The game is over, and unless you go all Unabomber off the grid and only pay cash, forget about it. You might as well get laid by scenewhores on MySpace.
Ok. An embryo is not a voter and until it is, I do not agree with splitting my political representation with one.
Not all opinions are equal. For instance, the opinion that people with mindsets like yours get to be the arbiters of what is sentient/worthwhile life and what is not is pompous and infantile.
It's to be expected since people who follow your line of reasoning like circular patterns.
In short, I hope your god gives you up to the ironic experience of acquiring a debilitating illness that this type of research is working to cure. Perhaps then you will find some merit in working for the greater good instead of bronze-age logic of "a big dude in the clouds says so."
I find it interesting that it is always the guy that is characterized as lacking social skills, when there are examples such as this that show up routinely.
Call it what you want, but I give the lack of ability to get a clue and lack of ability to give one one blanket ruling: social retardation that either sex can enjoy.
Actually, if you look at the license disclosure in the nCircle documentation, you'll see that it uses Nessus.
Removing the GPL for future developments just allows Tenable to get paid by companies such as nCircle.
It bites that those Interpol people (you know, the guys that might actually have crime statistics) are out to get you specifically... and if you did see statistics on their webpage, you would want to confirm that with the individual precincts that reported them, and then with each individual that made a report.
At what point can you allow yourself to believe a statistic from a large organization that would actually bother tabulating these statistics?
I therefore view your criticism as being wholly without merit. Have a nice day!
It should be noted that, if like me, you are a user of the Mozilla calendar extension, you are hosed if you upgrade right now. Wait for the extension to catch up with the release build or be sorry... like me. :(
Your spelling correction is clearly relevant :D (I'll actually spell check things this time)
I haven't seen too many problems with people out of work in Linux (well... lately anyway). I've seen a lot of consulting and contracting ops and contract-to-hire positions popping up for the last six months, and in the last three months fairly heavily. Good times should be back soon, methinks.
I was even inspired to ramble briefly in my lame blog, and one of the projects I linked to above did incorporate SIP into IMs in some kind of way, though I have not tried it.
I would think it more likely that this would be merged into gnomemeeting in some kind of plugin fashion in the future, but hey. I'll be happy with however it works out.
POTS to VoIP interoperability will likely be sticky for years and years. I anticipate running my own until the market gets to where I want it to be... likely in several years.
Until then, it's a nice toy. Everyone I've heard about (large office structures possibly excepted) has had huge headaches in their adoption.
There are already a bunch of SIP-talking Linux softphones and supporting software.
kphone
linphone
some other supporting software
galago
sarp
sipimp
Look at the FreeWorldDialup forums for lots of chatter about SIP softphones and using images on Cisco hardware.
Assorted other softphone downloads here.
I think that it is refreshing to see some trust-busting and price-fixing countermeasures in our cosy little global economy.
You know, more than just obvious corporate welfare, subsidies and pandering. At least the Japanese look after their own a little.
Who didn't see this coming after RedHat slit their own throat by killing their free distro?
Novell buys Ximian and starts making top-notch stuff and bundling it all together well. IBM was already somewhat invested in Novell. IBM (speaking from personal experience) does not care whose Linux they use. They have internal mirrors for all common distributions and have proprietary software in Java.
Why should they care? Let the market decide which is the most alluring, and sell that one.
Vendor impartiality is going to be back in black in a big way as MS loses more market share (due to related costs of insecurity from insurers, incidents, licenses, and development practices) and Linux and Linux-compatible systems (Hi Sun Microsystems) finally start getting the enterprise implementations that people were talking about doing before the whole market started circling the bowl a few years ago.
Saddle up kids, the stampede is coming.
There should be some kind of centralized authority.
People keep suggesting trusted models without a strong distributed trust model.
Just as the posters have mentioned over and over again, it'll eventually come down to people adopting a centralized-and-distributed-from-there trust model (akin to DNS perhaps, or OpenSRS).
That will work for about 5 min until the spammers start cracking boxes and sending cubic fucktonnes of spam through there, as is already happening.
Or the "let's pay for email" model could be adopted, which would also solve nothing except for having large costs associated with break-ins and the aforementioned cubic fucktonnes.
Good luck, folks. Someone huge will have to do it first in any case.
There are Discovery Channel specials about this. It's been in production for years.
Interestingly enough, based on how this goes, they may do the same thing to the snakehead fish (no really. seriously.) in New York State and elsewhere. Another candidate is the zebra mussel found in many lakes and rivers in North America.
Programs like this seem like a good idea in order to get rid of an animal without a natural predator where they have invaded and pushed out the natural ecosystem. As long as there is no chance of natural migration to affect other populations, then it is truly a terrific way to get rid of a populace.
Of course, technology like this must be treated with much care. The genie is out of the bottle now, so it is just yet another thing to keep tabs on.
True. However, it's just a question of frustrating the chaff. The ninjas will still assault the ivory tower with a minimum of frustration.
See the Wired article from about two months ago.
http://www.wired.com/wired/archive/11.09/ppt1.html
Didn't I just see some of those in the last episode of Ghost in the Shell - Stand Alone Complex?
I suppose they're all fun and great until they start stacking and sorting schoolchildren.
Well, why not just call it what it is: a tax subsidy.
:D
Given some of the new trade rules coming down from the ivory tower of the WTO regarding subsidies, there is a chance that this may be illegal.