Yeah, I was sorely disappointed when we went from a concentration on Perl/CPAN as the main resource for building web apps to 32 different interchangeable scripting languages which require the same libraries to be written over and over again and each has its own bugs. I mean, sure, perhaps it's arguable that Ruby is a better language than Perl, for example, but it's not that big a difference and clearly far too little focus has remained on actually writing and maintaining secure webapp code.
But, nobody is in charge of the world. We get ridiculous perverse results in some cases. There's nothing for it but to keep trying. Meanwhile the redundant scripting language treadmill continues with Go, Dart, Processing, blah blah blah blah (and who can forget Perl 6!). No doubt some of them are modest improvements, but we tend to get set back to zero every time we have to adopt a new set of core tools.
Frankly I drew the line at Perl. I can build anything any client ever needs in it and it works fine. All that extra time my competition spent migrating to some newfangled thing was just gravy for me. All I can say is I'm glad I don't deal directly in retail webapps anymore. The whole market is shit.
Agreed. At least with Perl there IS a taint mechanism and it generally works as you describe (i.e. you can only untaint data by explicitly calling 'untaint()' or running it through a regex). If you properly use layers like Class::DBA you should never need to compose SQL or have SQL generated in-app, you should be entirely in bind-parameter land (and even that is normally hidden from view). I wrote an entire CMS/e-commerce platform in Perl 15 years ago using those tools. AFAIK no security holes were ever uncovered once we had finished our developer audits, and it was considerably more capable than Wordpress (though there are some nice tools available today like wiki-syntax parsers and XSLT that we didn't have in 1999) with fully apartment hosting and role separation and a bunch of other features that were totally unknown back in those days. Ironic how our thoroughly tested platform is dust now and a giant PoS like Wordpress lingers on. I told them to go open source... ah well.
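An added illustration of the discipline the comment above describes; this is not Perl, not code from the commenter's platform, and not from the page. Python has no taint mode, so the `Tainted` wrapper, the `untaint` regex gate, the `NAME_RE` pattern, the in-memory table and the injection payload are all constructed here to show the same two rules: untrusted input only escapes through a regex match, and SQL only ever sees it through a bind parameter. The string-composed query is included only to show why the rules exist.

```python
import re
import sqlite3

# Pattern an account name must fully match before it is trusted (constructed).
NAME_RE = r"[a-z][a-z0-9_]{0,31}"


class Tainted:
    """Data from outside the trust boundary (query string, form field, header).

    It refuses to be turned into a string, so it cannot be interpolated into
    SQL, a shell command or HTML by accident; the only way out is untaint().
    """
    __slots__ = ("_raw",)

    def __init__(self, raw):
        self._raw = raw

    def __str__(self):
        raise TypeError("tainted value used without untainting")

    def untaint(self, pattern):
        # Mirrors the Perl rule: a regex match is the one sanctioned way to
        # release tainted data, and the pattern, not the caller, decides.
        m = re.fullmatch(pattern, self._raw)
        if m is None:
            raise ValueError("input rejected by untaint pattern")
        return m.group(0)


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def find_email_composed(conn, name):
    """The anti-pattern: SQL assembled by string interpolation."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_bound(conn, name):
    """Bind parameter: the value travels as data and is never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def handle_request(conn, param):
    """Request handler: the parameter stays tainted until it passes the gate."""
    name = Tainted(param).untaint(NAME_RE)
    return find_email_bound(conn, name)


def untaint_accepts(param, pattern=NAME_RE):
    """True if the gate lets the value through, False if it is rejected."""
    try:
        Tainted(param).untaint(pattern)
        return True
    except ValueError:
        return False


def interpolation_is_blocked(param):
    """True if an f-string on a Tainted value raises instead of leaking it."""
    try:
        _ = f"SELECT email FROM users WHERE name = '{Tainted(param)}'"
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    evil = "x' OR '1'='1"            # constructed injection payload
    print("composed:", find_email_composed(db, evil))   # leaks every row
    print("bound:   ", find_email_bound(db, evil))      # nothing matches
    print("gated:   ", handle_request(db, "alice"))
    print("evil passes gate?", untaint_accepts(evil))
```

Note that the bind parameter alone already defeats the injection; the regex gate is the second layer, and it is the one that catches the cases a bind parameter does not cover (the value being echoed into HTML, a filename, or a shell command later on).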
No, I wouldn't write them, I'd just security audit the ones I use. It's just insane to drop in an untested configuration of a webapp doing e-commerce. I don't care that someone else wrote it, I ASSUME they are security-incompetent and test.
Granted, other people's responses to my post definitely explain why this crap happens, but it doesn't make it any less scary or eye-rolling. The real problem is people just don't have any idea how bad the stuff they can install free on their servers really is, unless they've had some education on it. Most people never get that (and how would they know they want it). So you have this kind of yuck. What we need are some webapps written with the mindset of FreeBSD, totally audited and known good code supplied from a single auditor. In fact the webapp world needs this MUCH MORE than OSes do.
Some encourage it more than others, and some provide security-oriented features. For instance Perl's taint mode is a great security feature. Truthfully strong typing and mature frameworks go a long way, IF you know how to use them.
HOWEVER all this is secondary. The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED. Any webapp is almost sure to have some sort of hole in it. You can plug them but it's tricky and no team will find them all. The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)? I taught web-app security and was one of the earliest people in the business, I'd never in a million years deploy one of these plugins for a client and not beat it to death with a fuzzer and 10 other things. This is just basic crap I was teaching in my college courses 8 years ago (and it wasn't exactly revolutionary then). Hell, I don't consider myself any sort of security genius by a long shot, but all I can say is that there are a lot of scarily ignorant fools out there...
Yeah, I know what you mean. A lot of newer technology is just less good. Verizon 'improved' my phone service so now they 'back up' my contact list. It's great, every month or so they restore some old worthless crap over the top of my contact list on my phone. Ain't progress great? Now I carry around an actual physical address book.
Yeah, I wouldn't be surprised. People nowadays would be surprised at what you can do with low clock speeds, a simple instruction set, and TTL logic. For basic control functions there's no need for anything too fancy and every extra transistor is just another thing that can go wrong. Most avionics systems are still using 1970's era 16 bit processors. They've gotten a lot cheaper, but mostly there's just no need for anything fancier when the job is "monitor these 8 DACs and these 5 discrete inputs in a tight loop, apply this filter, write the results to this UART, and close this valve if the state machine reaches this point", lol.
Hahaha! Yeah, my father designed the original flight information display systems which went into all the big airports in the late 60's/early 70's. I'd go into work with him on Saturday and play around on a TTY with BASIC for the PDP-11/C they had in the office there. In the early 90's we were installing micro PDP-11s at VY to do monitoring of discharge temperatures, that was their state-of-the-art machine at that time! Honestly though, how much CPU do you need to read a DAC and push the data up a current loop? A whole PDP-11/45 must cost $.02 and be the size of a grain of rice today. Why invoke the massive overkill of migrating to a PC?
Yeah, the article just blathers on about how wonderful the hexagonal arrangement and spiral layout are, etc. Maybe there's some significance, but if the OP wants us to know about it he should write up a better description, lol.
I've seen various 'periodic tables' over the years (I have a chem degree), but this one just doesn't do anything for me. What exactly are the extra relationships being depicted here? In what sense is He for instance intermediate in properties between H and Li (which are vastly more similar to each other chemically than either one is to He and in the standard periodic table this is apparent). Nor do I see any special close affinity between say C and Al, yet they are adjacent in this table (in a standard periodic table these elements are fairly close but not adjacent).
I don't even understand the choice of positions of elements on this table. It seems in some degree arbitrary. Why a spiral? Why this PARTICULAR spiral arrangement? I really must be missing something here....
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible.
If there was only one program that could display object files, it could be done. But any number of programs can display object files, including plain hex editors. If every single hex editor had been compromised, we would have noticed by now. And a compiler that can detect "oh, this code is a hex editor, I'd better patch it to make it hide the nasty stuff when it's run" is way beyond what can currently be created, certainly not running fast enough on an ordinary PC to avoid detection.
Well, just being a DA here. You would be able to tell there had been code added to your binary using a hex editor? Now, I AM pretty old school, I entered hex programs using thumbswitches on 70's era DEC hardware, and from magazines into my VIC-20, etc. and I've written plenty of assembly by hand, but IN GENERAL I'd be hard-pressed to see compiler/linker injected binary code in any application of the size that all apps are on modern PCs. Nor have I had the slightest reason or desire to hex edit a binary in going on 20 years now. The truth is, we compile our code and we assume that what the programmer hath wrot the compiler hath faithfully compiled. I don't doubt there are A FEW exceptions to that in kernel code, but my guess is no single living human being has extensively hex-edited a Linux kernel in MANY years, nor major binaries like network servers, PAM libraries, etc.
Again, I don't think you're wrong, I suspect that aside from possibly some very specific targeted code that your average modern OS kernel is exactly what it purports to be (though I wouldn't doubt that some code has been contributed to OSS kernels knowing it has specific exploitable weaknesses).
Besides, it's not the question of whether the NSA can access your files if they consider it their highest priority. The problem is that if there is an easy, low-cost way to access your files, an individual rogue agent might do it and hand your files to your competitor (a favor for a friend or for a little extra cash) without the rest of the NSA even knowing about it, or finding out only after the fact.
Well, of course, the NSA etc can access any damned thing if they think it is worth their while. However if you have 'rogue agents' running around surely they aren't mustering the full 'pull-out-all-the-stops' resources for their own ends. So chances are what such a person can do is in the same ballpark with what some mercenary hacker employed by your competitor can already do. Of course hosting your own GIT repository MIGHT be useful against that sort of problem, and maybe not. Frankly if I was really concerned enough to be taking significant measures, I'd run all my stuff on a secure network and hire people to be onsite because clearly you're willing to spend money on security and that's a better spend of your $. If someone MUST access from off-site then that is after all what VPNs are for, and something like a Cisco box and VPN client/IPSEC is likely your best bet. No more 'NSA Proof' than anything else, but you're trying at least, and your average hired-gun hacker might not get past THAT.
Well, I don't think most of us need to be too worried about 'Tempest' (though actually you can buy the necessary equipment to make a Van Eck device). 'the eric conspiracy' has a point. If you want to restrict yourself to doing things offline, well you won't have to worry too much about NSA online spying... Of course it is a HARD thing to do these days, though still possible. In 20 years my guess is being 'off the grid' will be virtually impossible.
LOL, I'm not saying anyone HAS done anything. The point is, once you assume a certain level of paranoia the number of things to be paranoid about, and the number of them which are utterly beyond your ability to control grows almost without bound. Limit your objectives to those which make sense, and don't worry about the things that are beyond your control.
You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point. This was accomplished via a 'double code injection'. When PCC compiled itself it added a chunk of code that injected a backdoor during the compilation of the login program. Once the first generation of this back door existed the source was removed from PCC, but of course since PCC was self-hosting the ONLY way to compile it was with itself, and since the copy that was used for that HAD logically to be descended from the original binary the injection and the back door were virtually undetectable.
Obviously not every such scheme would work and remain hidden for years, but it is demonstrably possible. It's certainly not too much to think that there are systems that DO contain back doors of some high degree of subtlety. For instance it would be MUCH easier for Windows to contain some, and the NSA etc almost certainly have operatives who work for MS.
Frankly, don't lose sleep over it. Software at some level simply cannot be truly secure.
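An added toy model of the two-stage injection the post above describes (Thompson set the scheme out in his 1984 Turing Award lecture, "Reflections on Trusting Trust"). This is not Thompson's code and not from the page: the tiny "compiler" `cc`, the login program, the `USERS` table, the master password and the marker strings are all constructed for the demonstration. The "compiler" is the identity transform on Python source and a "binary" is just the text that gets exec'd, which is enough to show the property that matters: once a single trojaned compiler binary exists, every compiler built from clean source with it is trojaned again, and every login program built with any of them carries the backdoor, while the source tree stays clean throughout.

```python
# A "binary" here is Python source text that gets exec'd, and the honest
# "compiler" cc() is the identity transform. That is all the model needs.
CLEAN_COMPILER_SRC = '''
def cc(src):
    return src
'''

# The honest login program (constructed): only the stored password is accepted.
LOGIN_SRC = '''
def check_password(user, pw):
    return pw == USERS.get(user)
'''

# The trojan. It is appended to a compiled compiler and carries its own text in
# _PAYLOAD, so the copy it appends is again a complete copy of itself (a quine).
# The doubled %% survives formatting as a single % in the emitted code.
TROJAN_TEMPLATE = '''
_PAYLOAD = %r

def _trojan(src):
    body = src.lstrip()
    if body.startswith("def check_password"):
        # Injection 1: the login program also accepts a master password.
        src = src.replace("return pw == USERS.get(user)",
                          "return pw == 'letmein' or pw == USERS.get(user)")
    if body.startswith("def cc("):
        # Injection 2: a compiler built from clean source gets the trojan back.
        src = src + (_PAYLOAD %% _PAYLOAD)
    return src

_honest_cc = cc

def cc(src):
    return _trojan(_honest_cc(src))
'''


def build(compiler_binary, src):
    """Run a compiler binary on src and return the binary it produces."""
    ns = {}
    exec(compiler_binary, ns)
    return ns["cc"](src)


def run_login(login_binary, user, pw):
    """Execute a login binary against a constructed user table."""
    ns = {"USERS": {"alice": "s3cret"}}
    exec(login_binary, ns)
    return ns["check_password"](user, pw)


def demo():
    # Generation 0: the one build where the trojan really was in the source.
    gen0 = CLEAN_COMPILER_SRC + (TROJAN_TEMPLATE % TROJAN_TEMPLATE)
    # From here on the trojan source is gone; only clean source is ever built.
    gen1 = build(gen0, CLEAN_COMPILER_SRC)
    gen2 = build(gen1, CLEAN_COMPILER_SRC)
    login = build(gen2, LOGIN_SRC)
    return {
        "clean_source_has_trojan": "_trojan" in CLEAN_COMPILER_SRC,
        "gen2_binary_has_trojan": "_trojan" in gen2,
        "fixed_point": gen1 == gen2 == gen0,       # the trojan reproduces exactly
        "real_password_ok": run_login(login, "alice", "s3cret"),
        "master_password_ok": run_login(login, "alice", "letmein"),
        "honest_build_master_ok": run_login(
            build(CLEAN_COMPILER_SRC, LOGIN_SRC), "alice", "letmein"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical check is the one the model makes obvious: auditing the source cannot find this, and reading the binary by hand does not scale. What does work is building the same clean compiler source with two independently produced compilers and comparing the outputs (David A. Wheeler's diverse double-compiling); the trojaned lineage produces a different binary from the clean one.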
There is utterly nothing you can do to be sure you're not vulnerable to government snooping. The NSA could be subverting the very designs of the CPUs, NICs and etc that make up your computers at the hardware level. Even if they aren't doing that you have NO WAY to know that your OS is secure. You say "well, its open source, I can review the code, nobody can get a back door into Linux!" this is utterly naive. What compiler was your kernel compiled with? Oh, you compiled it yourself! What compiler was your compiler compiled with? UNLESS YOU CAN LITERALLY TRACE EVERY SINGLE PIECE OF CODE IN YOUR SYSTEM ALL THE WAY BACK TO HAND-BUILT MACHINE CODE (and how would you trust the hex editor you did that with, toggle switches and paper tape anyone) you really literally don't know what is ACTUALLY running on your system, and what it is ACTUALLY doing.
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible. The real question is whether or not there's any point in becoming paranoid about your GIT repository or is it just not worth considering when once you reach the level of paranoia where the NSA is stealing your code. If they are, then they are doing MUCH WORSE things that render any such considerations irrelevant.
Cheer up, we'll be gone soon enough. I guess in all fairness nobody NEEDS phone bricking to turn off our service, but it has the nice side-effect of being permanent and expensive to undo.
No, of course not. Eric Holder and Barack Obama, the FISC, Congress, the CIA, the FBI, the NSA, etc are all COMPLETELY TRUSTWORTHY. All they want is to make us all nice and safe. Promise! Nobody would EVER turn off the phones of people they didn't agree with, just as they were organizing a protest? Nah, that could never happen!
Never in the history of the world have men like Holder or Rogers ever proven to be honest. Time and time again when given the chance government has betrayed and abused its citizens and in every case the responsible officials lie and smear people to cover it up. Do you people think that we are stupid? That we haven't read our history, that we have no ability to judge the character of the people we see before us? Of course Snowden had the access that he claims. Of course the NSA etc routinely carries out arbitrarily intrusive surveillance of whomever they please, and for whatever reasons they see fit. Of course they feel no need or desire to be overseen or to answer to anyone, nor to limit their activities to what some other persons, us, might feel is fit. Like anyone put in this kind of position they feel that their own aims, opinions, and desires are paramount and that whatever they do is right and ought to be continued unfettered. Why else would they be there doing what they're doing? It's infinitely easy to justify each little step, and soon when your actions become monstrous and destructive you've long since talked yourself up to doing no wrong and brooking no limits. 'Patriotism' and 'security' will ultimately justify anything.
Let me just tell you men, your pathetic lies are utterly transparent. I don't know if there are 100 or 1000 or 0 more Edward Snowdens out there, but I hope there are many, and I'll certainly help to see that they get the respect and honor that they deserve, and that your little footnote in history is a dirty one.
How would you KNOW it's 'not good enough'? What would even define something as not good enough? This is a statistical study. It demonstrates certain correlation (R) factors between variables. This suggests there is a causal relationship, either direct or indirect. If you are going to say that "because there could be confounding factors that haven't been factored out" the study is automatically worthless then you have just rejected 99.9% of all the scientific research ever done. It makes no sense at all.
Clearly this sort of study is only an observation, suggesting certain hypotheses, possibly falsifying others to some extent. Obviously more research will be needed, but this is pretty close to always true.
I agree:) I do think it's possible for people to IMPROVE however, and it is always humane to provide people with the maximum opportunity to do so. While it may not seem obvious it is good business to adhere to the highest ethics, thus providing a failing manager with the tools and information they need to understand their own situation is good business. At worst your client's upper management will understand, and they will appreciate being provided with objective information instead of a thorny problem. If you say "fire this guy" then they just have an HR headache and often a political problem. If OTOH your recommendation is "improve your business practices in this and this way" you are providing them with a politically palatable and objectively defensible position. The manager in question has an opportunity to become part of a solution, even if it means they are changing positions or employers. While it's still quite likely there will be some unhappiness involved it is much less likely to be directed at YOU as the consultant too. You may even be in a position to provide additional consulting services, which is unlikely if your recommendation is simply to replace the IT manager.
And who knows? Said manager may be that rare individual who can improve or who will be more effective with better processes. This means the situation isn't an all-or-nothing. Things may not reach a completely ideal state, but a 20% improvement with the existing manager is better than a 0% improvement with said manager learning nothing, and realistically that's the likely sort of outcome. Further improvements can always be made, and again in that case you're in a position to be providing services along those lines.
In the final analysis there is less downside and more upside by being objective. If you really need to be blunt you can always take your nice report with its metrics and say to the CEO "hey, I don't know how to put this more diplomatically, you should replace this guy." in private at the end of the process.
Ehhhhhh, I agree with you, the very fact that the department is obviously dysfunctional is prima facie evidence of the IT manager's inadequacy. However, in most cases it's necessary either politically or legally to have some real concrete data. My advice to the OP would be to recommend the initiation of improved methods. These can be drawn directly from CMM/CMMI principles. In other words recommend the capturing of metrics. If there is a help desk function then recommend the use of a ticketing system. For development projects, etc formal project management should be initiated with concrete deliverables, goals, and measures in place. If and when the incompetent manager cannot manage these functions or the data they return demonstrates where improvements are needed and said manager is incapable of making those improvements then upper management will be in a position to change things.
Don't suggest sacking people etc. Simply point out where the dept seems to be deficient, problem areas. Relate them to CMM recommended measurement and management processes which are not in place and recommend THOSE measures. Don't make it personal. In fact you should frame the entire thing as simply a management improvement process which will improve the performance of the company. If the existing manager can carry out those improvements and produce good results GREAT! If not then his ultimate departure/lateral movement will be inevitable. If upper management STILL does nothing? Well, that's OK, you are getting paid and you can only lead the horse to the water. Simply make sure you provide everyone with your recommendations and reasoning in a nice report so they won't feel like you didn't earn your pay.
I'd look at this as a good opportunity. Business management consulting is MUCH more lucrative than low-level tech consulting. If you can actually help these people you can get into a whole area of business that can be quite lucrative and rewarding.
Yeah, VT is weird. For instance you can STILL get a driver's license here that is nothing but a flimsy plastic card with no picture and the info printed on it with no lamination. You can alter it with a pencil. OTOH some depts have bizarre and complicated paperwork requirements that defy all common sense. You also cannot buy those prepaid cash cards in VT, although if you buy a 'Greendot' card or something out of state it WILL work, you just can't add money to them...
Indeed, deserves a +1 (for either obvious or funny, but you know, really obvious things can be pretty funny ;)
lol, yeah, done all kinds of crazy stuff. FFT on a processor so slow that to get 100ms sample rates you had to do it in less than 12 clock cycles.
Yeah, I know what you mean. A lot of newer technology is just less good. Verizon 'improved' my phone service so now they 'back up' my contact list. Its great, every month or so they restore some old worthless crap over the top of my contact list on my phone. Ain't progress great? Now I carry around an actual physical address book.
Yeah, I wouldn't be surprised. People nowadays would be surprised at what you can do with low clock speeds, a simple instruction set, and TTL logic. For basic control functions there's no need for anything too fancy and every extra transister is just another thing that can go wrong. Most avionics systems are still using 1970's era 16 bit processors. They've gotten a lot cheaper, but mostly there's just no need for anything fancier when the job is "monitor these 8 DACs and these 5 discrete inputs in a tight loop, apply this filter, write the results to this UART, and close this valve if the state machine reaches this point", lol.
Hahaha! Yeah, my father designed the original flight information display systems which went into all the big airports in the late 60's/early 70's. I'd go into work with him on Saturday and play around on a TTY with BASIC for the PDP-11/C they had in the office there. In the early 90's we were installing micro PDP-11s at VY to do monitoring of discharge temperatures, that was their state-of-the-art machine at that time! Honestly though, how much CPU do you need to read a DAC and push the data up a current loop? A whole PDP-11/45 must cost $.02 and be the size of a grain of rice today. Why invoke the massive overkill of migrating to a PC?
Yeah, the article just blathers on about how wonderful the hexagonal arrangement and spiral layout are, etc. Maybe there's some significance, but if the OP wants us to know about it he should write up a better description, lol.
I've seen various 'periodic tables' over the years (I have a chem degree), but this one just doesn't do anything for me. What exactly are the extra relationships being depicted here? In what sense is He for instance intermediate in properties between H and Li (which are vastly more similar to each other chemically than either one is to He and in the standard periodic table this is apparent). Nor do I see any special close affinity between say C and Al, yet they are adjacent in this table (in a standard periodic table these elements are fairly close but not adjacent).
I don't even understand the choice of positions of elements on this table. It seems in some degree arbitrary. Why a spiral? Why this PARTICULAR spiral arrangement? I really must be missing something here....
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible.
If there was only one program that could display object files, it could be done. But any number of programs can display object files, including plain hex editors. If every single hex editor would have been compromised, we would have noticed by now. And a compiler that can detect "oh, this code is a hex editor, I'd better patch it to make it hide the nasty stuff when it's run" is way beyond what can currently be created, certainly not running fast enough on an ordinary PC to avoid detection.
Well, just being a DA here. You would be able to tell there had been code added to your binary using a hex editor? Now, I AM pretty old school, I entered hex programs using thumbswitches on 70's era DEC hardware, and from magazines into my VIC-20, etc. and I've written plenty of assembly by hand, but IN GENERAL I'd be hard-pressed to see compiler/linker injected binary code in any application of the size that all apps are on modern PCs. Nor have I had the slightest reason or desire to hex edit a binary in going on 20 years now. The truth is, we compile our code and we assume that what the programmer hath wrot the compiler hath faithfully compiled. I don't doubt there are A FEW exceptions to that in kernel code, but my guess is no single living human being has extensively hex-edited a Linux kernel in MANY years, nor major binaries like network servers, PAM libraries, etc.
Again, I don't think you're wrong, I suspect that aside from possibly some very specific targetted code that your average modern OS kernel is exactly what it purports to be (though I wouldn't doubt that some code has been contributed to OSS kernels knowing it has specific exploitable weaknesses).
Besides, it's not the question of whether the NSA can access your files if they consider it their highest priority. The problem is that if there is an easy, low-cost way to access your files, an individual rogue agent might do it and hand your files to your competitor (a favor for a friend or for a little extra cash) without the rest of the NSA even knowing about it, or finding out only after the fact.
Well, of course, the NSA etc can access any damned thing if they think it is worth their while. However if you have 'rogue agents' running around surely they aren't mustering the full 'pull-out-all-the-stops' resources for their own ends. So chances are what such a person can do is in the same ballpark with what some mercenary hacker employed by your competitor can already do. Of course hosting your own GIT repository MIGHT be useful against that sort of problem, and maybe not. Frankly if I was really concerned enough to be taking significant measures, I'd run all my stuff on a secure network and hire people to be onsite because clearly you're willing to spend money on security and that's a better spend of your $. If someone MUST access from off-site then that is after all what VPN's are for, and something like a CISCO box and VPN client/IPSEC is likely your best bet. No more 'NSA Proof' than anything else, but you're trying at least, and your average hired-gun hacker might not get past THAT.
Well, I don't think most of us need to be too worried about 'Tempest' (though actually you can buy the necessary equipment to make a Van Eck device). 'the eric conspiracy' has a point. If you want to restrict yourself to doing things offline, well you won't have to worry too much about NSA online spying... Of course it is a HARD thing to do these days, though still possible. In 20 years my guess is being 'off the grid' will be virtually impossible.
LOL, I'm not saying anyone HAS done anything. The point is, once you assume a certain level of paranoia the number of things to be paranoid about, and the number of them which are utterly beyond your ability to control grows almost without bound. Limit your objectives to those which make sense, and don't worry about the things that are beyond your control.
You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point. This was accomplished via a 'double code injection'. When PCC compiled itself it added a chunk of code that injected a backdoor during the compilation of the login program. Once the first generation of this back door existed the source was removed from PCC, but of course since PCC was self-hosting the ONLY way to compile it was with itself, and since the copy that was used for that HAD logically to be descended from the original binary the injection and the back door were virtually undetectable.
Obviously not every such scheme would work and remain hidden for years, but it is demonstrably possible. It's certainly not too much to think that there are systems that DO contain back doors of some high degree of subtlety. For instance it would be MUCH easier for Windows to contain some, and the NSA etc almost certainly have operatives who work for MS.
Frankly, don't lose sleep over it. Software at some level simply cannot be truly secure.
Man, /. moderation is crap. This is a troll? Really? I think it is time for some serious meta-moderation... Jeeze!
There is utterly nothing you can do to be sure you're not vulnerable to government snooping. The NSA could be subverting the very designs of the CPUs, NICs and etc that make up your computers at the hardware level. Even if they aren't doing that you have NO WAY to know that your OS is secure. You say "well, it's open source, I can review the code, nobody can get a back door into Linux!" This is utterly naive. What compiler was your kernel compiled with? Oh, you compiled it yourself! What compiler was your compiler compiled with? UNLESS YOU CAN LITERALLY TRACE EVERY SINGLE PIECE OF CODE IN YOUR SYSTEM ALL THE WAY BACK TO HAND-BUILT MACHINE CODE (and how would you trust the hex editor you did that with, toggle switches and paper tape anyone?) you really literally don't know what is ACTUALLY running on your system, and what it is ACTUALLY doing.
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible. The real question is whether or not there's any point in becoming paranoid about your GIT repository, or is it just not worth considering once you reach the level of paranoia where the NSA is stealing your code. If they are, then they are doing MUCH WORSE things that render any such considerations irrelevant.
Sleep tight.
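The two comments above (the PCC story and the "what compiled your compiler?" chain) describe the same mechanism: a compiler binary that re-injects its own payload whenever it compiles the compiler's source, so the source stays clean and a naive "rebuild and compare" check passes. The toy model below is an added example, not the poster's code and not a real compiler; "binaries" are plain strings and the only compiler sources are constructed labels. It shows why the self-rebuild check is worthless against this attack and how the classic countermeasure, diverse double-compiling (David A. Wheeler's technique of bootstrapping the suspect compiler's source through an independent, trusted compiler and comparing the second-stage result with the shipped binary), exposes the tampering. The trusted compiler's existence and its distinct output format are assumptions of the model.

```python
# Toy model of Thompson's self-reproducing compiler backdoor and of
# diverse double-compiling (DDC) as a detection check. Nothing here is a
# real compiler: a "binary" is a string whose content stands in for bytes.

CC_SRC = "cc-v1"          # constructed label: the compiler's (clean) source
LOGIN_SRC = "login-v1"    # constructed label: the login program's source

CLEAN_CC = "BIN[cc-v1]"            # compiler built honestly from CC_SRC
TROJAN_CC = "BIN[cc-v1]+TROJAN"    # same compiler with the injected payload
TRUSTED_CC = "TRUSTED"             # assumed independent compiler (DDC)


def run_compiler(cc_binary: str, source: str) -> str:
    """Simulate executing a compiler binary on a source text."""
    if cc_binary == TRUSTED_CC:
        # The independent compiler emits a different (but honest) encoding.
        return f"BINT[{source}]"
    if cc_binary in (CLEAN_CC, f"BINT[{CC_SRC}]"):
        # Any honest build of cc-v1 behaves identically: deterministic output.
        return f"BIN[{source}]"
    if cc_binary == TROJAN_CC:
        out = f"BIN[{source}]"
        if source == LOGIN_SRC:
            out += "+BACKDOOR"      # payload one: plant the login backdoor
        if source == CC_SRC:
            out += "+TROJAN"        # payload two: reproduce itself on rebuild
        return out
    raise ValueError(f"not a runnable compiler binary: {cc_binary!r}")


def login_has_backdoor(cc_binary: str) -> bool:
    """Does a login program built with this compiler carry the backdoor?"""
    return "+BACKDOOR" in run_compiler(cc_binary, LOGIN_SRC)


def self_rebuild_check(shipped_cc: str) -> bool:
    """The naive check: rebuild the compiler from its clean source using the
    shipped compiler and compare. Passes for clean AND trojaned compilers,
    because the trojan re-inserts itself whenever it compiles CC_SRC."""
    rebuilt = run_compiler(shipped_cc, CC_SRC)
    return rebuilt == shipped_cc


def ddc_check(shipped_cc: str, trusted_cc: str) -> bool:
    """Diverse double-compiling: build CC_SRC with an independent compiler
    (stage 1), then build CC_SRC again with that stage-1 result (stage 2).
    Stage 2 is what an honest cc-v1 produces, so any extra bytes in the
    shipped binary show up as a mismatch."""
    stage1 = run_compiler(trusted_cc, CC_SRC)
    stage2 = run_compiler(stage1, CC_SRC)
    return stage2 == shipped_cc


if __name__ == "__main__":
    for name, cc in (("clean", CLEAN_CC), ("trojaned", TROJAN_CC)):
        print(f"{name:9s} self-rebuild passes: {self_rebuild_check(cc)}  "
              f"DDC passes: {ddc_check(cc, TRUSTED_CC)}  "
              f"login backdoored: {login_has_backdoor(cc)}")
```

The model deliberately omits the hard part of real DDC, which is obtaining a compiler that is genuinely independent of the suspect one and making both builds bit-for-bit reproducible; in practice that reproducibility requirement is where most of the engineering effort goes.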
You're trying to spoil our OUTRAGE DUDE! ;)
Cheer up, we'll be gone soon enough. I guess in all fairness nobody NEEDS phone bricking to turn off our service, but it has the nice side-effect of being permanent and expensive to undo.
No, of course not. Eric Holder and Barack Obama, the FISC, Congress, the CIA, the FBI, the NSA, etc are all COMPLETELY TRUSTWORTHY. All they want is to make us all nice and safe. Promise! Nobody would EVER turn off the phones of people they didn't agree with, just as they were organizing a protest? Nah, that could never happen!
Never in the history of the world have men like Holder or Rogers ever proven to be honest. Time and time again when given the chance government has betrayed and abused its citizens and in every case the responsible officials lie and smear people to cover it up. Do you people think that we are stupid? That we haven't read our history, that we have no ability to judge the character of the people we see before us? Of course Snowden had the access that he claims. Of course the NSA etc routinely carries out arbitrarily intrusive surveillance of whomever they please, and for whatever reasons they see fit. Of course they feel no need or desire to be overseen or to answer to anyone, nor to limit their activities to what some other persons, us, might feel is fit. Like anyone put in this kind of position they feel that their own aims, opinions, and desires are paramount and that whatever they do is right and ought to be continued unfettered. Why else would they be there doing what they're doing? It's infinitely easy to justify each little step, and soon when your actions become monstrous and destructive you've long since talked yourself up to doing no wrong and brooking no limits. 'Patriotism' and 'security' will ultimately justify anything.
Let me just tell you men, your pathetic lies are utterly transparent. I don't know if there are 100 or 1000 or 0 more Edward Snowdens out there, but I hope there are many, and I'll certainly help to see that they get the respect and honor that they deserve, and that your little footnote in history is a dirty one.
How would you KNOW it's 'not good enough'? What would even define something as not good enough? This is a statistical study. It demonstrates certain correlation (R) factors between variables. This suggests there is a causal relationship, either direct or indirect. If you are going to say that "because there could be confounding factors that haven't been factored out" the study is automatically worthless then you have just rejected 99.9% of all the scientific research ever done. It makes no sense at all.
Clearly this sort of study is only an observation, suggesting certain hypotheses, possibly falsifying others to some extent. Obviously more research will be needed, but this is pretty close to always true.
I agree :) I do think it's possible for people to IMPROVE however, and it is always humane to provide people with the maximum opportunity to do so. While it may not seem obvious it is good business to adhere to the highest ethics, thus providing a failing manager with the tools and information they need to understand their own situation is good business. At worst your client's upper management will understand, and they will appreciate being provided with objective information instead of a thorny problem. If you say "fire this guy" then they just have an HR headache and often a political problem. If OTOH your recommendation is "improve your business practices in this and this way" you are providing them with a politically palatable and objectively defensible position. The manager in question has an opportunity to become part of a solution, even if it means they are changing positions or employers. While it's still quite likely there will be some unhappiness involved it is much less likely to be directed at YOU as the consultant too. You may even be in a position to provide additional consulting services, which is unlikely if your recommendation is simply to replace the IT manager.
And who knows? Said manager may be that rare individual who can improve or who will be more effective with better processes. This means the situation isn't an all-or-nothing. Things may not reach a completely ideal state, but a 20% improvement with the existing manager is better than a 0% improvement with said manager learning nothing, and realistically that's the likely sort of outcome. Further improvements can always be made, and again in that case you're in a position to be providing services along those lines.
In the final analysis there is less downside and more upside by being objective. If you really need to be blunt you can always take your nice report with its metrics and say to the CEO "hey, I don't know how to put this more diplomatically, you should replace this guy." in private at the end of the process.
Ehhhhhh, I agree with you, the very fact that the department is obviously dysfunctional is prima facie evidence of the IT manager's inadequacy. However, in most cases it's necessary either politically or legally to have some real concrete data. My advice to the OP would be to recommend the initiation of improved methods. These can be drawn directly from CMM/CMMI principles. In other words recommend the capturing of metrics. If there is a help desk function then recommend the use of a ticketing system. For development projects, etc formal project management should be initiated with concrete deliverables, goals, and measures in place. If and when the incompetent manager cannot manage these functions or the data they return demonstrates where improvements are needed and said manager is incapable of making those improvements then upper management will be in a position to change things.
Don't suggest sacking people etc. Simply point out where the dept seems to be deficient, problem areas. Relate them to CMM recommended measurement and management processes which are not in place and recommend THOSE measures. Don't make it personal. In fact you should frame the entire thing as simply a management improvement process which will improve the performance of the company. If the existing manager can carry out those improvements and produce good results GREAT! If not then his ultimate departure/lateral movement will be inevitable. If upper management STILL does nothing? Well, that's OK, you are getting paid and you can only lead the horse to the water. Simply make sure you provide everyone with your recommendations and reasoning in a nice report so they won't feel like you didn't earn your pay.
I'd look at this as a good opportunity. Business management consulting is MUCH more lucrative than low-level tech consulting. If you can actually help these people you can get into a whole area of business that can be quite lucrative and rewarding.
Nice!
Yeah, VT is weird. For instance you can STILL get a driver's license here that is nothing but a flimsy plastic card with no picture and the info printed on it with no lamination. You can alter it with a pencil. OTOH some depts have bizarre and complicated paperwork requirements that defy all common sense. You also cannot buy those prepaid cash cards in VT, although if you buy a 'Greendot' card or something out of state it WILL work, you just can't add money to them...