Who do you think makes the financial regulations and laws? lol.
Nobody is obliged to make business data public excepting where some regulation says otherwise. The regs (primarily Reg NMS, but also some others) in the US require some degree of disclosure of trading activity for some entities. This is mostly needed for pricing purposes though, not to reveal who's doing what, just at what price they're doing it. FINRA also requires most equity trading (stocks) to be reported through OATS, but that is an after-the-fact offline system and the data isn't released (and probably these days in most cases isn't even examined). Its primary purpose is to make it hard for small brokerages to operate profitably, but IN THEORY the purpose is to monitor trading activity for questionable practices and evaluation of regulatory controls.
If the prosecution can get a warrant to obtain information then you're obliged to provide the keys. This is long-established precedent in the US, 'testimony' does not include records, those are just evidence and you have no right to withhold physical evidence. Failure to provide a key will simply result in being jailed for contempt until you change your mind...
TOR obfuscates the source and destination of traffic. Common carriers are required to allow police to have that info. Once they know what they're looking at they can force you to give them your encryption keys. There is no "we will take no for an answer" EVER with the authorities. If you're legit then you've agreed to play ball with them, it doesn't work any other way.
if they don't provide law enforcement with the ability to tap into the traffic and identify its source and destination, and content too modulo user encryption. If you want to REGISTER your TOR network as a common carrier and be subjected to (in the US) CALEA then be my guest!
This whole thing is the UTTERLY predictable response to the whole TOR thing. When you join a conspiracy to hide what everyone is doing then don't be surprised when you're held responsible for the actions of the whole group (network). When are hackers going to learn that you can't route around the law? You might fool it or avoid it for a while, but in the West at least public order will ALWAYS dictate that the authorities WILL be able to drop a hammer on you. That's what power IS.
Eh, I've taught security. I would dispute the "frequently" part of that, but of course pen testing and other forms of evaluation have been going on for years. The interesting part is how you do it. Most organizations could afford to learn a LOT about this subject...
Huh? Are you talking about wireless data caps? Let me tell you that landline data caps in the US are pretty much meaningless. Most of us don't have one, and if you do it is so high it is generally ridiculous. I know there are a few locations where this may not be true, but unless you're in Canada where Rogers apparently runs the CRTC...
As for wireless data caps, meh, how is that going to impact anything? If you want data on your phone you're just darned well going to have to bite the bullet and get it, or else pull it over the wire when you're at home. It might suck, but most people don't have the option to store enough on mobile devices to keep all their stuff on them. Certainly it isn't relevant to a discussion of mechanical hard drives anyway...
Well, I don't know of any study or generally accepted theory in webapp security that jibes with your model. I don't think it is a bad THEORY as a sort of very general idea, but I don't think you can apply a formula. Different applications tend to end up in different verticals, some are bigger targets than others for instance. Just because an application is targeted more than another and has a smaller overall global user base doesn't NECESSARILY make it less secure. It would be something to look at, but I'd want to see and review the code.
As for Java serialization. Hmmmmmm. I'm not aware of where you would serialize Java objects to the front end. You might of course use something like a REST service with JSON objects. You could expose serialization funniness vulnerabilities that way, but that's not specifically Java-related. If you ARE exposing JRMP over HTTP or something like that (interoperating with J2EE clients) then you have a whole other set of security issues that is pretty far outside of webapp stuff. Nor do any of the recent Java plugin issues have anything to do with that.
I don't think Java is any better intrinsically as a secure server-side than other platforms, but the security of your STACK and the security practices built into your actual application are far more important than any currently known issues with Java itself.
1) You seem to know nothing about Java and JVM security. It is immaterial what language you are using on the server-side, Java is no more or less secure than any other.
2) What difference does it make what the market share of a piece of software is? It is either SECURE or NOT SECURE. If it is not secure then it doesn't matter if one person uses it or 3 million, it is still not secure.
When evaluating the security of a web application there are many considerations (I've actually taught web app security courses and done all this stuff). You should certainly look at how many advisories there are on a given product. You should also see when these happened, how they were resolved, etc. It may be better to use an application that has had numerous issues that have been promptly fixed for instance. How easy are updates to roll out? How soon do fixes come out? Can you review the source code to look for good coding practices and engineering? As for SQL, does the product EVER use anything but bind params? If it does construct dynamic SQL that's a red flag, but it MAY be OK if ALL input parameters are carefully cleaned (bonus points if something like Perl's taint mode is in use). Ideally you'd also want to run a full security scan against your test install with a good fuzzer and see what happens. If you can easily shake out bugs yourself then that's a red flag too.
In other words you really can't sort out the security of an application by any simple formula, and certainly you need to use the right considerations. Anyone interested in getting more detailed advice would do well to start with something like OWASP https://www.owasp.org/index.php/Main_Page
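The bind-params-versus-dynamic-SQL distinction the comment above draws, as an added example that is not part of the original post. It uses Python's standard sqlite3 module against a constructed in-memory `users` table; the table, the lookup functions and the allow-list check are illustrative assumptions, not code from any product the thread discusses. The dynamic query shows why string-built SQL is the red flag the commenter names, the bound query shows the same lookup treating the input as a plain value, and the allow-list check is one form of the "carefully cleaned" input that would be needed if dynamic SQL were unavoidable.

```python
import re
import sqlite3

# Constructed sample data, not from the original post.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic(conn, name):
    """The red flag: the caller's input is spliced into the SQL text.

    The database cannot tell where the query ends and the data begins,
    so the WHERE clause means whatever the input makes it mean.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """The same lookup with a bind parameter.

    The SQL text is fixed; the driver hands the value to the engine
    separately, so quotes or keywords in the input stay literal data.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Allow-list for a username field: letters, digits, underscore, 1-32 chars.
# This is an assumed policy for the example; a real one follows the app's rules.
_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_clean_name(value):
    """Allow-list validation, the kind of 'careful cleaning' the post mentions."""
    return isinstance(value, str) and _NAME_RE.fullmatch(value) is not None


def compare_lookups(name):
    """Run both lookups on the same input and report what each returned."""
    conn = make_db()
    try:
        return {
            "input_passes_allowlist": is_clean_name(name),
            "dynamic": lookup_dynamic(conn, name),
            "bound": lookup_bound(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name behaves the same either way; a malformed one does not.
    for probe in ("bob", "x' OR '1'='1"):
        print(repr(probe), "->", compare_lookups(probe))
```

Reviewing a product against this standard means grepping for every place SQL text is assembled with `%`, `+` or f-strings and asking whether the value came through something like `is_clean_name` first; if it did not, that is the red flag. The bound form is the default to look for, since it needs no per-field cleaning to be safe.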
For now, but the trend is clearly in the direction of moving a lot of storage online. The things IMHO that are most likely to move online are the 'fattest' files too, audio and video collections. Even without incredibly faster network speeds smarter caching helps too, but surely we're moving towards gigabit land line speeds.
Ah yes, and if I had 2 cents for every cheap "I won't be around to eat my words" economic prediction I'd be a very rich man. Tell you what, direct me to your peer reviewed proof of this horsepotato theory of yours. Show me why I should eat at the trough of the "Deregulating the banks will fix everything" McRomney tomfoolery in cold hard proven numbers. Not even the CONSERVATIVE economists drink that Kool-Aid my friend.
Sure, but people are less likely to leave it in places where they have to pay rent on the storage...
better than warmed over trickle down bullcrud. ;)
Giant shared disk storage arrays are going to have much higher utilization than individual drives in people's homes, which are probably on average 50% full (and are also probably full of useless crap). Add in the deduplication capabilities that the current generation of storage arrays are equipped with and you could have order of magnitude decreases (since I'd bet that 90% of the bulk of storage is the same movies and MP3s over and over and over again). A million people might have a million Terabytes of hard drives at home. The same group might only need 20% of that if it was shared storage, maybe even 10%.
So, it is not just a straightforward shifting. Of course these drive arrays run harder and wear out faster and probably replace drives more often too, so what exactly would the factor be? Very hard to say. Still, it is likely to impact the trend in bulk storage and unlikely to lead to MORE demand.
I think my point is reasonable though. MS stock price has not performed badly relative to other companies in the same sector. They are definitely looking like a post-growth company, and it may be that Ballmer WILL go, but I don't think the stagnant stock price in this market is enough by itself. If they don't show better performance in a few quarters and WP8/Surface go nowhere then we might see some sort of change. I doubt it would be stockholder driven though. More likely the board. MS is pretty tightly held anyway with Gates owning half the company. He really still calls the shots if he wants to.
Where's the bad performance? Anyone looked at the stock market? The tech sector OVERALL is at -22% since 2003 (9 years ago). MS is BEATING THE INDUSTRY, lol. Sure, APPLE is way up, but if you discount that one stock MS is actually pretty much the best performer around. I mean I'm sure you can find smaller plays that are of course MUCH MUCH better, or Apple, but I hardly think that the shareholders at MS have any big reason to complain currently. They MAY feel uneasy about the strategic direction of the company, but the notion that stock performance is going to get Ballmer tossed is probably not even close to realistic. Truthfully stock holders don't generally think a lot about strategic considerations either, sadly. If they did a LOT of CEOs would be out of jobs...
I think it is just a sign that the market is no longer really competitive. There are too few vendors left in the business (basically what, 3 actual manufacturers are left now at this point).
Frankly I doubt this is going to continue for long. With more and more storage moving online (much more efficient use of drives on average), fewer desktops, movement of desktop and laptop storage to SSDs with falling SSD prices there is just not going to be the demand long-term. In fact the increased prices right now may just represent a need for these businesses to recapitalize and drive R&D. The only justification for hard drives is going to be sheer size (i.e. mb/$, mb/m^3, mb/watt) and that requires a lot of R&D to keep driving those numbers in a positive direction.
Software isn't free, I hate to tell you. I run a company whose product is software. We have spent and continue to spend a LOT of money developing and improving our product, including unique features which required a significant amount of time, effort, and ingeniousness to develop. Our costs are not all up front. There are plenty of support costs and ongoing costs for sales and marketing, etc. The idea that you simply design a piece of software and pop it online and it's all free from there on is the uttermost ludicrous nonsense and shows an absolute lack of understanding of how business actually works.
If I can't rely on some sort of exclusive right to use my ideas to actually make money then I have NO INCENTIVE to develop those ideas. It is LITERALLY true that my business cannot be financed, the people with money who do that WILL NOT DO IT unless I can show them how I will have a secure market position that won't be obviated by copycats 2 weeks after I release my software. You and Mr Stallman of course have some perfectly good points in terms of the ridiculousness of MANY software patents and business method patents etc. OTOH there are PLENTY OF PATENTS which can and should apply to products which happen to be able to be realized in software, and your arbitrary hard line against that is untenable and unsupportable. Sorry.
sure, it is trivially easy for someone to get around my patent by adding some cheap microprocessor to their implementation. This sort of thing is often trivial.
And you can't see how ridiculous that is and how it utterly defeats the purpose of patents?
You make a very good set of points. I've made similar points in other places too. The truth is there's no clean line between 'hardware' and 'software', and ANY process whose primary purpose is to consume and transform information is an embodiment of a fundamental numerical/logical algorithm.
Let's just imagine a simple case WRT Stallman's suggestion. You implement an algorithm in hardware using discrete logic. You patent it. I implement the same algorithm purely in software on a general purpose computer. Is your patent applicable to my software? Why is it that we have to play a silly game of inventing a bunch of discrete logic in order to patent the thing? This is silly.
LOL, yeah, it's probably some old version with known insecure settings configured globally.
Yeah, I remember that. Always thought it was ugly, but it seemed to be pretty readable on CGA.
Gotta agree on the whole tab thing. Logical code indents should be tabs. Thankfully I'm in charge of coding practices (and everything else) at my place, so yay we get to do it :).
You have no idea what idiotic web applications people are running. You should ASSUME that any shared host is compromised. Don't store any unencrypted data there which is at all sensitive. Given the low cost of renting a virtual or physical host machine these days it seems there's little reason to bother with shared hosting (yes, it is cheaper, but honestly the cost of an AWS micro instance is pretty low).
The real problem is bulk shared hosting facilities just can't afford to tinker. There are often 100 or more accounts on a server, sometimes even 1000's. One stupid tweak to fix a security hole can break a LOT of scripts. These places will always prefer to just set up servers and not EVER patch them.
The ultimate observation is just that driving the cost of hosting down to $2.99 a month means doing absolutely nothing beyond what is absolutely needed to make it work. You get what you pay for.
It actually did a real number on us in Vermont. In fact it was the worst flooding since 1932 in many places, and the worst ever in some places.
Of course this whole thing may turn out to be nothing. It won't reach here until Monday and I don't really put a huge amount of stock in weather predictions 3 days in advance. Anyway, we're ready, around here if you're not living in town you are probably always ready.