You know it's funny, but so many people don't take the responsibility to protect their own (highly) personal and confidential information such as social security numbers and credit card numbers. You end up having companies like eBay and Paypal reminding people constantly that they need to do this. But when the government says that it needs to monitor its communication lines to prevent terrorism and gather certain information (information that is no more personal than your credit report), everyone jumps out of his/her skin and screams.
Regardless of what one thinks of the government in general (here in the U.S. or anywhere else), this phenomenon strikes me as oddly inconsistent.
Yes, I would agree that they are spreading themselves too thin. But two of the things you mentioned can only be blamed on Microsoft itself: The EU situation and the lawsuits. Those are not "market forces" like Apple or Google that Microsoft can say, "Well, they are our direct competitors and we have no choice but to deal with them and protect our market share." Getting sued because they are an aggressive and ruthless monopoly is solely their fault.
They had since August 2005 to address this, but the software patch only came out in early February of 2007. Then, they had the gall to change the instructions no less than four times while I was preparing to upgrade (KB930879 was updated three times while I was reading it two Thursdays ago), along with a new version of the upgrade tool that were substantially different from what the instructions said. Even the consulting firm we hired only got it to work this past Sunday night.
Microsoft blew it, folks. This is not to say that OSS does it much better, although Red Hat and FreeBSD (two other OSs we use) nailed the patch months ago. But when you are a $50B company and could only produce the detritus that is the DST patch, there is no excuse for it.
Your point is taken. However, Casablanca ends on an upbeat note for Rick and Ilsa. For SCO, the "service" costs millions of francs, the dealer has singled them out and determined to take every last penny they have, and their "discovery" process has not yielded a winning hand for FOUR YEARS.
From reading the article, it definitely sounds like Mr. Sannier leans heavily towards the "adopt new technologies, even if it sacrifices some security" end of the scale. That's fine if you are running your own shop and can take the heat if it all comes crashing down. But then he went on to disparage the security concerns as a ploy by those older IT managers to scrape some job security. I beg to differ:
(1) Older IT types are more likely to have little if any concern about data and communications security. I used to work under a CIO who thought that the entire company, which spanned five physical locations in two different timezones, was protected by a single switch that said "Security On/Off". He was not in the least concerned about data security, despite the fact that our payroll, production data and even manufacturing equipment controls are networked.
(2) While it is definitely exciting to see Google doing what Microsoft has struggled to do, namely perceiving the new paradigm of implementing software as network services, the practice of outsourcing vital organizational functions (email, collaboration, etc.) has liability and intellectual propery issues that the article did not address. For many organizations, the idea of letting corporate secrets reside on a server not physically present within the four walls can be unnerving, and that is understandable given privacy concerns, for example. Just because an IT director has these concerns does not make him old-schooled or outdated; it means that, as a director, he sees a lot more than just what the technologies can do for him. He needs to see the risks associated with any technology-driven practice, and that is what a director should be doing.
Apparently one of the results of this summit is the dropping of all support for past versions of Fedora Core prior to FC4, as a note on fedoralegacy.org said this past week.
I agree that we can't support all the versions in perpetuity, but I thought it would have been more helpful if they had included some reason other than "sorry, we just can't do it anymore". Did it not fit into the big picture of their support? What about future security fixes? etc. etc. As it was, it was very abrupt.
...cuz otherwise you'd be sweating about those beancounters finding out that you just laundered money (by first looking it up in a dictionary, no less). And those federal POUND-ME-IN-THE-ASS prisons are no white-collar resorts, either.
No, seriously. I have worked as a security consultant for financial firms; I have been an IT admin for brick-and-mortar shops who cared more about production line breakdowns than integrated, SQL-based inventory controls. This decision will be a result of each company taking a long, hard look at risk management, not some company who wants to use background check to make lives miserable for its applicants.
To wit, I was called into a local electric utility company to do a risk assessment after one of its ex-employees threatened to launch attacks from the outside because he was canned.
Just as technological risks are no longer confined to outside the perimeter, risky new hires can cause you endless nightmares. If you value your assets and want to have a basis for trusting your employees, do the right thing. The clean ones will respect you for it; the less-than-clean ones will be denied access. Your call.
Recently I came across a website of a security software programmer who asked visitors of his personal website to run a specific C code in order to obtain his email address. He had used a variation on the ROT-based encryption so it wasn't as trivial as cout"johnsmith@somewhere.com".
This "what if" question was in fact the aim of the group of eco-terrorists in the novel "Rainbow Six" when they devised a virus so lethal that it will kill all human beings in the world. The terrorists, in turn, will seek shelter in a Biodome-type containment area until the virus runs its course, and armed with the antidote they will become the seeds of a new "environmentally friendly" humanity.
My answer to anyone who practices tree-hugging blindly is the same as John Clark's comment to the presidential advisor at the end of the book: If they want to hug a tree, by all means proceed - but do so without destroying humankind or, as is the case here, asking inane "what if" questions.
If you look at the supported hardware list, there are similar comments in there about Adaptec RAID controllers. Theo is definitely not one to be timid, and it shows even in innocuous places. That said, if a little boat-rocking can get Intel to listen to the OOPs, so much the better (contrast Intel's behavior with that of, say, IBM, or even SCO).
In the book "Andromeda Strain", Michael Crichton discussed the various methods that an alien civilization might choose to contact us. Various manifestations of electromagnetic transmission, such as radio or television, are deemed to have too high a distance-to-expense ratio since signals fade in inverse square of the distance: Too little bang for too much buck.
An interesting solution was proposed whereby you would use biological organisms to spread the news of your existence. By spreading vast amounts of cheap, space-hardened spores that contain all the necessary ingredients to regenerate into a complete alien organism, you gain two advantages over EM transmissions: The "signal", in this case the regenerated organism, does not fade, and you can mass-produce these spores very cheaply. These organisms can then help whoever the recipient is to contact the home planet of the alien species.
I think it's safe to say that, barring a significant leap in our understanding of biology and biophysics, we are unfortunately still stuck at an intergalactic stone age when it comes to long-distance communication technologies.
What CA is doing here is complete nonsense. Several problems spring to mind immediately:
1) Identity theft involves a lot more than just the laptop sitting in front of a user. It involves the user's total awareness of unusual requests for personal information and commitment to protect that information. Social engineering, dumpster diving, and (certainly) user stupidity can all compromise the security of the data. CA will find a good chunk of its customers who were just careless about what they wrote down or told whom, and kick itself in the pants. You can't indemnify human failure.
2) If the laptop is compromised by a virus that sends keystrokes to a Romanian website, CA will want forensic proof. It will have to see conclusive evidence that (a) its software worked correctly and was not subject to accidental or deliberate tampering by the user, (b) any personal information obtained in this manner was used intentionally to impersonate the user and cause harm, and of course (c) that the machine in question "failed" as a direct result of the virus (although to what extent "failed" covers is unclear). Just the resources necessary to conduct proper forensics alone is daunting enough, and $5000 for theft and $1500 for virus infection seems a pittance. It's a lose-lose proposition, and CA is trying to make it sound generous.
3) The offer to encrypt or destroy data on any stolen laptop is laughably absurd, and serves no purpose except as a way to TRY and get the last laugh in. "So you took my laptop? Well, I'll just have to think of a REAL GOOD comebacker. Oh, I know. If you are stupid enough to connect it to the Internet, I can erase what you probably already got off the drive by then. Ha, ha." The machine is gone and at the mercy of the thief, and Josephine User is up the creek with no paddles.
4) Most frustratingly, it is misleading for a technology company to offer services that distorts what "identity theft" really involves. You are not educating the user in the process except "If I lose my laptop I get $$$". You are not providing a truly comprehensive plan to combat this problem. All this "offer" does is to try and make money. Again, clever marketing does not make a bad idea into a good one.
Back in the peak of the Bubble, I worked as a systems engineer for a software development shop. Of course, being a software startup during that period meant having $1000 Aeron chairs for everyone and pool tournaments ever so often, to say nothing of free Friday catered lunches. Then, when the money started to run dry and a few airliners crashed into a couple of buildings, the perks went away and so did my job.
What is interesting, however, is the way similar "perks" are perceived as rewards at Google. If you feel that perks are rightfully yours and must not be sacrificed even in the face of company financial difficulties (feeling "entitled"), then it's hard to make your brain justify working hard for your keep (or harder during particularly difficult times). Whereas if you are working on something for which you have genuine motivations AND have rewards to aim for, then the management has two aces in their deck: An employee's internal motivation (which can be invaluable), and external positive reinforcements. These two characteristics contribute directly to the health of the company both in its balance sheets and in its corporate culture, and that is A Good Thing.
Looking back, it wasn't the exuberance of the Bubble that destroyed it, because the way Google works can seem to be quite exuberant to some code monkey at Chrysler. It was the way that management could not decide (a) how to set business goals, and (b) how to manage its employees. When management forgets how to manage and employees forget how to work, you have a problem on your hands (see the sad saga that was Daikatana).
...they release their operating systems as quickly as they do their security patches. Eight days from the first report to a working patch? That's working fast!
China has historically been competing with the West, at various levels throughout history and national inferiority complex notwithstanding. During the 70's and the 80's, one of the most popular slogans was "Surpass England, Pursue America". Its "Four Modernizations" and various manifestations of five-year plans are simply more of the same.
It is interesting that China would do anything to give the impression that it is an advanced, highly evolved civilization, while everyone else notices cracks at the seams. The comment about space-born seeds having higher mineral and vitamin content would have been hilarious had they not been so astonishingly revealing about their collective peasant mentality.
Of course the technology to sequence genes and deduce their protein counterparts has been around for a while. But as we know proteins are three-dimensional structures, with intricate folds and chemically active sites (think enzymes) that will partake in only specific reactions and ONLY in certain ways. They also operate in highly regulated environments. Heat the protein beyond a certain tolerance level, or substitute an innocent-looking peptide somewhere in the chain, and you end up with a malfunctioning protein no longer any good.
It would be interesting to correlate the nature of genetic mutation with potential biochemical ramifications (i.e. how does a point mutation in a particular exon translate into a polypeptide that cannot fold the correct way, thereby impairing certain biochemical pathways).
Is/. really running out of news to cover that we have to resort to this kind of "I am not a specialist nor do I really care to do some basic background reading, but here goes" talking points? I see this kind of pseudo-deep-intellectual topics a lot on sci.crypt, where someone would claim to have found a brand-new algorithm, only to have one or several of the following happen:
1) The algorithm gets shot down in about fifteen minutes by several people who really know their stuff, 2) Someone posts, "Oh, this is exactly the same thing as that zippity-zing-zang algorithm that Chuck Dumbo 'invented' some years back. It's completely bogus." 3) Someone posts a follow-up question, and based on the reply given by the OP you suddenly realize that he has no clue whatsoever about crypto design.
It really is not that hard to research some basic, layer-1 information about networking and deduce some fundamental operating principles (as someone already pointed out, one of which is physical cabling). Cisco has plenty of introductory material that even my wife the musician can understand. Do your homework first, and then come back.
So far today,/. tells us that we shouldn't study that hard if we want to stay sane, and now this. It reminds me of that quote from "The Sea Wolf" where Wolf Larsen said of his brother Death Larsen, "He is too busy living life to think about it. My mistake was in opening the books."
Declaring certain protocols to be "illegal" is silly enough (just like the April Fool's joke of the "evil bit" and the CP80 project that requires labelling all p0rn traffic), but then they propose slapping a flat-fee on it, essentially saying, "We don't want you to do it, but we realize we can't stop you. So we'll at least try and make some money off you."
Slashdot Mirror
...to write and construct an interface between my brain and Madden 2007.
Minus the steroids, of course.
You know it's funny, but so many people don't take the responsibility to protect their own (highly) personal and confidential information such as social security numbers and credit card numbers. You end up having companies like eBay and Paypal reminding people constantly that they need to do this. But when the government says that it needs to monitor its communication lines to prevent terrorism and gather certain information (information that is no more personal than your credit report), everyone jumps out of his/her skin and screams.
Regardless of what one thinks of the government in general (here in the U.S. or anywhere else), this phenomenon strikes me as oddly inconsistent.
Yes, I would agree that they are spreading themselves too thin. But two of the things you mentioned can only be blamed on Microsoft itself: The EU situation and the lawsuits. Those are not "market forces" like Apple or Google that Microsoft can say, "Well, they are our direct competitors and we have no choice but to deal with them and protect our market share." Getting sued because they are an aggressive and ruthless monopoly is solely their fault.
They had since August 2005 to address this, but the software patch only came out in early February of 2007. Then, they had the gall to change the instructions no less than four times while I was preparing to upgrade (KB930879 was updated three times while I was reading it two Thursdays ago), along with a new version of the upgrade tool that were substantially different from what the instructions said. Even the consulting firm we hired only got it to work this past Sunday night.
Microsoft blew it, folks. This is not to say that OSS does it much better, although Red Hat and FreeBSD (two other OSs we use) nailed the patch months ago. But when you are a $50B company and could only produce the detritus that is the DST patch, there is no excuse for it.
And at any rate, someone had to be a REALLY BIG RODENT to have pulled off something like this.
I guess I am already using the next -release, while my wife is only using -unstable.
BA DA BING!
Your point is taken. However, Casablanca ends on an upbeat note for Rick and Ilsa. For SCO, the "service" costs millions of francs, the dealer has singled them out and determined to take every last penny they have, and their "discovery" process has not yielded a winning hand for FOUR YEARS.
From reading the article, it definitely sounds like Mr. Sannier leans heavily towards the "adopt new technologies, even if it sacrifices some security" end of the scale. That's fine if you are running your own shop and can take the heat if it all comes crashing down. But then he went on to disparage the security concerns as a ploy by those older IT managers to scrape some job security. I beg to differ:
(1) Older IT types are more likely to have little if any concern about data and communications security. I used to work under a CIO who thought that the entire company, which spanned five physical locations in two different timezones, was protected by a single switch that said "Security On/Off". He was not in the least concerned about data security, despite the fact that our payroll, production data and even manufacturing equipment controls are networked.
(2) While it is definitely exciting to see Google doing what Microsoft has struggled to do, namely perceiving the new paradigm of implementing software as network services, the practice of outsourcing vital organizational functions (email, collaboration, etc.) has liability and intellectual propery issues that the article did not address. For many organizations, the idea of letting corporate secrets reside on a server not physically present within the four walls can be unnerving, and that is understandable given privacy concerns, for example. Just because an IT director has these concerns does not make him old-schooled or outdated; it means that, as a director, he sees a lot more than just what the technologies can do for him. He needs to see the risks associated with any technology-driven practice, and that is what a director should be doing.
Apparently one of the results of this summit is the dropping of all support for past versions of Fedora Core prior to FC4, as a note on fedoralegacy.org said this past week.
I agree that we can't support all the versions in perpetuity, but I thought it would have been more helpful if they had included some reason other than "sorry, we just can't do it anymore". Did it not fit into the big picture of their support? What about future security fixes? etc. etc. As it was, it was very abrupt.
...cuz otherwise you'd be sweating about those beancounters finding out that you just laundered money (by first looking it up in a dictionary, no less). And those federal POUND-ME-IN-THE-ASS prisons are no white-collar resorts, either.
No, seriously. I have worked as a security consultant for financial firms; I have been an IT admin for brick-and-mortar shops who cared more about production line breakdowns than integrated, SQL-based inventory controls. This decision will be a result of each company taking a long, hard look at risk management, not some company who wants to use background check to make lives miserable for its applicants.
To wit, I was called into a local electric utility company to do a risk assessment after one of its ex-employees threatened to launch attacks from the outside because he was canned.
Just as technological risks are no longer confined to outside the perimeter, risky new hires can cause you endless nightmares. If you value your assets and want to have a basis for trusting your employees, do the right thing. The clean ones will respect you for it; the less-than-clean ones will be denied access. Your call.
Recently I came across a website of a security software programmer who asked visitors of his personal website to run a specific C code in order to obtain his email address. He had used a variation on the ROT-based encryption so it wasn't as trivial as cout"johnsmith@somewhere.com".
Software: "I can feel them."
(shortly before willing the five approaching human sentinels to explode)
This "what if" question was in fact the aim of the group of eco-terrorists in the novel "Rainbow Six" when they devised a virus so lethal that it will kill all human beings in the world. The terrorists, in turn, will seek shelter in a Biodome-type containment area until the virus runs its course, and armed with the antidote they will become the seeds of a new "environmentally friendly" humanity.
My answer to anyone who practices tree-hugging blindly is the same as John Clark's comment to the presidential advisor at the end of the book: If they want to hug a tree, by all means proceed - but do so without destroying humankind or, as is the case here, asking inane "what if" questions.
If you look at the supported hardware list, there are similar comments in there about Adaptec RAID controllers. Theo is definitely not one to be timid, and it shows even in innocuous places. That said, if a little boat-rocking can get Intel to listen to the OOPs, so much the better (contrast Intel's behavior with that of, say, IBM, or even SCO).
In the book "Andromeda Strain", Michael Crichton discussed the various methods that an alien civilization might choose to contact us. Various manifestations of electromagnetic transmission, such as radio or television, are deemed to have too high a distance-to-expense ratio since signals fade in inverse square of the distance: Too little bang for too much buck.
An interesting solution was proposed whereby you would use biological organisms to spread the news of your existence. By spreading vast amounts of cheap, space-hardened spores that contain all the necessary ingredients to regenerate into a complete alien organism, you gain two advantages over EM transmissions: The "signal", in this case the regenerated organism, does not fade, and you can mass-produce these spores very cheaply. These organisms can then help whoever the recipient is to contact the home planet of the alien species.
I think it's safe to say that, barring a significant leap in our understanding of biology and biophysics, we are unfortunately still stuck at an intergalactic stone age when it comes to long-distance communication technologies.
What CA is doing here is complete nonsense. Several problems spring to mind immediately:
1) Identity theft involves a lot more than just the laptop sitting in front of a user. It involves the user's total awareness of unusual requests for personal information and commitment to protect that information. Social engineering, dumpster diving, and (certainly) user stupidity can all compromise the security of the data. CA will find a good chunk of its customers who were just careless about what they wrote down or told whom, and kick itself in the pants. You can't indemnify human failure.
2) If the laptop is compromised by a virus that sends keystrokes to a Romanian website, CA will want forensic proof. It will have to see conclusive evidence that (a) its software worked correctly and was not subject to accidental or deliberate tampering by the user, (b) any personal information obtained in this manner was used intentionally to impersonate the user and cause harm, and of course (c) that the machine in question "failed" as a direct result of the virus (although to what extent "failed" covers is unclear). Just the resources necessary to conduct proper forensics alone is daunting enough, and $5000 for theft and $1500 for virus infection seems a pittance. It's a lose-lose proposition, and CA is trying to make it sound generous.
3) The offer to encrypt or destroy data on any stolen laptop is laughably absurd, and serves no purpose except as a way to TRY and get the last laugh in. "So you took my laptop? Well, I'll just have to think of a REAL GOOD comebacker. Oh, I know. If you are stupid enough to connect it to the Internet, I can erase what you probably already got off the drive by then. Ha, ha." The machine is gone and at the mercy of the thief, and Josephine User is up the creek with no paddles.
4) Most frustratingly, it is misleading for a technology company to offer services that distorts what "identity theft" really involves. You are not educating the user in the process except "If I lose my laptop I get $$$". You are not providing a truly comprehensive plan to combat this problem. All this "offer" does is to try and make money. Again, clever marketing does not make a bad idea into a good one.
Back in the peak of the Bubble, I worked as a systems engineer for a software development shop. Of course, being a software startup during that period meant having $1000 Aeron chairs for everyone and pool tournaments ever so often, to say nothing of free Friday catered lunches. Then, when the money started to run dry and a few airliners crashed into a couple of buildings, the perks went away and so did my job.
What is interesting, however, is the way similar "perks" are perceived as rewards at Google. If you feel that perks are rightfully yours and must not be sacrificed even in the face of company financial difficulties (feeling "entitled"), then it's hard to make your brain justify working hard for your keep (or harder during particularly difficult times). Whereas if you are working on something for which you have genuine motivations AND have rewards to aim for, then the management has two aces in their deck: An employee's internal motivation (which can be invaluable), and external positive reinforcements. These two characteristics contribute directly to the health of the company both in its balance sheets and in its corporate culture, and that is A Good Thing.
Looking back, it wasn't the exuberance of the Bubble that destroyed it, because the way Google works can seem to be quite exuberant to some code monkey at Chrysler. It was the way that management could not decide (a) how to set business goals, and (b) how to manage its employees. When management forgets how to manage and employees forget how to work, you have a problem on your hands (see the sad saga that was Daikatana).
...they release their operating systems as quickly as they do their security patches. Eight days from the first report to a working patch? That's working fast!
...for metamucil.
China has historically been competing with the West, at various levels throughout history and national inferiority complex notwithstanding. During the 70's and the 80's, one of the most popular slogans was "Surpass England, Pursue America". Its "Four Modernizations" and various manifestations of five-year plans are simply more of the same.
It is interesting that China would do anything to give the impression that it is an advanced, highly evolved civilization, while everyone else notices cracks at the seams. The comment about space-born seeds having higher mineral and vitamin content would have been hilarious had they not been so astonishingly revealing about their collective peasant mentality.
Of course the technology to sequence genes and deduce their protein counterparts has been around for a while. But as we know proteins are three-dimensional structures, with intricate folds and chemically active sites (think enzymes) that will partake in only specific reactions and ONLY in certain ways. They also operate in highly regulated environments. Heat the protein beyond a certain tolerance level, or substitute an innocent-looking peptide somewhere in the chain, and you end up with a malfunctioning protein no longer any good.
It would be interesting to correlate the nature of genetic mutation with potential biochemical ramifications (i.e. how does a point mutation in a particular exon translate into a polypeptide that cannot fold the correct way, thereby impairing certain biochemical pathways).
Is /. really running out of news to cover that we have to resort to this kind of "I am not a specialist nor do I really care to do some basic background reading, but here goes" talking points? I see this kind of pseudo-deep-intellectual topics a lot on sci.crypt, where someone would claim to have found a brand-new algorithm, only to have one or several of the following happen:
1) The algorithm gets shot down in about fifteen minutes by several people who really know their stuff,
2) Someone posts, "Oh, this is exactly the same thing as that zippity-zing-zang algorithm that Chuck Dumbo 'invented' some years back. It's completely bogus."
3) Someone posts a follow-up question, and based on the reply given by the OP you suddenly realize that he has no clue whatsoever about crypto design.
It really is not that hard to research some basic, layer-1 information about networking and deduce some fundamental operating principles (as someone already pointed out, one of which is physical cabling). Cisco has plenty of introductory material that even my wife the musician can understand. Do your homework first, and then come back.
Happy Friday.
Declaring certain protocols to be "illegal" is silly enough (just like the April Fool's joke of the "evil bit" and the CP80 project that requires labelling all p0rn traffic), but then they propose slapping a flat-fee on it, essentially saying, "We don't want you to do it, but we realize we can't stop you. So we'll at least try and make some money off you."
Ridiculous.