Slashdot Mirror


User: Vexler

Vexler's activity in the archive.

Stories: 0
Comments: 303

Comments · 303

  1. It's a management mantra... on Helping IT Save Money ... and Jobs? · · Score: 4, Insightful

    It's the management's responsibility - not the IT staff's responsibility - to make sure the company comes out in the black on the balance sheet every year. The average IT staffer doesn't see every penny coming in and going out - that job belongs to the CFO and the accounting department.

    Management needs to take stock of how the cash is flowing and make strategic decisions on how best to save for long-term growth. Buying that shiny and new equipment may not make much sense, until you realize that you are throwing away five times as much money in manhours every year by not biting the bullet and upgrading.

    I used to work for a manufacturing facility, and there are a lot of old-timers who think that saving money involves turning off their PCs every night. But they were not looking at how much time they are wasting every day in dealing with old OSs and crash-prone programs. They also did not look at how much time I (the network engineer) had to go over and "fix" their machines by rebooting for them.

    Having your corporate culture mumbling to itself "gotta save money, gotta save money" is a good sign that the senior management, together with middle management, has not done its job in formulating and communicating a coherent game plan to the rest of the company.

  2. Artificial Intelligence in Security... on Artificial Intelligence for Computer Games · · Score: 1

    Just as the gaming industry has traditionally driven research and development of advanced hardware and software, I'd like to see fruits of AI research in this area bring some benefits into computer security.

    As much as we have come a long way in computer security, we still have a long way to go. We are still using signature-based software to detect attacks from viruses and malicious packets alike. Behavior-based products are beginning to look somewhat decent; but the level of sophistication still lags far behind some of the most insidious attacks we've seen collectively.

    In any arms race you have opponents of roughly equivalent strengths pitted against each other. I am beginning to wonder if this security "arms race" will amount to a little more than a one-sided butt-whipping. Yes, I am a natural-born pessimist.

  3. The reason why Carnivore failed... on Why Did The FBI Retire Carnivore? · · Score: 3, Interesting

    Because of tcpdump?

    Seriously, if the FBI had the resources and access to the right people, why couldn't they build Carnivore out of open-source material and not resort to "commercially available" products?

    Put another way: With modern hardware being dirt cheap and OSS getting better and better, what would it take to build a system that comes close to (or even surpasses) what Carnivore had to offer?

  4. Applicable to someone like me... on Joel Gives College Advice For Programmers · · Score: 1

    It's been a long while since I graduated from college. Unfortunately, while it took other people perhaps a semester or two to realize their true calling, it took me four years, plus two years after college, to realize that I didn't want to follow through my undergrad degree in biology and spend the rest of my days smearing botulinum onto chocolate agar. Since then I've held a number of jobs, all in IT (I am currently an information security consultant), but the desire to go back to school has never left me.

    I guess I took a somewhat different path to touch on many of the topics that Joel discussed in the article. I am an excellent writer of English (though I spent my first eleven years overseas in a non-English-speaking country), but it took me a while to understand the dynamics of business, to learn to interact with people well in a business context (and not just being "a nice person"), to bear down and do the grunt, "boring" work, and so on. I also learned to appreciate and understand the world - and people in general - in their myriad gray areas, something not easily learned without experience.

    Ultimately what Joel is writing about is not so much a treatise on "how to survive as a CS graduate", but a pointer to excellence of living. The applications are many, the paths of learning varied, but the lessons are the same: Use your utmost to dream - and achieve - the ultimate. I certainly have been learning my lessons as a biology grad, and this can certainly apply to anyone else.

  5. Filed under "Technology"... on Reinventing the Wheel · · Score: 4, Funny

    Great. Back to the basics. What's next - the inclined plane?

  6. Churchill... on Sun's COO Pretends Linux Belongs To Red Hat · · Score: 2, Insightful

    would have referred to SCO's reason behind its repeated attempts to co-opt Linux as "a riddle, wrapped in a mystery, inside an enigma".

  7. Selling Security to America... on CNET's in-depth Coverage of IT security · · Score: 4, Interesting

    Part of the problem is that the concept of security, paradoxically, works against the very thing that it is designed to protect. Government agencies compete for the same pool of money and resources; not everyone will win the biggest slice of the $86 billion package. There are inter-agency rivalries, "politics-as-usual", and even backstabbing, as each group struggles to even understand what "security" means, and what it means to them in particular.

    So, two things stand out to me:

    1) Inconsistency in the vision of national security as each agency/special interest group has its own idea of security, complicated by divergent political interests and even hostile political rivalries, and further hindered by the administration's own unclear directives of what constitutes national security (you can't lead from bottom-up; there must be a cohesive, unified vision from top-down).

    2) The notion of security, in a strange, Orwellian way, goes against some of the most treasured principles of this country: Freedom of thought, and freedom of the expression of those thoughts. The demands of national security will sometimes rely on classified government contracts, covert operations, and the famous "wall of silence". Yet the human nature in this nation is such that we have TV programs like "Fleecing of America" by NBC that will "expose" the "vast abuses" by the government, at the expense of the average working taxpayers. We all want to know, but our very own livelihood demands sometimes that we NOT know. The wherefores and the how-to's of this controlling of information are very much at the heart of national security. (This is part of the reason why something like 9/11 is not likely to happen in a totalitarian state like North Korea, where the concept of privacy and freedom of the individual is absent.)

  8. Either way you choose... on GDI Vulnerabilities: An Open Letter to Microsoft · · Score: 2, Insightful

    It seems that Microsoft, for all its blustery and arrogant, dismissive attitudes toward end users, manages to find itself in a quandary. If it releases too much vulnerability information, it could very well help exploits be written at a faster clip; if too little, then it risks being irrelevant. The timing is tricky too in this case.

    Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.

  9. Flirting in the 21st Century... on Verisign Develops Token for Age Verification · · Score: 1

    Man: So, what's *YOUR* USB stick color?
    Woman: Drop dead, bozo. Yours doesn't compute.

    (This scenario assumes a heterosexual leaning.)

  10. Re:Dumbing down the populace... on "Levels" of Computers the Future? · · Score: 1

    I am pretty sure, because they do talk about "grits" in another part of the movie.

  11. Dumbing down the populace... on "Levels" of Computers the Future? · · Score: 1

    Besides watering down the information that the average person would have to know about a particular system, it sounds like that scene in "My Cousin Vinny" where Vinny and his fiancee went into a local eatery the morning after they arrived for the murder trial, only to see the menu listing "Breakfast", "Lunch", and "Dinner" as the only available options.

    I wonder if Bill Gates is inbred.

  12. With so many lawyers in this country... on Vehicles of Tomorrow? · · Score: 2, Funny

    Why would you need to have pedestrian recognition systems?

  13. Lip service toward true security... on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 1

    ...also includes implementing ideas like the two-factor authentication for users who re-use their passwords, or write them on stickies, or lose their smartcards once every two weeks, or are simply computer-illiterate, etc.

    What does AOL hope to accomplish through using the smartcard? A better investment in security would be to stem the flood of spams currently coming out of their slice of TLD. This measure is like a new bandaid for the old bandaid that's falling apart, and the wound is fourteen inches long and gushing blood.

  14. It's called the "Delete" key... on Human-Powered Spam Filtering · · Score: 0, Redundant

    ...and you'd be a fool to pay $20 per.

  15. Re:License fee on Randall Davis: IBM Has No SCO Code · · Score: 1

    You actually paid cold hard cash for that? It sucks to be you, I guess.

  16. Re:Are you blind? on Open Source Security: Still A Myth · · Score: 1

    Yes, I claim "temporary blindness"... ;-)

    I stand corrected. Sorry about that.

  17. Re:Americans and their guns... on Home Defense, Geek Style? · · Score: 1

    Your points are granted. The problem is not that Americans all are gun-lovers and are itching to fire anything automatic if they haven't done so for a few days. The issue is that Americans:

    1) do not have compulsory military service for eligible men,
    2) have (believe it or not) more restrictive gun control policies than Switzerland.

    Where I live in Massachusetts, you pretty much can't get a gun unless you are in the police or military force (or if you have license to "carry concealed weapons for protection life and property" - but those are really, really hard to get). If someone gets mugged or raped in broad daylight, nobody is able to just pull out a handgun and subdue the punkface until the police gets here.

  18. Structured vs. Free-Ranging on Open Source Security: Still A Myth · · Score: 4, Insightful

    In a recent /. story, a small group of programmers had a monster time tackling an off-by-one problem in the OpenBSD kernel - one that is touted as one of the most secure OS's in the world. Judging from the way this particular bug was tracked down and analyzed, it's safe to say that this was a set of eyeballs that had some degree of coordination and management to it.

    The problem, as the author points out, is that many eyeballs do not equal "eyeballs in depth" or "coordinated eyeballs". The housefly has thousands of "eyes", yet that doesn't make it necessarily more visually acute (contrast it with, say, the eagle or the falcon).

    I would suggest that, if you are going to code a secure product, that the people and processes that make up the audit team should themselves be audited. The flowchart of security shouldn't start at the product itself; it should start at the people and processes that produce the product. Otherwise, what you would end up with is a lot of people "reaching for the low-hanging fruit" (as the article suggests), making flashy features work, while the obscurer and necessary work gets ignored or done poorly. Security must be managed from top down, not invented along the way by coders.

  19. Deja Vu??? on Instant Messaging Goes Graphical · · Score: 5, Insightful

    A webcam pretty much does the same thing - except you don't have avatars, you ARE the avatar.

  20. Then I wonder... on Mouse May be Replaced by "Nouse" · · Score: 2, Funny

    What would a device called "house" be like? A hand-drive mouse, perhaps?

    Oh, wait...

  21. Role Reversal??? on Turn Your House Plants Into Speakers · · Score: 1

    So now, instead of having to talk to your plant, your plant will talk to you???

    (Maybe you need watering once in a while too.)

  22. The limits of motion to delay on SCO Files for Stay of Execution · · Score: 4, Interesting

    I am not a lawyer, and I am seeing what amounts to little more than:

    IBM: We want summary judgment now.
    SCO: No, you can't. You haven't given us [INSERT NAME OF RANDOM STUFF].
    IBM: But that stuff is irrelevant. Besides, you haven't given us any proof. We want judgment now.
    SCO: No, you can't. You haven't given us [INSERT NAME OF MORE RANDOM STUFF].

    (ad infinitum)

    What can IBM do legally to stop the cycle and for the judge to say, "Enough!"?

  23. UPDATE from conversation with Lexar... on Lexar JumpDrive Password Scheme Cracked · · Score: 5, Informative

    After being put on hold for over twenty minutes, I finally spoke with a man named Henry who said that he has never heard that JumpDrive had a security problem (even after I confronted him with the advisory from @Stake), and did not know that @Stake was trying to contact them for over a month. He was quite shocked but promised to check out /. and @Stake to verify the claim.

    The ostrich finally wakes up.

  24. Tried contacting them... on Lexar JumpDrive Password Scheme Cracked · · Score: 4, Interesting

    I tried both calling them and trying their live chat feature from their website, but so far no response. The company is in California, and I am calling them about 3:30 PM EDT. So far, no responses from either the phone call (I am still on hold) or the live webchat.

    Sounds awfully like a head-in-the-sand approach to security to me.

  25. The only cause for concern... on China: the New Advanced Technology Research Hotbed · · Score: 1

    ...is if China views this tremendous opportunity for cooperation and collaboration as a chance to exercise "techno-nationalism". Recall recent technological initiatives by China, such as the E-DVD format, that have been criticized as efforts to strong-arm the international community to adopt China's own technological standards - standards which even its own manufacturers have trouble meeting and even denounce as unworkable. While other efforts have been more subtle (think "Red Flag Linux"), one can't help but wonder if China's own tremendous potential may be undone by its nationalistic bent. But for the time being, China is indeed in the "zone".