The IPs I'm leaving in web server logs are also throw-away addresses - read up RFC-4961.
You may be referencing the wrong RFC. That is more about port numbers than different IP addresses. The IP address of your machine should still be showing up in /.'s logs.
Without NAT, you're still hitting the stateful firewall and default deny rule at the edge of my network... Most home routers should default to this sort of behaviour.
Either that breaks most of the functionality of IPv6 or it entails a lot more effort and expertise on the part of the home user.
None of this crap with forwarding port 80 to one box and then... Oh, I need another web server... Hmm. 8080? Other random / arbitrarily selected ports? That sucks! It's broken.
So your hypothetical home user has a single IP address and runs multiple web servers. And you feel that "Most home routers" should default to supporting that?
The difference is, I can open up as many ports as I need with no limitations.
While I can manage as many ports AS I NEED without problems. Even with more than a 1,000 users at a single site.
Which is why IPv6 has been so slow to be implemented. You either lose the benefits in order to get the same level of security you had with IPv4 or you lose that level of security for features that the average person is not demanding today.
My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...
Somewhere between 0 and approximately 18,446,744,073,709,551.
But, as always, the issue isn't hiding and hoping that no one finds you. The issue is how do you protect your systems and networks from people who (in the worst case scenario) already know what your IP address is?
With NAT they are attacking a single firewall.
With having all of your systems directly accessible to the Internet, the crackers can attack any and all of them.
Getting your IP address can be as simple as putting up a web server with some stupid content and having /. link to it.
... are just ornamental and serve no other purpose?
You added the "and serve no other purpose" onto the original statement:
Nothing except the ornamental bits.
Everything you listed DOES serve another purpose.
BUT none of them affect the operation of the weapon. I spent 7 years in the Army and I can shoot a weapon with a carrying handle as effectively as one without a carrying handle.
If you perform enough miracles enough times when THEIR decisions have caused (predictable) problems they will start to believe that THEY are the ones performing miracles.
At which point the problems will pile on.
Be ready to leave before that point. If there are certifications, collect them and keep them current.
Try to interview at least once every quarter. Even if you do not intend to leave your job.
Just realize that you are NOT smarter than the people reporting to you. You just happened to get stuck in that management slot.
Next, learn that just because you've been TALKING since you were 2 does not mean that you are a master at COMMUNICATION. Take classes. Read books. LEARN to communicate.
Now you can give rapid feedback to your people. Instead of the once-a-year-review aim for the every-2-weeks-review. That way you will remember all the reasons why the main project was delayed. Remember your new communication skills.
Finally, decide whether you're going to fuck your people in order to make other managers look good or whether you're going to help your people get the skills to move up and onward.
He's part of the "system". Therefore, his view is that anyone who isn't directly supporting the "system" is opposing it. Which means you're opposing him and the "good" work that he is doing. You are friendly to the "terrorists".
"Terrorists" in this case being defined as anyone Mark Rowley does not agree with.
Personally, I think that there are far more corrupt cops and corrupt politicians and so on who would abuse their authority than there are terrorists who can attack us.
1. It has ALWAYS been about "Reducing Dependence on Human Workers". A person with years of hand-crafting skill is replaced by someone with months of machine-operating skill. And so forth.
2. Machines are NOT as good as she claims at predicting HUMAN behaviour. They're just getting to be better than the average human (who sucks at it).
3.
Now machines at call centers can be used to seamlessly generate spoken responses to customer inquiries, so that a single operator can handle multiple customers all at once.
No. HUMANS can be forced to read off a script but MACHINES suck at anything more complex than "Did you say "yes"".
It all comes down to proper design and the ability to say "NO".
Security cannot be retro-fitted to a badly designed system.
The person who can demand that you support X in Y configuration NO MATTER WHAT is the person who controls your security. No matter what his/her knowledge level is.
Next, understand that you will (eventually) be cracked. Someone somewhere will make some mistake just long enough. MONITOR for that. KNOW what the regular traffic on your network looks like. PLAN for what you are going to do WHEN that happens.
I hereby claim that I have hands, therefore I am able to stab someone. Should I be detained and my property seized because I am ABLE to commit a crime?
Situational.
The government does NOT do jokes about fucking with airplanes.
I guarantee you that if you were walking around an airport with a knife talking about how you COULD stab then you'd be detained. And they'd probably keep your knife.
One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling.
The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.
One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).
A different password but does it still have the same "reset answers" that the other category does?
And you are depending upon the admins of those sites to correctly secure them and keep those sites secure for THEIR ENTIRE EXISTENCE.
And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
Just about all of the damage can be reversed. It's just a matter of how much time and how much money is lost doing so.
This is about preventing the damage before it costs you time and money.
Your Amazon account should NOT have the same password that your eBay account has. No matter how much you trust either of them.
My PayPal and banking accounts have their own passwords,...
And they should have their own email accounts tied to them. If someone cracks your GameYouUsedToPlay.com account that should NOT give them the email address you use at your bank.
Now, for the secret revelation!
Passwords WERE once used for security.
NOW they are mostly (99.9%+) used for MARKETING. That is why almost all the sites out there require a unique login. And those sites are very lax with their MARKETING data (your username/password/answers).
Once you understand that (and what information you are leaking when you give it to them) you can make better decisions on how much RE-USABLE information you want to give them.
Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.
It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.
1. keylogger
2. some reduction attack
3. pass the hash
4. fake authentication request & server
5. etc
By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.
For non-work websites just remember 2 things:
a. DO NOT USE THE SAME PASSWORD
b. If it is financial, don't use the same username/email-address as other sites.
Sure, the problem is probably not Machine X can't connect to Machine Y, and more likely to be VLAN 17 can't initiate a connection to VLAN 56 over port 8080, but maybe you're the only one at your company who needs to make that particular connection at that time.
And you call it in and the network engineer will ask some questions:
a1. Has this ever worked in the past? (they will always answer "yes")
a2. When was the last time you know it was working? (50% "yesterday" 50% "last week")
a3. Has anything changed on the boxes or were they moved? (100% no nothing same as always)
b1. Is this a new install? (95% of the time this will be the problem but they will only admit it 1% of the time)
But if your network has dozens of VLANs, multiple gateways and complex firewall rules, it very well could be a network issue that so far only you have experienced.
And the change control logs should IMMEDIATELY show you where the problem is, in that case.
In my example, if VLAN 17 and VLAN 56 are QA networks, there's a reasonable chance your network team won't give a shit and it'll take them a week to even take a look, so it's probably worthwhile as a sysadmin to make sure that A) Machine X is actually sending the data out the network interface and B) Machine Y isn't receiving the data and just discarding it.
That's the problem. Change control shows no changes on 17 or 56 in the last 6 months.
The alarm systems show no changes.
I can pull up the data on the ports X & Y are using in 30 seconds. No errors showing.
In another 30 seconds I can check all the stats for 17 & 56.
The network is SIMPLE! It really is. Troubleshooting a connection issue takes a few minutes at most.
In your example, the sysadmin will just say "the network is the problem" when the REAL PROBLEM is that the LATEST UPDATE of his app means it now listens on 443 instead of 8080.
And a quick Google search will bring up page after page of references to that just using the app name and the app version number.
"Hypocrisy" has a clear definition. Tim Cook is NOT a hypocrite on that issue. Fiorina is WRONG.
The worst that can be said is that Tim Cook has a "double standard" when it comes to advocating for gay rights in the USofA vs other countries.
Yet he also appears to be effective in advocating for gay rights in the USofA. Where is Fiorina's advocacy?
Fiorina is being a "concern troll" on these issues.
Even worse, she is being a concern troll for topics that she does not personally support. How much Saudi business did she turn down at HP? How much of her money has she spent on advocating for gay rights?
Make sure that everyone knows what they're supposed to do, what's expected, and when it's due. It's really not that hard, except that apparently it's really hard.
The problem is that the day-to-day emergencies get in the way of the 11-month-projects.
But the day-to-day emergencies are soon forgotten and the 11-month-projects are what you are judged on.
Most people here are probably familiar with the "annual performance review" and how much they hate it. So drop it.
Instead, replace it with a LOT of shorter, more frequent reviews. Weekly if possible. Every 4 weeks at the very latest. Lasting between 10 and 15 minutes. Then the annual review for HR is simply a roll-up of 52 weekly reviews.
This helps because EVERYONE knows what the situations are AT ALL TIMES.
There will be problems and the sooner you've identified them and resolved them (or mitigated them) the better.
While the semantics over what was 'authorized' can be debated, that large numbers of agency personnel had access to the data to troll at their leisure without fear of reprisal still hasn't been refuted.
And, apparently, there were no safeguards set in place to detect such activities.
It SHOULD have been easy to have a few internal people randomly checking the legality/applicability of searches.
From TFA:
Those who don't pay too close attention think the NSA is out there gathering up whatever it can without rhyme or reason. But, in fact, [collection] is in response to things called intelligence requirements, which are made through a big, formal process across the executive branch, by which different parts of the policy apparatus articulate needs for information.
If those statements were accurate then Snowden's "betrayal" would be meaningless.
Following an August 4, 2010, federal court ruling that Proposition 8 was unconstitutional, Fiorina expressed disagreement with the ruling, saying that California voters spoke clearly against same-sex unions when a majority approved the proposition in 2008.
And she wants to lead the Executive Branch?
Majority != Constitutional.
And she's got a bit of money. So.... what's she been doing with it AS A PRIVATE INDIVIDUAL to help with any of the "problems" that she's talking about?
So far it looks like a lot of paid speaking engagements. She is paid to be "concerned" but she doesn't fund anything herself.
They're getting cracked because they're not paying attention to their security.
After resetting users passwords, Twitch initially introduced longer password character requirements, but had to dial back its new 20-character password length requirement to 8 characters after users complained.
Fuck you! If you cannot detect and mitigate a brute force attack then hire someone who can.
Twitch also said it encrypted passwords, but warned that hackers might have been able to capture passwords in the clear as users were logging on.
And make sure you know the difference between encrypted and hashed.
Seconded on the different email addresses. And you don't have to own your own domain for that. Just make some random'ish gmail account and use that ONCE for more secure requirements (like your bank).
The trick is to prepare them in advance. And write them down in a PHYSICALLY secure location.
If you're using the same email account for your bank as you use on Facebook then your security could be improved.
Well because the mass amount of data that would be grabbed in the event of an accident would far overshadow a reasonable amount of capture memory during normal driving, which would utilize a lesser set of sensors and maybe lower grade video, which didn't have to factor into the explanation for the accident.
256GB of flash is just over $100 right now. Storage is not a problem. Even AIRCRAFT do not have a problem with storage and they have a LOT more data to store.
Step 2 would include choices such as hit the brakes if it would work. I just used summary steps to make it easy to understand.
Taking power from the engine is NOT the same as braking.
Taking your foot off the gas is NOT the same as stepping on the brake.
Seriously. Try it on a hill. You might end up going FASTER at the bottom of the hill than at the top.
Your plates store information about your car, hence you know from looking the number up, everything to know about the car via reference lookup.
Make/model/year/VIN/owner/owner's address. And maybe whether it passed inspection or not.
How will knowing the VIN tell you anything about hitting it?
Or the owner's address?
Or the owner's name?
Or any of the other information?
And what happens when the site you're trying to use to look up that useless information is slow?
To prove them, I expect large fleets sponsored by the manufacturer or systems integrator will drive many thousands of hours per-car to establish a baseline, similarly to how an MTBF is established for devices, and that rate of collision or other liability-causing event will factor into the insurance companies' rates for those cars.
I think it will be even easier.
The autonomous cars will be packed with sensors that record EVERYTHING.
If there is an accident then the insurance companies will know which car has a 100% complete record of the incident that SHOULD exonerate it. Such as staying below the speed limit. Keeping a recommended distance from the car in front of it. Staying in the center of its lane. And exact information on how hard the brakes were applied and when and how that affected traction prior to the collision.
In theory, the insurance company for the autonomous car should win every time (except in cases of software/hardware failure).
I doubt it. It's too easy NOT to be.
She's wrong on a few points.
Read to the end for a secret revelation.
If there really is a "network problem" then it won't be just your machine that cannot connect to some other machine.
It would be lots of people and/or machines that would not be able to talk to lots of other machines and/or people.
And the network rarely experiences "problems" that only show up after you've applied a patch.
As a network engineer, I can quote almost EXACTLY what the sysadmin will say. Understanding them is easy.
Communicating something they do not want to hear is the issue.
You cannot have it both ways.
And that's not all. From her Wikipedia page:
Let's be a bit more specific about that.
If they're restricting the length to something like 8 or 12 or 16 instead of 128 or 256 then they are PROBABLY not hashing the passwords.
Which means that your password is PROBABLY being stored in plain text (or possibly encrypted). NEITHER of which are acceptable methods today.
Which of those steps covers engaging the braking system?
And how does the license plate "determine what would happen if you hit it"?
Why weren't the cameras and sensors on already if the car was operating autonomously?
That would be "suicide".
And the sensor logs of the car should be able to show that it was suicide.
But more to the point, how would that situation be any different in a faster-reacting-autonomous-car than in a human-controlled-car?
Or are you postulating a world where there are no cars because someone might try to commit suicide by jumping in front of one?
It's even easier than that.
Do YOU want to be the person dragged into court because YOU wrote the program that INTENTIONALLY HIT AND KILLED someone?
No? Then write the code to be 100% neutral. The code will ONLY attempt to stop the vehicle as fast as possible.
If pedestrians are within X meters of the car then the car should slow to Y. If they get closer then the car should stop.
But the code should NEVER have the option "hit object X".