Slashdot Mirror


User: khasim

khasim's activity in the archive.

Stories
0
Comments
5,818

Comments · 5,818

  1. Re:Talent is rare on CIOs Say New Talent and Old Tech Don't Mix · · Score: 1

    Not resistant to change.

    Just pointing out that the "new" thing has been done before. And before. And before.

    Each time, a new "magic bullet" was promised. And each time it failed.

    The wise learn from the mistakes of others.
    The average learn from their own mistakes.
    The foolish repeat their mistakes.

    And no one likes it when someone else points to their latest failure and says "I told you it would not work".

  2. WTF on CIOs Say New Talent and Old Tech Don't Mix · · Score: 3, Insightful

    For example, many of the CIOs I know have started referring to shadow IT as shadow innovation. Rather than staying awake from worry, CIOs are trying to figure out how they can adapt a cool technology project that someone is leading in marketing or in the retail arm, learn from it, and bring it across the whole organization.

    So the people in Marketing know more about IT than those CIOs do?

    Or is it that those CIOs do not understand computer security any better than the Marketing people do?

    If it escalates into a problem, then CIOs take full responsibility: either they haven't explained how they can collaborate with other teams, or they haven't explained the value that IT can bring to the larger organization.

    So when was the last time a CIO was fired because credit card info was leaked?

    And I'm not just referring to talent shortages (our most recent CIO survey revealed talent gaps in the areas of data, security, and app development).

    Have you tried looking in the Marketing department?

    The issues with talent go beyond hiring as CIOs struggle to build and retain teams that can handle the fast-moving, ever-changing needs of digital transformation.

    What "fast-moving"?

    I recently spoke with the CIO of an Ivy League institution who told me they have a firing problem, not a hiring problem.

    It's funny because, you see, it rhymes.

    Finding the right IT talent that is also able to understand and articulate what the business needs to succeed with technology is very challenging.

    That is the CIO's job.

  3. Re:Yup paving the way on Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later (networkworld.com) · · Score: 2

    Don't forget all the "anti-virus" companies whose products would not detect the rootkit.

    You would think that those companies would be issuing updates to identify and remove the rootkit a day or two after it was discovered.

    You would be wrong.

  4. Re:Just wait.... on $70k Salaries Didn't 'Backfire'; Gravity Payments' Profits Have Doubled (inc.com) · · Score: 1

    Maybe. But he (and his competitors) have elasticity in their salaries. He reduced his salary and increased his employees' salaries.

    While his labour costs may be higher than his competitors', his overall costs can be the same. So he can charge the same as they do.

    Where this MIGHT hurt him is schmoozing with other CxOs to get their business. Wearing the expensive watches and taking them to the expensive golf courses and showing off your expensive houses and expensive cars.

  5. Re:Yes but it could have been *any* reflected Stat on China May Have Hacked International Hague Tribunal Over South China Sea Dispute (thediplomat.com) · · Score: 1

    At some point, you have to apply Occam's Razor and ask: who benefits? And the most obvious, direct, and clear beneficiary of this kind of interference is China. Not the US, not the UK, not some imagined Western Illuminati cabal with China being innocent victims; no: China.

    No. You're limiting it too much.

    "Who benefits" could be some 15 year old kid who just got world-wide attention (and the respect of his friends) for his "hacking". So don't limit the list of suspects.

    It's not just nations.
    It's not just nations and NGO's.
    On the Internet, it is EVERYBODY.

  6. Re:Ummm... Not Gonna RTFA on China May Have Hacked International Hague Tribunal Over South China Sea Dispute (thediplomat.com) · · Score: 4, Informative

    Trust me, you're not missing anything from TFA's. Here's one quote:

    The Philippines (and its U.S. allies) should accordingly start preparing now for a massive digital tantrum by Chinese patriot hackers if the ruling, expected by the end of the year, goes against the Middle Kingdom.

    They blame "China" for the "attack" but then refer to "patriot hackers".

    There's a huge difference between a government operation and some kids doing it.

    And I have not been able to find any reference to the nature of the "malware" installed. I'm betting it wasn't a 0-day exploit.

  7. Re:Just wait.... on $70k Salaries Didn't 'Backfire'; Gravity Payments' Profits Have Doubled (inc.com) · · Score: 3, Interesting

    It probably won't change much, due to inertia.

    As long as his clients see the reward of staying with him as higher than the risk of moving to a different vendor, they will stay.

    And happy employees are one factor in his favour.

  8. Re:You cannot succeed on Despite Takedown, the Dridex Botnet Is Running Again (sans.edu) · · Score: 1

    This should also include their liabilities, which is to provide continued support for sold devices.

    It should, but it does not.

    Look at how Cisco treated LinkSys before they sold it to Belkin.

    We're still a lot safer with the device getting patched for as long as possible.

    No one is arguing otherwise.

    The issue is that the hardware WILL outlast the support. So the situation will not change. Systems that are vulnerable today will still be vulnerable. New systems that auto-update will eventually be unsupported. And those will still be vulnerable to attacks from other (compromised) systems on the internal network.

    There aren't easy answers to this issue.

  9. Re:You cannot succeed on Despite Takedown, the Dridex Botnet Is Running Again (sans.edu) · · Score: 3, Interesting

    The problem will be when the company selling those routers stops supporting them.

    Built correctly, those things should last for years and years. Longer than the companies want to spend money supporting them. They'd rather you purchased the newest model.

    But the security holes don't fix themselves.

    And even if you lock them down so that they cannot be "managed" from the Internet side, they're still vulnerable. It's just that the attack has to come from inside the network. Maybe via an ad banner or Java or whatever on a PC/laptop connecting through that router.

  10. Re:You cannot succeed on Despite Takedown, the Dridex Botnet Is Running Again (sans.edu) · · Score: 2

    A different outlook:
    http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica

    The COMPANIES with the most influence over the security of your systems usually have the LEAST incentive.

  11. Re:About that 911 thing.... on Do Not Call 911! The Life and Death of an Amazon Warehouse Temp (huffingtonpost.com) · · Score: 1

    It's not some sleazy cost saving measure.

    It can be.

    I worked for a company where HQ was in one city and the warehouse was in a different city.

    Through the magic of VoIP, the calls from the warehouse went through HQ. Which is a problem when the 911 people look up the location of the phone number.

    Since the company was NOT going to spend the money to run 911 calls from the warehouse to their local 911 center (or even to have the phone numbers show up correctly), the people in the warehouse were told to call 911 on their cell phones if something should happen.

    Sucks when cell phone reception isn't a priority in the concrete building.

    They just didn't want to pay for the technology to do it correctly AND someone to work with the local 911 people to make sure that a call from the North end of the warehouse resulted in aid showing up at the North doors instead of the South doors.

    FUCK THAT SHIT! Put phones on the pillars holding up the ceiling and include documentation on which door to use. Yeah it will cost more. Yeah it will interrupt operations in an emergency. But it is still the right thing to do.

  12. Re:Purpose of the police on FBI Chief Links Video Scrutiny of Police To Rise In Violent Crime (nytimes.com) · · Score: 2

    They are now using SWAT teams to deal with unlicensed SERVICE operations.

    Running a barber shop without the appropriate license and fees? They will bust down your door, weapons drawn. Don't resist. Don't try to run. They are authorized to use lethal force.

    Remember, they are on the side of the Law.

  13. Re:Let me get this right.... on FBI Chief Links Video Scrutiny of Police To Rise In Violent Crime (nytimes.com) · · Score: 2

    They aren't objecting to being filmed, they're objecting to people trying to get them to make a mistake on camera.

    The problem is that the kind of "mistakes" that are being filmed are "mistakes" of shooting unarmed people or beating people who have been handcuffed.

    So now the FBI director says that because cops are afraid that someone will film those "mistakes" that the cops will refuse to do the job that the public pays them to do.

    And that's okay with him.

    How in the fuck would that even be logical in any other job? I can't kick customers so don't expect me to fix a network problem?

  14. Re:Password1 on An Algorithm For Better Password Checking (technologyreview.com) · · Score: 1

    I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

    Of course the forbid process would take 1 second in order to block brute force attempts.

    And you can pre-seed the database of hashes by using various dictionary lists and other sites' cracked password lists.

    Over time you'll end up with unique passwords for all users that are not in any of the dictionaries.

    Also, demand "pass phrases" instead of "passwords". 15 characters or more.

    And use as much of the keyboard as possible. If your password system can accept ALT+15 then so much the better.
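    The denylist scheme described in this comment, as an added example that is not part of the original post or of any real password-checking product: a set of password hashes pre-seeded from dictionary and cracked-list entries, a minimum length of 15 characters, a fixed delay per check, and every accepted password added to the set so it can never be used again by anyone. The word lists, the hash choice (SHA-256 of the UTF-8 bytes) and the function and class names are assumptions made for the example.

```python
import hashlib
import time

# Constructed sample "dictionary" and "cracked list" entries used to pre-seed the
# denylist. These are assumptions for the example, not data from the original page.
DICTIONARY_WORDS = ["password", "Password1", "letmein", "correcthorsebatterystaple"]
CRACKED_LIST = ["Summer2015!", "welcome123", "qwertyuiop"]

MIN_LENGTH = 15  # the comment asks for pass phrases of 15 characters or more

REASON_TOO_SHORT = "too short: need at least %d characters" % MIN_LENGTH
REASON_DENYLISTED = "matches a dictionary, cracked-list, current or previous password"


def password_hash(password):
    """Hash a candidate password for denylist comparison.

    SHA-256 of the UTF-8 bytes, deliberately unsalted: the denylist only works
    if the same password always maps to the same entry, so that it can be
    matched against the dictionary and cracked-list entries seeded into it.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordDenylist:
    """Denylist of password hashes, following the scheme in the comment.

    Pre-seeded from word lists; every password a user actually sets is added
    as well, so no two users ever share a password and no user can reuse a
    previous one.
    """

    def __init__(self, seed_words, check_delay=1.0):
        self.hashes = {password_hash(w) for w in seed_words}
        # Fixed cost per check (the comment suggests one second). Applied to
        # accepted and rejected candidates alike so timing does not reveal
        # which outcome occurred.
        self.check_delay = check_delay

    def check(self, candidate):
        """Return (accepted, reason). Accepted candidates are recorded."""
        time.sleep(self.check_delay)
        if len(candidate) < MIN_LENGTH:
            return False, REASON_TOO_SHORT
        digest = password_hash(candidate)
        if digest in self.hashes:
            return False, REASON_DENYLISTED
        # Accepted: remember it so nobody (including this user) can set it again.
        self.hashes.add(digest)
        return True, "ok"


if __name__ == "__main__":
    denylist = PasswordDenylist(DICTIONARY_WORDS + CRACKED_LIST, check_delay=0)
    for candidate in ["Password1", "correcthorsebatterystaple",
                      "the rain in spain falls mainly", "the rain in spain falls mainly"]:
        print(repr(candidate), denylist.check(candidate))
```

One caveat for anyone deploying something like this: the set of unsalted hashes is itself a cracking target, because it contains the hash of every live password on the system. In practice the comparison value should be keyed (for example an HMAC under a secret kept away from the user database) rather than a bare hash, which keeps the match property while making the stored set useless to anyone who copies it.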

  15. Big difference. on Is Too Much Choice Stressing Us Out? (theguardian.com) · · Score: 5, Insightful

    There is a HUGE difference between "30 types of jam" and "over 150 different pension plans".

    At the most basic level, you will know that you picked the "wrong" jam in the near future and still be able to get a different one.

    With a pension plan you won't really know until it is too late and you won't have any option.

    Which is why most of us do NOT have a problem picking up a loaf of bread and a jar of jam.

  16. Re:Documentation on Bad Programming Habits We Secretly Love (infoworld.com) · · Score: 0

    Agreed. It's okay to "break" his other "rules" AS LONG AS YOU CORRECTLY DOCUMENT WHAT AND WHY.

    Fucking up the documentation just to show that you're smarter than your boss is childish.

  17. Re:Personal email accounts on Feds Looking Into Reports CIA Director's Email Was Hacked (nbcnews.com) · · Score: 2, Interesting

    The problem is that the ONLY people who can use email this way would have to be 100% certain that no one sending them anything will ever betray them.

    And that gets even more ludicrous when you're talking about a PUBLIC email service.

    Do you think that China and Russia and everyone else does NOT have people working at GMail and Yahoo! and Verizon and so forth?

    If they don't have direct access to the public email servers then I'm sure they have access to the ISP's feeding those email servers.

    ENCRYPTION! Use it. Love it. Because they really are out to get you.

  18. Re:Is there a list of IP ranges for this anywhere? on Despite Promises, China Still Targeting US Firms (crowdstrike.com) · · Score: 1

    Do you really think they block blogs etc but let all potential hacking attempts right on through?

    Yes. Because to block everything else would be unmanageable.

    Blocking certain sites is feasible AND won't ruin their attempts at international commerce.

    Blocking ALL sites (except for approved sites) is feasible BUT it would ruin their attempts at international commerce. And require an army of sysadmins. And fail anyway.

    If they do let all attempts through then they are approving it. That would make it at least state acknowledged if not state sponsored.

    No. Because blocking "A" but not blocking "B" does not mean that you approve of "B".

    That's one of the oldest fallacies in existence.

    They can disapprove of "B" but still need "B" in order to achieve "C" (something they want). They just like "C" more than they hate "B". And they can hate "A" enough to block it.

  19. Re:Is there a list of IP ranges for this anywhere? on Despite Promises, China Still Targeting US Firms (crowdstrike.com) · · Score: 2

    Check your logs. Were you "attacked" by any IPs in the USofA? Or Europe?

    Just because an "attack" is coming from an ISP owned by someone does not mean that that someone is connected to the attack.

    Any minimally competent attacker would have bounced the attack through at least 2 other cracked systems outside of his/her home or government or whatever.

    Or, to clarify that, a competent Chinese attacker would connect to a machine in France that would connect to a machine in California that would run the script that would attack your system. At a minimum.

    This is because, unlike Hollywood movies, most attacks are scripted. There isn't a "hacker" sitting at a keyboard thinking about what to type in real time.

  20. Re:Is there a list of IP ranges for this anywhere? on Despite Promises, China Still Targeting US Firms (crowdstrike.com) · · Score: 4, Insightful

    Quick advice: move the port to some random (RANDOM!!!) port above 1024.

    It won't help your security but it will stop your log from filling up with notifications.

    I see "attacks" from addresses in almost every nation. It isn't that I'm under constant attack. It isn't that I'm particularly valuable.

    It's that it is easily scripted.
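    The "check your logs" advice in this comment and the previous one, as an added example that is not part of the original posts: parse sshd failed-login lines from an auth.log, count them per source address, and flag the sources that look like scripted scanners (many failures in a short window). The log lines are constructed for the example in OpenSSH's usual syslog format, and the function names and thresholds are assumptions. As the earlier comment points out, a source address in this output tells you which machine sent the traffic, not who is behind it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to auth.log (not real traffic).
SAMPLE_AUTH_LOG = """\
Oct 21 03:14:07 host sshd[2101]: Failed password for root from 203.0.113.7 port 51422 ssh2
Oct 21 03:14:09 host sshd[2101]: Failed password for root from 203.0.113.7 port 51423 ssh2
Oct 21 03:14:11 host sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Oct 21 03:15:02 host sshd[2110]: Failed password for invalid user oracle from 192.0.2.88 port 33201 ssh2
Oct 21 03:15:05 host sshd[2110]: Failed password for invalid user oracle from 192.0.2.88 port 33202 ssh2
Oct 21 03:15:06 host sshd[2110]: Failed password for invalid user oracle from 192.0.2.88 port 33203 ssh2
Oct 21 03:16:40 host sshd[2122]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
Oct 21 03:17:01 host sshd[2130]: Invalid user test from 198.51.100.23 port 40111
"""

# Matches only "Failed password" lines; "Accepted" and bare "Invalid user" lines are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, username, source_ip) for each failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; differences within one log are still valid.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def count_by_ip(events):
    """Failed attempts per source address."""
    return Counter(ip for _ts, _user, ip in events)


def noisy_sources(events, threshold=5):
    """Source addresses with at least `threshold` failures, busiest first."""
    counts = count_by_ip(events)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


def burst_sources(events, window_seconds=60, min_count=3):
    """Source addresses with `min_count` failures inside any `window_seconds` span.

    A human mistyping a password does not produce three failures in four
    seconds; a script does. This is the usual fail2ban-style heuristic.
    """
    times_by_ip = defaultdict(list)
    for ts, _user, ip in events:
        times_by_ip[ip].append(ts)
    flagged = []
    for ip, times in times_by_ip.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            span = (times[i + min_count - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failed attempts per source:", dict(count_by_ip(evs)))
    print("noisy (>=2):", noisy_sources(evs, threshold=2))
    print("bursting (3 in 60s):", burst_sources(evs))
```

Run against a real auth.log the output is dominated by exactly the kind of scripted noise the comment describes, which is why moving the port reduces log volume without changing the exposure: the scanners simply stop finding the service, while a targeted attacker scans for it.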

  21. Re:How big a percentage would be negatively affect on Software Update Adds Autonomous Driving To Tesla's Bag of Tricks (nytimes.com) · · Score: 1

    Not only that, but:

    It is unlikely that 'self-driving cars' will reach a point where they can handle 100% of all driving circumstances without human intervention, emergency circumstances being the first and foremost example of what an automated system could not adequately handle unaided; what will we do then, when injuries that could have been avoided or when lives are lost because people aren't competent to operate a vehicle any longer?

    That is a SINGLE sentence.

    How about if the autonomous car just stopped itself as quickly as possible in the case of an incident that it cannot handle? Then a human could take over.

    From Wikipedia:

    On average in 2012, 92 people were killed on the roadways of the U.S. each day, in 30,800 fatal crashes during the year.

    FATAL crashes.

    Not just regular crashes. Or crashes with some injuries.

    Even if we can only reduce that by 50% it would be worth it. Who cares if people don't learn how to operate a vehicle? As the parent poster noted, they seem to be having problems doing so SAFELY right now.

  22. Re:Why should? on Why Self-Driving Cars Should Never Be Fully Autonomous (roboticstrends.com) · · Score: 2

    If you're in the middle of any kind of traffic, you're suddenly an obstacle that everyone else has to react to.

    Why aren't those other vehicles reacting to whatever caused the car to stop and turn over control?

  23. Re:Of course... on Clinton Home Servers Had Ports Open (ap.org) · · Score: 1

    ... disregard for the rules that apply to 'little people' ...

    That is the issue for me.

    She is supposed to be so smart yet she did not think that the Secretary of State would be handling confidential / secret / top secret information via email?

    Yes, it is a political attack by the Republicans. But that does not change the fact that her actions were stupid UNLESS they were to hide something.

    Between Trump and Clinton, I'd have to vote Clinton. But I'm still campaigning for Sanders or Lessig.

  24. Re:Why should? on Why Self-Driving Cars Should Never Be Fully Autonomous (roboticstrends.com) · · Score: 3, Informative

    I don't think you (and many other people) have really thought this one through.

    You're making the same mistake that TFA makes.

    No one is saying that a car IN MOTION should cease autonomous operation.

    What I said was that the car should STOP and then turn over control to a human when it encounters a problem it cannot handle.

  25. Re:Why should? on Why Self-Driving Cars Should Never Be Fully Autonomous (roboticstrends.com) · · Score: 3, Interesting

    Because death by airplane crash is more exotic than death by car crash.

    More like it is so rare AND so many people die that the news organizations play it over and over and Over and OVER and OVER!!!

    Now imagine if those news organizations gave that same coverage to every single car crash (with a fatality).

    The news would be nothing but car crashes.

    And people would start to be terrified of driving anywhere.

    Also TFA is incredibly stupid. His examples are meaningless in this context. An autonomous car SHOULD be able to stop itself and turn control over to a human when it encounters something it cannot handle.

    And, over time, those cars WILL become more popular because the people who use them will pay lower insurance rates. That is because any accident they are in SHOULD be the fault of another driver OR the programming.

    Look at the airports around Thanksgiving. They will be packed with people. Because people see the value in flying. Even when they give up control to someone else and it could result in an "exotic" death. The same with autonomous cars.