And finally, what does the fact that other RBL's have behaved worse have to do with anything? "Yeah, Bob punched someone in the face, but Bill over here beat people with lead pipes! Why should we worry about Bob?"
No. That's wrong. Because SpamHaus does not block anything.
The more correct analogy would be if you ask SpamHaus what their opinion is of Bob and they say "I don't like Bob".
Then when you don't do business with Bob, Bob gets mad and sues SpamHaus for damages.
And you ask someone else and they say that they don't like Bob OR his family.
Yes, that is what this is about. People asking other people what their opinion is of the people trying to send them email.
The fact that a digital scale may not realize that a .5 lb weight is on it doesn't make it unable to accurately tell you the weight of a 150 lb human.
So you're saying that it is accurate... for lies of a certain "weight" or larger.
LMAO
And your analogy is incorrect because the real polygraph can be fooled by you not caring about the lie. Even if the person interrogating you thinks it is an important issue.
So it's more like a digital scale that will tell you your weight... well, not your actual weight... more like if you're fat... as long as you believe that you're fat... and that you believe that you're fat enough for the scale to be able to tell that you're fat.
If you purposefully say something you believe to be untrue, there are generally certain biological responses made throughout your body and that is what the polygraph picks up.
#1. How accurate is the polygraph at measuring that? The answer is - not very accurate. As has been noted before, if you don't care about a subject, the polygraph will NOT be able to show you lying about it.
#2. Are there other situations which would yield the same results? The answer is - yes. Having a stress reaction to a question (even if you're telling the truth) will produce the same results as lying.
The general practitioner will recommend a specialist who will evaluate the situation and determine whether it falls within his area of expertise.
If not, he will recommend the patient to a different specialist.
That's the difference between having a hammer and being a carpenter. It might take you 5 minutes to buy a hammer... and years of using that hammer to become a carpenter.
Just look around at the "discussions" on slashdot. You'll find people who have that 95% accuracy arguing with people who have spent YEARS working in a specific field.
It isn't about what facts you can find. That's nothing more than trivia. And that depends upon the facts being correct in the first place.
To phrase it another way, the first 95% gained in the first 5 minutes is worth less than the next 4.9% gained in the next 55 minutes.
When you go in for major surgery, do you choose the doctor who hasn't specialized in that and spent 5 minutes reading about it? Or do you go with the one who's done 1,000 of those operations with a 99.9% success rate?
Keep your resume up-to-date and USE it. Shop yourself around at least every year to see what you're really worth and what job skills you should be working on.
The good thing about situations like that is that they look GREAT on your resume. Just work on the narrative and explain how you took on more responsibilities as the needs of your employer changed.
Everyday people are generating information that when cleverly pieced together can unravel every minute of their life. However, the caveat is that there is such a huge amount of information.
-and-
I heard on NPR yesterday about how people's health insurance is being stolen. And do you know why such a fraud occurs? Because, no one conclusively establishes the patient's identity.
Now imagine a criminal organization that is interested in collecting that information and sorting it into personal profiles. Start with a database of social security numbers.
Now add enough detail to be able to get loans or credentials in the names of those people (with the aforementioned social security numbers).
It wouldn't take much processing power or storage.
If degrees aren't covering what needs to be taught, what ARE the main objectives that would produce the best functioning graduates?
You'll see it all over. People with "20 years" of "experience" who really have 1 year of experience 20 times over.
Next up would be the ability (and desire) to dig to FIND problems. Not just "it compiles" or "it doesn't crash".
After that would be the ability to think in pluralities. Anyone can handle a single system with a single purpose used by a single user. Can you scale to multiple servers? Multiple users? With multiple services?
And finally, maintenance. Design your design... to make maintenance easy. Implement your design... to make maintenance easy. Design and implementation are fun. Maintenance is a bitch. Now people are using it and it is "business critical" and you only have a maintenance window of 1 hour at 11pm on Sunday.
Even if you are NOT perfect at all of the above... at least be aware of them and WORKING to improve your abilities in them.
Exactly... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.
AND if you're not using noscript (or equivalent) or you allow that site to run whatever javascript it wants. And so forth.
Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.
Not exactly. From his page on this "exploit"...
You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.
It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.
So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.
Turn the idea into a product, turn the product into money.
Sell a service providing the customer with the FINAL (or as close to the final) product as possible.
Use your zero-day exploit to build a zombie army and sell spam services. Or collected credit card info. Or bank account info. Or access to corporate networks.
The do-it-yourself customer isn't going to spend a lot of money for something that he might not be able to verify.
I'm convinced that the software companies intentionally fuck up the interfaces like that. That way they are not responsible if the user installs something bad.
And, exactly like you posted, the user will NOT read the pop-ups after the first few. All they will see is a "click 'yes' to continue" the same as they see on the EULA's and every other pop-up. The same as "do you want to run this".
A basic white list would be better for the users than the current situation. And pop-up a DIFFERENT box when the user is trying to install anything not on that white list.
Who makes the white lists? Why not the anti-virus companies? Yeah, I know about McAfee. At least this way they'd be more effective. If you want to install Civ9 and the anti-virus app checks the hashes and sees that it is legit, then no scary warnings.
It should be easier to keep a list of software from major vendors than to try to track every possible variation of every piece of "malware" out there.
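As an added example (not code from the thread or from any anti-virus vendor), a sketch of the hash allowlist described in the comment above: verify an installer against a list of vendor release hashes, stay quiet on a match, and show a deliberately different prompt for anything unlisted. The vendor names, installer bytes and feed format are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for real vendor downloads; their digests seed the allowlist
# so the example is self-consistent. Vendor names are hypothetical.
KNOWN_GOOD = {
    "Firaxis": [b"civ-installer-build-1234"],
    "ExampleVendor": [b"examplevendor-setup-v2.0"],
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The feed as an anti-virus company might publish it: one "sha256  vendor" per line.
FEED = "# sha256  vendor\n" + "\n".join(
    f"{sha256_hex(blob)}  {vendor}" for vendor, blobs in KNOWN_GOOD.items() for blob in blobs)

def parse_allowlist_feed(text: str) -> dict:
    """Parse the feed into digest -> vendor, rejecting malformed lines loudly."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0])):
            raise ValueError(f"feed line {lineno}: malformed entry")
        entries[parts[0]] = parts[1]
    return entries

ALLOWLIST = parse_allowlist_feed(FEED)

@dataclass
class Verdict:
    level: str              # "allow", "unknown" or "mismatch"
    vendor: Optional[str]
    prompt: str             # what the user would actually see

def evaluate_installer(data: bytes, claimed_vendor: Optional[str] = None) -> Verdict:
    """Classify an installer by hash before any install prompt is shown."""
    digest = sha256_hex(data)
    vendor = ALLOWLIST.get(digest)
    if vendor is not None:
        # Matches a published release: ordinary flow, no scary warning.
        return Verdict("allow", vendor, f"{vendor} software verified; installing.")
    if claimed_vendor in KNOWN_GOOD:
        # Claims a vendor whose releases are all listed, yet matches none of them:
        # treat as a tampered or impostor package and say so plainly.
        return Verdict("mismatch", claimed_vendor,
                       f"STOP: this file claims to be from {claimed_vendor} but matches "
                       f"none of their releases (sha256 {digest[:12]}...).")
    # Not listed at all: the *different* box the comment asks for, one that the
    # reflexive 'yes' trained by ordinary pop-ups cannot dismiss.
    return Verdict("unknown", None,
                   f"Unverified software (sha256 {digest[:12]}...). "
                   "Type the word INSTALL to continue.")

if __name__ == "__main__":
    for blob, claim in [(b"civ-installer-build-1234", "Firaxis"),
                        (b"civ-installer-build-9999", "Firaxis"),
                        (b"random-download.exe", None)]:
        print(evaluate_installer(blob, claim).prompt)
```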
Do you actually think that all IT and PC security companies have a giant cartel going, where they all secretly agree to suck? Somehow including all the "independent security researchers", which includes anybody with a computer, a clue, and some free software?
No. And no one is saying that.
Seriously? If there were some magic bullet, the temptation for one cartel member to make a giant pile of cash on it would be overwhelming.
There is no SINGLE solution that is 100% EFFECTIVE for EVERY scenario.
But the current focus on black lists is ineffective. At least white lists would give SOME degree of protection.
Much more troublesome, for security, is the fact that there are no known methods of secure computing that are economically competitive with insecure ones, not to mention the issue of legacy systems.
Fuck legacy. Seriously. I'm tired of everyone trotting out "legacy" as if it were some natural law.
A 100% brand new system today will STILL be vulnerable to the same attacks that were directed at the previous version of that system. That is simply bad design.
You can buy a lot of low end sysadmins re-imaging infected machines for what it would cost to write a fully proven OS and application collection that matches people's expectations.
And why do you need that?
Why not just a series of steps getting from the current disaster to a state closer to "best practices"?
Because there will always be "malware" does NOT mean that the situation cannot be improved. Instead of millions of machines infected, how about we aim for an environment where only 100,000 machines are infected?
The spies buy the cheap eggs (because spies have to keep pretending they don't have lots of money) and put the microfiche inside the egg shell and leave it on the table for the "waiter" to pick up and send back to Hong Kong via carrier pigeon.
Besides continually innovating at hacking computer networks in the U.S. and globally, Chinese interests also hack companies physically by infiltrating them with people who can then be recruited as spies, Winkler said.
Huh? I can see infiltrating them with spies... but infiltrating them with people who you will then try to recruit to be a spy?
I had to delay entering college for two years and work while I was in school to afford the tuition -- but I managed to do it without burying myself under a mountain of student loan debt.
-and-
Of course, this guy hasn't suggested taking that help away, all he's suggested is applying some common sense to way we dole out that help.
So why did you spend 2 years avoiding the money being doled out?
And student loans are designed to be repaid. That's not being "doled out".
I think too many people are confused between "money for education that does NOT have to be repaid" and "money for education that DOES have to be repaid".
If I wrote down everything I did, I'd be more capable then most IT admins these days, the problem is I don't have that fancy piece of paper floating in front of my name.
So don't. Since you already have so much experience, get that documented instead.
If you have a CCIE, you'll get job offers even if you don't have a degree.
The point is that you need SOMETHING other than your claims about your skill levels. And 3rd party, standardized evaluations come in many flavours.
The government should not fund this waste, and if it does, it should be tied to the expectation of results (like the ROTC).
From TFA:
Spending more time in school also means greater overall student debt. The average student debt load in 2008 was $23,200 -- a nearly $5,000 increase over five years. Two-thirds of students graduating from four-year schools owe money on student loans.
Yes, I know there is free money available from the government. But that is limited.
And that invalidates the previous claim about how a polygraph works.
If it measures the responses to telling a lie, then it should be able to work no matter what the lie is.
Therefore, it does NOT accurately measure the responses of telling a lie.
Understand it and plan for it.
A better article would be one that identifies HOW to "know your apps" rather than just telling you that you should.
What tools are available. How to use them. What to look for in the most common circumstances.
IE6 will die ... eventually. When WinXP dies.
But Microsoft pushed for too many IE6-specific extensions for their development products.
Now companies NEED to run IE6 or spend time and money (and pain) re-writing the crappy apps that have evolved over the last 9 years.
To replace IE6, you need to wait for WinXP to die or you need to offer IE6 compatibility in the new browser.
Every time ANY "disaster" hits there will always be people who want to use it as an analogy for something else.
And those people usually have no idea what they're talking about.
But they use the current disaster to grab headlines.
They're doing this as a PR stunt to distract people from the mistakes they're making today.
Copernicus is known in almost every science class today. Who cares what The Church does with whatever-is-left-of-his-body now? 500 years later?
You might want to look at this article.
http://www.ranum.com/security/computer_security/editorials/antivirus/index.html
Why even risk the possibility that one of them will NOT take the offer?
Cut out the middleman and simply send them spies to be hired. Spies who have ALREADY agreed to be spies for you.
And furthermore:
Isn't that a bit ... stupid?
And also provide the patches to businesses based in their country.
Who decides if some Senator's web site (hosted on a .gov address) is more important than a hospital's network? And why?