Slashdot Mirror


User: KiboMaster

KiboMaster's activity in the archive.

Stories: 0
Comments: 87

Comments · 87

  1. Re:Already controlled for on P2P Network Exposes Obama's Safehouse Location · Score: 1

    Look, the law doesn't apply to the lawmakers.

    Oh, it certainly applies, it's just being ignored. I don't blame Congress for that, I blame the idiots that put these people there.

  2. Re:DISA Auditors on Keeping Up With DoD Security Requirements In Linux? · Score: 1

    Any idiot can run an SRR. You actually have to know what you're doing to be able to look at the results and say "Yes, that really is a finding... or No, that's a false positive." Our clients are starting to come around to the concept that it pays to have someone do the analysis. If you don't, you'll end up having to go through the analysis phase yourself and then have to go back and fight your auditor.

  3. Already controlled for on P2P Network Exposes Obama's Safehouse Location · Score: 2, Informative

    Someone should introduce Congress to the FISMA Act of 2002, which mandates that federal agencies control for this kind of stuff. As part of my work at the DoD I occasionally audit non-military systems. In the past this has included systems for the IRS, DHS and FBI. All of them are required to comply with FISMA regulations, specifically NIST 800-53. The relevant section, Appendix F Section SA-6 page F-222 (or page 293, for those reading the PDF) states:

    The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

    Now, I realize that's highly generic, but it's up to the organizational unit to write some sort of policy around the guidance. If they aren't able to do that, they're not in compliance with FISMA and the GAO should rightly be sticking a rather large boot up their ass.

  4. DISA Auditors on Keeping Up With DoD Security Requirements In Linux? · Score: 3, Informative

    I do IA work for the DoD. I primarily do Certification and Accreditation for the Department of Navy. The DoD 8500.2 controls require your operating systems to be Common Criteria certified. The EAL level is going to depend on your classification. There are several Linux distributions that have gone through the certification process. For specific versions of specific software (Linux kernel, OpenSSL etc.) you're probably referring to the IAVA (IAV-A, IAV-B, IAV-T) notices. These are specific known vulnerabilities that usually come from CVE or some other repository. They change as often as I change my underwear (insert joke about average slashdotter here). It would be impossible to keep a system up to date without significantly breaking functionality.

    The thing I keep seeing is lazy DISA auditors that see the STIGs as black and white. Most of the testers I've run into aren't technical people. They run the automated SRR scripts and ding you for having your kernel version out of spec. If I were to sit them down and ask why a particular control was an open finding they'd tell me "Because the STIG said so" without digging deeper as to why.

    The most recent test I was on, the testing team hit the sys admins for an out of date kernel on a VMware ESX box. VMware uses a highly customized version of RHEL. Installing the most recent kernel would turn the box into a paperweight. The best advice I can give you is to first check with the tester to find out exactly what the vulnerability is and what their recommended fix action is. Depending on your tester you may be wasting your time. I've seen far too many testers leave comments like "Not up to STIG compliance". Check with your vendor to see if they have issued a patch to address that vulnerability. Once you have that information you can place your comments into a POA&M and go back to your DAA and explain why a given open finding isn't really a finding and/or won't be fixed. You can also look into mitigation factors to see if you can reduce the severity. Many controls will state "If you're doing X, Y and Z this finding may be reduced from a CAT I to a CAT II".

    Good luck with your C&A and be glad you're not on the documentation side of things :^)

  5. Characters based on computers on Why Do We Name Servers the Way We Do? · Score: 1

    DeepThought
    Earth
    Hactar
    Eddie
    Marvin

  6. WWII on US Officials Flunk Test On Civic Knowledge · Score: 1

    The abysmal score (69%) from the World War 2 question cracked me up. How could anyone in Congress miss that question? A good portion of them were alive while it was going on.

  7. It's probably been said before on What Should I Do With My Tech Junk? · Score: 1

    but I'm way too lazy to search through 300+ comments :^) That being said... one should be recycling their unneeded "junk" rather than just pitching it. Depending on where you live this may or may not be a hassle to accomplish. The city of Ann Arbor, MI has recycling drop off stations that accept almost everything. They even accept larger items for a small fee.

    G4 Television has their gcycle service. You put in your zip code and it will give you a list of businesses in the area that can take your stuff off your hands. Be warned, the website is entirely in Flash.

    There is always Google. If you do a map search for "recycle <your town>" you'll come up with a pretty good list. Unfortunately, what companies will accept is pretty hit or miss. You'll probably have to call around a bit to find out what they'll take and whether or not there will be fees involved.

  8. Re:No surprises in his speech... on MPAA Boss Makes Case for ISP Content Filtering · Score: 1

    What the fuck is he talking about? Ceasing to be a common carrier is not good news for an ISP.

    The problem here is that ISPs are not common carriers. The FCC deemed them information services, not telecommunications services, which is good as common carriers are subject to all sorts of additional government regulation.

    The DMCA already provides the MPAA with an avenue to stop online piracy. The MPAA wants to have their cake and eat it too. In this case DMCA is a good thing. In fact, it could be argued that the DMCA actually discourages the kind of absurd filtering that Glickman is talking about.

    I think the problem here is two-fold: 1) The MPAA/RIAA are starting to realize that DRM doesn't work and will never work. 2) The DMCA only works after infringement has been identified, not before. This is why they're targeting ISPs; it's just the latest version of the same battle they've been fighting for the better part of a decade.

  9. Pure Economics on MPAA Boss Makes Case for ISP Content Filtering · Score: 1

    I for one would be willing to spend $20-30 per month to have access to a pre-lawsuit Napster or Napster-like service. I remember reading that at its height, Napster had 20 million people using the service. Imagine if the RIAA had embraced Napster way back when. 20 million people spending $30 a month is a huge chunk of change, and it would be almost 100% profit (20M * $30/mo * 12mo = $7.2 billion/year). In addition to the money, you now have a massive database of consumer preferences; you'll know what people are searching for, what people are downloading, what the "hottest" track is at any given moment (marketers would drool over the opportunity to get data like this).

    The main reason P2P apps are so popular is due to the fact that there is no market providing this service (at least nothing like what I describe above). Let's assume for a moment that the **AA are able to convince lawmakers to require ISPs to filter content. How on earth is this enforceable? The possibility of encryption renders the whole filtering concept moot, never mind the government using the "filtering" to further clamp down on our rights. Nothing will change. This will result in nothing more than a perpetual game of whack-a-mole.

    What would happen if consumers set up their own network not connected to the Internet and shared content amongst themselves? Forgive my ignorance on the inner workings of P2P applications, but does BitTorrent need a connection to the Internet at large to function? Setting up something like this in a small apartment complex would be trivial, even if one didn't use wireless.

  10. Fun times were had by all on Last Chance to Enter For Slashdot Anniversary Party Grand Prize · Score: 1

    I attended the Ann Arbor party. I got into a conversation with Hemos about vasectomies. I got a good laugh the next morning when I read Penny Arcade.

  11. Re:Only high-end cars? on Cell Phones Disable Keys for High-End Cars · Score: 2, Informative

    The upshot is that Nissan will re-design the key so it's not affected by cell-phones, new cars will ship with the redesigned key and owners of existing cars will have to pay a small fortune to replace the keys because it's not a safety recall issue.

    I have a Nissan Altima. I received a letter from Nissan informing me of this issue several weeks ago. The letter states:

    "Nissan is developing a modified I-key to prevent this from happening, and will provide you with these new keys, at no cost to you, in early fall 2007."

  12. Re:Used books by Borders on Borders Closes the Books on Amazon · Score: 2, Interesting

    I make another prediction: within 10 years, if Borders is still in business, you will be able to order a used book through them at their B&M store. They will cultivate a stable of online used book dealers to supply them.

    Actually, you can order used books through our B&M stores right now. We have a partnership with Alibris. Customers can order used books from our in-store kiosks, or just speak with a bookseller. The markup on used books isn't as bad as one might assume. We actually end up making a pretty good amount of money.

    (I recall a clerk once telling me that they received directions from corporate about which books were to go in which display windows). But buying books from customers requires lots of on-the-spot decision making, and that is incompatible with their corporate culture.

    As a manager working in one of Borders' stores I actually have a large degree of freedom and I am able to make a lot of the on-the-spot decisions you're referring to. There are, however, many displays that are corporate mandated. This is due to our relationships with publishers. Many publishers pay us (as a corporation) to co-op their merchandise on displays around the store. My store is relatively close to the corporate HQ in Ann Arbor, so I'm sure we get this quite a bit more than the average Borders store.

  13. They want to make them bigger.... on Banner Ads Could Soon Be Bigger · Score: 1

    Yeah they want the whole front of the page to be the ad. Like the problem is we just haven't noticed yet, like they're gonna get their way and all of the sudden websurfers around the world are gonna go yeah HoTTE_mAly_98 I've got this web page here and holy shit these pages have ads on them damn I thought they were all 1337 and stuff.

    "Happiness in intelligent people is the rarest thing I know."

  14. Someone explain this one to me... on (Well Written) Essay Against Copyright · Score: 1

    From the article:
    The Audio Home Recording Act of 1992 (AHRA), meanwhile, may protect Napster users since the AHRA allows audio music swapping for noncommercial use.

    From the back cover of several CDs I own:
    ...
    Unauthorised copying, lending, public performance and broadcasting of this record prohibited.

    Can the record company really stop unauthorised lending? I am not a lawyer, but it would seem to me that it would be against the law for the record company to make such a statement. Although, that's the way things seem to be going now. Albums you purchase are for your ears only; software you purchase is for your computer only; books you purchase are for your eyes only. Where is this going to end?

    Also from the article:
    Here, manufacturers like Yamaha or Philips who market digital audio tape recorders and CD-R burners must pay a statutory royalty as a penalty for making devices that could foreseeably be used to infringe copyright. Such manufacturers must pony up for the potential undermining of the value of copyrighted material. Notwithstanding the incoherence of assigning rights in some imagined value the copyrighted material may have, wealth here is distributed from manufacturer to music industry. Similarly, consumers who purchase blank recording media must pay special excise taxes to the music industry.

    Does any industry have the right to charge consumers for possible losses? This reminds me of a cartoon I saw in the paper a few days ago:
    "Do you remember that loud mouthed lawyer on TV? He's suing me because I changed channels during his commercial."

  15. All I have to say is... on The Ultimate PC Case - Continued · Score: 1

    http://www.designcomp.com they make completely clear acrylic cases. They're a tad on the expensive side, but damn cool.

    Also, check out this gallery of case mods to look at; I've got some very cool ideas from this site. Check out the last one on the main page.

  16. Faith in the consumer on All Digital TVs To Include Copy Restrictions · Score: 1

    I have faith in the consumer to strike this one down. It happened with Divx; it can happen with this. Most consumers don't like being told what they are and are not allowed to do with the products they purchase. Which is why I'm not surprised the MPAA hasn't started a huge advertisement campaign against DeCSS. (i.e. not on-line)

    I think the main fight over this will take place on-line and the general population will not take much notice. Once someone isn't able to do what they want when they want all of this madness will stop.

  17. Hmm that's 2 independent thought alarms in one day on The Kid Who Wouldn't Be King (UPDATED) · Score: 2

    The students are overstimulated; better remove all the colored chalk from the classrooms. While you're at it be sure to purchase new school uniforms, just make sure they can stand up to the rain. We can't have any of our kids having any fun now, can we.

    Seriously though, kudos to Patrick Griffiths for standing up for what he believes in. He may have gotten burned, but he made his point. Personally I would have kept my school record as is. I would have had the referral / suspension notice framed and hung on my wall. I would have copied it and stapled it to my resume and all college applications. Most colleges actually encourage independent thought.

  18. 1/2 done on Help Bush and Gore Answer Slashdot Questions · Score: 1

    1) War on Drugs

    Gore:
    Sure I did some pot when I was young, but that was many years ago. I have learned the errors of my ways and I think I'm a much better person because of it. (and I didn't even have to spend time in prison -- what??? no you weren't supposed to hear that)

    Bush:
    I have never done any drug in my life. Unlike my opponent Gore who actually admitted to smoking marijuana. When I am elected president I will put an end to all drug use forever. I put my trust in the American people to make the right decision.

    2) Minority Religions

    Gore:
    The constitution directly prohibits discrimination of any faith.

    Bush:
    I am not sure what you mean by minority religions. When I am elected I will make it my duty to ensure that all Americans come to know God as I have. I put my trust in the American people to make the right decision.

    3) Why give a tax cut?

    Gore:
    I support any tax cut as long as it can be proven to benefit everyone.

    Bush:
    Under my system the top 1% of the top 25% of the bottom 6% will get a small refund if the square root of the number of letters in their name is less than or equal to the cube root of 5 times the number of children they have. I put my trust in the American people to make the right decision.

    4) electoral reform

    Gore:
    No comment

    Bush:
    I put my trust in the American people to make the right decision.

    Sorry I didn't have time to finish this... I'm off to PHY 183 lecture. I'll post the rest of my humor at a later time

    Kibo

  19. Re:Method of exercising a cat on CNET Says CueCat Restrictions Are Bogus · Score: 1

    I've seen that link 100 times. Every patent story Slashdot posts usually has some AC linking to that article. It's somewhat amusing, but just like the "I want to patent air, respiration, breathing etc." jokes, it's beginning to wear quite thin.

  20. Re:Reverse Engineering and DMC on CNET Says CueCat Restrictions Are Bogus · Score: 1

    I thought the DeCSS case was an example of a judge indicating that we aren't going to get reasonable judgements about DMCA

    Nevermind the fact that the judge was also Time Warner's Lawyer during their whole DVD fiasco.

  21. Blue Screens on Linux Screenshots on Level 9 · Score: 1

    I read somewhere that in most movies they usually create a blue screen on the monitor and insert the "fake OS" over it. Anyone else see the connection here?

  22. Re:I'd rather see IMAX... on The Ultimate Monitor · Score: 1

    I've been to something similar in Seattle. I believe it's called the omni-dome. Very cool... It looks like a standard movie theatre, but instead of facing the screen you sit on seats that are attached to a large cone in the center of the room. The screen is all around you. Each 1/2 of the room sees the same movie which wraps around the screen.

    You're right about those low flying camera shots... it's a strange sensation.

    I've also been to the IMAX Theatre in Spokane, WA. If you've ever seen the movie about the explorers in the Arctic... (or was it Antarctic??) The room becomes extremely cold.

  23. Re:the anti-democratic US on Feedback: Politics and the Internet Dog · Score: 1

    Thanks to the US's DMCA Europe is now considering an equal law.

    AFAIK Jack Valenti (sp??) (Head of the MPAA) said that the DMCA does not go far enough and he wanted to model US copyright laws after those in Europe. Later, when asked about the subject he said Europe's copyright laws do not go far enough.

  24. Some strange logic on Uncensored Media Considered Harmless · Score: 1

    "Columbine spoke to a larger issue, and it's really a matter of culture. It's a culture that somewhere along the line we begun to disrespect life, where a child can walk in and have their heart turn dark as a result of being on the Internet, and walk in and decide to take somebody else's life."

    So what you're saying here is that a bunch of 0's and 1's are responsible for the atrocities that happened at Columbine. That must be some of that new ass backwards logic I've been hearing so much about. This new learning amazes me. Could you explain to me again how sheep's bladders can be employed to prevent earthquakes?

  25. The Number 42 on Enter The 'Stupid Patent Tricks' Contest · Score: 1

    I hereby patent the following:

    The number 42, being the most important number in all of existence, needs to be protected. My patent would keep the knowledge of the aforementioned number out of the hands of those who would use the knowledge contained in it for purposes of scientific discovery. This patent covers everything you'll ever need to know.

    ----

    It's a bit more creative than patenting air/respiration, isn't it.