http://xkcd.com/859/
Whoah, hold on a minute.
A News Corp subsidiary that happens to be a tabloid (which as we all know don't count as real journalism)
The subsidiary in question is News International. They run the biggest selling papers in the UK including The Times, which has been one of the most respected newspapers here for centuries.
hired a private investigator to complete his own investigation on the murder of a girl
No, they (presumably a team at the News of The World) hired a man to investigate the disappearance of a girl. This is quite an important distinction: they knew the types of technique liable to be used; it would be quite a different kettle of fish doing this once it had become a murder investigation.
The private investigator, acting as a lone agent, "hacked in" ... to her voicemail and used a message on it to add to his investigation.
They (News International) have already acknowledged they are responsible for a string of similar incidents (targeted at celebrities rather than murder victims).
I think the most reasonable explanation is that they didn't know the details, didn't want to, and didn't care what techniques were employed to get their story. News International should work hard to show they've grown enough respect for journalistic ethics to keep their house in order.
Also the investigator manipulated the messages on the phone (apparently to free space so more could come in). Meditate on how awful a thing to do that is.
Rupert Murdoch didn't personally hold anybody at gunpoint demanding a passcode. News Corp didn't send Nazi Zombies after her family demanding information. But I can already tell from the headline that some people will just go there right off the bat.
No one is seriously suggesting Rupert Murdoch is complicit here or was anywhere close to decisions being taken here. Shit goes uphill though, and you're tarred by association. It is completely correct for people who are revolted by the actions of the News of The World to apportion some blame to the parent, right the way up to the top.
When you send someone out to get you something, and they come back with a bunch of cash and a stain for your reputation - you can take both or neither.
I'm all for charging the PI with obstruction of justice, but unless News Corp explicitly told him what to do, their involvement in this is tangential at best.
This is not an isolated phone hacking incident; to suggest that journalists would get information from PIs using these techniques over and over and over without knowing some shenanigans were going on is absurd to the point of lunacy or extreme naivete.
Certainly the brunt of public ire (and there is substantial outrage and shock) is where it should be with News International and not the parent News Corp, but if you want to make some radical argument like the parent does not have any responsibility for the culture of subsidiaries, or that the News of The World acted in good faith throughout this affair - spouting enough factual errors to prove you have only a tenuous grasp on events is not a good starting point.
Well I'm sure that public projects have boards of individually talented people running them and vested to a degree in their success, and let's not forget that the greatest things we've ever done (sanitation, electricity, the welfare state, insert your own list here, civil engineering mega projects) have been public works.
I dunno, maybe this project is being run by people better suited to another career; it's certainly too complex to sum up in a sentence or two! The point I failed to make was that public projects seem to sit in a special sort of bubble immune to anyone really kicking up a stink about them going wrong. The public peeks in from time to time as if gawking at a train crash where no one they know got hurt, gasps and shakes their head, then promptly forgets about it whilst the whole endeavour churns merrily along sucking up resource and offering no value. I was lamenting how easy it is to write something off as somebody else's problem more than anything.
I, for one, am very happy to spend 10 minutes writing about this on Slashdot - instead of actually trying to participate.
If something's owned by everybody it's owned by nobody, and that's exactly who'll give a fuck about making it work well.
I think it's right to go further and say that in general recording your users' passwords without suitably salting them and passing them through a secure hashing algorithm is, unless you have an extremely robust justification, antithetical to claims of basic IT security competency.
Tidbit: I remember an application once (perhaps a Linux distribution?) that had an embarrassing bug where the installer asked you to enter a password which could end up recorded in a log file. Silly errors always trounce best practice.
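The salted-and-hashed storage the comment above calls for, as an added example that is not the commenter's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt length and the `algorithm$iterations$salt$hash` record layout are this example's own choices, not anything the comment specifies. The stored record is safe to write to a log or database precisely because the password itself is never persisted.

```python
import hashlib
import hmac
import os

# Example parameters (assumptions for this illustration): PBKDF2-HMAC-SHA256
# with a 16-byte random salt. Raise ITERATIONS over time as hardware speeds up.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and return a self-describing record.

    Record layout (this example's own convention): algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters next to the hash lets you verify old records after
    the defaults change, and lets you detect ones that need re-hashing.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per-user salt: same password, different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt/parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True when a stored record uses weaker parameters than the current defaults.

    Call this after a successful verify_password() and re-hash with the user's
    just-validated password, so old accounts are upgraded transparently.
    """
    try:
        algorithm, iterations, _salt_hex, _digest_hex = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "Tr0ub4dor&3"))                   # False
```

Two users choosing the same password get different records because the salt is random, so a leaked table cannot be attacked with one precomputed lookup; the iteration count is what makes guessing each record individually expensive.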
I think that's pretty uncontroversially going to be son/daughter - not many people consider the provenance of the uterus a person develops in as an indicator of your parents.
A little more interesting would be the case if a woman acts as surrogate mother for a child conceived with a gamete from her daughter. It'd make for some fucked up sex ed. classes when the kid explains that their grandmother gave birth to them and their mother is their sister.
He could be quoting from the article.
And in any case the article really doesn't give any insight into the mindset behind a judge's surprise at someone appealing a judgement which - to most people - seems huge.
Storing personal data without appropriate security controls in place is 'evil'. If companies develop an expectation that they *will* be hacked without good security measures then that is a good thing.
In fact they often justify the cost by claiming they save on food
That one's right up there with 'God told me to do it'.
LA Noire is very very different from GTA, Red Dead and their ilk.
Except for the part where it gets boring part way through.
All for security in depth, but personally I think the security benefit of running ssh on a non-standard port (which is making it so most automatic attacks miss you, as you say) is so minuscule that the increase in complexity isn't worth it.
Or put another way - there should be a very compelling reason behind every non-standard change you make, and avoiding automated scans isn't compelling enough for me.
http://www.twinhelix.com/css/iepngfix/demo/ - but really, in most all cases the time for IE6 hacks is nearing an end.
IE6 not supporting alpha channels in PNG files? There's a hack for that!
Ask them what their processes and policies are in regards to this. They're your supplier, make them tell you why you should trust them with your DB.
That said....firstly understand that securing the database is a small piece of a very big complicated jigsaw made up of randomly cut pieces with an abstract painting on them. Security is hard.
My first step is always to get the infrastructure up to something I'm happy with.
* Set your firewall to block all incoming connections by default, only ever allow connections to port 80 (and 443 if necessary) on your web server/load balancer.
* Designate a couple of 'management IP addresses', i.e. your home, or another location. Open up SSH to these addresses only.
* Configure SSH so the only way to access it is via certificates. Do not allow tunnelled plaintext passwords, ever.
* Try to ensure all your secret SSH keys are password protected
* For all server management issues use SSH. Use it for uploading, direct DB access, deploying etc. The only external connections to any of your servers happen on port 443/80/22.
* If you are using SSL use a secure cipher suite (running SSL Digger will tell you if you are using any weak ciphers)
* Decide on an update policy (ours is to have a human monitor all package updates daily, decide when an important one comes out, test it on stage, then update production) that ensures critical security fixes are applied quickly
* Google "security guide app" and review what the Internet says about securing Apache/Lighttpd/Squid/MySQL/RabbitMQ/Whatever. Understand it! Pay particular attention to anything the user interacts with (i.e. Joomla/Drupal/Wordpress)
Hmm, that's a pretty big list, mostly incomplete, and isn't even where your big security problems lie - most attack vectors are likely to come through flaws in your application. SQL Injection (shockingly!) is still happening, and if you give users the opportunity, someone WILL shoot themselves in the foot.
Man, security is hard! You can hire an agency to test things for you and give you a report. These tend to go from quite cheap (i.e. the firm just ran Nessus and sent you the output) to extremely elaborate white-box penetration testing that usually comes back with practical real world advice.
Great that you are concerned enough about this to ask Slashdot, don't work for Sony do you ;)
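The SSH items in the checklist above (key-based login only, what the comment calls certificates, and never accepting tunnelled plaintext passwords) are the kind of thing that silently regresses when someone edits sshd_config. As an added example, not the commenter's code, here is a small audit that reads the global section of an sshd_config and reports settings that contradict the list. The keyword list, the expected values and the sample configs are this example's own choices; the two sshd_config parsing rules it relies on (the first value seen for a keyword wins, and directives after a `Match` line are conditional) are how OpenSSH documents the file.

```python
from typing import Dict, List, Tuple

# What the checklist wants each global keyword to be. Keys are lower-cased
# because sshd_config keywords are case-insensitive. Values are the accepted
# settings; anything else (or an unset keyword) is reported.
EXPECTED: Dict[str, Tuple[Tuple[str, ...], str]] = {
    "pubkeyauthentication": (("yes",), "key-based login must be enabled"),
    "passwordauthentication": (("no",), "tunnelled plaintext passwords must be off"),
    "kbdinteractiveauthentication": (("no",), "keyboard-interactive (PAM) passwords must be off"),
    "permitemptypasswords": (("no",), "empty passwords must never be accepted"),
    "permitrootlogin": (("no", "prohibit-password"), "root must not log in with a password"),
}


def parse_global_settings(text: str) -> Dict[str, str]:
    """Return the effective global sshd_config settings.

    sshd uses the FIRST value it sees for a keyword, so a hardening line
    appended at the bottom of the file does nothing if an earlier line set
    the keyword already. Everything after the first 'Match' block only
    applies conditionally, so parsing of global settings stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:  # "Keyword=value" form
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, actual_value, reason) for every setting that fails the checklist."""
    settings = parse_global_settings(text)
    findings = []
    for keyword, (accepted, reason) in EXPECTED.items():
        actual = settings.get(keyword, "<not set>")
        if actual.lower() not in accepted:
            findings.append((keyword, actual, reason))
    return findings


# Constructed sample: a distro-style default with a well-meant fix appended at
# the bottom that has no effect, because the earlier "yes" line wins.
WEAK_CONFIG = """
# constructed example, not a real server's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample that satisfies every item in the checklist.
HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
"""

if __name__ == "__main__":
    for keyword, actual, reason in audit(WEAK_CONFIG):
        print(f"{keyword} = {actual}: {reason}")
    print("hardened findings:", audit(HARDENED_CONFIG))  # []
```

Run it against the output of `sshd -T` rather than the raw file when you can: that prints the fully resolved effective configuration, including defaults and included files, in the same `keyword value` form this parser reads.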
Whenever I use iReport there is about a sixth of a second delay between interacting with it and it doing what I asked. It's barely noticeable but still drives me insane.
OK, I'm interested. How can this help me leverage the cloud?
But SQL injection vulnerabilities are pretty easy to avoid. I'd say in the general case SQL injection problems are a good indication to avoid a company.
If you inadvertently allow malicious access to your DB via SQL injection - fine. Just don't fib by saying your company should be taken at all seriously when considering their security credentials.
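The comments above, and the earlier remark that SQL injection is "still happening", hinge on the same point: the fix is mechanical. As an added example that is not the commenter's code, here is the vulnerable pattern beside the parameterised one, using Python's built-in sqlite3 on a constructed in-memory table so it runs offline. The table, the rows and the helper names are this example's own.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """VULNERABLE: the caller's string becomes part of the SQL grammar.

    Any quote character in `username` ends the literal early and whatever
    follows is parsed as SQL, so the WHERE clause no longer means what the
    developer wrote.
    """
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """FIXED: the SQL text is constant; the value travels separately as a bound parameter.

    The database engine never parses the value, so quotes inside it are just
    characters to compare against the column.
    """
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The classic textbook probe: closes the literal, then adds an always-true clause.
    probe = "' OR '1'='1"
    print(find_user_unsafe(conn, probe))  # every row comes back: [(1, 'alice'), (2, 'bob')]
    print(find_user_safe(conn, probe))    # nobody is literally named that: []
    print(find_user_safe(conn, "alice"))  # [(1, 'alice')]
```

The same rule carries to every driver and ORM: if a request value is ever concatenated or string-formatted into SQL text, the query is injectable no matter how the value was "sanitised"; if it is passed as a bound parameter, it is not. A grep for f-strings, `%` formatting or `+` next to `execute(` is a cheap first pass when reviewing a codebase.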
Get to it then!
Hope you've never played noughts and crosses on paper, that shit is made from plants you know.
Isn't irony ("Situational irony" as Wikipedia calls it seems to be what most folks mean when they say it) when the opposite of what you expect to happen happens? For example, if I implemented a set of policies to prevent leaks and then those policies caused a leak - very ironic. That's not what happened here, what is the irony in this situation?
Considering that when you are married, in terms of property rights, you are considered a single legal entity
We fixed that in the 1800's...didn't you guys?
I think you're quoting Timothy, not the submitter.
Still....Ads are unquestionably distracting, but as a consumer, wanting to be exposed to them to find out about new products you find interesting seems perfectly reasonable. Personally I get my fill from billboards and tube trains, so am more than happy to entirely cut them out of the websites I browse using AdBlock. I don't think it's particularly weird to enjoy them though. Also, I've never thought the underlying message was about self worth (except in ads about cosmetic products, or 'lifestyle brands') but rather trying to make you think a particular product was a better investment than a competitor, or how a new product could enhance your life.
Too bad, I love blueberries.
Then eat them! Blueberries are nutritious and delicious. Maybe they won't make you live forever; seriously though - what do people want from a damned fruit!
Open source is a way of building software that some folks reckon yields a better quality software product. As a side effect lots of people tend to benefit from it.
The four basic freedoms espoused by GNU underpin a quite different Free Software philosophy. It's quite possible to derive benefit from open source and not give a damn about the Free Software movement.
Moreover though, it is not, not, *not* hypocritical for a company to benefit from open source but refuse to release a Linux client for their product. You may think it immoral, unfair, unjust, and a generally slimy way to do business - but if the behaviour couldn't conceivably be summed up as "those lying bastards are bullshitting me" it's not what I would mean by hypocrisy.
I'll take my cars good and fast, and my women fast and cheap, thanks.