Slashdot Mirror


User: dclydew

dclydew's activity in the archive.

Stories: 0 · Comments: 297

Comments · 297

  1. God is a crazy woman.
    http://www.principiadiscordia....

  2. Re: Authentication != identification on Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com) · · Score: 1

    Facebook etc. will not have your fingerprint. There are many different biometric models, but they don't actually store a copy of your fingerprint and then check the whorls against your thumb.

    For example, a model may use a hash of key points in the thumbprint and that hash is used in a challenge/response from the server. A model may use the biometrics to generate a derived key or to unlock a local key store.

    Any website or OS worth their salt (pun intended) doesn't store your password, they store a salted hash of your password and it's the hash you authenticate with, not the actual password. Same concept here.

  3. Re: Four by four on Panerabread.com Leaks Millions of Customers Records (krebsonsecurity.com) · · Score: 2

    The first 6 digits are the BIN range which identify the Card Type (first digit) and Issuing Bank (rest of the BIN). Those are not (by themselves) sensitive. The PCI specification states that the first 6 and last 4 digits of a PAN may be in the clear, i.e. 5555 43** **** 3232, and that this has a difficulty of being guessed of 10^6 (due to Luhn check).

    As long as the middle 6 are not exposed, then first 6/last 4 isn't a 'huge' concern from a card compromise perspective. It is, however, a large risk from a social engineering perspective. An attacker could answer certain security questions and/or pretend to be someone who legitimately has that kind of information and convince people to think they are an appropriate organization to share further information with.

  4. Re:Self serving propaganda on Mark Zuckerberg: Tim Cook is 'Extremely Glib' (fastcompany.com) · · Score: 1

    10 points for reference.

  5. MCGA FTW!!!

  6. Re: Let's rephrase the question on Is Open Source Innovation Now All About Vendor On-Ramps? (infoworld.com) · · Score: 2

    No.. no more so than the XEROX printer hardware was 'vendor lock in' when RMS wanted the driver source code. In fact, while many applications will benefit, maybe require the cloud compute platform... a lot of what they have released can be used, and is being used in projects that aren't running on any cloud.

  7. Re:Let's rephrase the question on Is Open Source Innovation Now All About Vendor On-Ramps? (infoworld.com) · · Score: 5, Insightful

    It's fear-mongering. We should be applauding every time any commercial company open sources something. FFS, I remember when it was a serious philosophical fight to even mention open source in a business for use, let alone broaching the idea of open sourcing any intellectual property. We should be dancing in the street that Microsoft, Google, Amazon etc. are opening up their code. At the same time, open source solutions like Elasticsearch, Hadoop, etc. are doing for "No SQL and Big Data open source" what Apache did for "web server open source", or mysql did for 'rdbms open source'. Or what Docker is doing for "Microservice open source".

    The world is consuming open source at a scale we didn't expect at the turn of the century. Hell, if nothing else, it has proven that ESR's "Cathedral and Bazaar" was far more prophetic than anyone imagined.

  8. Re:Its hard to tell what the poster is upset about on Is Open Source Innovation Now All About Vendor On-Ramps? (infoworld.com) · · Score: 5, Informative

    Exactly this!

    Free Software was envisioned to open the code, not deny businesses the chance to profit. Open Source TensorFlow and commercial Google Cloud space is a great example of how to do it. Sharing the code isn't primarily about being able to build a competing service, it's not about "benefiting the community" (that's a nice side effect in many cases), at its core, it's the simple argument that if I use your code, I should be able to look at the code and modify it if necessary.

    Besides, TensorFlow is a huge benefit to the community. I may not be able to pay for my own competing Google Cloud, but not every TensorFlow project requires Google Cloud. One can build extremely useful tools and services on a local cluster of physical or virtual machines. There are successful internal corporate projects being built in-house with TensorFlow. Companies are creating new products and services with TensorFlow (and no Cloud), any creative developer could easily build a working proof-of-concept without going to the cloud... they could even be inspired to create new code to improve TensorFlow.

    THAT is what Free Software is all about, Free as in Speech, not Free as in Beer.

  9. Re:Must? on Why Must You Pay Sales People Commissions? (a16z.com) · · Score: 1

    In the organization I work for, sales are also responsible for a lot. Dealing with contract negotiations and making sure that pre-sales and post-sales are correlated. After that, they are responsible for keeping up with the customer to find new potential uses, catch dissatisfaction before it occurs, get feedback from the customer on new requirements or feature requests....

  10. Re:And the sheriff doesn't understand? on Seeking YouTube Fame, A Teenager Kills Her Boyfriend (arstechnica.com) · · Score: 1

    Society has become a reality-tv show based on absurdity. We live in a society that glorified Jackass. We live in a society that has merged fantasy, fake news, real news and social media into a simulation of reality. The psychological impact of no one having any clue as to what is true or false anymore will continue to spawn actions and incidents that make no sense. Sure, there is an issue of personal responsibility... but the hypernormalization of society surely bears some responsibility as well.

  11. Re:Inserting into orbit would have been interestin on New Horizons Gets Closer to Pluto, But Mystery Spots Now Out of Sight · · Score: 1

    Even Pluto can't escape George R R Martin Memes....

  12. Recent studies seem to support that among some individuals, there may be genetic predispositions which pot may effectively set off. It seems that pot may be a trigger for an underlying situation that already exists. I also had a friend that went from straight A's to dropout. However, pot was only a part of a much larger issue. It took him 10 years to eventually come to realize that it wasn't 'just the pot'. It was a combination of some genetic and social (home life) factors... pot was a part of the problem, but not the cause.

  13. Re:FFS on Researchers: Alcohol Health Risks Underestimated, Marijuana Relatively Safe · · Score: 3, Informative

    Later studies (2013) debunked the older studies (2011 and before) that marijuana causes schizophrenia in teens. A Harvard study included pot smokers and their families (both with and without psychotic illness). The data indicates that if you're genetically predisposed to psychotic illness, you're likely to have psychotic illness and marijuana may have an effect on onset age. If you're not genetically predisposed to psychotic illness, then you're not likely to have a psychotic illness, even if you're a teenage stoner. It appears that young people with genetic predisposition to psychotic illness may seek out self-medication with marijuana, but the numbers show a very strong correlation with family traits and no statistically significant correlation with marijuana use.

    http://www.schres-journal.com/...

    That's not to say that Marijuana is completely without risks, especially in adolescents with a predisposition to genetic or psychological issues. However, most recent studies do seem to indicate that without the predisposition, 'harm' is relatively limited. In adults, most recent studies indicate no long term effects at all.

    It's a shame that the government shut down research on marijuana for so many decades. Who knows how many people could have been helped if doctors had accurate information.

  14. Re: Better quality on Something Resembling 'The Wheel of Time' Aired Last Night On FXX · · Score: 1

    There are tons of references to modern things, existing myths, historical events etc. Many of the main characters' names are derivations on famous characters from legends, many of the locations are similarly related to other locations. Rand is very much part of the Dying God/Jesus type myth (Crown of Swords, spear in the side, must die and live again to save man, will fight in the final battle). There are even references to John Glenn and the Moon Landing in one of their myths. :D

  15. Re: Better quality on Something Resembling 'The Wheel of Time' Aired Last Night On FXX · · Score: 2

    Wasn't BMW, it was a Mercedes Benz hood ornament in The Shadow Rising.

  16. Re:That's why nobody sensible wants them on US Health Insurer Anthem Suffers Massive Data Breach · · Score: 1

    A number of data protection solutions today (including the company I work for) actually prevent admin access. Basically, a policy can be defined by a security administrator on a Management server. The policy is deployed to the database as an encrypted package. The database has an agent which queries the policy. Only users listed in the policy have permission to decrypt/detokenise the data. If admin, root, dba, sa etc are not in the policy, they will only see the protected data. If they try to change their account to a privileged user, that action should generate an alert.

    There are solutions like this implemented in many companies and they actually work.

    I also agree with your additional point. Security event monitoring, intrusion detection, audits etc. should all be in place, no matter what data protection method you're using.

  17. Re:That's why nobody sensible wants them on US Health Insurer Anthem Suffers Massive Data Breach · · Score: 1

    In a properly implemented tokenization scheme, your solution is actually less secure. For example, let's say we have a value of 123-45-6789. We tokenize this value using proper randomization and get 4968-34-6789. There is no mathematical connection between the token value and the original value, meaning that there are ~10^5 possible combinations and ANY of them could be valid.

    When the ciphertext is stored alongside some of the plaintext, you open up the possibility of a known plaintext attack. Since tokens are not mathematically connected to the plaintext, partial text doesn't necessarily reduce the security of the scheme.

    That being said, SSN isn't the best example. A credit card stored as 1234 56TT TTTT 9876 (where the T represents a tokenized digit) is equally secure as 1234 56** **** 9876 (difficulty of 10^5 and no verification to determine which of the 10^5 possible values are correct).

    Also, having the encrypted data stored 'somewhere' is part of the older token design, where there is a vault that stores both the encrypted value and a token paired with it. Newer tokenization solutions do away with the vault completely.

  18. Re:That's why nobody sensible wants them on US Health Insurer Anthem Suffers Massive Data Breach · · Score: 1

    Yes, SSN isn't the best example because that data could be manipulated. Another example would be exposing the first 6 and last 4 digits of a credit card. This provides the same security as 123456******1234 and is considered secure by the PCI standard. Properly implemented tokenization would mean that there are 10^6 possible values (10^5 if you do Luhn check verification) and that there is no way to mathematically verify which of the 10^5 values it is.

  19. Re:income data? on US Health Insurer Anthem Suffers Massive Data Breach · · Score: 1

    Monetization of data. All big companies do it. They collect as much data as possible and then sell subsets of data (perhaps anonymized) to 3rd parties, or they may provide roll-up analytic reports to third parties... Stuff like:

    I want to build a for profit practice that specializes in cancer treatments. What part of the country am I most likely to find a high number of cancer patients who make enough money to afford what I want to charge for my services?

    I buy a service from a data analytics company, they have deals with some insurance companies, medical research labs, big pharma groups etc. They submit the request to these companies. The companies do some research on their huge data sets and return their best results. The data analytics company makes a nice report and gives it to me. I now know that Somerich City, Alabama is totally where I want to build my practice.

    In this scenario, no individual private data was provided... but it's available at the source companies. This makes them prime attack destinations if the PII data isn't protected.

    In some European countries though, the laws are strong enough that this kind of behavior is extremely limited and under heavy audit.

  20. Re:That's why nobody sensible wants them on US Health Insurer Anthem Suffers Massive Data Breach · · Score: 2

    There are a number of solutions to the problem. There are data protection appliances that can be integrated to databases or applications (via API) where encrypted data is sent to for decryption and available only in the result set; never written to disk in the clear. In this scenario, even root or dba don't have access to the sensitive data, unless authorized by the appliance. Another option, (becoming more popular) is tokenization. The sensitive data is replaced by consistent non-sensitive token values. This often allows for many business analytic processes to operate on non-sensitive data. In many scenarios, all of the work in the main application/database can be done with tokens and then a secure 'detokenize' app is provided to specific users that may need the real data. Tokens can also retain some of the original data. So if we tokenized SSN 123-45-6789, we could generate a token that kept the same last 4 digits, 541-30-6789. If customer support uses the last four digits of SSN to verify customers on the phone, they can now do it without being exposed to the real sensitive data.

    (Disclaimer: I work for a data protection company that does this kind of stuff)
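    Comments 3, 17, 18 and 20 above all rest on the same two points: a token keeps some digits visible (first 6/last 4 of a PAN, last 4 of an SSN) while the hidden digits are replaced by random ones with no mathematical link to the original, and the number of originals consistent with the visible part is 10^6 for six hidden digits, or 10^5 once the Luhn check is accounted for. The Python below is an added example, not code from the poster or from any vendor's product. It implements a random, format-preserving tokenizer and a counter that computes exactly how many Luhn-valid numbers match a partially masked PAN, so a defender can quantify what a first6/last4 exposure actually leaks. The sample values (the well-known 4111... Luhn-valid test number and 123-45-6789) are constructed for the example.

```python
"""Format-preserving tokenization and masked-PAN candidate counting (added example)."""
import secrets

# Digit sum of 2*d for d in 0..9, i.e. the "doubled" contribution in the Luhn check.
DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_weight(digit, pos_from_right):
    """Contribution of one digit to the Luhn sum; every second digit from the right is doubled."""
    return DOUBLE[digit] if pos_from_right % 2 == 1 else digit


def luhn_valid(number):
    """True if the digits in `number` (spaces/dashes ignored) pass the Luhn check."""
    digits = [int(c) for c in number if c.isdigit()]
    total = sum(luhn_weight(d, i) for i, d in enumerate(reversed(digits)))
    return total % 10 == 0


def count_luhn_completions(masked):
    """Count digit strings matching `masked` ('*' = unknown digit) that pass Luhn.

    Dynamic programme over the running Luhn sum mod 10, right to left, so the
    count is exact without enumerating every candidate. For six unknown digits
    the answer is 10**5: the check digit constraint removes one digit of freedom.
    """
    chars = [c for c in masked if c == "*" or c.isdigit()]
    ways = [1] + [0] * 9  # ways[r] = number of suffixes so far whose Luhn sum is r mod 10
    for i, c in enumerate(reversed(chars)):
        choices = range(10) if c == "*" else (int(c),)
        nxt = [0] * 10
        for r, cnt in enumerate(ways):
            if cnt:
                for d in choices:
                    nxt[(r + luhn_weight(d, i)) % 10] += cnt
        ways = nxt
    return ways[0]


def tokenize(value, keep_first=6, keep_last=4, luhn_valid_token=False, rng=None):
    """Replace the middle digits of `value` with random digits, keeping its layout.

    Retained digits are copied; every other digit is drawn independently from a
    CSPRNG, so nothing in the token can be computed back to the original (a
    vault or lookup is the only way back, which this example does not model).
    With luhn_valid_token=True one free digit is adjusted so the token itself
    passes Luhn, for downstream systems that validate the field before storing it.
    """
    rng = rng or secrets.SystemRandom()
    digits = [int(c) for c in value if c.isdigit()]
    free = list(range(keep_first, len(digits) - keep_last))
    if not free:
        raise ValueError("nothing left to tokenize")
    while True:
        token = digits[:]
        for i in free:
            token[i] = rng.randrange(10)
        if luhn_valid_token:
            last = free[-1]
            for d in range(10):  # exactly one digit value makes the sum 0 mod 10
                token[last] = d
                if luhn_valid("".join(map(str, token))):
                    break
        if token != digits:  # never hand back the original by chance
            break
    it = iter(token)
    # Re-insert the new digits into the original layout (spaces, dashes stay put).
    return "".join(str(next(it)) if c.isdigit() else c for c in value)


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # constructed: a widely used Luhn-valid test number
    print(tokenize(pan))                          # first 6 / last 4 kept, middle random
    print(tokenize(pan, luhn_valid_token=True))   # same, but the token passes Luhn
    print(count_luhn_completions("4111 11** **** 1111"))  # 100000
    print(tokenize("123-45-6789", keep_first=0, keep_last=4))  # last 4 kept, e.g. like 541-30-6789
```

    The counter is the part to reuse when assessing an exposure: feed it the masked value as it appeared (asterisks for the hidden digits) and it returns the candidate count, 10^5 for a first6/last4 PAN and 10^15 for a fully masked 16-digit number. Whether the tokenizer makes its output Luhn-valid is a deployment choice; it costs nothing in randomness beyond the one adjusted digit, which is why the candidate count with and without the check differs by exactly a factor of ten.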

  21. Re:unlikely on The Future According To Stanislaw Lem · · Score: 1

    I don't think it's terribly unreasonable to postulate that a sufficiently advanced society may be world bound and following their bliss.

    A sufficiently advanced society may actually have come to the realization that FTL travel/communication is impossible and that travelling to the nearest inhabited planet would be a centuries long one way expedition with little or no return on investment. So, if an advanced civilization figures out that they are forever trapped in a single solar system, with one or two habitable planets... why would they keep wasting effort on something they know is impossible? If you solve the problems on your planet and you know you'll never leave your planet... then why wouldn't you pursue pleasure instead?

    Imagine if our society evolved beyond the primitive philosophies of religions, so we no longer had people worrying about what the invisible guy in the sky wanted. Imagine if we found cheap energy, ways to reduce scarcity etc. and assume that we also evolved beyond some of our basic primate programming of alpha and territorial dominance. In such a society, following one's bliss may well be the most logical choice.

  22. Re:Risk = likelihood x consequence on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    The example provided here is a very high level Slashdot comment ;-) There are several different risk models that can be used, either qualitative or quantitative. The right model depends heavily on the type of organization you're working with.

    The one I mentioned is from the InfoSec Handbook. Others cover the value of the asset instead of Impact (Threat x Vulnerability x Asset) and some include accounting for mitigation and countermeasures like TIK (threat*vulnerability/countermeasure * Impact or Asset). I've worked for companies that have their own internal models, companies that want very complex models and companies that use very simple models in which every variable is ranked 1 - 5 (1&2 Low, 3&4 Medium, 5 High).

    The core thing here is not the specific model. As long as a consistent model is used to rank vulnerabilities and threats and can define a useful value for determining the cost of the event versus the cost of the protection method, then it's useful (and may be sufficient, depending on the situation).

  23. Risk Assessment!! on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 3, Insightful

    There are lots of different risks that must be considered when securing a network or system. In my many years of security architecture, I've found it makes the most sense to create a risk assessment.

    Threat x Vulnerability x Impact = Risk

    Once you have defined the risks, you can define the best protection method to reduce each risk.

    Application firewalls may not be the best protection method depending on the rest of your network security controls. If you have strong network firewalls and every device that connects to the network must be authenticated (and scanned for viruses) before it's given an IP address, an application firewall may not reduce much risk. If it doesn't reduce much risk, it may not be necessary.

    In business, security is like insurance. You have to justify how much to spend, based on how it will protect us if something bad happens. Further, you have to make sure that whatever the security control is, it doesn't interfere with what the business needs to function. If the database cannot function with a firewall, a firewall is not the best protection method and other options should be considered (Network Intrusion Prevention systems, Data Protection [encryption/tokenization/hashing], Anti-Virus, File Integrity Monitoring, etc). There are many tools available to security professionals today. A firewall is a good tool, but not the only tool... depending on the situation, it may not even be the right tool.

  24. Re:You're right, but confused on Swedish Farmers Have Doubts About Climatologists and Climate Change · · Score: 1

    I grew up in the country in Ohio, lived in Columbus and NYC for awhile, moved to a fishing village in Turkey for a couple years and currently live in the countryside in the UK. Politically, I don't agree with either side of the American political false dichotomy (aka the Two Man Con).

    What I do understand, however, is that looking at personal observations or eyewitness testimony is a really bad way to do science, criminal investigation or any sort of objective work. Individuals process objective data through the neurological system, which includes lots and lots of personal beliefs, bias and filters. Climate models may be wrong (I am not a scientist), but personal observation from "country folk" is certainly no more reliable and likely less so... particularly if they are part of a political party which denies global climate change as part of its tribal identifier.

    See Also the 23 Enigma or the Law of Fives.

  25. Re:sure you want to go with 'undead' ? on Perl Is Undead · · Score: 1

    Wow... way to make us feel old :P