Hunters -- well, nearly all hunters -- are cowards. They're too weak and afraid to actually
face their prey on even terms, which is why they heavily stack the odds in their favor by
using camouflage, lures, decoys, and weapons.
A hunter who actually had a modicum of courage would walk into the woods naked
and carrying nothing -- which is exactly what the creatures they hunt have. This still
putatively gives the hunter an enormous strategic advantage, because they possess
a considerably more functional brain. But at least it would be a relatively fair fight,
with both parties having only their intrinsic abilities.
But this never happens, of course. Hunters don't want a fair fight, they just want
to slaughter whatever-it-is they're after that day. They would turn the entire exercise
into a video game and engage in push-button butchery if they could. And the more
unfair the fight can be made -- the better. (Have you walked through the hunting section
of any store recently? There's an entire arsenal of technology designed for the purpose
of making the hunter's advantage as lopsided as possible.)
This is why, on those rare occasions when an animal manages to overcome the odds
and win this rigged contest by killing a hunter, I smile. It's justice, in its purest form.
So is it any wonder, really, that these same cowards would shoot a drone? Of course
they don't want witnesses to and documentation of their cowardice. Somewhere, deep
inside, they're ashamed -- as they should be. But unfortunately they're not strong enough
to actually admit it: no, they would rather try to cover it up, no matter how ineptly.
Facebook et al. are data collection mechanisms coated over with a thin veneer
of "social networking" in order to convince people to willingly surrender their own
data. An employer stipulating employee presence on them clearly knows little
(and understands less) about basic security principles, and clearly does not value
the privacy of its employees. I think the proper response isn't "no", it's "hell no"
and a visit to one's attorney in order to prepare for litigation.
I have, shall we say, more than a little experience in the spam area. And having
studied it in considerable detail over a very long period of time, I can say --
rather definitively -- that Hotmail does, and has done for many years, an
absolutely horrible job of controlling outbound spam. (Which is of course
the most important criterion by which to measure them. Inbound spam only
matters to those with accounts there. Outbound spam matters to the
entire Internet.) The only reason I would award them an "F" grade for
their performance is that there is no lower grade available.
My handle is somewhat a reflection of my own nature, which can be condescending
and indeed, arrogant. But even I wouldn't attempt something of this magnitude:
Microsoft isn't merely exaggerating, they're absolutely, completely, totally lying.
Your first point is an excellent one. However, I would modify it to read:
I no longer care what the Wall Street Journal reports.
Given that the WSJ is now the mouthpiece of that disgusting piece of filth Rupert Murdoch,
and that it has abandoned any pretense of reason, logic and objectivity
there is no reason for any thinking person to read it. Ever. In fact, one can now begin making
the inference that those who persist in reading it are suspect, as they lack the critical thinking
faculties required to discern reality from fantasy, truth from lies, and argument from propaganda.
There's a tendency to think that the US is above all this -- that Bertrand Russell's
famous saying ("Religion is something left over from the infancy of our
intelligence, it will fade away as we adopt reason and science
as our guidelines.") refers not to the future, but to the past, and that we have
all somehow become enlightened, that we've matured out of these primitive superstitions
along with the violence, hatred, prejudice, bigotry, slavery, and ignorance that they support.
But we haven't. Let me suggest the following thought experiment to you: write on a large piece
of posterboard "I skullfucked Mary and shit on Jesus' face." Now go stand with that poster on
a streetcorner in Topeka, Kansas at 9 AM on Monday morning. Do you think you'll survive the day?
Of course these are purely mythical creatures, no more real than Arthur Dent or Allah or Harry
Potter or Zeus or Loki or any other fiction. But, amazingly, there are people on this planet --
including in Topeka, Kansas, in the heart of the United States -- who will attack and kill
you for that sign.
Some will point out that at least this isn't codified into law: that is, that such attacks
are extralegal. My response to that is (a) not yet, they aren't, although if you're
paying any attention to contemporary American politics you know full well that there are
numerous attempts underway to make Christianity the state religion and (b) it's not clear
to me why, when you're lying in the street bleeding and dying, the lack of statutory authority
will matter to you.
When we in the United States have progressed beyond this -- when we no longer live
in a society where atheists are considered as trustworthy as rapists -- then perhaps we can claim some measure of the
moral high ground here.
Nonsense, of course. What he is...is a professional. Professionals do sit idly by while inferior
people make extremely stupid decisions -- of which "going Microsoft" is most assuredly one. They utilize
their best professional judgment, they protest, they complain, they argue, they do everything that they can
to argue their case. And if they fail? Then they resign in protest, as this person has. (And were I hiring:
I would hire this one in a minute. Most people are simply too weak to demonstrate this kind
of courage, to put their own job on the line.)
The people who most deserve our admiration are not the ones who meekly go along with incompetence
and short-sightedness and stupidity; no, they're the ones who stand up to it. And in a week where we
learned of the death of Roger Boisjoly, a man who did that very thing, maybe we should remind ourselves that if we really want
to call ourselves professionals -- and not cheap whores who will do anything for a paycheck -- then we are REQUIRED to
stand up for our principles. Anyone who can't or won't do that is a spineless, worthless coward.
I sort resumes into two piles: those with IT certifications and those without.
Those without are evaluated first, and those candidates given priority.
Those with will be considered only if the first batch doesn't yield enough
strong candidates.
Why? Because anyone naive enough to think that certifications are anything
other than cash cows for vendors lacks essential critical thinking skills. They're naive
and easily scammed: in fact, they've put the evidence of the latter right in front of me.
Such people are simply not up to the task of handling responsible security roles
(which is what I hire for): the first competent phisher to come along will easily fool them.
I already have a large number of clueless users who, just like everyone else's clueless
users, will find numerous creative ways to get themselves and thus the IT infrastructure
into trouble. I don't need staff members who are just as bad; I need staff members
who are cynical, hardened, ruthless bastards to even have a fighting chance of keeping
this operation modestly secure.
I'm sure the inferior primates who do not comprehend physics, mathematics, statistics, climatology, oceanography,
geology, chemistry, or any of the other topics known to those of us who qualify as homo sapiens will once
again display their profound ignorance by declaring that anthropocentric global warming is false. These are the
same gibbering baboons that support "creation science" and "holistic medicine" and other idiocy. It's a sad
testament to the aggregate stupidity of our society that any of these are given more attention than summary dismissal.
And you're on the lists yet don't bring up the subject but do on Slashdot... interesting
I informed the developers privately. That may have been an error in judgment; perhaps I should
have mentioned it publicly (that is, on one of the Ubuntu mailing lists). But I did make an effort to
put the problem in front of the people I felt were best positioned to do something about it.
I think that anyone who is so intellectually impoverished that they cannot or will not relearn menus really ought not be using a computer, and certainly should not be permitted the privilege of being on the Internet, where they constitute an active, operational menace to everyone else.
As a side note, it should be interesting to study the privacy and security implications of this approach. A careful read of the Ubuntu mailing lists (all of which I'm on) reveals that -- so far -- nobody has put up their hand and pointed out that this "helpful" approach has as one obvious side effect the construction of a resource that's enormously useful to attackers.
I've been watching the hype over cloud-this and cloud-that for several years with
an increasingly cynical eye. Perhaps this incident will help convince a few others
to look past the trendy buzzwords and actually THINK about what can happen.
For example:
1. Drives seized, eventually end up for sale to the public, random people now
own your data.
2. Cloud provider hacked, dangerous random people now own your data.
3. Drives seized, feds download all your data and start going through it to see
if they can make a case against you. (Oh, you don't think they can? Keep in
mind the words of Cardinal Richelieu: "If one would give me six lines written by the hand of the most honest man,
I would find something in them to have him hanged.")
4. Drives seized, someone decides to make a few extra bucks
selling your data to your competitors. Or spammers. Or phishers.
5. Drives seized, someone graciously decides to let you "have your
data back", but what you get back is not what you think it is -- it's
been quietly, carefully modified. Maybe your research statistics
have been subtly corrupted; maybe there's malware in it; maybe
it's missing a few key pieces here and there.
When you use a cloud provider, all you've got is your best hope.
And "hope" is not a valid security strategy.
If they really are "MS guys at heart", then they're not very well qualified.
This may be due to intrinsic low intelligence, but presuming you've ruled
that out, it's likely due to lack of significant experience with professional-quality
software. (I consider MS software fine for children and amateurs, but utterly
unsuitable for anyone who even pretends to be a professional.)
This exercise would thus make an excellent teaching moment for them: they should
be tasked with investigating the many fine pieces of open-source software (and data)
linked to in this thread, and educating themselves to the level necessary for them to
understand not only how the solution to your current problem has very likely already
been coded by someone else, but why it's very likely been coded by someone
else. In other words, I'm suggesting that they come to an understanding of why
common/ordinary/routine tasks should not be relegated to expensive, proprietary
software, but are included in free, open-source software during the normal course
of development.
Meanwhile, you should consider this question: is a relational database the best
way for you to attack this problem? Or should you, instead, consider alternate
ways of storing/searching the data? (I make no recommendation either way;
without MUCH more detail on your precise requirements, I can't.)
Not because it will reach people who need to know; I suspect that most
clueful people here already realize that SOPA and PIPA are awful legislation,
written by industry lobbyists and supported by their pet Congressmen -- who
have been well-paid for their votes. But because it will change the dialogue
from "Reddit is blacking out" to "Two sites are blacking out" and then -- when
another one joins "Three sites are blacking out" and then "Many sites are
blacking out" and then "A lot of sites are blacking out" and that is when
it will matter.
It matters because it shows we'll make sacrifices to make a point. It's easy
to post something whining about how bad these bills are, but much, much
tougher to actually give up something to back that up. The supporters of
these bills know that. They're counting on the millions and millions of us out
here to grump about it...and move on. To ignore it, as if it doesn't matter to
us, doesn't apply to us. We need to demonstrate that it DOES matter, that
we're not going to let it go.
A blackout isn't the end of that, of course. It's only the beginning. But it
would be a good way to start.
What you're doing, although I don't think you intended to, is making excuses
as to why those six mistakes are necessary. This is a fatal error. By justifying
them, you ignore the consequences -- which are that you've just about guaranteed
that you will be hacked the first time someone with sufficient expertise
and resources decides to target you.
The trick is to recognize that you cannot make these mistakes. Period.
No matter who you have to run over, who you have to piss off, who you have
to overrule, who you have to upset, no matter what. You have to be, and yes
I am, an arrogant bastard. Because the moment you compromise, you're doomed.
We've seen it over and over and over and over again, we're seeing it again today,
we'll see it again tomorrow. Every single data breach incident I've ever read about
included at least one of those six mistakes, and most of them included several.
Yet incompetent, weak-willed IT people insist on making them because "we've
always done it this way" or "that can't work!" or "but it would break..." or for
a thousand other reasons...none of which matter. (What good is having a
spiffy computing environment if it's not secure?)
The problem isn't that we don't know what to do. We do. The problem is
lack of will to do it.
This also includes clean installs on employee portable systems (laptops,
PDAs, tablets, phones) as well as anything they have at home that can
connect to the corporate network.
Of course, this will never happen.
Then it's time to go through all backup media and sanitize it, since of course
a potential future restore could re-initiate the breach.
Of course, this will never happen.
Meanwhile, forensic work needs to be done to figure out what the vector(s)
was/were for this incident. It's not enough to just identify and deal with those,
however; they need to be studied in context in order to achieve an understanding
of what additional, latent vectors exist that could be used.
Of course, this will never happen.
And then it's time for a very pointed session with a copy of Marcus Ranum's
"Six Dumbest Ideas in Computer Security", because chances are pretty high
that this organization used all six.
Of course, this -- especially this -- will never happen.
6) Films don't start at announced time. What starts at the announced
time are commercials, pro-MPAA propaganda, previews, and charitable
solicitations.
7) Refreshments are marked up about 1000%, served by surly, inefficient,
inattentive teenagers who hate their jobs. Also: no beer.
8) Staff refuse to eject patrons. (Went to see "The Ides of March". Woman in
row in front of mine was on cell phone four times during movie. Got out of my seat,
fetched manager during the fifth time. She was off it when he finally got there,
so he refused to take action. Great. Nothing like having an intense political
drama disrupted AND missing part of it.)
9) Poor projection. Use the right lens, for crying out loud.
10) Previews that give away the entire movie. (Or, perhaps, moves that suck so
tremendously that the preview CAN give away the entire movie, and may in some
cases be a superior entertainment experience.)
11) Movie industry that wants to destroy the Internet. See: SOPA, PIPA, whatever's next.
First, the proper term is "spam"; never "SPAM". The former refers to unsolicited bulk email; the latter
refers to a product of the Hormel Corporation.
Second, having conducted extensive testing on Gmail's spam filter, I can only award it a C; both its
false positive and false negative rates are unacceptably high, certainly not good enough to qualify
for professional use. (However, let me note in passing that this mediocre performance is still
much better than that of others competing in the same space; Yahoo and Hotmail both receive F's
with my regret that no lower grade is available.)
Third, user-driven spam/not-spam classification systems are fraught with difficulties -- most notably,
they're quite easy to game (in both directions). Some spammers are apparently well aware of this
and have been exploiting it quite effectively. Unfortunately, it has proven rather difficult to convince
those being exploited that it's being done to them -- they prefer to remain in denial rather than admit
that their elaborate scheme has been neatly undone by a combination of social engineering, botnets,
and modestly clever scripting.
Ah, a WHOIS lookup shows that it's the incompetent spammers-for-hire at Epsilon. (Go Google "epsilon spam" for
a glimpse at the tip of the iceberg. I'll wait.)
Back? Good. Epsilon does spam-for-hire for a number of companies; apparently
the crack reporting staff at the NYT isn't intelligent or diligent enough to figure this out
and report it to their own management. This is hardly the first incident involving them --
or rather, it's hardly the first widely-known incident involving them. Those of us who've
been studying spam for decades are well aware of this sleazy operation.
There's no reason to do so: SPF has no anti-spam and no anti-forgery value in the contemporary
environment. (That's why, despite the desperate flogging by the ignorant who claim that SPF is
anything from a preventative to a magic cure-all, the largest adopters of
SPF to date are spammers.)
Actually, you're wrong. The problem is NOT economic.
It'd be nice if it was -- because some obvious interdiction paths could be used.
But it's not.
The spam problem is behavioral: spammers are sociopaths. That's why there
are no ex-spammers: they can no more stop spamming than a pedophile can stop
molesting children. They're (pick your terminology) mentally ill, sick, etc.
How do we know this? Because we can observe (and we have observed) that they
continue spamming even when there's obviously no profit in it, nor any realistic
hope of any profit in the future. They're not all/always doing it for the money.
Now...it's certainly true that some spammers do make a profit; certainly the
spammers-for-hire that have adopted the guise of "responsible companies"
do very well, well enough to hire skilled propagandists who paint them as
professional email service providers -- even though they're just spammers
with better suits. But that doesn't change their underlying motivation: doing
what spammers do requires someone who's devoid of basic human
compassion, remorse, responsibility, empathy -- all the qualities
that enable people to relate to one another. And there's no easy/obvious
fix for that.
First, we've known for many years that IP-level techniques can deal with
a lot of spam. For example, using the Spamhaus "DROP" list in perimeter
devices is so incredibly effective that anyone who isn't doing it may summarily
be declared incompetent. As another example, perhaps more germane to this
paper, see http://use.perl.org/~merlyn/journal/17094 -- which demonstrates how to
use passive OS fingerprinting in the BSD pf firewall to throttle traffic from Windows
systems. (I presume everyone is well aware that bots are nearly always hosted
on Windows systems; my own research indicates that despite inroads by attackers
into non-Windows hosts, the probability that any given bot will be found to be
on a Windows system is still comfortably above 99.999%.) The technique shown
by poster "merlyn" in that example from 2004 can readily be extended and combined
with others.
Second, 95% true positive rate is impressive for a single measure, BUT we must
also consider the false positive rate, and we have to consider the resource cost
necessary to achieve this number. Frankly, doing this inside SpamAssassin is
very inefficient -- this is a function that can be handled either in the firewall or in the
MTA, or perhaps in a combination of the two. There's really no need to invoke
something as heavyweight, slow and complex as SA. (Nor is this desirable: the
more complex the anti-spam architecture, the more difficult it is to tune properly
and the more susceptible it is to gaming.)
Here's the TL;DR version: if a host passive-OS-fingerprints as Windows then
it's suspect. If it does that AND (lacks rDNS OR has generic rDNS) it's a bot.
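The TL;DR rule at the end of this comment (Windows by passive fingerprint is suspect; Windows plus missing or generic rDNS is a bot) turned into a small triage function, as an added example that is not the commenter's code or merlyn's pf rules. The OS label is assumed to come from a passive fingerprinter such as p0f, and the generic-rDNS token list and the sample connections are constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Labels that usually mark a provider-generated PTR name (dynamic pools,
# customer blocks) rather than a deliberately named mail server.  This
# list is an assumption chosen for the example, not from the comment.
GENERIC_RDNS_TOKENS = frozenset({
    "dyn", "dynamic", "dhcp", "pool", "ppp", "pppoe", "dsl", "adsl",
    "cable", "dial", "dialup", "cust", "customer", "client", "unassigned",
})

# Address space the rule must never be applied to (your own hosts).
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
))

ACTIONS = {
    "bot": "reject at the perimeter (firewall or MTA connect time)",
    "suspect": "throttle or greylist, then score in the MTA",
    "ok": "accept",
    "internal": "not an external sender; rule not applied",
}


@dataclass(frozen=True)
class Connection:
    ip: str               # connecting IPv4 address
    os_guess: str         # passive OS fingerprint label, e.g. a p0f "Windows XP" genre
    rdns: Optional[str]   # PTR lookup result; None when there is no reverse record


def rdns_is_generic(ip: str, hostname: str) -> bool:
    """True when the PTR name looks auto-generated for the address.

    Two signals: most of the address's octets embedded in the name
    (203-0-113-7.dyn.example.net), or a label from GENERIC_RDNS_TOKENS.
    """
    name = hostname.lower().rstrip(".")
    numbers = re.findall(r"\d+", name)
    octet_hits = sum(1 for octet in ip.split(".") if octet in numbers)
    if octet_hits >= 3:
        return True
    labels = set(re.split(r"[.\-_]", name))
    return not labels.isdisjoint(GENERIC_RDNS_TOKENS)


def classify(conn: Connection) -> str:
    """Apply the rule: Windows -> 'suspect'; Windows AND (no rDNS OR
    generic rDNS) -> 'bot'; everything else -> 'ok'.

    RFC 1918 and loopback addresses are reported as 'internal' so the
    rule is never applied to hosts behind the perimeter.
    """
    addr = ipaddress.ip_address(conn.ip)      # raises ValueError on garbage
    if addr.version != 4 or any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if not conn.os_guess.lower().startswith("windows"):
        return "ok"
    if conn.rdns is None or rdns_is_generic(conn.ip, conn.rdns):
        return "bot"
    return "suspect"


def triage(conns: Iterable[Connection]) -> Counter:
    """Count verdicts over a batch of connections."""
    return Counter(classify(c) for c in conns)


# Constructed sample connections (TEST-NET documentation ranges plus one
# RFC 1918 address); these are not real observations.
SAMPLES = [
    Connection("203.0.113.7", "Windows XP SP2", "203-0-113-7.dyn.example.net"),
    Connection("198.51.100.4", "Windows 7", None),
    Connection("198.51.100.9", "Windows 2000", "mail.example.org"),
    Connection("192.0.2.25", "Linux 2.6", "dhcp-25.example.net"),
    Connection("10.1.2.3", "Windows 7", None),
]

if __name__ == "__main__":
    for c in SAMPLES:
        verdict = classify(c)
        ptr = c.rdns or "<no PTR>"
        print(f"{c.ip:<14} {c.os_guess:<15} {ptr:<30} {verdict}: {ACTIONS[verdict]}")
    print(dict(triage(SAMPLES)))
```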
We've seen the same thing with their treatment of spammer domains. It works
like this:
We notice some spam. We report it to them. They ignore the reports.
We notice some more spam. We report it to them. They tell us it
didn't come from their network/their customers/their affiliate/their anything.
We notice some more spam. We report it to them. They forward the
reports to the spammers, who either list-wash us or send us more spam
or send us nasty notes, sometimes with threats.
We notice some more spam. We report it more widely, and other people
start taking notice. Eventually a number of people concur that yes, it's
spam, and yes, it's GoDaddy's responsibility, and yes, they ought to do
something.
When the chorus gets loud enough, GoDaddy finally does something --
like forcing the spammers to move their domains elsewhere. They
announce this as a major blow against spam thanks to their own hard
work and diligence. They trumpet their anti-abuse policies, pat themselves
on the back, ignore the people who actually did the research, forget all about
how long the abuse went on, and claim the whole thing as yet another win for
themselves.
Process repeats.
So there is no doubt whatsoever in my mind that this is just the
latest variation of that scam. GoDaddy is only allegedly changing its mind
because of the money involved. It's not on principle, because they have none.
I guarantee you that -- behind the scenes -- they're still doing everything they
can to support this bill.
So, please, everyone: don't be naive and stupid enough to fall for this scam.
Remember: if GoDaddy was REALLY against this bill, they could have said
so yesterday. Or last week. They didn't.
Re:Keep GoDaddy's history in mind (on GoDaddy Backs SOPA) · Score: 4, Insightful
It's difficult to figure out which comment you mean, but if it's the one
feebly attempting to justify spammer Bob Parsons' actions, then do consider this:
let's presume, for the sake of argument, that the circumstances are
as you portray them. (I have strong doubts that this is the case, but
let's go with it for a moment.) Then, given that spammer Bob Parsons
is an extraordinarily wealthy man, why not hand a big fat check over to
one of the non-profit organizations trying to save endangered species...
so that they can relocate the elephant? And while they're at it, some
rhinos and primates, too -- there are a lot of animals which are endangered
in part because humans have occupied land essential to their survival.
Why not do some positive good in the world...instead of getting his rocks
off by slaughtering an innocent, thinking, feeling animal?
Please see:
http://scienceblogs.com/gregladen/2012/01/two_incontrovertible_things_an.php?utm_source=combinedfeed&utm_medium=rss
and
http://www.forbes.com/sites/petergleick/2012/01/27/remarkable-editorial-bias-on-climate-science-at-the-wall-street-journal/
and
http://blog.ucsusa.org/dismal-science-at-the-wall-street-journal
I'm sure the inferior primates who do not comprehend physics, mathematics, statistics, climatology, oceanography, geology, chemistry, or any of the other topics known to those of us who qualify as homo sapiens will once again display their profound ignorance by declaring that anthropocentric global warming is false. These are the same gibbering baboons that support "creation science" and "holistic medicine" and other idiocy. It's a sad testament to the aggregate stupidity of our society that any of these are given more attention than summary dismissal.
And your on the lists yet dont bring up the subject but do on slashdot... interesting
I informed the developers privately. That may have been an error in judgment; perhaps I should have mentioned it publicly (that is, on one of the Ubuntu mailing lists). But I did make an effort to put the problem in front of the people I felt were best positioned to do something about it.
I think that anyone who is so intellectually impoverished that they cannot or will not relearn menus really ought not be using a computer, and certainly should not be permitted the privilege of being on the Internet, where they constitute an active, operational menace to everyone else.
As a side note, it should be interesting to study the privacy and security implications of this approach. A careful read of the Ubuntu mailing lists (all of which I'm on) reveals that -- so far -- nobody has put up their hand and pointed out that this "helpful" approach has as one obvious side effect the construction of a resource that's enormously useful to attackers.
I've been watching the hype over cloud-this and cloud-that for several years with an increasingly cynical eye. Perhaps this incident will help convince a few others to look past the trendy buzzwords and actually THINK about what can happen. For example:
1. Drives seized, eventually end up for sale to the public, random people now own your data.
2. Cloud provider hacked, dangerous random people now own your data.
3. Drives seized, feds download all your data and start going through it to see if they can make a case against you. (Oh, you don't think they can? Keep in mind the words of Cardinal Richelieu: "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.")
4. Drives seized, someone decides to make a few extra bucks selling your data to your competitors. Or spammers. Or phishers.
5. Drives seized, someone graciously decides to let you "have your data back", but what you get back is not what you think it is -- it's been quietly, carefully modified. Maybe your research statistics have been subtly corrupted; maybe there's malware in it; maybe it's missing a few key pieces here and there.
When you use a cloud provider, all you've got is your best hope. And "hope" is not a valid security strategy.
If they really are "MS guys at heart", then they're not very well qualified. This may be due to intrinsic low intelligence, but presuming you've ruled that out, it's likely due to lack of significant experience with professional-quality software. (I consider MS software fine for children and amateurs, but utterly unsuitable for anyone who even pretends to be a professional.)
This exercise would thus make an excellent teaching moment for them: they should be tasked with investigating the many fine pieces of open-source software (and data) linked to in this thread, and educating themselves to the level necessary for them to understand not only how the solution to your current problem has very likely already been coded by someone else, but why it's very likely been coded by someone else. In other words, I'm suggesting that they come to an understanding of why common/ordinary/routine tasks should not be relegated to expensive, proprietary software, but are included in free, open-source software during the normal course of development.
Meanwhile, you should consider this question: is a relational database the best way for you to attack this problem? Or should you, instead, consider alternate ways of storing/searching the data? (I make no recommendation either way; without MUCH more detail on your precise requirements, I can't.)
Not because it will reach people who need to know; I suspect that most clueful people here already realize that SOPA and PIPA are awful legislation, written by industry lobbyists and supported by their pet Congressmen -- who have been well-paid for their votes. But because it will change the dialogue from "Reddit is blacking out" to "Two sites are blacking out" and then -- when another one joins "Three sites are blacking out" and then "Many sites are blacking out" and then "A lot of sites are blacking out" and that is when it will matter.
It matters because it shows we'll make sacrifices to make a point. It's easy to post something whining about how bad these bills are, but much, much tougher to actually give up something to back that up. The supporters of these bills know that. They're counting on the millions and millions of us out here to grump about it...and move on. To ignore it, as if it doesn't matter to us, doesn't apply to us. We need to demonstrate that it DOES matter, that we're not going to let it go.
A blackout isn't the end of that, of course. It's only the beginning. But it would be a good way to start.
What you're doing, although I don't think you intended to, is making excuses as to why those six mistakes are necessary. This is a fatal error. By justifying them, you ignore the consequences -- which are that you've just about guaranteed that you will be hacked the first time someone with sufficient expertise and resources decides to target you.
The trick is to recognize that you cannot make these mistakes. Period. No matter who you have to run over, who you have to piss off, who you have to overrule, who you have to upset, no matter what. You have to be, and yes I am, an arrogant bastard. Because the moment you compromise, you're doomed. We've seen it over and over and over and over again, we're seeing it again today, we'll see it again tomorrow. Every single data breach incident I've ever read about included at least one of those six mistakes, and most of them included several. Yet incompetent, weak-willed IT people insist on making them because "we've always done it this way" or "that can't work!" or "but it would break..." or for a thousand other reasons...none of which matter. (What good is having a spiffy computing environment if it's not secure?)
The problem isn't that we don't know what to do. We do. The problem is lack of will to do it.
(I'm guessing "yes") If you are, what do you think about the work they've done?
This also includes clean installs on employee portable systems (laptops, PDAs, tablets, phones) as well as anything they have at home that can connect to the corporate network.
Of course, this will never happen.
Then it's time to go through all backup media and sanitize it, since of course a potential future restore could re-initiate the breach.
Of course, this will never happen.
Meanwhile, forensic work needs to be done to figure out what the vector(s) was/were for this incident. It's not enough to just identify and deal with those, however; they need to be studied in context in order to achieve an understanding of what additional, latent vectors exist that could be used.
Of course, this will never happen.
And then it's time for a very pointed session with a copy of Marcus Ranum's "Six Dumbest Ideas in Computer Security", because chances are pretty high that this organization used all six.
Of course, this -- especially this -- will never happen.
Add to that list:
6) Films don't start at the announced time. What starts at the announced time are commercials, pro-MPAA propaganda, previews, and charitable solicitations.
7) Refreshments are marked up about 1000%, served by surly, inefficient, inattentive teenagers who hate their jobs. Also: no beer.
8) Staff refuse to eject patrons. (Went to see "The Ides of March". Woman in row in front of mine was on cell phone four times during movie. Got out of my seat, fetched manager during the fifth time. She was off it when he finally got there, so he refused to take action. Great. Nothing like having an intense political drama disrupted AND missing part of it.)
9) Poor projection. Use the right lens, for crying out loud.
10) Previews that give away the entire movie. (Or, perhaps, movies that suck so tremendously that the preview CAN give away the entire movie, and may in some cases be a superior entertainment experience.)
11) Movie industry that wants to destroy the Internet. See: SOPA, PIPA, whatever's next.
First, the proper term is "spam"; never "SPAM". The former refers to unsolicited bulk email; the latter refers to a product of the Hormel Corporation.
Second, having conducted extensive testing on Gmail's spam filter, I can only award it a C; both its false positive and false negative rates are unacceptably high, certainly not good enough to qualify for professional use. (However, let me note in passing that this mediocre performance is still much better than that of others competing in the same space; Yahoo and Hotmail both receive F's with my regret that no lower grade is available.)
Third, user-driven spam/not-spam classification systems are fraught with difficulties -- most notably, they're quite easy to game (in both directions). Some spammers are apparently well aware of this and have been exploiting it quite effectively. Unfortunately, it has proven rather difficult to convince those being exploited that it's being done to them -- they prefer to remain in denial rather than admit that their elaborate scheme has been neatly undone by a combination of social engineering, botnets, and modestly clever scripting.
Ah, a WHOIS lookup shows that it's the incompetent spammers-for-hire at Epsilon. (Go Google "epsilon spam" for a glimpse at the tip of the iceberg. I'll wait.)
Back? Good. Epsilon does spam-for-hire for a number of companies; apparently the crack reporting staff at the NYT isn't intelligent or diligent enough to figure this out and report it to their own management. This is hardly the first incident involving them -- or rather, it's hardly the first widely-known incident involving them. Those of us who've been studying spam for decades are well aware of this sleazy operation.
There's no reason to do so: SPF has no anti-spam and no anti-forgery value in the contemporary environment. (That's why, despite the desperate flogging by the ignorant who claim that SPF is anything from a preventative to a magic cure-all, the largest adopters of SPF to date are spammers.)
Actually, you're wrong. The problem is NOT economic. It'd be nice if it was -- because some obvious interdiction paths could be used. But it's not.
The spam problem is behavioral: spammers are sociopaths. That's why there are no ex-spammers: they can no more stop spamming than a pedophile can stop molesting children. They're (pick your terminology) mentally ill, sick, etc.
How do we know this? Because we can observe (and we have observed) that they continue spamming even when there's obviously no profit in it, nor any realistic hope of any profit in the future. They're not all/always doing it for the money.
Now...it's certainly true that some spammers do make a profit; certainly the spammers-for-hire that have adopted the guise of "responsible companies" do very well, well enough to hire skilled propagandists who paint them as professional email service providers -- even though they're just spammers with better suits. But that doesn't change their underlying motivation: doing what spammers do requires someone who's devoid of basic human compassion, remorse, responsibility, empathy -- all the qualities that enable people to relate to one another. And there's no easy/obvious fix for that.
First, we've known for many years that IP-level techniques can deal with a lot of spam. For example, using the Spamhaus "DROP" list in perimeter devices is so incredibly effective that anyone who isn't doing it may summarily be declared incompetent. As another example, perhaps more germane to this paper, see http://use.perl.org/~merlyn/journal/17094 -- which demonstrates how to use passive OS fingerprinting in the BSD pf firewall to throttle traffic from Windows systems. (I presume everyone is well aware that bots are nearly always hosted on Windows systems; my own research indicates that despite inroads by attackers into non-Windows hosts, the probability that any given bot will be found to be on a Windows system is still comfortably above 99.999%.) The technique shown by poster "merlyn" in that example from 2004 can readily be extended and combined with others.
Second, 95% true positive rate is impressive for a single measure, BUT we must also consider the false positive rate, and we have to consider the resource cost necessary to achieve this number. Frankly, doing this inside SpamAssassin is very inefficient -- this is a function that can be handled either in the firewall or in the MTA, or perhaps in a combination of the two. There's really no need to invoke something as heavyweight, slow and complex as SA. (Nor is this desirable: the more complex the anti-spam architecture, the more difficult it is to tune properly and the more susceptible it is to gaming.)
Here's the TL;DR version: if a host passive-OS-fingerprints as Windows then it's suspect. If it does that AND (lacks rDNS OR has generic rDNS) it's a bot.
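The perimeter rule sketched above (DROP list first, then the passive-OS-fingerprint plus rDNS test), as an added example that is not the commenter's or merlyn's code. It assumes the OS label comes from a passive fingerprinter such as p0f, and the DROP entries and connection records are constructed sample data, not real list contents.

```python
import ipaddress
import re

# Constructed sample in the style of a DROP list: documentation ranges only,
# not actual Spamhaus entries.
SAMPLE_DROP_LIST = ["192.0.2.0/24", "198.51.100.0/24"]
DROP_NETS = [ipaddress.ip_network(n) for n in SAMPLE_DROP_LIST]

# Tokens commonly seen in generic/dynamic reverse DNS names. This is a
# heuristic: it will occasionally match legitimate names (e.g. "liverpool").
GENERIC_RDNS_TOKENS = re.compile(r"(dyn|dhcp|pool|ppp|dsl|cable|dialup)", re.I)


def in_drop_list(ip):
    """True if the address falls inside any network on the DROP-style list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DROP_NETS)


def rdns_is_generic(ip, hostname):
    """Generic rDNS: the address's octets embedded in the name, or a
    dynamic-pool style token anywhere in it."""
    tokens = re.split(r"[.\-]", hostname.lower())
    if all(octet in tokens for octet in ip.split(".")):
        return True
    return GENERIC_RDNS_TOKENS.search(hostname) is not None


def classify(conn):
    """conn is a dict: ip, os (passive fingerprint label or None), rdns
    (hostname or None). Returns drop / bot / suspect / accept."""
    if in_drop_list(conn["ip"]):
        return "drop"            # never reaches the MTA at all
    os_label = (conn.get("os") or "").lower()
    if not os_label.startswith("windows"):
        return "accept"          # rule only targets Windows-fingerprinted hosts
    rdns = conn.get("rdns")
    if rdns is None or rdns_is_generic(conn["ip"], rdns):
        return "bot"             # Windows AND (no rDNS OR generic rDNS)
    return "suspect"             # Windows with proper rDNS: suspect, not a bot


# Constructed connection records illustrating each outcome.
SAMPLE_CONNECTIONS = [
    {"ip": "192.0.2.10", "os": "Linux 2.6", "rdns": "mail.example.net"},
    {"ip": "203.0.113.7", "os": "Windows XP", "rdns": "203-0-113-7.dyn.example.net"},
    {"ip": "203.0.113.8", "os": "Windows 7", "rdns": None},
    {"ip": "203.0.113.9", "os": "Windows 2008", "rdns": "mail.corp.example.com"},
    {"ip": "203.0.113.10", "os": "FreeBSD 8", "rdns": None},
]

if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        print(c["ip"], "->", classify(c))
```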
We've seen the same thing with their treatment of spammer domains. It works like this:
We notice some spam. We report it to them. They ignore the reports.
We notice some more spam. We report it to them. They tell us it didn't come from their network/their customers/their affiliate/their anything.
We notice some more spam. We report it to them. They forward the reports to the spammers, who either list-wash us or send us more spam or send us nasty notes, sometimes with threats.
We notice some more spam. We report it more widely, and other people start taking notice. Eventually a number of people concur that yes, it's spam, and yes, it's GoDaddy's responsibility, and yes, they ought to do something.
When the chorus gets loud enough, GoDaddy finally does something -- like forcing the spammers to move their domains elsewhere. They announce this as a major blow against spam thanks to their own hard work and diligence. They trumpet their anti-abuse policies, pat themselves on the back, ignore the people who actually did the research, forget all about how long the abuse went on, and claim the whole thing as yet another win for themselves.
Process repeats.
So there is no doubt whatsoever in my mind that this is just the latest variation of that scam. GoDaddy is only allegedly changing its mind because of the money involved. It's not on principle, because they have none. I guarantee you that -- behind the scenes -- they're still doing everything they can to support this bill.
So, please, everyone: don't be naive and stupid enough to fall for this scam. Remember: if GoDaddy was REALLY against this bill, they could have said so yesterday. Or last week. They didn't.
It's difficult to figure out which comment you mean, but if it's the one feebly attempting to justify spammer Bob Parsons' actions, then do consider this: let's presume, for the sake of argument, that the circumstances are as you portray them. (I have strong doubts that this is the case, but let's go with it for a moment.) Then, given that spammer Bob Parsons is an extraordinarily wealthy man, why not hand a big fat check over to one of the non-profit organizations trying to save endangered species... so that they can relocate the elephant? And while they're at it, some rhinos and primates, too -- there are a lot of animals which are endangered in part because humans have occupied land essential to their survival. Why not do some positive good in the world...instead of getting his rocks off by slaughtering an innocent, thinking, feeling animal?
NoDaddy.com is now owned by GoDaddy. See http://www.theregister.co.uk/2011/07/12/godaddy_shuts_down_nodaddy/ for details.