IT should be a 'business enabler'... I often need to send encrypted files (because the policies of my customers don't allow me to send the docs un-encrypted). And those files are often blocked... Do you really think there is a danger? Hackers targeting your company would simply send the latest 0-day, which your anti-virus wouldn't catch anyway. I don't care about little Hitlers in IT that talk about staff as 'The user has no basis or justification to'... WTF! Anything the user needs for business you should provide! And that doesn't mean that he/she can get anything he/she wants, but instead of 'being reasonable' and blocking everything you should provide a solution to enable that user in secure file-sharing with people if there is a business need... And yes, my docs are confidential and none of you IT monkeys should be able to read them...
You might want to have a look at http://www.keylength.com/ (overview of all 'official' recommendations regarding protocols and minimal keylengths).
If you work for banks: take into account the Payment Card Industry standard (https://www.pcisecuritystandards.org/ - strictly speaking only valid for credit card handling systems) and look at national compliance requirements...
You have obviously bought too much Microsoft software lately. You know the feeling: you open the box, read a piece of paper with "EULA - DON'T PANIC" on it. Suddenly you realise that what you have bought is nothing more than that paper, telling you that you are the proud new owner of a licence (not necessarily to be used with whatever is in the box).
This is not the same system as (e)mail. If you receive email, you are the owner. If you send someone mail, it is suddenly HIS mail, not yours, even if you put "TOP SECRET - DO NOT DISTRIBUTE" on it. The recipient can do whatever he or she wants with that email (unless bound by a contract or something similar). At least according to the law of my country...
And please, you don't have any privacy, if you are using Email. It will pass in the clear on the network, on Email servers,... Every sys- or netadmin on the road to the destination (which you can't control) can read your mail...
Although it's good to have an independent security audit of the hardware/software, it's still a far cry from what I would call development of a secure system.
Did an independent auditor (or security specialist) audit the design - both hardware and software - from a security point of view? Were there independent audits/reviews of the coding or assembly of the hardware? Can you trust the developers or factory workers? Who is monitoring the deployment, development, good working,...? What are the logging/auditing possibilities? How secure is the data transmitted? How secure is that data stored?
Who will monitor the people who are in charge of the system?
Ultimately, you have to trust someone. And putting trust in the wrong kind of people is the biggest security risk there is...
It is even worse: description of companies in Google Places cannot use certain words anymore (I perform penetration tests and 'penetration' is now in that list of forbidden words). Crazy enough 'penetration' is allowed as Adword!
See http://blog.astyran.sg/2010/11/google-term-penetration-is-not-allowed.html.
still is useful to tell the browser to use (well, interpret) the correct encoding, when an HTML page is saved and then opened in the browser.
I thought that Java was far from open, and not even an official standard?
Please disconnect from the internet immediately.
It's impossible that your connection to Slashdot or whatever is only accomplished through "Free" software.
Since web-sites are all about sharing information or nice looking girls, it might be very worthwhile to look at "Information Mapping".
The Information Mapping method is a research-based approach to the analysis, organization, and visual presentation of information.
See web-site of professor Robert Horn for a start. Unfortunately, his web-site doesn't use the techniques :), but you'll find some useful PDFs.
Site: http://www.stanford.edu/~rhorn/
The designer of the slashdot site could also use a background on Information Mapping(R), IMHO :)
There is no reason why the security of a system should be dependent on an admin.
Software/Hardware should be secure by default, it should take a highly skilled admin to mess up the security of a system.
Why not SSHD? Nobody in his right mind uses telnet nowadays.
Biometrics on its own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:
- something you have (such as a token) or
- something you know (such as a password or PIN)
:))
Jar Jar Binks was bad enough, we don't need more fake actors.
Well, my IP isn't in danger, I only have to be careful when I update the news headlines from /.
From the "Slashdot Code":
"If your automated loading of slashdot becomes too much of a burden on our servers, you run the risk of having your IP banned, so play fair!"
Couldn't they ban the IP from SCO and solve a lot of problems?
I tend to disagree. None of my personal contacts, and only very few of my business contacts, have an email certificate, let alone that they understand the consequences of using one. Even if the email program warns the user that there is something wrong, people will click away the pop-up faster than the fastest graphics card can display it fully on screen.
And of course, most encryption plugins "remember" your passphrase for X minutes; what is stopping the virus from signing all emails while your passphrase is cached?
So yes, it might be a solution for "techies", but not for the vast majority of users.
There is no easy solution for this
Any new book - and certainly a second edition - on programming (whatever the language) should have a full chapter on security.