If a user has access to a file, a user can be conned or tricked into giving someone else the file. At the very least, user education must focus on recognizing social engineering and protecting enterprise information assets, whether in a digital or other form.
Too many people are already convinced that we can solve all information security problems through technical means. I'm sad to see a respected "expert" propagating that myth.
The Cisco advisory for the link-local parser vulnerability states very clearly that if IPV6 routing is turned off, the router is not vulnerable. I even pasted that part of the advisory into the message you are replying to. Have you not read the advisory, or do you have evidence that it's wrong? If it's wrong, a lot of people would be interested in seeing it, since most people who aren't running IPV6 haven't patched for this vulnerability. I guess whoever modded your post informative has access to this same secret information, too.
I know what Mike's point was, but I'm not sure what your point was when you said, "He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net." Mike's attack works on local routers, and yes, in theory could hop from router to router. But to be a useful attack against a remote target, you would need a chain of vulnerable routers from you to the target network. Add the fact that both attacks require a feature that isn't running on most routers in the public Internet and it makes the practicality of Mike's attack about equal (meaning very, very low) to this one.
I guess Cisco is just the current popular FUD target.
And furthermore, the exploit only works if you can generate packets local to the router:
Summary
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Thus, your assertion that Lynn could successfully attack "pretty much any router" appears to have no basis in fact.
Probably not related, other than Lynn's findings explain the obviously CYA statement "and potentially an arbitrary code execution attack", which is normally not in their security advisories.
There's no evidence that this vulnerability is exploitable as anything other than a DoS, inflammatory headline notwithstanding.
It doesn't matter who is relying on the GPL, you or the person who made the copy and gave it to you. If the GPL isn't valid, you don't have a right to the copy. US law allows you to make a copy of the program if required to run it if you own the program. You must have some form of license to make a copy of the program. That license is the GPL. The GPL is only different from Microsoft EULAs in its terms. In point of fact, the GPL is one of a category called End User License Agreement.
A company who uses empty certifications as a significant step in determining interview candidates is a company that probably values other empty pursuits, and won't provide fulfilling work.
1. Not all certifications are equal; some certainly are empty. Not all skills warrant certification.
2. How could someone with no certifications evaluate what constitutes an "empty" certification?
3. Given 1 and 2, couldn't someone who has certain certifications rationally baseline others who have those same certifications? Isn't that the point of these certifications, establishing a certain professional baseline?
Sadly, you do point out that the execs at the corporation don't go to jail.
The execs aren't the corporation, so if the corporation misbehaves, why should they go to jail? If you think that they should go to jail because they "should" know and be responsible for everything the corporation does, that's actually a better argument for locking up the board of directors. OTOH, if the executives themselves misbehave, they do go to jail. See Enron, Worldcom, Adelphia...
How do you know if they are a "likely good candidate?" If you get 1,000 resumes that ostensibly meet your requirements, you can't give 5 minutes to each one for an interview. You can't even read each one. You need some way to make a first pass. Certifications are useful for that. Yes, you may cull out the one in a thousand really sharp guy who hasn't bothered to take the test, but it's well worth it, and trust me, there are plenty of sharp guys who did bother to take the test. This strategy only fails if your requirements are so unique that it is likely that you will eliminate the single qualified applicant. But if that's the situation, you will probably have a small pool to begin with.
It's actually almost scary how hard it is to find really good admins now. Putting up a job opening will result in tons of responses, but 99% of them seem to be people who think that since they were able to install Fedora at home, they're qualified to be a sysadmin.
That's why without certifications you aren't likely to get an interview with me. If you have the knowledge, go out and take the exam. It won't prove anything to you, but to third parties who don't know you from Adam, it at least shows that you have some modicum of knowledge. However, if that's all you've got, you won't get past the phone interview.
Trial and error may indeed get you to a solution. But it will rarely get you to the "right" or "best" solution. And even if it does, you won't know it. So, if getting it done is all that matters, without regard for how long it takes or how efficiently you do it, by all means continue with the trial and error approach.
To a certain extent, the dot.com explosion is to blame for this mentality. For many startups, labor was nearly free, costing little more than stock options and free snacks. When developers and engineers are willing to work 16 hours a day for chicken scratch, it's attractive (but flawed) to allow them to reinvent wheels rather than hiring skilled but expensive wheel smiths.
As the senior technical person on my team, I would rather my boss be less technical and more managerial. The team and I can handle all of the technical aspects of our job, and explain to him anything he needs to know. We need him to act as an abstraction layer between us and upper management.
IME, most technical people who complain about a boss who "just doesn't get it" should point the finger of blame at themselves. These individuals are typically people who find pride in being a "jack of all trades", or a "hobbyist" who expects everyone's knowledge to be as broad as his own. Unfortunately most such people have broad but shallow knowledge, and are not very useful outside of their comfort zone. I know that individuals like this are highly prized in some environments, but for most tasks in a large enterprise, I'll take a focused expert over a so-so generalist any day. A common trait of this class of IT worker is that they also typically aren't good at explaining concepts to non-technical folks, since they don't really understand what they are doing, having gained most of their knowledge by playing until something works.
As a mentor of mine used to say, "If you can't explain it, you don't understand it." If your boss doesn't understand what you do, you have no one to blame but yourself. Of course, there are exceptions.
Regardless of how it works "most of the time", POP and SMTP just aren't intended or optimized for anything approaching real-time communication. Messages can be queued for hours or days, and if the message doesn't go through right away, it may not be resent immediately.
IM is designed for real time messaging between people who are currently online.
The cited article indicates that neural stem cells can be grown in culture; it also indicates that (as of 5 years ago) researchers were experimenting to see if stem cells from marrow could give similar results. Further, if you are generating customized embryonic stem cells, it shouldn't matter what line they originally come from.
Yes, you are underreacting. Did you miss the original Slashdot posting:
NCSA Compares Google and Yahoo Index Numbers
chrisd (former Slashdot editor and now Google employee) writes "Recently, Yahoo claimed an increase of index size to "over 20 billion items", compared to Google's 8.16 billion pages. Now, researchers at NCSA have done their own, independent, comparison of the two engines. "
Notice that the summary was submitted by a well known Google employee, and that it states the study was conducted by the NCSA.
What a perfect example of the kind of disinformation the GP was posting about. The article you cited is about adult stem cells on which there are absolutely no research restrictions. Further, every viable treatment to date using stem cells has been using adult stem cells as well.
Two datasets can result in the same MD5 hash, assuming a fixed hash length.
For any hash function which produces a fixed length hash, there will be an infinite number of inputs that produce the same result. The usefulness of a hash function depends on the difficulty in finding an input that generates a particular output. Note that to defeat the function, you don't have to come up with the "right" input, just any input that returns the same hash.
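An added illustration of the two points in the comment above (a fixed-length output forces distinct inputs to collide, and "defeating" the hash only needs some input with the same digest, not the original); this is not part of the original post. It uses MD5 truncated to a small number of bits (a constructed parameter, `trunc_bits`) so the brute-force search finishes in milliseconds, and the constructed inputs are labelled as such.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Added example, not from the original post. Real MD5 is 128 bits; we
# truncate it (constructed parameter trunc_bits) so that the pigeonhole
# effect and the brute-force cost can be observed directly.


def truncated_md5(data: bytes, trunc_bits: int) -> int:
    """Return the first trunc_bits bits of the MD5 digest as an integer."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - trunc_bits)


def pigeonhole_collisions(trunc_bits: int, count: int) -> Dict[int, List[bytes]]:
    """Hash `count` distinct constructed inputs into 2**trunc_bits buckets.
    If count > 2**trunc_bits, at least one bucket MUST hold two inputs,
    regardless of how good the hash is: output space is finite, inputs are not."""
    buckets: Dict[int, List[bytes]] = {}
    for i in range(count):
        msg = b"constructed-input-%d" % i  # constructed sample data
        buckets.setdefault(truncated_md5(msg, trunc_bits), []).append(msg)
    return {h: msgs for h, msgs in buckets.items() if len(msgs) > 1}


def second_preimage(target: bytes, trunc_bits: int, limit: int) -> Tuple[Optional[bytes], int]:
    """Brute-force ANY input != target with the same truncated digest.
    Returns (found_input_or_None, attempts). Expected attempts ~ 2**trunc_bits:
    the attacker never needs the original input, only a matching digest,
    and the output length alone sets the work factor for an ideal hash."""
    want = truncated_md5(target, trunc_bits)
    for attempts in range(1, limit + 1):
        candidate = b"candidate-%d" % attempts  # constructed guess
        if candidate != target and truncated_md5(candidate, trunc_bits) == want:
            return candidate, attempts
    return None, limit


def demo() -> None:
    bits = 12  # 4096 possible digests
    collided = pigeonhole_collisions(bits, 5000)
    print(f"{len(collided)} colliding buckets among 5000 inputs at {bits} bits")
    found, tries = second_preimage(b"the original document", bits, 1 << 18)
    print(f"second preimage after {tries} tries: {found!r}")


if __name__ == "__main__":
    demo()
```

Doubling `trunc_bits` roughly squares the expected number of tries, which is the whole argument for long digests: the collisions always exist, finding one is what must be expensive.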
Many slashdotters don't know about Tipper Gore's crusade, or remember a time before music came with warning labels.
Believe it or not, Cisco makes many products that don't run IOS.
He could get into pretty much any Cisco router w/ his attack...
Except all the routers not running IPV6.
Why must you plagiarize the work of others?
But the parents didn't pay for it. Would you part with $120,000 so that they could have their child back?
How is that different than Opera giving away free keys so that more people will use their browser?
I'm sure there are exceptions.
Cisco was running 10Mb Ethernet over barbed wire years ago.
Not mine. Running your own mail server and being your own webmail provider means that you get to be responsible for your own privacy.
I think you need to up your meds.