Slashdot Mirror


User: bleh-of-the-huns

bleh-of-the-huns's activity in the archive.

Stories: 0
Comments: 717

Comments · 717

  1. The other issue with the statement by FAA on FAA Denies Vulnerabilities In New Air Traffic Control System · · Score: 1

    Is that while the C&A process can be interpreted many ways, in general, it is the security posture of the system and its components, not the functionality. Most assessors do not go that far because depending on the system, they may not be able to, or be equipped to test the actual functionality beyond the component level.

  2. The C&A process is only useful if... on FAA Denies Vulnerabilities In New Air Traffic Control System · · Score: 1

    The people performing the process actually follow the guidelines as they were intended.

    The guidelines are based on NIST 800 series documentation, as well as any other internal rulebooks and policies in place at a particular organization.

    The entire process needs to be performed by independent auditors (as a consultant, one of my duties is the technical aspect of the C&A process); there is no incentive for me to bow to political or management pressure from the system owner. The results are provided directly to the certifying authority designated for that system, which also falls outside the chain of command for the system being certified.

    The problem is that too many federal entities do the C&A process in-house, which allows management to futz with the results before passing them on to OMB (all C&A results end up at OMB for the yearly scorecard to be calculated).

    With regards to FAA, as I have worked with them in the past, they have had the C&A process performed by in-house contractors or, previously, by using the DOT C&A group. When the latter option is used, the results tend to be a little better, but they can still be fudged.

  3. Re:The FAA , another broken government organizatio on FAA Denies Vulnerabilities In New Air Traffic Control System · · Score: 4, Informative

    This is totally incorrect.

    Flaws and vulnerabilities discovered during the C&A process result in POA&Ms (Plans of Action and Milestones) for each flaw and vulnerability. Each of those POA&Ms is tracked, and there is a timeframe within which the issue must be resolved, depending on the severity. Once flaw remediation is complete, the POA&M is closed.

    No recertification required. The only time recertification is required is when a certain percentage of the system is changed, not updated or fixed.

  4. The grass is not always greener.... on Ask Slashdot: What's the Best Place To Relocate? · · Score: 4, Insightful

    No matter where you look, each location will have its own fair share of problems. Rather than picking a location based on economics and political issues, pick a location where you will be happy.

    Now obviously, being happy is contingent on being employed and being able to live where you choose, but I guarantee you one thing, following the money does not always work.

  5. Not new, but using a VPS is better than a proxy on How To Watch Internet TV Across International Borders · · Score: 1

    I have been using VPSes for a very long time. Recently I added 2 new ones, one in the UK and one in Germany, in addition to my existing US one (which I will be switching soon to a cheaper one).

    The US one I have been using for years is somewhat pricey, at around $25 a month; as an early adopter one gets to pay a premium. However, I have looked recently and found much cheaper ones (I only need a basic VPS).

    I run OpenVPN on the US-based VPS, with the UK and DE ones connecting to it as clients (in addition to my home gateway connecting to it as well).

    On the VPN server, I have routes set based on the various IP databases (RIPE in the case of EU); those get pushed out to the clients. It is completely transparent to the laptops, smartphones and desktops in my home: if I go to, say, bbc.com, I get routed out through the UK VPS.

  6. Re:Another alternative is...change your DNS! on How To Watch Internet TV Across International Borders · · Score: 1

    I am currently paying $5 a month for a VPS in the UK. It costs no more than the unblock-us stuff, and you have far more functionality. I also use static routes based on RIPE subnets in my OpenVPN configuration that route traffic across either my UK or DE hosts (both cost me $5 a month, and I will be switching my US one as well; that one is costing me $25 a month, but I found one for around $5 a month). I only need the basic VPS; I'm not running intensive applications.
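An added example, my own code rather than anything posted in the two comments above or shipped with OpenVPN, showing the mechanical part of the setup they describe, generalised slightly: read a registry's delegated-statistics file (the `registry|cc|type|start|value|date|status` layout that RIPE and the other RIRs publish), turn one country's allocations into CIDR blocks, and render the three server-side OpenVPN directives a client-as-exit-gateway layout needs: a `route` on the server, an `iroute` in that client's client-config-dir file so OpenVPN knows which client owns the block, and a `push "route ..."` so the home gateway sends that traffic into the tunnel. The sample lines, the client common name `uk-exit`, and the use of documentation prefixes as stand-ins for real allocations are constructed for the example.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics layout
# (registry|cc|type|start|value|date|status). Real files run to tens of
# thousands of lines; documentation prefixes stand in for real allocations.
SAMPLE_DELEGATED = """\
2|ripencc|20240101|5|19920101|20240101|+0100
ripencc|*|ipv4|*|4|summary
ripencc|GB|ipv4|192.0.2.0|256|20010101|allocated
ripencc|GB|ipv4|198.51.100.0|768|20050101|allocated
ripencc|DE|ipv4|203.0.113.0|256|20030101|assigned
ripencc|GB|ipv6|2001:db8::|32|20070101|allocated
ripencc|GB|ipv4|198.18.0.0|32768|20090101|reserved
"""


def parse_delegated(text, country, family="ipv4", registry="ripencc"):
    """Return the collapsed list of networks delegated to one country.

    For ipv4 the value field is a host count that need not be a power of
    two, so one record can expand to several CIDR blocks; for ipv6 it is a
    prefix length. Version, summary and non-allocated rows are skipped.
    """
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != registry:
            continue  # version line, summary line, or another registry
        _reg, cc, typ, start, value, _date, status = fields[:7]
        if cc != country or typ != family:
            continue
        if status not in ("allocated", "assigned"):
            continue  # reserved/available space is not routed anywhere
        if family == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.IPv6Network(f"{start}/{value}"))
    return list(ipaddress.collapse_addresses(nets))


def render_openvpn(nets, exit_client_cn):
    """Render the server-side OpenVPN lines for routing `nets` via one client.

    "route" lines go in the server config (kernel route into the tun device),
    "iroute" lines go in ccd/<exit_client_cn> so OpenVPN's internal routing
    hands the block to that client, and "push" lines go in the server config
    (or the home gateway's own ccd file) so the other clients tunnel it.
    """
    route, iroute, push = [], [], []
    for net in nets:
        if net.version == 4:
            target = f"{net.network_address} {net.netmask}"
            route.append(f"route {target}")
            iroute.append(f"iroute {target}")
            push.append(f'push "route {target}"')
        else:
            route.append(f"route-ipv6 {net}")
            iroute.append(f"iroute-ipv6 {net}")
            push.append(f'push "route-ipv6 {net}"')
    return {"route": route, "iroute": iroute, "push": push,
            "ccd_file": f"ccd/{exit_client_cn}"}


if __name__ == "__main__":
    # Hypothetical exit client whose certificate CN is "uk-exit".
    rendered = render_openvpn(parse_delegated(SAMPLE_DELEGATED, "GB"), "uk-exit")
    print("# server.conf")
    print("\n".join(rendered["route"] + rendered["push"]))
    print(f"# {rendered['ccd_file']}")
    print("\n".join(rendered["iroute"]))
```

The exit VPS itself still needs IP forwarding enabled and a NAT rule on its public interface, and anything not covered by a pushed route leaves through the server's own default route, so the generated lines are worth reviewing before they go into a live config.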

  7. Easy solution on Australian Consumer Group Wants Geo-IP Blocking Banned · · Score: 3, Informative

    Go out and purchase a VPS hosted in the data center of your choice in the country of your choice.

    I do this currently; granted, it is not to get around geo-IP blocking, but rather to have a centrally hosted box I can connect my roaming devices to via VPN and route all my traffic through.

    I like the BBC, and yes, I could go the TPB route if I wanted, but I can also pay $10 a month for a VPS hosted in a data center in the UK, which would allow me to watch BBC streamed programs without having to wait for them to show up on BBC America. That, and well, who needs ATT/Verizon/whomever snooping on your traffic and profiting from it..

  8. Charging overages and financial sodomy on Verizon Wireless Goes Ahead With 'Bucket' Data Plans · · Score: 1

    That is all this is. What most people seem to have missed is the fact that Verizon has not currently stated how users will be notified. Sharing 1G of data between two phones, when one might be a heavy user: will the other user be notified when they reach the 1G limit, or will they just be charged an overage fee?

    Data is data, and should be sold as such, you pay for 1G through 10G of whatever, and you use it as you see fit, no matter the number of devices or uses, then you pay for more data when you run out and need it.

    Carriers have lost so much revenue on voice and SMS that they needed to find a new cash cow, and rather than be reasonable, they (and I do mean they, as the others will follow suit) chose a very confusing and convoluted method of charging per device, and then charging even more for less data per device than the current plans.

  9. Time to find a foreign VPS for my OpenVPN server on House Passes CISPA · · Score: 2

    I currently have a VPS that I use as a VPN server for my mobile devices and laptop when I am on travel, and I redirect all of my traffic through it. I do this mainly to keep Verizon's and ATT's (specifically ATT when I tether) grubby little mitts off my data.

    I think it is time to switch to a foreign VPS provider, somewhere in the EU or Asia, and reroute ALL of my traffic through there. My only issue is currently my FIOS speeds far exceed my throughput at my current VPS..

  10. Re:Got one! on Mandatory Brake-Override Proposed For All Cars · · Score: 1

    Holding the button in for 3 to 5 seconds does kill the engine; however, it is not blatantly noted in the owner's manual, not that people read those things..

    That brings me to the next point: how far out of reach is the button? If you have to overreach to get to it, you may steer the vehicle right off the road.

    Also, the vehicle (at least Toyota/Lexus, Jeep [which probably means all Chryslers] and Nissan/Infiniti) will continue to run with no key; however, it will yell at you and beep at you the entire time. Otherwise people whose key fob batteries die while in motion... would come to a surprising stop...

  11. Re:You're kidding, right? on US Unhappy With Australians Storing Data On Australian Shores · · Score: 2

    I think the article has more to do with AU preventing the US companies and firms from operating assets (cloud, server farms, hosting, etc.) in AU and providing services to the AU gov, rather than hauling all that traffic back to US soil and using US firm resources here.

    That said, I do see major issues with companies storing data on US assets (whether abroad or not). Especially when we read articles about wholesale data monitoring by US gov entities (FBI, NSA, CIA, take your pick), whether legal or not, it is happening.

    I could be wrong.. but I suspect I am not.

  12. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · · Score: 0

    This really has nothing to do with cheap programmers. Even cheap programmers are competent in the basics, and while prepared statements (for the original OP of this thread) work, the best solution, and really the only solution for many of these types of attacks, would be input validation. That would prevent the ability to send garbage attacks in the first place, and would also negate the need for a third-party program to protect the assets.
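An added illustration, my own code and not anything from this comment, the thread, or GreenSQL, of the two defences the comment weighs: an allow-list check on a field whose shape is known in advance, and a prepared statement for a free-text field where legitimate input can contain quote and wildcard characters and an allow-list would reject real users. The table, the username rule, and the sample rows are constructed for the example; it uses Python's built-in sqlite3 module.

```python
import re
import sqlite3

# Narrow allow-list for an identifier-like field: letters, digits, underscore.
# Constructed rule for the example; real rules follow the field's actual spec.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value):
    """Allow-list validation: accept only the shape the field is supposed to
    have and reject everything else before it gets near the database."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def make_db():
    """Constructed in-memory table for the example (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO users (name, note) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "O'Brien's account"), ("carol", "100% remote")],
    )
    conn.commit()
    return conn


def find_user(conn, username):
    """Both defences together: validate the shape first, then bind the value
    with a prepared statement so it travels as data, never as SQL text."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username {username!r}")
    return conn.execute(
        "SELECT id, name, note FROM users WHERE name = ?", (username,)
    ).fetchone()


def search_notes(conn, fragment):
    """Free-text field where a strict allow-list would reject legitimate input
    (apostrophes, percent signs), so the prepared statement carries the
    defence. LIKE metacharacters in the user's text are escaped so they match
    literally instead of acting as wildcards."""
    literal = (fragment.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    rows = conn.execute(
        "SELECT name FROM users WHERE note LIKE ? ESCAPE '\\'", (f"%{literal}%",)
    )
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_user(db, "alice"))          # ('1', 'alice', 'admin') style row
    print(search_notes(db, "O'Brien"))     # the apostrophe is just data here
    print(is_valid_username("o'brien"))    # rejected by the allow-list
```

The two functions show why the thread's "validation versus prepared statements" framing is really "both": `find_user` can afford a strict allow-list because the field is an identifier, while `search_notes` cannot, so the parameter binding is what keeps user text out of the statement.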

  13. Re:"Manufacturing Conditions" Database/Wiki on Ask Slashdot: Any Smart Phones Made Under Worker-Friendly Conditions? · · Score: 2

    I do not know of too many radio/audio manufacturers in the US, specifically none in MS, however there is Emotiva, which is made in Tennessee, and is very well priced compared to some of the other high end products from Yamaha, Denon, Pioneer, etc. They are not cheap by any means, but they are also not expensive either.. And they are 100% made in the US (well, except for many of the internal components, transistors, capacitors, etc etc, which are no doubt made in China).

  14. I call bullshit... on AT&T On Data Throttling: Blame Yourselves · · Score: 3, Interesting

    Seriously, they stated the top 5% in congested markets would be throttled, which would be fine, if they utilized the actual top 5%. Not the arbitrary number they pulled out of their ass that stated the top 5% used approx 2G of traffic.

    Yet they are selling tiered plans with 3G caps.. If throttling should occur, it should not start until the 3G mark.

    I was going to go on a rant, but I have been ranting about this shit for months now, ever since I found out about the throttling and ended up being throttled at 2.2G.. in the DC area, I seriously doubt 2.2G is even close to the users in the top 5% for the DC Metro area.

    This is strictly a money play, ATT can go fuck themselves for all I care.... The only reason I stay with them.. is because when I am not throttled, I get between 30 and 50mbit rates on the LTE network in DC... Verizon does not even come close, and I hate Verizon more than I hate ATT..

  15. Re:Legality? on Foreign Data Unsafe From US Patriot Act, Says American Law Firm · · Score: 1

    This is complete speculation... but I suspect it has a lot to do with money, or rather the requirements and policies the US puts on other countries to trade with the US.
    "Everyone hates the US," blah blah blah, is a sentiment of the populations; however, the governments of those same countries (with the exception of a few like Iran, Venezuela, Cuba, etc.) all want to be in the US government's good graces, and will in many cases give up way too much power to the US to remain in the US's good graces..

  16. Re:Copyright now? on Foreign Data Unsafe From US Patriot Act, Says American Law Firm · · Score: 2

    That depends; one of the charges against him was money laundering, and if said laundering was used to fund terrorism (yes, that is a huge stretch by any imagination...), the Patriot Act would apply...

    Law enforcement (Federal and Local) have been known to stretch the facts to get what they want though...

  17. If you like FreeBSD on Ask Slashdot: Best Inexpensive VPS Provider? · · Score: 1

    Try rootbsd.com. It is what I use, since I wanted a FreeBSD VPS.

    Not the most expensive, not the cheapest, but has been very reliable for me.

    I use it as a VPN server. My home network (FIOS) connects to the VPN server; this allows me access to all my internal hosts (VMware, storage, various other boxes) from the outside world using port forwarding. It gets around pesky filtering.

  18. People are way too paranoid... on Carrier IQ Responds To FBI Drama, EFF Wants More Information · · Score: 1, Informative

    First off.. CIQ are not the bad guys here.

    They make software. It does various things, and it can be used for good or evil.

    The carriers are the ones who requested the software to be placed on the handsets. The handset makers are the ones who screwed up, specifically HTC who left debug mode enabled on a production handset. The Samsung handsets do not exhibit the same issues that were shown in the video that the HTC handsets show.

    The whole FBI link, no one really knows for sure what the deal is, other than they refused a FOIA. That could mean they utilize the data, or they are in fact investigating CIQ itself.

    Honestly, for the purposes that CIQ claim the software is for, I have no real issue with it. However, they built far more capability than was needed into the software, and that I do have a major issue with.

  19. Re:Wow... on South Africa Passes Secrecy Bill, Makes Whistleblowing a Dangerous Act · · Score: 0

    Mandela.. noble.. you're joking, right.. Maybe later in life he ended up that way, but it does not excuse what he and his cohorts did prior to his imprisonment. If you look at his past in today's context, he would be labeled a terrorist, and rightly so.

    I will concede that he did many great things later in life, but his history remains, and it is not a pretty one.

  20. Re:Same Shit, different day.... on South Africa Passes Secrecy Bill, Makes Whistleblowing a Dangerous Act · · Score: 0

    I will take your comment seriously when you remove the shroud of anonymity and post as an actual person.

  21. Same Shit, different day.... on South Africa Passes Secrecy Bill, Makes Whistleblowing a Dangerous Act · · Score: 4, Insightful

    There is nothing to see here, move along..

    Welcome back to apartheid, only under black rule instead of white rule..

    This country (I am an expat) is intent on destroying itself. They have been trying to change history by renaming, or removing all monuments, good or bad, to historical figures and events.

    I'm glad I left.. as have most of my friends. SA, while a beautiful country from a landscape aspect, is an absolute shithole from a people aspect; black, white, Indian, makes no difference, the few good ones left should get the fuck out while the getting is good.

  22. HTC are not new..... on HTC Becomes Highest Shipping Smartphone Vendor In the US · · Score: 4, Informative

    They have been making phones for years.. starting way back in the Windows Mobile days. Granted, they were mostly OEM for other brands, but they are not new.

  23. Re:Um.... on Federal Contractors Are $600 Screwdrivers · · Score: 4, Interesting

    Actually, not really. While there is plenty of bullshit, the government requires a certain portion of the work to go to small businesses. So there is a good chance that a small business will get the work.

    However, the small businesses that do get the work, tend to be partnered with larger firms, who end up doing all the paperwork to help the small business win the contract. I know, I work for one of those monstrous companies and we partner with, and supply the paper framework all the time.

  24. Off lease hardware and ebay. on Ask Slashdot: Computer Test Lab Set-Up For Home? · · Score: 1

    I purchase older-generation off-lease equipment off of eBay for use in my own home lab.

    I currently have around 4 2U servers with dual dual-core or quad-core CPUs. About the only thing you need to purchase is hard drives. For that I picked up 1 3U 15-bay drive chassis with dual AMD dual-core CPUs, 16G RAM, running about 8 500G drives and 8 1TB drives. It has 4 gig network adapters that I use LACP with for link aggregation on a cheap managed switch that supports LACP.

    The only problem is my switch; I paid around $60 for a Dell 24-port gig switch, but the Dell switch kind of sucks. I should have spent a little more (okay, a lot) and picked up a Cisco.

  25. Any Android device within the last year will work on Ask Slashdot: Which Android Phone (and Carrier) For WiFi Proxy Support? · · Score: 1

    While there are programs and apps that allow for tethering, there is no real need to root your phone as others have suggested. Well, at least not permanently. Most of the customized ROMs that the carriers place on their devices have tethering disabled by default so they can charge you for a service that you already pay for. Data is data.. it does not matter how you use it, so fuck the carrier.

    Initially you will need root to install a ROM manager; once you have that complete, go peruse XDA Developers and find the ROM you want for your particular device. Most of the ROMs cooked up there have Android's built-in tethering functions enabled (yes, any stock Android ROM from 2.2 onwards has tethering via USB cable or WiFi by default; it is under the network settings). Pick one with some fancy customizations, or just a plain stock Android build (hell, you could build it yourself if you want; many devices already have the Android source out there).

    Once you have reimaged your phone, you can remove root access if you do not feel comfortable leaving it enabled (although there is currently very little risk; just be aware of what you install and you will be fine).

    This message brought to you by my Samsung Galaxy S on ATT, rooted and tethered using the stock Android functionality, no additional software or apps required. Hell, it even supports using WPA for your WiFi tethering fun.