I cannot think of an application where having some assurance that you are connecting to whom you think you are connecting to are one and the same. For experimental or extremely low-value transactions like avoiding your work proxy, you can self-sign.
In the case of P2P sites where you're illegally distributing movies, music, software or pron, you're basically doing the equivalent of leaving fingerprints at the scene of the crime. You're protecting the server operator, but making it trivially easy to determine which computer under your control is connecting.
And when you do something nefarious with your signed code, the police will subpoena the CA for the details of your transaction, get your info from the credit card company, and send a cop to your door.
You really should read and understand more about this before spouting off like some sort of authority.
Encryption by itself is not very useful, as it only operates at the network layer. So some nefarious network user or ISP admin will be unable to read your communications. Big freaking deal.
SSL Certs aren't a silver bullet to save you from fraud, but they do provide a measure of security against attacks like address spoofing or upstream network users proxying your connection. They also provide an audit trail to help establish who is operating the site.
Apple has never been primarily a software company, so naturally they'd lag behind any full-time software company when it comes to creating applications.
That was exactly the point that Bill Gates was making. While Apple was dicking around with hardware that most people care about (Macs were like $2500 more than PCs during that era), they ignored the software... because the software was far more important.
Today, Apple understands what the consumer wants in the software space, much of which is internet-based. Microsoft has the disadvantage of owning the market, and ultra-conservative idiots running enterprise IT have too much influence on the company.
For all the bitching, Vista fixes all of the problems that IT folks bitched about incessantly. Tighter security, robust group policy, more efficient imaging format. Problem is, consumers don't really give a shit.
In all of the states that I'm aware of, the prison system exists to provide good-paying jobs to corrections officers in out of the way areas with bleak economic prospects. The other aspects (punishment, rehabilitation, etc) are just side-effects.
Do some googling about DoD contract management, and you'll see that it does not, in fact, work. Government auditors basically gave up when they identified $23 billion of spending that could not be accounted for.
They also want people who aren't going to be upset by the glacial pace of the court system. I served on a case for a total of 3 weeks that was open and shut -- we found the guy not guilty in like 10 minutes. But the fucking lawyers wouldn't shut up.
I just missed deadlines and work -- but I did get paid. One of our fellow jurors worked at a commercial bakery, which didn't pay the difference between jury pay and his normal pay. So he lost hundreds of dollars a week, plus overtime.
I totally agree with you on taking proactive measures during the planning phases of the project. That also makes me stop and think that the team-building approach that Brooks laid out in the "Mythical Man-Month" is the type of approach that would help address problems like this.
When people talk about the Mythical Man-Month, they usually refer to the assertion that throwing people on a project tends to delay the project. But another key point in that book was that the programming/implementation team was more like a surgical team than a bunch of interchangeable people. He described an architect, tool-builder, documentation person and other roles, which could conceivably include security.
If you took a bright programmer on each team, and had her focus on security issues as a primary responsibility, I think you'd develop a fantastic core of security expertise on project teams. Certainly better than the drive-by security types that dominate the field.
Of course, security consultants think that security should be left to the professionals (i.e., them).
The information security people are getting jealous because project managers have the certification/religious body (PMI) and a certification (PMP) that is basically required for many serious projects. That keeps the rates high by limiting the marketplace and mandating some prescribed process for doing everything.
Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit. So now every so-called security guru is coming around telling us that the Russian mafia has probably already hacked our systems, and the Chinese are going to take over the world, starting with our company's PCs. The magazines roll out witticisms like "digital Pearl Harbor" and "cyber 9/11".
The solution is to give more money to security consultancies. Maybe buy some million-dollar IDS solutions from the likes of Symantec to let you know that some putz in accounting tried to use FTP.
IMO, it's all bunk. IT people are finally starting to question the dubious value of cash-cow security software like AV, so the security community rolls out some more fear-mongering.
But if to fix that vulnerability in 2 years will cost $500k, and to fix it in 3 months will cost $2M, and delay other projects with security implications and I don't have $2M looking for a home, that's an issue too. Maintaining secure systems is a critical part of the business, but you can't use it as an excuse to paralyze the business.
All that I'm saying is that you have to balance security with the needs and resources available to the business. If you can mitigate the risk to buy time, that's a totally valid strategy.
I don't think that things are as cut and dried as the people posting here, and security people in general, often make them out to be. A case in point was an audit that I was involved in about two years ago. One of the risks that the auditors threw a fit about (and that management successfully lowered the risk rating of) was a six-character password limit on a legacy system which contains sensitive data. The security people threatened, cajoled and generally made an ass of themselves about this issue without looking at the circumstances.
In that case, management was correct to lower the risk of this flaw, because they mitigated it. Access controls to that particular system were moved to a web-based terminal emulator, which is secured by complex passwords and a two-factor authentication system. Those six character passwords were randomized daily and linked to a specific user in the emulation system.
All I am saying is that there is a difference between fraud, negligence and compromise. Just because management is twisting the arm of a zealous auditor, or the infosec crew is pissed off because their latest policy or acquisition got shot down, doesn't mean your organization is run by Gordon Gekko or Ken Lay. Money and resources are not in unlimited supply, and sometimes standards need to be compromised or worked around so that business can continue.
If your ethical standards can't handle that, you'd better move to academia or write security books, because there isn't a non-trivial environment anywhere that achieves perfect adherence to security standards.
You do realize this means all businesses (not just the bigwigs like Amazon) outside the state of New York will suddenly have to deal with filing sales taxes with New York (i.e., dealing with an entirely different state's tax laws) if they happen to receive an order from a customer residing in that state?
I'm glad that you mentioned that. In New York, counties and some cities have the authority to levy sales taxes... so the rates vary. Collecting the 4% state sales tax is easy, but the local sales tax component ranges from 3-6%. AND some counties have exceptions for clothing under $110.
How the fuck is a small merchant in Nevada going to figure this out?
Actually, you have no clue about this. In the colonial days, British law essentially prohibited significant industry from forming in the colonies. So if you wanted to order a manufactured good, including cloth, you had to order it from England.
Mail ordering has continued since then. In the late 1800s, many people ordered kit houses from the Sears catalog. Until the 1940s, if you didn't live in a city, you basically had to mail order many products.
BitTorrent is a fringe thing that is more popular than it would ordinarily be because the TV and movie people are afraid of digital distribution. Once they start getting clueful, they'll make arrangements with major ISPs to colocate video at peering points, just like Google, Microsoft, Apple, AOL, Akamai, etc. have for years. The average person will pay for convenience, and the hax0r/warez crowd will find another way to blow bandwidth, just as they have with BBSs, IRC, BitTorrent.
I disagree with you about the telecom carriers. The giant carriers like Verizon, AT&T, etc. ultimately want the kinds of high-margin services that they enjoy on the wireless side. They make billions on text messages, and see email and metering as a new frontier for revenues. They frame the discussion around things like P2P, since in the mind of most people P2P = illegal activity. After they have the regulatory structure in place, they'll want to respond to the email traffic crisis, photo transfer crisis, etc. by charging you per message, picture, etc.
Sure, and by paying your internet access bill, you're paying for the internet's infrastructure, just as taxes pay for the roads.
And yes, there are exceptions... toll highways and bridges exist all over the world, and London charges you to drive in the city center. The point is, without paying a consumption based fee of any kind, you can drive freely on millions of miles of roadway world-wide.
Yeah, like all of that replacement equipment is free.
You're right, it's not free -- but it's a planned expense that is accounted for in the rates already. If the network operator has a clue, it becomes quickly apparent that maintaining legacy equipment is often more expensive than replacing it.
It depends. The internet service providers currently charge you a fee to connect to their copper (in the case of POTS), fiber (in the case of FIOS) or coaxial cable networks to access the internet and other services to your home.
Sometimes the providers subsidize wiring and installation to entice you to sign up for the service.
The road/driveway analogy doesn't really work in this case, as the capital costs for connecting a home to a communications service are a $50-500 job (assuming the shared infrastructure is in place), while building a driveway is $5000+. There isn't an incentive for GM or Toyota to subsidize my driveway, but there is one for a telecom or mobile provider to hook up my home or give me a free/cheap wireless device.
What is your basis for claiming that the internet is clogged and choked up? With few exceptions, the internet is working just fine, thank you very much. Moving to a consumption-based billing model is nothing more than an excuse for the telecommunications providers to extract more money and perform fewer upgrades. The notion that ISPs are buckling under the weight of P2P and YouTube is even more retarded when you consider that P2P protocols by their nature prefer to use fast, local peers and companies like Google use backhaul networks to deliver content to local peering points.
The current model is elegant in that the exchanges between ISPs are essentially free. If Comcast/AT&T/Time Warner/etc are suddenly able to charge me in KB/s or have a tariff for each Email/IM sent like the wireless carriers do, someday they'll wake up and say "Hey, let's charge Verizon for accessing our customers!" Then the whole system breaks down, and you time travel back to 1989 when you had Prodigy (the IBM/Sears version), Compuserve and GEnie.
I work in an organization that maintains a carrier-grade private network that connects about 25,000 locations. But since even carrier-grade equipment has a relatively short lifespan, routine infrastructure refreshes give us next-generation technology, automatically, whether we need it or not. In 2004, it would have cost millions for ISPs to implement metro Gigabit networks to connect customer nodes... but today, equipment swap-outs will essentially give them that capability for next to nothing. In 2012/2013 when today's new equipment is obsolete, 10G Ethernet will be the norm.
When your local transportation department discovers that traffic patterns have changed, they don't start billing you for your time on the highways. They figure out what the problem is, re-engineer traffic signaling or change maintenance schedules to widen/pave/etc roads. ISPs need to do the same.
I think there are larger implications to technologies like Twitter. Do you really want a public record of your comings and goings out there for the world to see?
I'm not an introvert, but I also don't really care for people knowing everything about me either. And honestly, I don't really want to know about whatever nonsense my associates are up to. IM is a really good tool IMHO, but the newer stuff like Twitter doesn't seem to have much of a practical application other than among students who actually care about their friends' trivialities.
That if you give kids responsibility early on, they'll step up. My last crop of interns at work were college juniors, and couldn't be trusted to make copies, much less administer anything.
So this guy is a power-hungry freak. Wow... did anyone not see this like a year ago, when Jimmy Wales was basically telling the world that he was here to save us all?
You made the point. IBM, Apple and the myriad of other forgotten PC companies were pretty poorly managed.
Until they got it right with OS X and the iPod, Apple had been an also-ran since the mid-80s.
IBM defines poor management -- most IBMers that I've talked to have never even met their management.
I think it can... I've been getting spammed by Spanish-speaking callers selling Mexican phone cards. The caller ID reads 000-000-0000.
Have you ever used a Treo? Biggest piece of shit ever.
Totally agreed.
Hopefully he'll be selling timeshares again soon.
"The system" expects you to obey the law, not make it up as you go.