Re:Interesting addition to security (on Virtual Honeypots, Score: 2, Insightful)
Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions. It is not so much a honeypot to attract, but a honeypot to create doubt.
That sounds a lot like security through obscurity to me.
As far as I'm concerned, a honeypot is not a security tool, it's a security research tool, and there's a vast difference between the two.
They have buyer's remorse after trading all their land for a single bead.
Yes but if your site has a mostly domestic user base, then you probably don't need all 20 running. As others have said, using virtual machines, you could probably have most of the physical ones shut down, but brought back automatically as the load increases.
As much as I love Steam, it's not made mainly for the mod community. It was made as a content distribution platform.
Of course there should be multiple layers of security. Do you trust that your firewall will block all malicious traffic and leave all your accounts password free? Do you turn off anti-virus on the desktop because you run it on the mail server?
Yes, there has to be proper acknowledgment when any one piece fails, even if it doesn't result in any kind of breach.
Dry ice and a fan? Seriously though, there's not much you can do here. What is the cost to the business if hardware starts failing if it overheats? How does that compare with the total cost of installing another A/C unit?
What he said was:
There was never a transaction in which the details could have been let loose.
He then (in another post) admits he has used it once. Besides which, there are other ways for the details to be leaked than just through a transaction.
Actually, I don't want to absolve anybody, what I do want to do is point out that there are alternatives. Your initial card could have been compromised in transit. How about statements? Were monthly statements sent? Were they sent via email (very easy to compromise) or by regular mail (already discussed)? How much information is available from those? Do you have online banking? If so, there have been issues with numerous online banking sites, not to mention the possibility of a local piece of malware capturing your credentials.
My point is that there are often LOTS of overlooked places where information can be leaked, intentionally or not. The bank may have been the source, but I can pretty much guarantee it's not the only possible source.
I'm not trying to suggest it wasn't someone at the bank, but there's always lots of possibilities. Someone could have been watching your mail (including the mailman/post office), found the envelope with the card, and "borrowed" it for a while to gather the details before returning it. An envelope isn't exactly a secure device (in most cases).
There was never a transaction in which the details could have been let loose.
Care to explain that? Every transaction presents a potential breach of the information.
On the web... sure the site uses SSL, but how is it handled after the webserver gets the POST? Is it stored by the company? If so, how and where? If not, how do they pass it to the merchant account? Are the employees of those companies (and the developers of the software) all trustworthy?
In a restaurant, typically some person you've never met, disappears with your CC for several minutes or longer.
In a retail outlet, you or the merchant swipes your card through a machine. Is that machine trustworthy? There have been multiple cases where those machines have been tampered with.
Just using your card, in any circumstance I can fathom, opens you to the risk of compromising that information.
Assuming the meters are on the outside, which is not always the case.
Not saying this is the case, but often fire fighters will want to shut off all breakers (remove fuses), and shut off gas lines in a residential fire. Often, the breaker box and gas shut off valve are in the basement. Of course, it can be done externally by the utilities as well, but it can be faster to do locally.
Bet me twice that you'll flip heads 100 times in a row? You're on.
Let's bet on the outcome of 100 flips of a quarter. Given that the odds of any one flip are 50/50, then 100 flips shouldn't be any different, right? So, even odds, $100, I'll bet you can't flip it 100 times and get heads every time.
No way, I'm not getting sucked into that again.
Just truecrypt the saved data.
Because there are too many "gotchas" to not do FDE these days. Did you configure all your applications to only cache/auto-save/etc to the "secure" area of the drive? Did that last update to application Y override those changes? What about hibernation mode? The pagefile?
We went with Safeboot also, but given the submitter's description, I wouldn't recommend it. Safeboot is nice for an enterprise type rollout, not for one laptop. You really don't want to support the backend infrastructure for one machine.
Go with TrueCrypt or BitLocker for a one-off.
You're assuming illusion isn't useful. Anyone who spends time to think about it knows that the TSA is pointless for its directed task (stopping scary people from getting on airplanes). But the government assumes that most people won't think about it too much. They simply think Mr. and Mrs. America view air travel as "OMG! The terrorists could strike at any moment. Good thing we have all this security to stop them!".
The problem is, illusions are not security. Security is not there to provide Joe Public a warm and fuzzy, it's to prevent the "bad guys" from doing "bad things" (or at least reduce the risk of it happening).
In the situation you mentioned, Mr. and Mrs. America may think the "illusion" is a great preventative measure and will surely save them. However, what they think isn't really the concern. The concern is (or at least should be) real security. Bad Guy isn't going to be fooled by the illusion of security.
You may want to read that again. It basically says, "little of what they are doing is more than illusion", which is roughly translated to "little of what they do is useful".
They'll have a heck of a time suing when they knew beforehand of the sloppy security measures and actually gave them an extension on PCI compliance: http://www.darkreading.com/document.asp?doc_id=138838
It's even easier: http://xkcd.com/454/
I would not call that typical in Canadian cities today. Maybe in small towns you may find it occasionally. Moore (like lots of film makers) picks abnormal situations and plays them as normal to make a point.
You might want to read that again. Running 9 miles per hour (for an hour) will burn 900 calories. That fits (roughly) with what my treadmill tells me. I tend to run at about 6 miles/hour for 25 minutes (with a bit of walking included) at a 4.5 degree incline and it tells me I burn 350-400 calories.
Luckily, you can just switch your DNS servers to something like OpenDNS.
There are a couple of issues with the one Dan created. First, it's slashdotted. Secondly, some ISPs don't allow querying from just anywhere, only from their own customers (IPs). Here's a test you can run from any machine with dig on it: https://www.dns-oarc.net/oarc/services/porttest