Yes, but do you really want to go through the password recovery process on a device that someone else has been managing with free rein? What if the configuration wasn't written to the device, you reboot it, and then you're facing a pristine new configuration? Congratulations, you now get to start rebuilding a network by hand with no real idea how it's set up. On top of that the guy who built it is sitting in jail and _really_ doesn't want to help you. You may be locked out, but at least the network still functions.
That may be, but there are some times when rules don't allow someone with a record to hold a privileged position. I've seen a few cases where people couldn't be allowed to do a certain job because of past actions. They were 20+ years earlier and, IMHO, rather minor. Regardless, sometimes it's just not allowed.
Thanks, that's an interesting way to make a comparison. I just checked for my 15 mile commute to work, which takes 20-30 minutes. If I took public transportation it would take about 2 hours and 20 minutes. Yeah, that's much more efficient.
I would agree with PGP, once the proper legalities and assurances are in place. However, I'd worry about the non-technical issues before working on a technical solution.
There are a number of issues to be resolved before worrying about how to get the data transferred. Has the consultant and/or their firm verified their security and controls to your firm's satisfaction with something like a SAS 70? Are there legal agreements in place concerning the proper controls of this data, the explanations or responsibilities in case of a disclosure, etc.? Has the idea been proposed to create bogus data for testing so that live data isn't used? Can the application be loaded on-site, so that a machine outside of your firm's control will not contain highly-sensitive employee data?
I'd ask a lot of questions like these and get answers to my satisfaction before I sent out any data. I would greatly prefer to have to explain to my management why I'm "holding up the train" than have to explain to my coworkers why I was involved in the disclosure of their personal information and mine.
I may be wrong, but I don't remember anyone claiming that OpenBSD is the "highest security OS." The last I checked, it wasn't on the list for A1. It's likely to be one of the most secure open source operating systems, but it's by no means the ultimate.
Not trying to trivialize too much, but it's the same requirements that businesses have to meet due to e-discovery rules. If they can do it, one would think the White House could.
A 28-year-old and a 29-year-old snag some passwords and access the PeopleSoft system. These aren't kids, they're grown adults with unauthorized access into the school's system. Why, exactly, shouldn't they be punished?
The owner of property doesn't own the radio frequencies through which both cell phones and jammers operate. He can legally put up the infrastructure to passively stop those radio waves from entering his building. Putting up a device that actively transmits on a frequency which he doesn't privately own and isn't licensed for isn't legal.
An assertion is made that VMware infringes on Linux-related copyrights held by others, but no concrete proof has been shown. Why should they have to disprove an as-yet unproven allegation, regardless of who made it? When SCO made a statement about Linux without concrete proof, the overriding opinion was "Prove it." Why wouldn't the same standard be applied to someone making a statement about VMware? Shouldn't they be given the assumption of innocence until proven guilty?
I'm not saying they infringed and I'm not saying they didn't, as I honestly don't know. Regardless, shouldn't the impetus be on the accuser to prove their case?
Didn't he also say that he was going to be the CEO President and run the government like a business? That's why I voted for him in 2000. I didn't vote for him in 2004, because I realized that the business he meant was Enron.....
As far as classes go, SANS (www.sans.org) is a great place. That's actually where the Red Team came from. Shoot, the students might have lucked out. At least they didn't unleash Ed Skoudis and Kevin Liston on them too. This might have been a dramatically shortened program. :)
True, but they're also not normally tasked with running firewalls and installing IDS. That usually falls on those who actually are trained in network security. They gave two groups of complete noobs a PIX? Hell, no wonder they were rooted. I know guys who ran them professionally and still had problems borking the rules on occasion.
This just seems like a completely pointless exercise. Taking a group of college students, giving them an unrealistically short time, and then turning some experienced hackers on them just seems like a waste of time. It's like taking a high school football team, having them play the New England Patriots, and then saying "You can make a lot of money in a year playing football, but it's not as easy as it sounds." Duh.
Actually, the purpose of the IT Department is to provide information technology services to the users so they can perform their jobs. Do I care if you bring in your iPod and listen to it at work? Nope. Shoot, I bring in mine (which is _never_ connected to a corporate machine). I _do_ care if you connect your iPod to your PC, use it as a USB hard drive, and download sensitive information to be taken outside. I care what software you install, so you don't download a Trojan that records all of your keystrokes and uploads them to a server in Eastern Europe. I care if you use IM and intentionally or unwittingly send sensitive data to the outside or (just as bad) get a worm on your PC via your IM client.
Companies have to follow various regulations (PCI, HIPAA, SOX, GLBA, etc.) that the users often don't know or have even heard of. There can be major detriments to the company if they don't follow these and something bad happens (T.J. Maxx, anyone?) There are rules and policies in place within IT. Some are stupid, some are not. Don't paint all policies and IT Depts with the same brush. You may not understand or agree with the policies, but there is usually a very good reason for them (usually, not always).
If the developers wanted a larger percentage of the sales, then they should have negotiated for that. If Macheist wouldn't agree to that, then the developers could have said, "No." I have no problem with the distribution of money and don't see why anyone else does. The owners of the rights to the software packages agreed to receive a certain amount of money and in exchange allowed Macheist to sell their products. Where is the problem?
I would disagree. I think Morse Code is a pretty cool and quite useful communications method. Having said that, I think that forcing potential hams to learn it really sucks.
The biggest values of Morse Code are that it can be used pretty well on a noisy or congested band and that it doesn't take a lot of power. One can do voice or computer-based communications via battery power, but it's hard to operate as long as someone with a CW (Morse) rig.
This sounds interesting, but is it truly a usable idea? Most of the folks who I've seen use macros wouldn't be comfortable with and/or capable of writing such an application. This means that the responsibility for creating, maintaining, and supporting this would likely fall to the web development or programming groups. They likely have the talent to do this, but do they have the manpower to do this in a reasonable timeframe? The business folks are used to creating this stuff as needed and having it done. This new method would require them to decide exactly what they want, open a request with the group to create it, have QA check out the app, and then it would be released to them. Don't get me wrong, I think this is the right thing to do for important things (budgets, strategic projections, HR benefits enrollment, etc.), but it's not necessarily feasible in today's business environment.
It's interesting, I don't live in "the frontier West" but I live in a society where people carry guns with them almost all the time. With the exceptions of certain places (bars, schools, places where the owner specifically says no) they carry a firearm on them at all times.
Yes, but the possession of these devices is already prohibited in many violent inner cities. It's not legal for the average person to possess a working firearm in Washington, DC. That has obviously helped a tremendous amount in lowering the crime rate there....
You mean like the horde of folks who were discussing VMware 10 days ago?
http://linux.slashdot.org/article.pl?sid=07/08/14/1618241
Sprawl didn't make me fat. Eating more calories than I burn made me fat.
If it's disgraceful, then why did they agree to the terms?
They can. That is exactly how things went for a friend who bought their first iMac.
Not all of us. I actually do the actual firewall, IDS, pen testing, etc. work. I tell you why something is insecure, but I'm expected to help fix it.
That whirring sound you hear is Thomas Jefferson spinning in his grave.