There's no indication that it was accessed prior to disclosure, so it may or may not have been, strictly speaking, "leaked." I'd be interested in exactly what kind of data this is, as I'm struggling to think of who I would want to have marketing info on me less than one of the Big Two political parties.
From TFA
"We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked," he said.
We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us.
The moral is that it doesn't matter if you trained them or not; pay them what they are worth. The companies they went to seem to have solved their staffing problems.
This attitude is why companies no longer train people. Paying people a large salary for months while they're not productive then having them backstab you is why companies stop training people.
Well there are really only two problems when it comes to training:
1) You train your people and they leave.
2) You don't train your people and they stay.
Many companies are advertising for senior positions which of course is beyond the experience level of someone breaking into the field. It's very difficult to slant an application to these requirements.
If it's not a pretty large company or a specialized security firm, they don't know what skill set they're looking for so they go way overboard on the listed qualifications.
It seems that all of the senior people would already have jobs.
Yep, and why would they want to work somewhere as the token security person anyway, when they could be somewhere with a budget and people who listen to their recommendations?
My personal feeling is that companies should train their own people but--let's be honest--they wouldn't pay them what they're worth at that point anyway.
Software engineers have largely failed at security. Even with the move toward more agile development and DevOps, vulnerabilities continue to take off. More than 10,000 issues will be reported to the Common Vulnerabilities and Exposures project this year.
How about you get what you pay for? Many management teams have decided that adding security costs money and it's more cost effective not to spend many cycles on it, but rather to just deal with problems as they pop up.
I don't think you can spin that as software engineers "failing." If the management wants security, they can pay for training, consultants, audits, bug bounties, etc. There are lots of ways to address this issue. Besides, perhaps the number of bugs is skyrocketing as a natural consequence of all of the new software projects and products.
It's a little bit like playing a freeform pen and paper RPG with a computer as DM. It's also a painful reminder of how simple the Adventure/Colossal Cave parser is.
What is bad is not upgrading the security of a protocol that is ON by default for 30 years.
It HAS been upgraded to version 3. This is not a neglected protocol, this is default backwards compatibility. They are now defaulting to NOT be backwards compatible, due to lack of security.
But I agree that it should have been turned off much sooner.
Get real. The millisecond an Apple CEO restructures the company so they start paying a reasonable tax rate the board will vote him or her out. As long as it is legal, corporations--and especially megacorps--will keep doing it.
lowest probability of injury(*) of any SUV it has ever tested
(*) of the person inside the SUV. People in the other vehicle are SOL.
What is the point of this comment? There is always a smaller or larger vehicle on the road. The smaller vehicle loses. A Honda Fit can tear up a Smart Car pretty badly.
[...] from the job-security-for-non-microsoft-it-workers dept
FTFY
You have it backwards. Who is going to apply these patches? Who is going to help businesses migrate off of old, unsupported versions of Windows (onto newer versions of Windows--let's be real here)?
Answer: Not non-Microsoft-IT-workers.
But don't worry, there is plenty of work for all, when you consider all of the unpatched OpenSSL, ImageMagick and SAMBA out there. Or, you know, WordPress.
I don't know why people pay $700 for a device they only keep for 1-2 years.
That's less than a dollar a day. Hardly seems like much if you use it a lot. If you don't, you might as well get a dumbphone which works out to a couple bucks a year.
That's the kind of thinking that gets people suckered into buying expensive cars because of the financing options. The fact is, a phone that costs half or even one quarter as much does all of the same essential things, and usually does them nearly as well.
It's not a duopoly in the mobile phone market, it's a duopoly for the high end market, where the profit margins are. I suppose this will be good if this spurs price competition. I don't know why people pay $700 for a device they only keep for 1-2 years.
If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors
I'm curious to learn about this IDS that can catch traffic from compromised network hardware but can't catch the act of compromising network hardware. This is an impractical POC for anything but the most outlandish spy movies. There are far easier ways to exfiltrate data.
My problem with this stems from the piss-poor job that has been done dealing with the king-of-the-hill mentality among frequent editors
What is your solution? Maybe it could earn you a nice salary and then a six-figure severance after you realize there is no reasonably easy way to deal with the problem and move on.
Not sure what's worse, managers who don't put in redundant power, or armchair engineers who just *assume* that they didn't because redundant power can't ever go out.
It isn't armchair engineering. The CEO should accept full responsibility because that's what it means to be at the top of the reporting chain when such a devastating preventable outage occurs. If he was misled by his direct reports, then he should fire them and take full responsibility for not firing them sooner. Maybe he resigns maybe he doesn't--the point is that he must own the failure, whatever the logical conclusion.
Review aggregators like Rotten Tomatoes and Metacritic are incredibly useful... yet also promote groupthink and oversimplify the value of a film. I've really enjoyed some films that most critics panned, and I've really disliked films that most critics adored. By distilling the value of a film down to a fresh/rotten percentage (much like Siskel and Ebert's thumbs up or down system of yore) it encourages people to stop there and not read the reviews to find out what does or doesn't appeal to the reviewers.
Now, applying this logic to the apparent failure of yet another 'Pirates' movie seems like a major stretch. As for Baywatch, I don't know.
One of the valid possibilities can be that neither candidate is fit for office. Maybe the levels of fitness differ. And voting for the lesser of two evils might be better.
"On its world, the people are people. The leaders are lizards. The people hate the lizards and the lizards rule the people."
"Odd," said Arthur, "I thought you said it was a democracy."
"I did," said Ford. "It is."
"So," said Arthur, hoping he wasn't sounding ridiculously obtuse, "why don't people get rid of the lizards?"
"It honestly doesn't occur to them," said Ford. "They've all got the vote, so they all pretty much assume that the government they've voted in more or less approximates to the government they want."
"You mean they actually vote for the lizards?"
"Oh yes," said Ford with a shrug, "of course."
"But," said Arthur, going for the big one again, "why?"
"Because if they didn't vote for a lizard," said Ford, "the wrong lizard might get in."
(From "So Long and Thanks for All the Fish" by Douglas Adams)
Sir, what you suggest might negatively affect the economies of several congressional districts.
Booz Allen is all over the place. I count 71 offices in 28 states (I counted quickly; I could be a bit off). Most of the stuff that applies to the Pentagon are going to naturally be in their DC, Maryland, and Virginia locations, I suspect. But there are sure to be a lot of wheels for them to grease nonetheless.
Number one is much better. Much better.
Right, and I don't think it would have been fair to say, at the time, "Ford engineers have really failed at safety..."
Putin right now: We do not hack other nations, those are independent patriotic Russians.
Putin if he signed a treaty: We do not hack other nations, those are independent patriotic Russians.
Help Americans, sure you do Timmy.
SCCM is the MS equivalent of what you are describing. It does a lot more, but it is commonly used for patching.
How did flamebait from buzzfeed ever get posted to the front page of Slashdot?
Because msmash has had nothing better to do for the last, I don't know, four months.
I can't think of anything noisier and more disruptive than one or more NICs constantly going up and down.
You don't think a fair number of basketball fans shoot hoops in the backyard, or baseball fans throw the ball around?
There is a difference between "misrepresented" and "misunderstood."