That's just a deterrant against the ones who don't want to cause trouble.
Faced against a black hat you know to be an adversary (maybe they threatened to break in), it could fall short.
Changed passwords won't stop an evil black hat from getting in using other methods, and in that respect, changing pws maybe isn't sufficient.
Example method a black hat might: use acquired knowledge of certain coworkers to guess their credentials.
Use 'shared' credentials on some system or account that is oft-neglected to get in.
E.g. sometimes the firewall will just have a shared login password. If the firewall never gets checked, IT may have forgotten to get its passwords changed.
Pretend to be another admin, and ask someone to change a certain password, providing a plausible reason and excuse they couldn't do it themselves..
A black hat: might have an access method (covert backdoor) in place somewhere you aren't aware of, and that simply changing pws won't stop.
I'd like for the new definition of broadband to not just be a single number, but to include more qualifications, including minimal qualification of the manner in which "broadband service" is advertised:
Maximum distance between the greater of 'minimum connection speed' OR user's 95-th percentile bandwidth usage, and advertised service speed: 25% of the advertised speed.
(Meaning: if you are selling a service that averages 760k/second, you can't advertise or bill it as 3 meg service, unless the customer actually achieves 95-th percentile usage of 2.25M, OR, the ISP used a qualified testing procedure to verify the average throughput of their connection to be 2.25)
Minimum throughput (under worst conditions): 768k or higher
* The minimum throughput is the worst data rate a broadband customer's internet connection will ever provide, when service is considered to be functioning correctly: e.g. the threshold below which their service is considered by the provider to be malfunctioning.
Minimum average connection speed (the average throughput to internet exchange points achieved by the connection technology and provider network design): 1M or higher
Minimum peak data rate (e.g. when network is not congested): 1.2M or higher
Maximum peak latency to some common internet exchange points: 600ms
Maximum average latency to some common internet exchange points: 200ms
Maximum average jitter to some common internet exchange points: 20ms/s
This article seems to be anti-hacker
on
How To Hire a Hacker
·
· Score: 4, Informative
I consider this blatant hacker discrimination morally reprehensible.
Is hacker culture so bad that anyone who identifies as a hacker needs to pass special scrutiny?
Isn't it a bit insulting to the hacker community to say they shouldn't be hired, unless they've "reformed", and imply they have arrest records, suggesting they are all criminals ?
(Without getting pwned by her/him or his/her friends)
Because (let's face it), there's a chance you hired one on accident, without realizing it, and that they don't have an arrest record, for one reason or another.
I tried yelling really loudly into an electric socket... then I put my ear up close to it..
I didn't hear anything breaking at all, I just heard a strange voice say "Hello, did you try turning it off and on again" followed by some static "Hey, watch out, we know where you live"
Any ideas what I could have done wrong? Is there a tuning knob somewhere on this thing? (EG)
You get bonus points for finding a way to do it without breaking the law, or doing anything really evil...
(As long as you don't post the URL for the purpose of melting the hardware, and you did indeed find it when searching for something in Google, that is.:))
Which is what firewalls are for. Portknocking doesn't work if your traffic doesn't get past the firewall.
I would expect a security review would include checking the firewalls and reviewing the justification for every accessible port on every accessible host.
Also, your servers that the outside can ever connect to live in a DMZ, so even if you get in through portknocking, you are now trapped, and have set off a bunch of alarms by trying to SSH, telnet, or probe addresses beyond the DMZ.
it's not at all inconceivable that Childs could cause damage to that network if he chose to do so.
It's not at all inconceivable that the average slashdot reader could damage the network if he chose to do so (with some basic research + social engineering, to gather some general info).
If they can't inventory and find all the equipment in their facilities, that's not Child's problem, they've had 2 years to do all the legwork, bookkeeping and maintenance they need, there are no valid excuses for management to not have a handle on things after such a long period of time.
Hardly anyone is good enough to remember lists of equipment in their head, especially not after two years.
They don't necessarily have to know what all the equipment is, also: they just need to restrict access.
For example: there's no reason people on the internet should be allowed to telnet to routers.
Beyond that, they just need to identify all other ingres points to their network: every network connection they're paying for, every phone line/modem attached to core gear for OOB management, and make sure suitable access restrictions are in place at various control points.
Security is not hard. And it's absolutely essential in an important network, even with no "Childs".
Their claim he could damage the network are absurd. They would be negligent if they couldn't get a handle on their network and secure all its management points within 14 months.
It's small comfort, but on the bright side; if one of their new admins breaks things, they can't pin the blame for their incompetence on him; e.g. "The network broke... that's odd... he must've sabotaged it while awaiting trial!".
Since he's in jail, other maybe less-qualified admins that follow him, will have noone to blame but themselves for any outage that occurs to the SF network as a result of their action or inaction, as they've had plenty of time to fix anything that's broken now.
If the charges against him ever finally get dismissed, and he gets released as a result (without further obligation to appear in court): frankly, I think he ought to consider fleeing the jurisdiction for fear of unjust reprisal.
Pursuing action against the DA and such is good and all, but trying legal action against politically powerful people who think they've got noone to answer to can also be dangerous, and they've already demonstrated ability to inflict physical harm -- by jailing him.
The pedestrian has no control over you and your cell phone, the absolute only thing he can nearly rely on about you is that you follow the law.
Much like the driver travelling perpendicular to you from the left when you reach an intersection and see a green light, you're going straight through. You can't even see the guy coming... how the hell do you know he's going to stop at his red light and not just keep plowing away at 45mph, right into your driver side door?
The "yield" sign is a reminder for drivers; you always look for pedestrians at a cross walk, and always yield to them, period, it's the law in most states, and you'll be at fault if you crash into them.
The bottom line, is as a pedestrian with a destination on the other side, you've got to get across the street. If it's a busy intersection, you're going to have to pick a time to do it, preferably the safest time possible, but within reason.
If you're on a crosswalk on a busy 4-lane roadway, and the only car you see moving is 30 feet+ away, and everyone else's stopped for you, you haul a** to get to the other side.
If someone talking on a cellphone turns into you, or that guy 30+ feet away doesn't slow down like he should, and he hits you, you bet the driver's at fault.
And there's nothing the pedestrian can do about it either... without having been psychic, and knowing this one guy wasn't going to follow the rules that 98% of drivers do follow.
For all anyone who was unaware of the test is concerned, they could have been forwarding the letter to the very person at the NCUA who was an insider sending the fraudulent letter.
It means that someone in the organization reported a suspected breach to someone outside the organization.
Either their security incident response team wasn't properly informed of the "test" that was being conducted, to avoid sending frivolous and illegal security reports to law enforcement and others, OR, someone leaked the information improperly.
And now you have the administrative overhead of somehow having to divvy up your network and provide some type of mechanism to allow your "IDS" to randomly cycle between the pieces....
Not to mention, the costs required to implement "walled gardens". And "churn" costs caused by customer attrition (customers leaving, and switching to another provider, after the 1st or 2nd time they got placed in a walled garden).
I didn't say that it was impossible, only that it was expensive.
Whether that means SPs charge more for internet service, or somehow fine the people who got infected.
One-time-charge $80 Spam detection and Computer quarantine service
One-time-charge $20 Online anti-virus/anti-malware service and update downloads for quarantined computer
One-time-charge $10 Quarantined computer re-connection charge
One-time-charge $150 15,000 spam messages at $0.01 per message
If re-imaging is the issue, don't re-image them. Prepare a patch to disable Word, and apply the patch to PCs before they ship out.
If the court orders you to do it, you do it.
"Months of testing" is Dell's normal procedure, not a physical requirement. They can obey the court's order by taking action to disable the software without months of testing.
A simple patch would be to delete the.EXE file required to start word (for example)
Hard drives are addressed in 512 byte sectors, which is a power of 2. You can't have a usable "half of a sector"
The reason to refer to HD memory this way, is for consistency. kB and mB have accepted defintions, they should not be changed, just because hard drives were introduced, and weren't thus constrained. RAM definitely was used in computers a long time before the other popular storage technologies were used.
Hard drives are just an extension of computer memory, especially with SSDs replacing mechanical devices.
Do you also recommend that we will suddenly measure disk drive capacity in a different unit if/when we all move to using quantum computers or computers based on some other new currently unfamiliar technology?
Actually, yes. The measures of 'bits' and 'bytes' will no longer make any sense, when systems are not operating on base-2, and each native digit can hold more selectable values.
However, users of legacy systems may have some problems. Manufacturers might quote quantum storage in BECs (Binary Equivalent Capacity) at first, so they might say "56712864 zettabytes BEC", initially, before users learn the new units.
The problem is the "standards" came after there was already another convention, and the standards didn't support what people were actually doing, they instead tried to dictate people do one particular thing.
The reasons people haven't changed could be similar to the reasons the OOXML standard being published haven't made all the word processors begin efforts to switch from RTF to OOXML.
Computer scientists defined matters this way, because computers operate on discrete units, there is no such thing as having 5.3 bytes, for example.
The units used aren't true units of measure, they're not like other SI units; a bit is a mathematical structure, a binary digit.
Perhaps what's confusing is a "byte" is not a measure of storage at all; anymore than "this book has 500 pages" is a measure of the book's length, size, or number of words (it could in fact be a very short book). Bits or "number of addressable units" of a pre-defined size measure storage, bytes don't.
The same stick of memory represents half as many units of addressable storage on a 64-bit platform as on a 32-bit platform.
A bit is by definition a 'binary digit' that can be one of 2^1 possible values; it is a discrete mathematical structure, not a physical one.
There is no mathematical definition of a byte; in the past, some people have used 7-bit bytes, others used 8-bit or larger bytes. 8-bits is common nowadays.
In any case, a byte represents a value that have 2^n possible values, where n is the number of bits per byte. When n=8, 256.
Now this leaves the size of the other units "inherently" vague.
one kilobyte = the number of bytes you would have when representing n+2 bits as one byte.
one megabyte = the number of kilobytes you would have when representing n+2 bits as one byte.
Lots of people who aren't acquainted with the field use electricity too, that doesn't mean they get to define what a kilovolt means.
When it comes to RAM, computers use the base-2 number system. The only way to accurately measure large amounts of capacity accurately and use a whole number to do it is using base 2.
Unless you feel comfortable having 1.0737418240 "gigabytes" (1073741824 bytes) of memory instead of 1 gigabyte of memory.
Oh, by the way, the average person is going to take the "1.0737418240" figure from the manufacture and truncate it to something like "1.07" and say they have that much memory, which results in the figure actually being incorrect.
http://web.archive.org/web/19960512212113/http://www.infoseek.com/
That's just a deterrant against the ones who don't want to cause trouble. Faced against a black hat you know to be an adversary (maybe they threatened to break in), it could fall short.
Changed passwords won't stop an evil black hat from getting in using other methods, and in that respect, changing pws maybe isn't sufficient.
Example method a black hat might: use acquired knowledge of certain coworkers to guess their credentials.
Use 'shared' credentials on some system or account that is oft-neglected to get in. E.g. sometimes the firewall will just have a shared login password. If the firewall never gets checked, IT may have forgotten to get its passwords changed.
Pretend to be another admin, and ask someone to change a certain password, providing a plausible reason and excuse they couldn't do it themselves..
A black hat: might have an access method (covert backdoor) in place somewhere you aren't aware of, and that simply changing pws won't stop.
Sure... I suppose: either they're a white/gray hat and never did anything really illegal.
Or they were a black hat and successfully covered their tracks
The trouble is, if they're in the second category, they could hurt you..
Let's just say blackhat, then.
I'd like for the new definition of broadband to not just be a single number, but to include more qualifications, including minimal qualification of the manner in which "broadband service" is advertised:
Maximum distance between the greater of 'minimum connection speed' OR user's 95-th percentile bandwidth usage, and advertised service speed: 25% of the advertised speed. (Meaning: if you are selling a service that averages 760k/second, you can't advertise or bill it as 3 meg service, unless the customer actually achieves 95-th percentile usage of 2.25M, OR, the ISP used a qualified testing procedure to verify the average throughput of their connection to be 2.25)
Minimum throughput (under worst conditions): 768k or higher
* The minimum throughput is the worst data rate a broadband customer's internet connection will ever provide, when service is considered to be functioning correctly: e.g. the threshold below which their service is considered by the provider to be malfunctioning.
Minimum average connection speed (the average throughput to internet exchange points achieved by the connection technology and provider network design): 1M or higher
Minimum peak data rate (e.g. when network is not congested): 1.2M or higher
Maximum peak latency to some common internet exchange points: 600ms
Maximum average latency to some common internet exchange points: 200ms
Maximum average jitter to some common internet exchange points: 20ms/s
I consider this blatant hacker discrimination morally reprehensible.
Is hacker culture so bad that anyone who identifies as a hacker needs to pass special scrutiny?
Isn't it a bit insulting to the hacker community to say they shouldn't be hired, unless they've "reformed", and imply they have arrest records, suggesting they are all criminals ?
Perhaps you mean cracker
How to Fire a Hacker
(Without getting pwned by her/him or his/her friends)
Because (let's face it), there's a chance you hired one on accident, without realizing it, and that they don't have an arrest record, for one reason or another.
I tried yelling really loudly into an electric socket... then I put my ear up close to it..
I didn't hear anything breaking at all, I just heard a strange voice say "Hello, did you try turning it off and on again" followed by some static "Hey, watch out, we know where you live"
Any ideas what I could have done wrong? Is there a tuning knob somewhere on this thing? (EG)
You get bonus points for finding a way to do it without breaking the law, or doing anything really evil...
(As long as you don't post the URL for the purpose of melting the hardware, and you did indeed find it when searching for something in Google, that is. :))
Which is what firewalls are for. Portknocking doesn't work if your traffic doesn't get past the firewall.
I would expect a security review would include checking the firewalls and reviewing the justification for every accessible port on every accessible host.
Also, your servers that the outside can ever connect to live in a DMZ, so even if you get in through portknocking, you are now trapped, and have set off a bunch of alarms by trying to SSH, telnet, or probe addresses beyond the DMZ.
it's not at all inconceivable that Childs could cause damage to that network if he chose to do so.
It's not at all inconceivable that the average slashdot reader could damage the network if he chose to do so (with some basic research + social engineering, to gather some general info).
If they can't inventory and find all the equipment in their facilities, that's not Child's problem, they've had 2 years to do all the legwork, bookkeeping and maintenance they need, there are no valid excuses for management to not have a handle on things after such a long period of time.
Hardly anyone is good enough to remember lists of equipment in their head, especially not after two years.
They don't necessarily have to know what all the equipment is, also: they just need to restrict access.
For example: there's no reason people on the internet should be allowed to telnet to routers.
Beyond that, they just need to identify all other ingres points to their network: every network connection they're paying for, every phone line/modem attached to core gear for OOB management, and make sure suitable access restrictions are in place at various control points.
Security is not hard. And it's absolutely essential in an important network, even with no "Childs".
Their claim he could damage the network are absurd. They would be negligent if they couldn't get a handle on their network and secure all its management points within 14 months.
It's small comfort, but on the bright side; if one of their new admins breaks things, they can't pin the blame for their incompetence on him; e.g. "The network broke... that's odd... he must've sabotaged it while awaiting trial!".
Since he's in jail, other maybe less-qualified admins that follow him, will have noone to blame but themselves for any outage that occurs to the SF network as a result of their action or inaction, as they've had plenty of time to fix anything that's broken now.
If the charges against him ever finally get dismissed, and he gets released as a result (without further obligation to appear in court): frankly, I think he ought to consider fleeing the jurisdiction for fear of unjust reprisal.
Pursuing action against the DA and such is good and all, but trying legal action against politically powerful people who think they've got noone to answer to can also be dangerous, and they've already demonstrated ability to inflict physical harm -- by jailing him.
The pedestrian has no control over you and your cell phone, the absolute only thing he can nearly rely on about you is that you follow the law.
Much like the driver travelling perpendicular to you from the left when you reach an intersection and see a green light, you're going straight through. You can't even see the guy coming... how the hell do you know he's going to stop at his red light and not just keep plowing away at 45mph, right into your driver side door?
The "yield" sign is a reminder for drivers; you always look for pedestrians at a cross walk, and always yield to them, period, it's the law in most states, and you'll be at fault if you crash into them.
The bottom line, is as a pedestrian with a destination on the other side, you've got to get across the street. If it's a busy intersection, you're going to have to pick a time to do it, preferably the safest time possible, but within reason.
If you're on a crosswalk on a busy 4-lane roadway, and the only car you see moving is 30 feet+ away, and everyone else's stopped for you, you haul a** to get to the other side.
If someone talking on a cellphone turns into you, or that guy 30+ feet away doesn't slow down like he should, and he hits you, you bet the driver's at fault.
And there's nothing the pedestrian can do about it either... without having been psychic, and knowing this one guy wasn't going to follow the rules that 98% of drivers do follow.
Exactly: The bogus alert was forwarded to NCUA
For all anyone who was unaware of the test is concerned, they could have been forwarding the letter to the very person at the NCUA who was an insider sending the fraudulent letter.
It means that someone in the organization reported a suspected breach to someone outside the organization.
Either their security incident response team wasn't properly informed of the "test" that was being conducted, to avoid sending frivolous and illegal security reports to law enforcement and others, OR, someone leaked the information improperly.
And now you have the administrative overhead of somehow having to divvy up your network and provide some type of mechanism to allow your "IDS" to randomly cycle between the pieces....
Not to mention, the costs required to implement "walled gardens". And "churn" costs caused by customer attrition (customers leaving, and switching to another provider, after the 1st or 2nd time they got placed in a walled garden).
I didn't say that it was impossible, only that it was expensive.
Whether that means SPs charge more for internet service, or somehow fine the people who got infected.
One-time-charge $80 Spam detection and Computer quarantine service
One-time-charge $20 Online anti-virus/anti-malware service and update downloads for quarantined computer
One-time-charge $10 Quarantined computer re-connection charge
One-time-charge $150 15,000 spam messages at $0.01 per message
They ship with old versions. I would guess they don't bother to update all that often.
This isn't a sold or imported product. It's a temporary trial that will become invalid if MS isn't allowed to sell the license to use it.
You can't stop in time at 30mph, if you were looking at your cell phone.
Also, i've seen such yield signs on roads of speed limits up to 55mph.
If re-imaging is the issue, don't re-image them. Prepare a patch to disable Word, and apply the patch to PCs before they ship out.
If the court orders you to do it, you do it.
"Months of testing" is Dell's normal procedure, not a physical requirement. They can obey the court's order by taking action to disable the software without months of testing.
A simple patch would be to delete the .EXE file required to start word (for example)
Actually, they are both moving (in opposite directions).
Hard drives are addressed in 512 byte sectors, which is a power of 2. You can't have a usable "half of a sector"
The reason to refer to HD memory this way, is for consistency. kB and mB have accepted defintions, they should not be changed, just because hard drives were introduced, and weren't thus constrained. RAM definitely was used in computers a long time before the other popular storage technologies were used.
Hard drives are just an extension of computer memory, especially with SSDs replacing mechanical devices.
Do you also recommend that we will suddenly measure disk drive capacity in a different unit if/when we all move to using quantum computers or computers based on some other new currently unfamiliar technology?
Actually, yes. The measures of 'bits' and 'bytes' will no longer make any sense, when systems are not operating on base-2, and each native digit can hold more selectable values.
However, users of legacy systems may have some problems. Manufacturers might quote quantum storage in BECs (Binary Equivalent Capacity) at first, so they might say "56712864 zettabytes BEC", initially, before users learn the new units.
The problem is the "standards" came after there was already another convention, and the standards didn't support what people were actually doing, they instead tried to dictate people do one particular thing.
The reasons people haven't changed could be similar to the reasons the OOXML standard being published haven't made all the word processors begin efforts to switch from RTF to OOXML.
Computer scientists defined matters this way, because computers operate on discrete units, there is no such thing as having 5.3 bytes, for example. The units used aren't true units of measure, they're not like other SI units; a bit is a mathematical structure, a binary digit.
Perhaps what's confusing is a "byte" is not a measure of storage at all; anymore than "this book has 500 pages" is a measure of the book's length, size, or number of words (it could in fact be a very short book). Bits or "number of addressable units" of a pre-defined size measure storage, bytes don't. The same stick of memory represents half as many units of addressable storage on a 64-bit platform as on a 32-bit platform.
A bit is by definition a 'binary digit' that can be one of 2^1 possible values; it is a discrete mathematical structure, not a physical one.
There is no mathematical definition of a byte; in the past, some people have used 7-bit bytes, others used 8-bit or larger bytes. 8-bits is common nowadays.
In any case, a byte represents a value that have 2^n possible values, where n is the number of bits per byte. When n=8, 256.
Now this leaves the size of the other units "inherently" vague.
one kilobyte = the number of bytes you would have when representing n+2 bits as one byte.
one megabyte = the number of kilobytes you would have when representing n+2 bits as one byte.
...
Lots of people who aren't acquainted with the field use electricity too, that doesn't mean they get to define what a kilovolt means.
When it comes to RAM, computers use the base-2 number system. The only way to accurately measure large amounts of capacity accurately and use a whole number to do it is using base 2.
Unless you feel comfortable having 1.0737418240 "gigabytes" (1073741824 bytes) of memory instead of 1 gigabyte of memory.
Oh, by the way, the average person is going to take the "1.0737418240" figure from the manufacture and truncate it to something like "1.07" and say they have that much memory, which results in the figure actually being incorrect.