The ResearchBuzz blog has proposed "nerdstick". I've standardized on that for my own use.
Everyone remember that Senator Kennedy was denied boarding? Even as a powerful Senator he had real trouble getting off the no-fly list.
More insight into how Microsoft thinks about these things at Larry Osterman's blog.
Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.
Also not making sense are the reference to the "1 GHz quantum encrypter" and the statement that they're holding back information about how it works for security reasons. Either it's vulnerable or it isn't. And gigahertz are the wrong units of measure. And quantum key exchange doesn't work that fast.
Quasi-Universal Anonymous Tender Low Orbit Object
Try thousands.
Microsoft had an email storm that took down companywide email.
Dan Kaminsky has done some research into this. If you combine Flash with a DNS rebinding attack, interesting things can happen that wouldn't happen without Flash (which is to blame for a fire, the fuel or the air?).
Scary web threats (HTML version)
Scary web threats (Powerpoint)
How confident can we be that there are no more remote command execution vulnerabilities in the Flash player?
The designed security measures are only part of the puzzle when something is in the field.
It's a CSRF, not XSS: XSS would mean a bug in Google's code, CSRF simply means they didn't take the additional security measure of putting a nonce into the form.
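As an added illustration of the nonce this comment refers to (example code, not from the thread, Google or any real application), a settings handler that trusts the session cookie alone beside one that also demands a per-session token; the session store, the form fields and the addresses are constructed stand-ins.

```python
# Added example: a cross-site request carries the victim's cookie automatically, but
# the foreign page cannot read a per-session secret embedded in the legitimate form,
# so a handler that requires that secret rejects the forged submission.
import hmac
import secrets

SESSIONS = {}  # constructed in-memory store: session id -> {"csrf_token", "forward_to"}

def login():
    """Start a session; the returned id is what the browser would keep in its cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "forward_to": None}
    return sid

def render_form(sid):
    """The legitimate settings page embeds the nonce as a hidden form field."""
    return {"forward_to": "", "csrf_token": SESSIONS[sid]["csrf_token"]}

def update_settings_unprotected(cookie_sid, form):
    """Vulnerable handler: the cookie alone authorises the change."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "not logged in"
    session["forward_to"] = form["forward_to"]
    return "updated"

def update_settings_protected(cookie_sid, form):
    """Hardened handler: the submitted nonce must match the one tied to the session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "not logged in"
    submitted = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered byte by byte via timing
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: bad csrf token"
    session["forward_to"] = form["forward_to"]
    return "updated"

def cross_site_post(victim_sid, handler):
    """Simulate a form auto-submitted from another origin: the browser attaches the
    victim's cookie, but the foreign page never saw the nonce and cannot include it."""
    forged = {"forward_to": "attacker@example.invalid"}  # constructed value
    return handler(victim_sid, forged)

def legit_post(sid, handler, address):
    """The user submits the real form, nonce included."""
    form = render_form(sid)
    form["forward_to"] = address
    return handler(sid, form)
```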
>Our company has all our generators (and many other things) remotely controlled, and none of those systems are available to the public internet. We have it all captive on our own infrastructure.
Are you sure? I just went to a presentation by someone who's been examining SCADA systems. He said his typical conversation with engineers goes like
"We're completely isolated"
(pause)
"Except for $GADGET, that has a modem for vendor maintenance"
(pause)
"And except for $OTHEROPENING".
(pause)
"Oh, and there's $YETANOTHEROPENING".
If you're sure, good for you, but what happens when someone hooks up their pwned laptop? ATMs have gotten viruses from a technician's laptop even though they were isolated from the Internet.
>One can not argue both sides of this issue and keep credibility. If a control system misbehaves, it matters not whether the problem is inadvertent or malevolent.
An ingenious attacker can come up with tricks that a Y2K bug could never think of.
Consider the difference between a plain crash and a buffer overflow exploit.
Which still leaves room for your skepticism.
>Normally, each generator, transformer and other equipment has safety devices that shut the machine down BEFORE any damage happens. Whatever happened to those? Do they depend on computers for that safety function now, that a simple relay or circuit breaker used to provide?
The term you're looking for is "ladder logic". It used to be implemented with banks of relays and now involves a microcontroller. It's designed to prevent accidents, not attacks.
Ladder logic applies to the SCADA interface. The gadgets themselves have their own protective features, but the trend is to save money and hassle by reducing those in favor of computer control.
If a power plant engineer contradicts me, believe him/her: I'm going off a presentation on SCADA hacking by Jason Larsen.
This was a science fiction story in which anyone could create a law. The visitor from Earth created a law saying that only qualified people could create new laws, arguing that otherwise someone might create a stupid one. The native said "Someone just did, in fact". The revert happened almost immediately, and the visitor was advised not to start a revert war: the reverter was described as "very good with the ritual sword".
The Payment Card Industry (PCI) standards require you to change default passwords in the part of your network that handles credit card data.
>A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.
>It changes too fast, and is too large, for it to be stored locally.
That's plausible, but in practice the option of local storage has proven usable:
What information is sent to Mozilla or anti-phishing partners when Phishing Protection is enabled?
"When Phishing Protection is used in default mode, no information about the sites you visit is sent to Mozilla or anti-phishing partners. Rather, sites are checked against a local list that is downloaded to your computer and updated on a regular basis."
>it puts the power company in the position of standing by ready to supply energy at night and when the sun doesn't shine but meanwhile when the sun is shining their expensive infrastructure sits idle
It's good for the utility company to shave their peak daytime loads, which they meet with expensive natural gas, and transfer that load to the nighttime when they can use cheaper base load capacity.
Women who are already sacrificing to pursue a computer interest run into problem after problem.
See the book Unlocking the Clubhouse for real-life experiences of hundreds of students at the highly competitive CMU. There are many obstacles, none a deal breaker in itself, but it adds up to the death of a thousand cuts.
CMU's CS program lost many hard-working enthusiasts, for a variety of reasons, mostly cultural.
The NSA changed the S-boxes without explaining why. When the white world re-invented differential cryptanalysis, it turned out that the NSA had strengthened DES with the changes.
The only realistic weakness in DES was the short key length, which the whole world knew about. To this day, triple DES is an accepted if slow cipher.
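As an added example of what "strengthened against differential cryptanalysis" means for an S-box (this code is not from the thread or from any DES implementation), the difference distribution table for the published DES S1 next to a constructed, deliberately poor S-box; the `weak_sbox` is an assumption made up for contrast.

```python
# Added example: the difference distribution table (DDT) counts, for each input XOR
# difference din, how often each output XOR difference dout occurs across all 64
# inputs. A large entry is a high-probability differential an attacker can chain.

# DES S-box S1 as published in FIPS 46: 4 rows of 16 entries, 6-bit in, 4-bit out.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def des_sbox(table, x):
    """DES convention: outer bits (b5, b0) select the row, middle four bits the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def weak_sbox(x):
    """Constructed poor 6->4 S-box for contrast: it simply drops the two outer bits."""
    return (x >> 1) & 0xF

def ddt(sbox):
    """Build the 64x16 difference distribution table of a 6-bit -> 4-bit S-box."""
    table = [[0] * 16 for _ in range(64)]
    for x in range(64):
        for din in range(64):
            dout = sbox(x) ^ sbox(x ^ din)
            table[din][dout] += 1
    return table

def max_differential(sbox):
    """Largest DDT entry over nonzero input differences as (count, din, dout)."""
    best = (0, 0, 0)
    for din, row in enumerate(ddt(sbox)):
        if din == 0:
            continue  # din 0 trivially gives dout 0 for all 64 inputs
        for dout, count in enumerate(row):
            if count > best[0]:
                best = (count, din, dout)
    return best

def report():
    """Compare the best differential through DES S1 with the weak box."""
    for name, box in (("DES S1", lambda x: des_sbox(S1, x)), ("weak", weak_sbox)):
        count, din, dout = max_differential(box)
        print(f"{name}: din 0x{din:02x} -> dout 0x{dout:x} holds for {count}/64 inputs")

if __name__ == "__main__":
    report()
```

The weak box has an input difference that changes the output with probability 0, while no nonzero input difference through S1 fixes the output difference for more than 16 of the 64 inputs, which is the design bound the published S-boxes meet.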
>Look at the Morris worm in 88. There was no code exploit, or coding mistake. It took advantage of an unauthenticated backdoor to sendmail, which was running as root.
This doesn't affect the point you're making, but one of the multiple vectors the Morris worm used was a buffer overflow in fingerd.
HP Labs hacked some sandboxing into Windows (PDF, sorry) including a few capability-based ideas, e.g. the only way for an application to write outside its temp directory is if the user grants a capability implicitly via the open file dialog.
Here's a resource for that which Bruce Schneier pointed to and which I've recommended to the non-technical:
http://www.securitycartoon.com/
A lot of the work my computer does for me happens via Google's Javascript. Will I have to whitelist it all over again every time the gmail implementation changes? If it's whitelisted by domain, then you still have to protect against cross-site scripting attacks somehow (all hail NoScript!)
The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint.
>According to the scientists
According to the scientists, the program misrepresented what they said.
>the concept of CO2 warming was a fairly small area of research that wasn't taken very seriously
On the contrary, it goes back to Arrhenius and is generally agreed to be the reason the oceans aren't frozen over. The existence of a "greenhouse" effect was in science textbooks decades ago.
>CO2 levels rose about 800 years AFTER the temperature rose.
After the temperature BEGAN to rise. Temperature and CO2 feed on each other in a positive feedback cycle. The Milankovitch cycles, by themselves, aren't enough to account for the temperature swings in the geological record. There needs to be some mechanism that amplifies the temperature swings, and CO2 accounts for it.
That positive feedback implies some important things for making policy. In particular, it means warming will go further than you'd expect -- CO2 production leads to more CO2 production, rising temperatures cause temperature to go up further.
>I am able to view every video file that comes my way on both of my Ubuntu systems (even the 500 mHz one)
I am awed by Ubuntu's ability to play video on a system running at 500 milliHertz.
>"Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents,"
That's an easy way to rack up a lot of security incidents, just classify every policy violation as a security incident.
Those all should be a lot cheaper than the six-figure average response cost the survey claims.
>Correlation is not causation.
Correct. Longwave absorption is causation.
We know from the lab that CO2 absorbs certain wavelengths, we know from thermodynamics that the earth reradiates at those wavelengths, and we know from satellite measurements that less energy is reaching space from the surface at those wavelengths.
We also know what solar output has been doing, for the last ~30 years quite precisely.