Examples of trend line based modeling...
Finance, population statistics, various biological modeling applications, and basically all weather modeling works this way.
Take the 2008 credit crunch. At the time, the finance industry was using a market model that abstracted all risk to a single variable.
So an investment would have a risk number and the higher that risk number the riskier the investment.
The problem with it was that it oversimplified risk and it could only boil it down to a single variable by making a lot of assumptions. Mostly that certain economic conditions would remain unchanged. If they did change then the number wouldn't mean anything anymore because all the starting premises wouldn't be valid.
You run into other issues with economic productivity... Take the predictions about China's economic future. They just take China's growth over the last 20 years and abstract that out for another 20 or 50 years... just draw the trend line out.
The problem is that it oversimplifies the picture and you have to factor things like demographics, capital input, market demand, etc. And if you do that, then you realize that the simplified trend line is wrong. Not just oversimplified but in error.
You can talk about population statistics... one of the best known examples of this mistake was Malthus's theories on population. He was all about trend lines. His argument was that populations expand geometrically and land can only be exploited arithmetically. Therefore when the population doubles enough that all the resources are consumed there will be a giant die off. The problem with the theory is that human populations don't grow that way and neither do we exploit resources that way. Neither one is that predictable. Populations can slowly decline, they can rapidly double, they can hold stable... there is no simple equation that describes what they do because the variables that influence population growth are many and very complicated. Resource acquisition and utilization is if anything even more complicated. Suggesting that you can brush off the entire thing as being additive effectively is asinine.
Really almost anything you can represent statistically has been misrepresented statistically at some point. It is very common.
A point that has to be made here is that the computers are not doing anything that we couldn't do before. They're just making it more practical to do really tedious calculations.
As to long trends versus short trends, that's all subjective. What is long or short is arbitrary. What you need to understand is not duration but circumstance.
Let's say you lived on a planet that rotated on its axis about once every 10,000 years. And your people only lived in one little valley and you never left it. Would it be true that the sun would always be overhead even if your statistics showed it had been overhead for the last 5000 years? A long trend line doesn't mean something will always be a certain way. It just means that is how it has been.
If I put a ball on a table and you graph the position of that ball over time... the ball will consistently sit there from now until the end of time unless circumstances change.
And it is those circumstances that actually tell you something. Consider Newton's laws of motion. That tells you something about balls on tables. It tells you a lot more than a trend line of where the ball was for the last however long.
And that is another big problem with trend lines, they do not show causation. They show correlation. Getting causation from a trend line is almost impossible.
To the extent that models are useful, they show you a probability based on the past. They are however extremely unsatisfying if you want to actually predict the future with any accuracy. This is why proper financial analysis probes lots of other variables that are harder to graph but which do a better job of describing WHY the numbers do one thing or another.
And you'll find that is the case with most models. The graphs are nifty power points. But they're not really going to tell you what is actually going on.
Doxx myself? First, I don't own the systems so I have no right to do such a thing. Second, only an idiot would doxx themselves... just because some AC dared him to? Comical.
I'd do it if I had permission and if I were getting paid... ideally by you... lots of money.
Short of that... you're basically asking me to betray my employer, subject myself to real life harassment from internet trolls, and for... nothing?
No thanks.
I can't disagree... the thing fucking pissed me off with all its problems. The web admin told me that it couldn't be secured without completely rewriting the whole site and upgrading lots of crap in it along the way.
And I thought to myself... "and how long will that work?"... and I concluded that I'd be having the same conversation with the guy in two years.
So I tried to draw him into a discussion about securing the site without bothering with WordPress's endless bullshit. And he basically had no idea what I was talking about.
So I contacted someone else that I work with a lot and ran the situation by him and we both basically came to the same conclusion pretty fast. And so we basically treated the WordPress site like a black box of broken bullshit. Locked it down the only way you can lock down a black box. Security issue solved.
Web admin has to VPN into the webserver, unlock the file system, and then he can mess with it. Beyond that, the site itself has all its configurations, scripts, passwords, etc. locked. It can do things... it isn't entirely static. But it can't be reprogrammed without unlocking the configuration files which control how it works. "People" do still try to hack the thing. I can see the intrusion attempts in the logfiles. But there isn't anything they can do even if they do use an exploit. It's locked.
What I like about little solutions like that is that they're very brute force, simple, and from what I've seen totally unexpected. No one sees that coming.
Is there a way around it? I'm struggling to see how. The webserver doesn't have permissions to unlock files. So even if you took control of the web software the OS still wouldn't unlock the files.
I grant the point you're making. However, I would argue that someone with a bigger practical background in hacking would be better. I also don't agree that they should be pulling people from other branches to run the NSA or CIA. The intelligence branches should be run by people from the intelligence branches.
My central thesis however is not damaged by this point. We could spend years trading examples and counter examples.
Your position rests on the notion that computer systems are not subject to judgments from people that don't understand them.
My position rests on the notion that computer systems are routinely subjected to judgements from people that don't understand them.
If I made an error, it was in underestimating the tenacity with which people will sometimes defend stupid arguments.
You were saying you would run an active hack from inside a high security network.
If you don't think such facilities have men with guns then you know less about such networks than you think.
Ever tried to walk into an investment bank? You wouldn't leave the lobby. You need an ID card at a minimum to get the elevator to go to the right floor. And that assumes there aren't four or five other security systems being used in correlation with that.
I'm always amazed at what people think is "actual" security.
Take something as rudimentary as a night club. They have a big guy standing out front that will twist your head off and shit down your neck if you decide to challenge him. And that's a fucking night club.
The security situations you're familiar with apparently have LESS security than a night club... meant to keep drunks and people girls don't want to dance with out of the club.
Doesn't that raise a red flag for you as to what you consider valid security?
Believe me. You physically intrude into a secure network and spook the admin... Men with guns will be there. Whether they draw them and point them will be their discretion. But they'll have them.
The movies? No... sadly there are no 20 something chicks that work in the building with huge tits, puffy lips, and runway makeup. However, high security environments are high security because the stakes are high. You cannot let people breach them.
In the corporate environments, billions of dollars ride on the security. In national security you're talking about the fate of nations.
If you think someone wouldn't raspberry jam your brains all over the walls with those stakes on the line you're kidding yourself.
And what would I learn?... Seems like the lesson you want to teach is despair.
Why would I want to learn that lesson when I can just win? I'm fine thanks.
Look, I'm not saying perfect security is practical in all cases. I'm just saying it is possible. And when you are dealing with high security environments you can secure them so that they do not get hacked.
Saying you can't do it because how would we check our Facebook is itself naive, soft, and frankly irresponsible.
As to self determination of ethnic minorities, you're ignoring the complicating factors.
1. They're not loyal to Ukraine but rather to Russia. This means they are effectively a fifth column. They're being used by the Russians in that way. Russian special forces are being embedded to train and lead them. And Russian arms and resources are being funneled into their groups.
2. The Russian government is embracing them and using them. This is something like the anode and cathode of a circuit. Without either one you don't have a flow of current. But when both are there a circuit is completed. The Russian response makes this group dangerous to the Ukrainian government.
3. These people have already sided with a foreign power in many cases. That is treason by any definition. And the punishments for actual treason... which this is... are generally quite serious. Exile from the country is actually relatively a mercy. Execution could be justified. On a massive sweeping scale? No... but ring leaders... people that were known to personally have taken up arms... etc.
Once you acknowledge the variables you were not addressing before:
1. Lack of loyalty. 2. Russia supporting that lack of loyalty. 3. Literal treason having happened.
It changes things.
Let's look at the US for an example so you can see where I'm coming from here.
Let's say the Mexican population flowing into the US were principally loyal to Mexico. Is that a problem? Not in and of itself. It's just the ground for a possible circuit.
Then let's say the Mexican government actively encouraged and supported hostile actions against the US using its immigrant population as a fifth column... This is just theoretical. I'm not saying any of this is happening. I'm just trying to put the situation in a different context so you can see the variables in a new light.
Then let's say the Mexicans in the US start actively taking up arms against Americans trying to effectively help Mexico annex a portion of the United States.
Okay that is basically what is happening in Ukraine.
Now, if that happened in the US... there would be mass deportations. Not the fake ones we do just to pretend like we're doing it. But millions of people would be forced out of the country.
It would not be tolerated.
And if you want to put that in any other context... think of whether any European country would put up with similar variables?
They wouldn't.
Take the Basque people which the Spaniards tolerate. They don't have loyalty to Spain but they have no external country that supports them that they'd like to be annexed by... and while some of them have taken up arms it is a very very small portion of the whole.
And you can see Spain's troubled history with them regardless. That's just with ONE variable in place.
In Ukraine you have ALL THREE. If the Basques did what the ethnic Russians did in Ukraine... the Spaniards would crack down HARD on them. And I'm talking about modern liberal EU Spain.
Blaming Ukraine for taking a hard line on the ethnic Russians makes no sense.
They don't have a choice.
They can either surrender territory and allow portions of the country to be annexed or they have to remove the rebels. And if they surrender territory, they have to know that there will be no more concessions made. It has to be a final settlement.
And that means those three variables have to be dealt with:
1. Existing Ethnic Russians that are in western Ukraine if there is a concession of territory would have to become Ukrainian to remove the threat of the issue coming up again as a result of any population friendly to Russia in Ukraine.
2. Russia would have to foreswear any further claims to Ukrainian territory.
3. Anyone that actually took up arms would either need to live in eastern Ukraine which would be annexed by Russia or would have to serve some prison time in western Ukraine.
This is not unreasonable or harsh or intolerant. This is how you resolve this si
Show me the Chinese enterprise router you want to install.
Cite it.
Cisco is currently playacting a lot of buyers by adopting spycraft tactics to ship networking equipment to some buyers.
They're using false addresses, boobytrapped boxes that have secret telltales if they're opened, etc.
The role of Chinese manufacturing is often misunderstood. They are mostly doing assembly work. The design is mostly US, European, or Japanese.
The core components tend to be fabricated in Japan, South Korea, the US, or Europe.
They are shipped to China for assembly. When something says "made in"... it refers to the final step which is often a lot less important than previous steps.
A good way of tracking value added is by seeing how much each step costs minus additional input resources which have to be factored separately.
When you do that, China's overall share is about 30 percent. So when you buy something that says "made in China" ROUGHLY 30 percent of that went to China. The remaining 70 percent went to the owners of the IP and other people outside of China that were relevant to the supply chain.
China is not what many people think it is...
Ever buy a kit that makes something? Anything from a box of legos to an Ikea table or something? That process you go through to turn that box of stuff into whatever is on the picture is mostly what China does.
They're not as well positioned to compete as you might believe.
The US dominates a great many products, industries, and sciences despite many countries trying very hard to steal market share. The US holds on to those markets by producing a superior product or sometimes the only viable product.
The NSA shitting all over the computer software and hardware industries is a problem. But losing market share to China is not the threat. Losing market share to Europe and Japan is the threat.
Making it illegal without due process followed by some sort of auditing program into any domestic operations followed by a whistle blower protection law would do it.
Then if the NSA starts doing it again, either the oversight board or the whistleblower will reveal it.
Understand, this sort of thing is fine with due process. We allow the police to raid buildings with a warrant. The biggest violations by the NSA are that it is operating in the US without bothering to get warrants.
Another thing they should probably do is be required to subcontract all their domestic field operations through the FBI. The FBI knows how to obey the law. The CIA and NSA so rarely have to worry about it that they get sloppy with it.
As I said, they work fine when people understand the data and they understand what they're talking about.
You do that and you understand that the kid isn't going to keep growing at the same rate for the next 10,000 years.
The trend lines are mostly useful for showing what happened not what will happen.
As Mark Twain said, there are lies, damned dirty lies, and statistics.
And that is just to explain that specious manipulation of numbers has been a thing in political and economic discourse for generations. It is nothing new. Computer models just automate a lot of the statistical calculations.
Don't get me wrong, statistics are MASSIVELY useful but only for people in the know. For anyone outside the know they're almost useless because you can fuck with the numbers in any of a million ways and have them output any result you want.
The unemployment numbers are just a simple non-controversial example. Would we argue that unemployment is ACTUALLY going down? No. Because we know that that statistic doesn't count anyone that has been out of work for X time as being unemployed. If you don't get a job again you're flagged as not in the work force. So structurally unemployed people are not counted as unemployed.
All stats can be manipulated that way. Unless you know the methodology, the data collection method, etc etc etc... you don't know what the data actually says. Often these numbers are presented in an oversimplified fashion that tells you literally nothing about how the data was collected or processed prior to the output.
Is crime going up or are you counting things as crime that you weren't counting as crime before? Are education scores improving or did you exclude everyone that failed horribly from the statistics?
Another fun one is infant mortality. That one most people assume is universally tallied the same way around the world. But it isn't. Children in the US that die in child birth count against the infant mortality rate. In some countries, they have to be alive for a few days before they count as "alive" in the first place. The birth isn't counted effectively until that point.
You'll see bias very frequently in politics or anything that is politically sensitive with one side biasing the numbers one way and the other side biasing the numbers the other. Sometimes the number lies between the two of them and sometimes they're both full of shit and sometimes one of them is lying and the other is telling the truth. There is no way to know without doing an independent audit.
I saw something about Japanese unsolved murders being labeled as "accidental deaths" in the statistics because it is organizationally unacceptable to have unsolved murders. So if they don't know who did it, then it is recorded for the crime statistics as an "accidental death." I'm guessing some of the Japanese "suicides" are also unsolved murders.
You run into similar stuff in the Middle East with homosexual stuff. Most Islamic countries will say that there are no homosexuals in their countries. At all. First they don't collect the statistics. And second, I think Iran has the second highest population of transsexuals... submissive homosexuals walk around in drag and then the masculine homosexuals act as the man to the other's woman. That's how you live as a homosexual in those parts of the world. And as a result... no homosexuals according to the statistics.
That's just the political crap. You can go through the economics as well... not even the political economics but just the pure economics statistics are often full of shit. GDP, GNP, trade imbalance, stock trends, bear market, bull market... you don't know by looking at that what is going on. You have to know how the information is collected and the output calculated. And you have to know the blind spots and then you have to check those blind spots. THEN it can mean something. Otherwise, it just gives a false sense of security.
I do quite well actually... and if everything is locked down and I'm alerted when there is an issue... then what exactly do I have to do?
A lot of bad administration is a lack of automation. It's why the security gets lax half the time. They say "well we'd need more IT people to handle that"... for security you really don't need that many. You just need the systems to be set up to call for help when something happens. And then have them be foolproof enough that only rarely does anything happen.
Your point about what is and is not historic Russia is about as sensible as China's opinion on Taiwan. Does China have a right to annex Taiwan at will?
By your logic they do apparently.
As to Russians in Ukraine... we're going to have to agree to disagree. Again, consider the Taiwan argument... they're all Chinese ethnically. But what if there were a subgroup that was sympathetic to the mainland and ultimately hostile to the Republic? What then?
You can't tolerate it. They either integrate or they are an unacceptable liability.
As to ethnic cleansing, this term is generally associated with mass killing. That is why it has a strongly negative moral connotation. To conflate that with simply having people LEAVE without killing is not a sensible argument.
It is also a highly emotional argument that I don't find especially credible.
As to splitting Ukraine, I think I already offered that option. It required that Russia formally renounce any claim on any additional land and that any remaining ethnic Russians in Ukraine either become culturally Ukrainian or cross to the Russian side.
This has been done many times in history and has a very good track record of stability afterwards.
Are all the systems on the network secure? Yes. In so many ways. The workstations are locked down. You can't run un-authorized code on them.
Are the appliances secure as well? Yep. This one is actually easier. The appliances are either non-programmable or they're firewalled.
What is more, when I was talking about things being unhackable, I meant from the outside. If you're in the building then things become difficult because I have to start fighting the first law of computer security, which is physical security.
I have to keep you from physically touching some systems. If I can keep your hands off them then even from within you can't get access without authorization or using someone else's authorization. I mean, if some user left their machine logged in... then you could have access to that.
That would be about it.
Could you get into the management infrastructure... I don't see how. You can't even open a command prompt unless you're logged in on an admin account much less run executable code. How are you going to hack my system if you can't run non-authorized code? Those machines can't even run scripts under the user account.
As to you owning me if you're on the network, I'll point out again that any sort of activity like that is going to start creating a lot of security logs and the serious ones get immediately sent to me by text message. So... do you think you could do it before four people come up behind you with firearms and put a pistol to the back of your head?
You underestimate the situation. You don't have the access or the time. You couldn't even stick an unknown machine into the network without getting flagged. The router would create a security log of an unknown system and I'd be notified immediately.
As to active defenses... That's me. The system is full of traps and alarms. You're not going to avoid them. They all operate on the principle that if you don't do everything JUST so things either don't work or it doesn't work and it triggers a security log. If you're sitting there physically inside my network going through possible vulnerabilities one at a time... you're going to create a serious security log very quickly... and best case I'll check on you first. Worst case I'll come with "help" to deal with you. Depends on the type of alarm you set off. Set off something I see a lot that is sort of innocent and I'll eyeball you. Set off something that can't be innocent and I'll assume it isn't innocent.
As to write protecting all files... that was just one stopgap on one system because I was tired of it getting fucked with. I was also annoyed that the guy responsible for it was telling me that he couldn't secure it because it was impossible. So I just did something brute force that made a point.
As to the attack surface of a machine extending beyond the reach of the admin... depends on what you mean by "the machine"... a single machine is stupidly easy to secure... I can kick the power cord out of the wall... I mean you can't attack something if it isn't connected and if you can't find it.
I have home court advantage which counts for everything in this game.
Systems like mine are not breached electronically. You get into my system by physically infiltrating and getting physically too close to certain assets. Short of that, you can beat your brains in on it.
If you want to have people that are outside the bubble... then you just give them their own network that is outside the bubble. They can virus the fuck out of themselves and that is their own problem. They won't infect the other systems because they're segregated.
If they need access to those systems then they can either specify their needs or pound sand.
Having lots of IT people is not required. You just need to be really good at saying "no" when they ask for shit they don't need. Which is pretty much always.
You say you have little pockets of people doing odd stuff. Fine... but what are they actually doing? Let's go through some test cases. I'm telling you... if you're systematic about it, then you can boil everything down to a few core applications.
I have a peer that works for a corporate bank and he does it the same way. The bank has a million departments. But they all need access to the same stuff.
He gives users access to whatever on the internet. Even Facebook or porn sites. He does track everything though so when they go to those sites he can leverage the fact to get them to stop acting like assholes.
But he only allows specific programs to access specific ports. And there is no executable code permitted to run that is not approved.
So his security is lower than mine normally. But it is vastly higher than what is getting busted in these articles.
Look, if you don't lock the systems down, then you deserve the consequences. Good, hard, and from behind.
As to the proper response to idiots in real situations... I've found it's best to just humor them and then quietly negate the damage they could possibly do when they're not paying attention.
To understand how to make something unhackable you have to understand how hacking works.
The whole strategy is basically using the adaptability of the system against the owner. You reprogram the system to do what you want instead of what the owner wanted.
That's hacking. Can you hack non-programmable systems? Nope. Can you hack something that might be programmable but which you cannot access because it literally doesn't communicate bidirectionally over exposed IP addresses? The ability to hack something like that is pretty limited... if possible at all. And that is with just one security change.
If you compound a lot of really solid security concepts on top of each other that means the hacker has to break through each successive step to actually get to the meat.
Now there is technically a way to get through each of these steps and the final probability is still non-zero. That said, there are some very extreme steps you can take that can move the probability from .0000000000000001 to 0.
Some people don't like to use the terms like impossible or perfect because they feel that is arrogant and that it might just mean you haven't thought of something.
I concede the possibility of godlike powers rewriting time and space to make what would appear to be physically impossible possible.
However, excluding godlike redefinitions of basic physical law, there are security protocols that are unbeatable.
It is important to note that the security being breached is not even good security. Fuck perfect... it isn't even good. The good security isn't getting breached. It's the shitty security that is getting breached. And the stuff I'm talking about is a damn sight better than "good"... it's fucking exceptional to perfect. No one is getting through that. The way you get through this kind of security is by throwing a black bag over the head of the admin and then attaching electrodes to his nuts. That's how you get through.
And who cares what the G anything said so much as 10 years ago? This is more worthless than when China said they'd cut the GROWTH of their PROJECTED CO2 increase and that they would be the only ones permitted to determine if they were in compliance with their non-binding agreement.
85 fucking years? Who here thinks that anyone will even remember what the G anything said in 85 years? None of it is binding. It is all gentleman's agreements.
Which means you can rebut any of them with this argument "well you see... ehm... I wanted to do that... so... I ehm... I just did."
Totally valid response by any G anything member to any other G anything member about whatever.
So... allow me to calculate the number of shits anyone should give about this little announcement... carry the one... divide by zero... and... yes, that works out to exactly zero shits.
examples of trend line based modeling...
Finance, population statistics, various biological modeling applications, and basically all weather modeling works this way.
Take the 2008 credit crunch. At the time, the finance industry was using a market model that abstracted all risk to a single variable.
So an investment would have a risk number and the higher that risk number the riskier the investment.
The problem with it was that it over simplified risk and it could only boil it down to a single variable by making a lot of assumptions. Mostly that certain economic conditions would remain unchanged. If they did change then the number wouldn't mean anything anymore because all the starting premises wouldn't be valid.
You run into other issues with economic productivity... Take the predictions about China's economic future. They just take china's growth over the last 20 years and abstract that out for another 20 or 50 years... just draw the trend line out.
The problem is that it over simplifies the picture and you have to factor things like demographics, capital input, market demand, etc. And if you do that, then you realize that the simplified trend line is wrong. Not just over simplified but in error.
You can talk about population statistics... one of the best known examples of this mistake was Malthus's theories on population. He was all about trend lines. His argument was that populations expand geometrically and land can only be exploited arithmetically. Therefore when the population doubles enough that all the resources are consumed there will be a giant die off. The problem with the theory is that human populations don't grow that way and neither do we exploit resources that way. Neither one is that predictable. Populations can slowly decline, they can rapidly double, they can hold stable... there is no simple equation that describes what they do because the variables that influence population growth are many and very complicated. Resource acquisition and utilization is if anything even more complicated. Suggesting that you can brush off the entire thing as being additive effectively is asinine.
Really almost anything you can represent statistically has been misrepresented statistically at some point. It is very common.
A point that has to be made here is that the computers are not doing anything that we couldn't do before. They're just making it more practical to do really tedious calculations.
As to long trends versus short trends, that's all subjective. What is long or short is arbitrary. What you need to understand is not duration but circumstance.
Lets say you lived on a planet that rotated on its axis about once every 10,000 years. And your people only lived in one little valley and you never left it. Would it be true that the sun would always be over head even if your statistics showed it had been over head for the last 5000 years? A long trend line doesn't mean something will always be a certain way. It just means that is how it has been.
If I put a ball on a table and you graph the position of that ball over time... the ball will consistently sit there from now until the end of time unless circumstances change.
And it is those circumstances that actually tell you something. Consider Newton's laws of motion. That tells you something about balls on tables. It tells you a lot more than a trend line of where the ball was for the last however long.
And that is another big problem with trend lines, they do not show causation. They show correlation. Getting causation from a trend line is almost impossible.
To the extent that models are useful, they show you a probability based on the past. They are however extremely unsatisfying if you want to actually predict the future with any accuracy. This is why proper financial analysis probes lots of other variables that are harder to graph but which do a better job of describing WHY the numbers do one thing or another.
And you'll find that is the case with most models. The graphs are nifty power points. But they're not really going to tell you what is actually going on.
Doxx myself? First, I don't own the systems so I have no right to do such a thing. Second, only an idiot would doxx themselves... just because some AC dared him to? Comical.
I'd do it if I had permission and if I were getting paid... ideally by you... lots of money.
Short of that... you're basically asking me to betray my employer, subject myself to real life harassment from internet trolls, and for... nothing?
No thanks.
I can't disagree... the thing fucking pissed me off with all its problems. The web admin told me that it couldn't be secured without completely rewriting the whole site and upgrading lots of crap in it along the way.
And I thought to myself... "and how long will that work?"... and I concluded that I'd be having the same conversation with the guy in two years.
So I tried to draw him into a discussion about securing the site without bothering with WordPress's endless bullshit. And he basically had no idea what I was talking about.
So I contacted someone else that I work with a lot and ran the situation by him and we both basically came to the same conclusion pretty fast. And so we basically treated the WordPress site like a black box of broken bullshit. Locked it down the only way you can lock down a black box. Security issue solved.
Web admin has to VPN into the webserver, unlock the file system, and then he can mess with it. Beyond that, the site itself has all its configurations, scripts, passwords, etc. locked. It can do things... it isn't entirely static. But it can't be reprogrammed without unlocking the configuration files which control how it works. "People" do still try to hack the thing. I can see the intrusion attempts in the logfiles. But there isn't anything they can do even if they do use an exploit. It's locked.
What I like about little solutions like that is that they're very bruteforce, simple, and from what I've seen totally unexpected. No one sees that coming.
Is there a way around it? I'm struggling to see how. The webserver doesn't have permissions to unlock files. So even if you took control of the web software the OS still wouldn't unlock the files.
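An added example, not part of the comment above and not the poster's own tooling: one way to verify the property described there, that the web server's account can neither modify the site's files nor undo the lock itself. It assumes the lock is enforced with ordinary Unix ownership and mode bits, which the comment does not specify; the function names, file names and UID/GID values are hypothetical, and the sample tree is constructed.

```python
import os
import stat
import tempfile


def classify(st, uid, gids):
    """Return why account `uid` could alter this inode, or None if mode bits deny it.

    Mode bits only: ACLs, immutable flags and read-only mounts are not consulted.
    """
    if st.st_uid == uid:
        # The owner can always chmod the file back to writable, so a
        # read-only mode on a file the web account owns is not a lock.
        return "owner"
    if st.st_gid in gids:
        return "writable" if st.st_mode & stat.S_IWGRP else None
    return "writable" if st.st_mode & stat.S_IWOTH else None


def audit_webroot(root, uid, gids):
    """List (relative path, reason) for everything under `root` the account can change."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Directories are checked too: write access to a directory allows
        # replacing or adding files in it even when each file is read-only.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            reason = classify(st, uid, gids)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root with two locked files and one weak spot."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    layout = {
        "wp-config.php": 0o444,                       # locked
        "index.php": 0o644,                           # locked for non-owners
        os.path.join("uploads", "cache.php"): 0o666,  # world-writable script
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)    # world-writable directory
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # Stand-in for the web server account: any UID that does not own the tree.
    web_uid, web_gids = os.getuid() + 1, {4000000}
    for rel, reason in audit_webroot(sample, web_uid, web_gids):
        print(f"{reason:9} {rel}")
```

An empty result for the real web account is the state the comment describes; any "owner" entry means the account could unlock that file on its own.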
The effect is not the issue here. What actually happened is the issue.
Furthermore, the DNS affects only systems affected by the DNS hack.
If you use a private DNS system... which you should if it is high security... then you would completely ignore the issue.
What some jerkoff sees when he connects to your system is one thing. What actually happened to your systems is another.
I grant the point you're making. However, I would argue that someone with a bigger practical background in hacking would be better. I also don't agree that they should be pulling people from other branches to run the NSA or CIA. The intelligence branches should be run by people from the intelligence branches.
My central thesis however is not damaged by this point. We could spend years trading examples and counter examples.
Your position rests on the notion that computer systems are not subject to judgments from people that don't understand them.
My position rests on the notion that computer systems are routinely subjected to judgements from people that don't understand them.
If I made an error, it was in underestimating the tenacity with which people will sometimes defend stupid arguments.
You were saying you would run an active hack from inside a high security network.
If you don't think such facilities have men with guns then you know less about such networks than you think.
Ever tried to walk into an investment bank? You wouldn't leave the lobby. You need an ID card at a minimum to get the elevator to go to the right floor. And that assumes there aren't four or five other security systems being used in correlation with that.
I'm always amazed at what people think is "actual" security.
Take something as rudimentary as a night club. They have a big guy standing out front that will twist your head off and shit down your neck if you decide to challenge him. And that's a fucking night club.
The security situations you're familiar with apparently have LESS security than a night club... meant to keep drunks and people girls don't want to dance with out of the club.
Doesn't that raise a red flag for you as to what you consider valid security?
Believe me. You physically intrude into a secure network and spook the admin... Men with guns will be there. Whether they draw them and point them will be their discretion. But they'll have them.
The movies? No... sadly there are no 20 something chicks that work in the building with huge tits, puffy lips, and runway makeup. However, high security environments are high security because the stakes are high. You cannot let people breach them.
In the corporate environments, billions of dollars ride on the security. In national security you're talking about the fate of nations.
If you think someone wouldn't raspberry jam your brains all over the walls with those stakes on the line you're kidding yourself.
and what would I learn?... Seems like the lesson you want to teach is despair.
Why would I want to learn that lesson when I can just win? I'm fine thanks.
Look, I'm not saying perfect security is practical in all cases. I'm just saying it is possible. And when you are dealing with high security environments you can secure them so that they do not get hacked.
Saying you can't do it because how would we check our facebook is itself naive, soft, and frankly irresponsible.
You lock it down and you don't get touched.
As to self determination of ethnic minorities, you're ignoring the complicating factors.
1. They're not loyal to Ukraine but rather to Russia. This means they are effectively a fifth column. They're being used by the Russians in that way. Russian special forces are being embedded to train and lead them. And Russian arms and resources are being funneled into their groups.
2. The Russian government is embracing them and using them. This is something like the anode and cathode of a circuit. Without either one you don't have a flow of current. But when both are there a circuit is completed. The Russian response makes this group dangerous to the Ukrainian government.
3. These people have already sided with a foreign power in many cases. That is treason by any definition. And the punishments for actual treason... which this is... are generally quite serious. Exile from the country is actually relatively a mercy. Execution could be justified. On a massive sweeping scale? No... but ring leaders... people that were known to personally have taken up arms... etc.
Once you acknowledge the variables you were not addressing before:
1. Lack of loyalty.
2. Russia supporting that lack of loyalty.
3. Literal treason having happened.
It changes things.
Let's look at the US for an example so you can see where I'm coming from here.
Let's say the Mexican population flowing into the US were principally loyal to Mexico. Is that a problem? Not in and of itself. It's just the ground for a possible circuit.
Then let's say the Mexican government actively encouraged and supported hostile actions against the US using its immigrant population as a fifth column... This is just theoretical. I'm not saying any of this is happening. I'm just trying to put the situation in a different context so you can see the variables in a new light.
Then let's say the Mexicans in the US start actively taking up arms against Americans trying to effectively help Mexico annex a portion of the United States.
Okay that is basically what is happening in Ukraine.
Now, if that happened in the US... there would be mass deportations. Not the fake ones we do just to pretend like we're doing it. But millions of people would be forced out of the country.
It would not be tolerated.
And if you want to put that in any other context... think of whether any European country would put up with similar variables?
They wouldn't.
Take the Basque people which the Spaniards tolerate. They don't have loyalty to Spain but they have no external country that supports them that they'd like to be annexed by... and while some of them have taken up arms it is a very very small portion of the whole.
And you can see Spain's troubled history with them regardless. That's just with ONE variable in place.
In Ukraine you have ALL THREE. If the Basques did what the ethnic Russians did in Ukraine... the Spaniards would crack down HARD on them. And I'm talking about modern liberal EU Spain.
Blaming Ukraine for taking a hard line on the ethnic Russians makes no sense.
They don't have a choice.
They can either surrender territory and allow portions of the country to be Annexed or they have to remove the rebels. And if they surrender territory, they have to know that there will be no more concessions made. It has to be a final settlement.
And that means those three variables have to be dealt with:
1. Existing Ethnic Russians that are in western Ukraine if there is a concession of territory would have to become Ukrainian to remove the threat of the issue coming up again as a result of any population friendly to Russia in Ukraine.
2. Russia would have to foreswear any further claims to Ukrainian territory.
3. Anyone that actually took up arms would either need to live in eastern Ukraine which would be annexed by Russia or would have to serve some prison time in western Ukraine.
This is not unreasonable or harsh or intolerant. This is how you resolve this si
No... I'm not.
Show me the Chinese enterprise router you want to install.
Cite it.
Cisco is currently playacting a lot of buyers by adopting spycraft tactics to ship networking equipment to some buyers.
They're using false addresses, boobytrapped boxes that have secret telltales if they're opened, etc.
The role of Chinese manufacturing is often misunderstood. They are mostly doing assembly work. The design is mostly US, European, or Japanese.
The core components tend to be fabricated in Japan, South Korea, the US, or Europe.
They are shipped to China for assembly. When something says "made in"... it refers to the final step which is often a lot less important than previous steps.
A good way of tracking value added is by seeing how much each step costs minus additional input resources which have to be factored separately.
When you do that, China's overall share is about 30 percent. So when you buy something that says "made in China" ROUGHLY 30 percent of that went to China. The remaining 70 percent went to the owners of the IP and other people outside of China that were relevant to the supply chain.
China is not what many people think it is...
Ever buy a kit that makes something? Anything from a box of Legos to an Ikea table or something? That process you go through to turn that box of stuff into whatever is on the picture is mostly what China does.
They're not as well positioned to compete as you might believe.
The US dominates a great many products, industries, and sciences despite many countries trying very hard to steal market share. The US holds on to those markets by producing a superior product or sometimes the only viable product.
The NSA shitting all over the computer software and hardware industries is a problem. But losing market share to China is not the threat. Losing market share to Europe and Japan is the threat.
Saying you didn't know means little when your response when you do know is to do nothing.
Making it illegal without due process followed by some sort of auditing program into any domestic operations followed by a whistle blower protection law would do it.
Then if the NSA starts doing it again, either the oversight board or the whistleblower will reveal it.
Understand, this sort of thing is fine with due process. We allow the police to raid buildings with a warrant. The biggest violations by the NSA are that it is operating in the US without bothering to get warrants.
Another thing they should probably do is be required to subcontract all their domestic field operations through the FBI. The FBI knows how to obey the law. The CIA and NSA so rarely have to worry about it that they get sloppy with it.
If Chinese equipment were competitive for that sort of thing your CPU would be Chinese.
It isn't because it isn't.
You might see competition from Europe or Japan. China isn't really trusted for their design and chops.
As I said, they work fine when people understand the data and they understand what they're talking about.
You do that and you understand that the kid isn't going to keep growing at the same rate for the next 10,000 years.
The trend lines are mostly useful for showing what happened not what will happen.
As Mark Twain said, there are lies, damned dirty lies, and statistics.
And that is just to explain that specious manipulation of numbers has been a thing in political and economic discourse for generations. It is nothing new. Computer models just automate a lot of the statistical calculations.
Don't get me wrong, statistics are MASSIVELY useful but only for people in the know. For anyone outside the know they're almost useless because you can fuck with the numbers in any of a million ways and have them output any result you want.
The unemployment numbers are just a simple non-controversial example. Would we argue that unemployment is ACTUALLY going down? No. Because we know that that statistic doesn't count anyone that has been out of work for X time as being unemployed. If you don't get a job again you're flagged as not in the work force. So structurally unemployed people are not counted as unemployed.
All stats can be manipulated that way. Unless you know the methodology, the data collection method, etc etc etc... you don't know what the data actually says. Often these numbers are presented in an oversimplified fashion that tells you literally nothing about how the data was collected or processed prior to the output.
Is crime going up or are you counting things as crime that you weren't counting as crime before? Are education scores improving or did you exclude everyone that failed horribly from the statistics?
Another fun one is infant mortality. That one most people assume is universally tallied the same way around the world. But it isn't. Children in the US that die in child birth count against the infant mortality rate. In some countries, they have to be alive for a few days before they count as "alive" in the first place. The birth isn't counted effectively until that point.
You'll see bias very frequently in politics or anything that is politically sensitive with one side biasing the numbers one way and the other side biasing the numbers the other. Sometimes the number lies between the two of them and sometimes they're both full of shit and sometimes one of them is lying and the other is telling the truth. There is no way to know without doing an independent audit.
I saw something about Japanese unsolved murders being labeled as "accidental deaths" in the statistics because it is organizationally unacceptable to have unsolved murders. So if they don't know who did it, then it is recorded for the crime statistics as an "accidental death." I'm guessing some of the Japanese "suicides" are also unsolved murders.
You run into similar stuff in the Middle East with homosexual stuff. Most Islamic countries will say that there are no homosexuals in their countries. At all. First they don't collect the statistics. And second, I think Iran has the second highest population of transsexuals... submissive homosexuals walk around in drag and then the masculine homosexuals act as the man to the other's woman. That's how you live as a homosexual in those parts of the world. And as a result... no homosexuals according to the statistics.
That's just the political crap. You can go through the economics as well... not even the political economics but just the pure economics statistics are often full of shit. GDP, GNP, trade imbalance, stock trends, bear market, bull market... you don't know by looking at that what is going on. You have to know how the information is collected and the output calculated. And you have to know the blind spots and then you have to check those blind spots. THEN it can mean something. Otherwise, it just gives a false sense of security.
I do quite well actually... and if everything is locked down and I'm alerted when there is an issue... then what exactly do I have to do?
A lot of bad administration is a lack of automation. It's why the security gets lax half the time. They say "well we'd need more IT people to handle that"... for security you really don't need that many. You just need the systems to be set up to call for help when something happens. And then have them be foolproof enough that only rarely does anything happen.
Your point about what is and is not historic Russia is about as sensible as China's opinion on Taiwan. Does China have a right to annex Taiwan at will?
By your logic they do apparently.
As to Russians in Ukraine... we're going to have to agree to disagree. Again, consider the Taiwan argument... they're all Chinese ethnically. But what if there were a subgroup that was sympathetic to the mainland and ultimately hostile to the Republic? What then?
You can't tolerate it. They either integrate or they are an unacceptable liability.
As to ethnic cleansing, this term is generally associated with mass killing. That is why it has a strongly negative moral connotation. To conflate that with simply having people LEAVE without killing is not a sensible argument.
It is also a highly emotional argument that I don't find especially credible.
As to splitting Ukraine, I think I already offered that option. It required that Russia formally renounce any claim on any additional land and that any remaining ethnic Russians in Ukraine either become culturally Ukrainian or cross to the Russian side.
This has been done many times in history and has a very good track record of stability afterwards.
They were reprogrammed otherwise the worm would not have been able to imprint itself on them.
My understanding further is that the Iranian worm situation was caused by spreading malware from unsecured systems to the centrifuges.
Are you suggesting that it is impossible to keep a secure network isolated from the Facebook and porn network?
Are all the systems on the network secure? Yes. In so many ways. The workstations are locked down. You can't run un-authorized code on them.
Are the appliances secure as well? Yep. This one is actually easier. The appliances are either non-programmable or they're firewalled.
What is more, when I was talking about things being unhackable, I meant from the outside. If you're in the building then things become difficult because I have to start fighting the first law of computer security, which is physical security.
I have to keep you from physically touching some systems. If I can keep your hands off them then even from within you can't get access without authorization or using someone else's authorization. I mean, if some user left their machine logged in... then you could have access to that.
That would be about it.
Could you get into the management infrastructure... I don't see how. You can't even open a command prompt unless you're logged in on an admin account much less run executable code. How are you going to hack my system if you can't run non-authorized code? Those machines can't even run scripts under the user account.
As to you owning me if you're on the network, I'll point out again that any sort of activity like that is going to start creating a lot of security logs and the serious ones get immediately sent to me by text message. So... do you think you could do it before four people come up behind you with firearms and put a pistol to the back of your head?
You underestimate the situation. You don't have the access or the time. You couldn't even stick an unknown machine into the network without getting flagged. The router would create a security log of an unknown system and I'd be notified immediately.
As to active defenses... That's me. The system is full of traps and alarms. You're not going to avoid them. They all operate on the principle that if you don't do everything JUST so things either don't work or it doesn't work and it triggers a security log. If you're sitting there physically inside my network going through possible vulnerabilities one at a time... you're going to create a serious security log very quickly... and best case I'll check on you first. Worst case I'll come with "help" to deal with you. Depends on the type of alarm you set off. Set off something I see a lot that is sort of innocent and I'll eyeball you. Set off something that can't be innocent and I'll assume it isn't innocent.
As to write protecting all files... that was just one stopgap on one system because I was tired of it getting fucked with. I was also annoyed that the guy responsible for it was telling me that he couldn't secure it because it was impossible. So I just did something brute force that made a point.
As to the attack surface of a machine extending beyond the reach of the admin... depends on what you mean by "the machine"... a single machine is stupidly easy to secure... I can kick the power cord out of the wall... I mean you can't attack something if it isn't connected and if you can't find it.
I have home court advantage which counts for everything in this game.
Systems like mine are not breached electronically. You get into my system by physically infiltrating and getting physically too close to certain assets. Short of that, you can beat your brains in on it.
The losses won't stop until either the clients have confidence in their ability to secure the systems or the NSA learns boundaries.
The companies can't afford to blow this off. They are losing too much money to not resolve the issue.
Wrong.
To be hackable it has to be reprogrammable through the web portal.
If it isn't for any reason then it isn't hackable.
Depends... I'm not familiar with their system. I know lots of exploits and bugs. So maybe.
I know I could secure it though.
It works in any application.
If you want to have people that are outside the bubble... then you just give them their own network that is outside the bubble. They can virus the fuck out of themselves and that is their own problem. They won't infect the other systems because they're segregated.
If they need access to those systems then they can either specify their needs or pound sand.
Having lots of IT people is not required. You just need to be really good at saying "no" when they ask for shit they don't need. Which is pretty much always.
You say you have little pockets of people doing odd stuff. Fine... but what are they actually doing? Let's go through some test cases. I'm telling you... if you're systematic about it, then you can boil everything down to a few core applications.
I have a peer that works for a corporate bank and he does it the same way. The bank has a million departments. But they all need access to the same stuff.
He gives users access to whatever on the internet. Even Facebook or porn sites. He does track everything though so when they go to those sites he can leverage the fact to get them to stop acting like assholes.
But he only allows specific programs to access specific ports. And there is no executable code permitted to run that is not approved.
So his security is lower than mine normally. But it is vastly higher than what is getting busted in these articles.
Look, if you don't lock the systems down, then you deserve the consequences. Good, hard, and from behind.
As to the proper response to idiots in real situations... I've found it's best to just humor them and then quietly negate the damage they could possibly do when they're not paying attention.
You're apparently not familiar with give-o-fuck mathematics.
What do they teach you kids these days?
To understand how to make something unhackable you have to understand how hacking works.
The whole strategy is basically using the adaptability of the system against the owner. You reprogram the system to do what you want instead of what the owner wanted.
That's hacking. Can you hack non-programmable systems? Nope. Can you hack something that might be programmable but which you cannot access because it literally doesn't communicate bidirectionally over exposed IP addresses? The ability to hack something like that is pretty limited... if possible at all. And that is with just one security change.
If you compound a lot of really solid security concepts on top of each other that means the hacker has to break through each successive step to actually get to the meat.
Now there is technically a way to get through each of these steps and the final probability is still non-zero. That said, there are some very extreme steps you can take that can move the probability from .0000000000000001 to 0.
Some people don't like to use the terms like impossible or perfect because they feel that is arrogant and that it might just mean you haven't thought of something.
I concede the possibility of godlike powers rewriting time and space to make what would appear to be physically impossible possible.
However, excluding godlike redefinitions of basic physical law, there are security protocols that are unbeatable.
It is important to note that the security being breached is not even good security. Fuck perfect... it isn't even good. The good security isn't getting breached. It's the shitty security that is getting breached. And the stuff I'm talking about is a damn sight better than "good"... it's fucking exceptional to perfect. No one is getting through that. The way you get through this kind of security is by throwing a black bag over the head of the admin and then attaching electrodes to his nuts. That's how you get through.
Absent that... it isn't happening.
And who cares what the G anything said so much as 10 years ago? This is more worthless than when China said they'd cut the GROWTH of their PROJECTED CO2 increase and that they would be the only ones permitted to determine if they were in compliance with their non-binding agreement.
85 fucking years? Who here thinks that anyone will even remember what the G anything said in 85 years? None of it is binding. It is all gentleman's agreements.
Which means you can rebut any of them with this argument "well you see... ehm... I wanted to do that... so... I ehm... I just did."
Totally valid response by any G anything member to any other G anything member about whatever.
So... allow me to calculate the number of shits anyone should give about this little announcement... carry the one... divide by zero... and... yes, that works out to exactly zero shits.