Slashdot Mirror


User: Shoten

Shoten's activity in the archive.

Stories
0
Comments
1,461

Comments · 1,461

  1. Re:Put the old domain in the name on Ask Slashdot: Name Conflicts In Automatically Generated Email Addresses? · · Score: 2

    I presume the old format looked like:

    emailname@subdomain.domain.com

    Make the new ones:

    emailname.subdomain@domain.com

    This should prevent any name clashes and still move all the emails to one domain and even preserve the similar format the users already have. New users may not even need their own .subdomain after the email name, but you'll be adding them as you go forward and can check for clashes when they are added and maybe just add a .subdomain to them, or numbers to the end.

    What happens when their subdomain changes because they change jobs or departments? This effectively re-instates one of the reasons to get away from 350 different domain/subdomain combinations in the first place, as the OP is doing.

  2. Re:Middle Initial on Ask Slashdot: Name Conflicts In Automatically Generated Email Addresses? · · Score: 1

    Or you could, you know, conventionally assume the conventions of where your company is based, and treat special cases as special cases.

    The key problem with this idea is the word "Automatically" in the title. Special cases are called "errors" in this scenario. And whether you plan to have a solution for them or just need code handling to catch and throw a meaningful, helpful exception when you encounter them, you need to try and predict what they will be. Humans are great at defining unforeseen exceptions. Software isn't.
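
The generation scheme discussed in the two comments above (the parent's `emailname.subdomain@domain.com` proposal, numeric suffixes for clashes, and the point that an automatic generator has to treat unmappable names as explicit errors rather than silently emitting something) as an added worked example. This is not code from the thread or from the original poster's system; the normalization rules, the sample directory and the `UnmappableNameError` class are assumptions made here for illustration.

```python
"""Deterministic e-mail address generation with clash handling.

Added example, not code from the Slashdot thread. The scheme and the
sample directory below are assumptions made for illustration.
"""
import re
import unicodedata
from typing import Optional


class UnmappableNameError(ValueError):
    """Raised when a name cannot be turned into a valid local part.

    This is the 'special case is an error' point from the thread: rather than
    silently producing something, the generator refuses and says why.
    """


# Conservative subset of RFC 5322 dot-atom characters we are willing to emit.
_NOT_LOCAL_OK = re.compile(r"[^a-z0-9.]")


def normalize(part: str) -> str:
    """Fold a name fragment to lower-case ASCII, dropping accents and punctuation."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    folded = _NOT_LOCAL_OK.sub("", folded.lower())
    return folded.strip(".")


def local_part(first: str, last: str, legacy_subdomain: Optional[str] = None) -> str:
    """Build 'first.last' or, per the parent post's proposal, 'first.last.subdomain'."""
    first_n, last_n = normalize(first), normalize(last)
    if not first_n or not last_n:
        raise UnmappableNameError(f"cannot derive a local part from {first!r} {last!r}")
    base = f"{first_n}.{last_n}"
    if legacy_subdomain:
        sub = normalize(legacy_subdomain)
        if sub:
            base = f"{base}.{sub}"
    return base


def assign_addresses(people, domain: str, keep_subdomain: bool = False):
    """Assign one address per person, resolving clashes with a numeric suffix.

    people: iterable of (first, last, legacy_subdomain) tuples, in a stable
    order (e.g. hire date), so re-running over the same directory yields the
    same addresses. Returns a list of (person, address) pairs in input order.
    """
    taken = set()
    result = []
    for first, last, sub in people:
        base = local_part(first, last, sub if keep_subdomain else None)
        candidate, n = base, 1
        while candidate in taken:
            n += 1
            candidate = f"{base}{n}"   # john.smith, john.smith2, john.smith3, ...
        taken.add(candidate)
        result.append(((first, last, sub), f"{candidate}@{domain}"))
    return result


# Constructed sample directory (not real people): three John Smiths from
# different legacy subdomains plus a name with non-ASCII characters.
SAMPLE = [
    ("John", "Smith", "sales"),
    ("John", "Smith", "eng"),
    ("Zoë", "Müller", "eng"),
    ("John", "Smith", "hr"),
]

if __name__ == "__main__":
    for who, addr in assign_addresses(SAMPLE, "example.com"):
        print(who, "->", addr)
    for who, addr in assign_addresses(SAMPLE, "example.com", keep_subdomain=True):
        print(who, "->", addr)
    try:
        local_part("王", "伟")   # no ASCII fold exists: refuse loudly
    except UnmappableNameError as exc:
        print("refused:", exc)
```

Running it with `keep_subdomain=True` reproduces the parent's scheme with no clashes; with the default it shows the numeric-suffix fallback that Shoten's objection (subdomains change when people move departments) pushes you towards. Note that the suffix is only stable if the input order is stable, which is why the directory must be processed in a fixed order.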

  3. Hmm...question? on Excessive Modularity Hindered Development of the 787 · · Score: 1

    By "hindered development," do they mean "made it harder?" If so...fucking duh. That's what happens when you try a new approach to building something...but that's not necessarily a reason not to innovate, and the fact that mistakes were made isn't necessarily an indictment of the activities that took place in the course of that innovation.

    Coming up with a new way of building a large commercial airliner is not going to be easy, and you're going to make mistakes. The article seems a little light on details; I don't buy the notion that Boeing simply told their subcontractors, without any details whatsoever, to build components. I would wager that the real truth is that the subcontractors were given specifications with regard to specific points of integration, but that Boeing underestimated the potential to stay within those specs and still deliver a component that was incompatible with the surrounding area of the aircraft. Whoops, mistake...but you make mistakes when you innovate, and then you learn and move forward. This article seems to imply that Boeing has no idea how to build aircraft at all, and that's just not true.

  4. Which way will it go? on Dreamliner: Boeing 787 Aircraft Battery "Not Faulty" · · Score: 4, Interesting

    The 787 is a revolutionary aircraft on many levels, from features to construction technology to production methods. I would expect there to be unforeseen issues resulting from interaction between different systems. What I'm curious about is whether Boeing will get them all sorted out quickly enough...in which case they will be superbly positioned to compete, having mastered the many challenges around making the 787 what it is. If they don't, then they will be in terrible trouble. I feel like I'm watching aeronautical history playing out before my eyes.

    I hope they get it all fixed in time, personally. The 787 is a hell of a plane. Check it out here: http://www.newairplane.com/787/

  5. Re:well CS IS NOT IT / NETWORKING / DESKTOP / SEVE on What Early Software Was Influential Enough To Deserve Acclaim? · · Score: 1

    well CS IS NOT IT / NETWORKING / DESKTOP / SERVERS.

    And this is why that needs to be in tech schools.

    CS is not IT, or Networking? Um...who do you think developed AD? A person who studied metallurgy?

  6. Re:Heck... on What Early Software Was Influential Enough To Deserve Acclaim? · · Score: 1

    Yes, and already it was being used widely in enterprise organizations. It was even more highly anticipated than NDS was under Novell 4.x, and companies jumped all over it because companies of medium size or larger were already struggling with using NT's domain architecture or jumping ship from Novell and going straight from NDS to AD. And again, this was a grad...not undergrad, a guy almost done with an MS in Computer Science...student, at a prestigious university. I wouldn't expect him to have been an MCSE capable of designing an AD forest that takes into account proper replication strategies over WAN links of different sorts, but he had never even heard the phrase "Active Directory" before. He was going to leave college to go work in the real world without knowing the first thing about something he was going to see in any enterprise environment. And that's just one of the many things that you'd encounter in many IT organizations that he didn't know anything about, it turned out.

  7. Heck... on What Early Software Was Influential Enough To Deserve Acclaim? · · Score: 1

    ...they should study things that are currently in use, too. I had a whip-smart friend who was a grad student at UMass Amherst in 2002. I described an approach to enterprise security monitoring that used relationship modeling so that you'd notice when a certain type of machine started interacting with systems that weren't really in its normal sphere of interaction. The approach I had in mind would use extensions to Active Directory. His first question: "What's Active Directory?" Again, this was in 2002.
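
The monitoring approach sketched in this comment (model which classes of machine normally talk to which, then alert when a machine starts interacting outside its usual sphere) as an added worked example. This is not the commenter's design or code; the host inventory, the flow records, the role classes and the "role pair plus port" baseline are all constructed assumptions. The commenter's version would read roles from Active Directory; here they are a plain dictionary.

```python
"""Relationship-baseline monitoring: flag hosts talking outside their usual peer set.

Added example, not the commenter's code. Inventory, flows and roles are
constructed for illustration.
"""
from collections import defaultdict

# Constructed asset inventory: host -> role class. In the approach described
# in the thread this would come from a directory attribute.
ROLE = {
    "ws-101": "workstation", "ws-102": "workstation",
    "ws-103": "workstation", "ws-104": "workstation",
    "file-01": "fileserver", "dc-01": "domain-controller",
    "db-01": "database", "app-01": "appserver",
}

# Constructed baseline flows: (src, dst, dport). Workstations talk to the DC,
# the file server and the app server; the app server talks to the database
# and to the DC on LDAP.
BASELINE_FLOWS = [
    ("ws-101", "dc-01", 389), ("ws-101", "file-01", 445),
    ("ws-102", "dc-01", 389), ("ws-102", "file-01", 445),
    ("ws-103", "dc-01", 389),
    ("ws-101", "app-01", 443), ("ws-102", "app-01", 443),
    ("app-01", "db-01", 1433), ("app-01", "dc-01", 389),
]


def role_pair(src, dst):
    return (ROLE.get(src, "unknown"), ROLE.get(dst, "unknown"))


def build_baseline(flows):
    """Map each (source role, destination role) pair to the set of ports seen."""
    baseline = defaultdict(set)
    for src, dst, dport in flows:
        baseline[role_pair(src, dst)].add(dport)
    return baseline


def find_anomalies(baseline, flows):
    """Return flows whose role pair, or port for that pair, is not in the baseline.

    Each anomaly is (src, dst, dport, reason). Modelling by role rather than
    by individual host means a newly built workstation talking to the DC is
    normal, while any workstation talking to the database is not.
    """
    anomalies = []
    for src, dst, dport in flows:
        key = role_pair(src, dst)
        if key not in baseline:
            anomalies.append((src, dst, dport, f"new relationship {key[0]}->{key[1]}"))
        elif dport not in baseline[key]:
            anomalies.append((src, dst, dport, f"new port {dport} for {key[0]}->{key[1]}"))
    return anomalies


# Constructed observation window: a new workstation doing something normal,
# a workstation reaching straight for the database, and the app server
# opening RDP to the DC.
OBSERVED = [
    ("ws-104", "dc-01", 389),
    ("ws-102", "db-01", 1433),
    ("app-01", "dc-01", 3389),
]

if __name__ == "__main__":
    for anomaly in find_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED):
        print(anomaly)
```

The baseline has to be learned over a window long enough to capture legitimate but infrequent relationships (month-end batch jobs, backup traffic), or the first run of those will page you; the usual practice is to run in report-only mode for a cycle and review what it would have flagged before turning on alerting.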

  8. Re:TLDR on Hacker Bypasses Windows 7/8 Address Space Layout Randomization · · Score: 1

    I think you've confused potential address space with actual available RAM. While you're right that there will be an impact on performance from filling up a 32-bit address space in the larger confines of a 64-bit operating system, you'll cause an even greater impact if you fill up all the actual available RAM by running the exploit in 64-bit context. And it's not about address space; the point is not to fill the address space that is potential, but the actual available RAM, because that's the point where you hit the ceiling and can determine where you want to create the empty spot to load into. The address space doesn't come into it, really, except as a limitation on the amount of RAM that the 32-bit process is aware of.

  9. Re:TLDR on Hacker Bypasses Windows 7/8 Address Space Layout Randomization · · Score: 2

    This appears to be a 32-bit exploit, at least as tested.

    That depends on what you mean by "32-bit exploit." He's doing it as 32-bit code because then you have a LOT less memory to fill up. Even better, you have a predictable amount of memory to fill. It affects operating systems which are 64-bit; he's not doing it in a way that makes those OS versions safe, but for his own convenience of exploitation. There's another added benefit as well...not only is it easier to fill up the RAM of a 32-bit memory space, but in a 64-bit environment you won't be as likely to slog the machine down overall while you do so.

  10. Re:Also decided in favor of restrictive firewalls on 10 Years After SQL Slammer · · Score: 1

    My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

    I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

    You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

    Look at all the stories we've seen about SCADA devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

    With the exception of the password storage using clear text, what you're describing has nothing to do with software insecurity but everything to do with architecture insecurity. SCADA devices, database servers, or any "back office" infrastructure that is exposed broadly to the Internet without a genuine business case for anyone and their dog to have direct access to it is a bad idea. It's not about the software, in that case, it's about how the infrastructure is designed to contain it (or not). And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.

  11. Re:Holy shit... on The One Sided Cyber War · · Score: 1

    And I never said "first or only cyberwar." I said that the DDoS attacks were neither the first nor the only thing the Iranians had done. They were well into CNA operations against the US before we hit them with Stuxnet. And I'm not sure which "other two" you mean, since I quoted six separate parts of the original post...

  12. Holy shit... on The One Sided Cyber War · · Score: 5, Interesting

    This is so incredibly wrong that it's astounding to me. A whole series of declarative statements that show a total lack of knowledge, and a total lack of understanding of the background material as well. Let's count them:

    "The first shot was probably the release of Stuxnet sometime during or before 2009."

    No. Cyber warfare did not start with Stuxnet...and common sense bears that out. Nobody can mount a successful and incredibly complex offensive the first time they field troops on the battlefield. Chinese thought leadership on cyber warfare goes back to the early 90s, when they seized upon it as an avenue to even the odds after witnessing our performance during Desert Storm...which, quite simply, made them wet themselves with shock at how effective we were at kinetic warfare.

    "Even though no one has officially claimed responsibility everyone knows who was behind it."

    Um, Obama took responsibility for it. At least read the headlines of what you're talking about? He was even called out for doing so, by others.

    "Stuxnet hit with a bang and did a whole lot of damage to Iran's uranium-enrichment capabilities."

    AWESOME! You FINALLY said something that was factually accurate! Too bad it took three sentences to get there.

    "We followed up Stuxnet with Flame — the Ebola virus of spyware."

    Uh, nope. Flame/Duqu, by all assessments, was actually a predecessor to Stuxnet, and I don't get the "Ebola" reference, since it's a data stealer and not designed to brick systems.

    "What did the Iranians fire back with? A series of massive, on-going and ineffective DDoS attacks on American banks."

    Okay, so first off, this is not the first thing...or the only thing...the Iranians have done. They've been in the cyber business a long, long time and are viewed as one of the big three actors in offensive cyber operations. Second of all, the attacks were not at all "ineffective"; ask any Bank of America customer who uses online banking. The site was down for weeks nonstop. And the banks have gone to the NSA asking for help in fending off the attacks as well.

    "It's fascinating that Iran continues to do nothing more despite the fact that U.S. critical infrastructure currently has the defensive posture of a dog waiting for a belly rub."

    See again, under Iranian cyber operations and how the banks fared during the DDoS attacks. Also keep in mind that the financial industry is at the top of industry sectors, when ranked in terms of cyber security maturity.

    NOW, let me add the total way in which the OP ignores anything related to Russia or China, using only his incredibly faulty understanding of one country to justify his assessment of an entire form of warfare. Forget Red October (Russia, still in play but being shut down), forget Ghost Net (China), forget Aurora (also China), right? Forget what the Russians did in Georgia and Estonia. Forget North Korean actions against South Korea. Yeah...wow, good analysis dude. I bet Fox News would love you.

  13. Re:Ridiculous on Student Expelled From Montreal College For Finding "Sloppy Coding" · · Score: 1

    Yes, but you'll have a bit of a problem when you try to install it on your system, won't you? The software is cognizant of having been there before.

  14. Re:Hilarious on France Proposes a Tax On Personal Information Collection · · Score: 4, Insightful

    I think its a great idea. Corporations think they can collect and use any data they can get their hands on. Anything that'll make them slow down is a good thing.

    I agree that anything that will "slow them down" is a good thing. But here's the problem: this will actually incent them to further monetize the data they collect. What does a corporation do if they invariably collect personal data as part of their normal business operations, with no intent to share it, but then find themselves taxed as a result? Beware the unintended consequences that usually arise when the public sector imposes economic impacts on the private sector in the attempt to control behavior.

  15. Re:Ridiculous on Student Expelled From Montreal College For Finding "Sloppy Coding" · · Score: 1

    Just because he had an Islamic name

    What's "Islamic" about the name? If you said "Arabic", now that would be something else...

    I think you totally miss the point. Bigots don't really double-check their math; that's why there was a rash of Hindus getting assaulted after 9/11. So any name that is based in Arabic or Farsi (or, if the bigot in question has been abroad, Pashtu, Urdu, or any number of languages used in Central Asia) is, by assumption, "Islamic," when you're discussing prejudice against Muslims.

  16. Re:Ridiculous on Student Expelled From Montreal College For Finding "Sloppy Coding" · · Score: 3, Insightful

    Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix, a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.

    Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.

    “This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”

    For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.

    This can't be stated enough.

    First of all, I have to wonder how he found the problem in the first place, if he used Acunetix to follow up later to see if it had been fixed. I doubt he just "stumbled" across it, frankly; when I want to check to see if a flaw has been fixed, I use the same method I used to discover the flaw in the first place. And they allude to this...that it's the second time they've seen him in their logs that way. So I get why they would have their doubts about the purity of his intentions, especially since Acunetix is commercial software that he probably would have pirated, given that the trial version would have expired between the first and second tests. A lot of malicious scanning is done with this tool; I've seen it showing up in the logs of many clients over time. So again, that's another thing to cast doubt on the notion that he was just writing an API and happened to stumble across bad coding. If I look at it from the school's perspective, I can see why they were spooked. And I definitely have to question the way he portrays things as having taken place. You don't run an application security scan against someone's infrastructure without their permission, period. And this is why.

    As for the software company threatening with legal action, that's nothing to do with the university. Yes, vendors go off the deep end over vulnerabilities, especially when they smell blood in the water because the person reporting the vulnerability has unclean hands. But the actions of the university are one thing, and the actions of the vendor are another.
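
The comment above rests on the scanner "showing up in the logs", which is the defender's side of the same story: a scan is noisy, and the university evidently recognised it from its web logs. The following is an added example, not code from the thread, of how that recognition is usually done over a combined-format access log: a name match on the request or User-Agent, plus a behavioural fallback (many distinct paths with mostly 404s inside a short window) for scanners that masquerade as a browser. The log lines are constructed, and the marker strings are assumptions to be checked against a capture of the scanner you actually see.

```python
"""Spot web-vulnerability-scanner traffic in a combined-format access log.

Added example, not code from the thread. Log lines are constructed; the
MARKERS tuple is an assumption, not a product's documented signature.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed markers: tools often leave their name in the User-Agent or in payloads.
MARKERS = ("acunetix", "nikto", "sqlmap")
WINDOW_S, MIN_PATHS, MIN_404_RATIO = 60, 8, 0.5


def parse(line):
    """Parse one log line into a dict, or None if it is not combined format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(lines):
    """Return {client_ip: reason} for clients that look like scanners."""
    per_ip = defaultdict(list)
    verdict = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        blob = (rec["path"] + " " + rec["ua"]).lower()
        hit = next((mk for mk in MARKERS if mk in blob), None)
        if hit and rec["ip"] not in verdict:
            verdict[rec["ip"]] = f"signature '{hit}'"
        per_ip[rec["ip"]].append(rec)
    # Behavioural check: sliding window of WINDOW_S seconds per client.
    for ip, recs in per_ip.items():
        if ip in verdict:
            continue
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_S:
                start += 1
            window = recs[start:end + 1]
            paths = {r["path"] for r in window}
            if len(paths) >= MIN_PATHS:
                ratio_404 = sum(r["status"] == 404 for r in window) / len(window)
                if ratio_404 >= MIN_404_RATIO:
                    verdict[ip] = f"{len(paths)} paths, {ratio_404:.0%} 404 in {WINDOW_S}s"
                    break
    return verdict


def _line(ip, sec, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format line (helper for the sample below)."""
    return (f'{ip} - - [20/Jan/2013:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample: one request carrying a scanner marker, one client
# guessing ten backup filenames in ten seconds, and one ordinary browser.
SAMPLE_LOG = (
    [_line("203.0.113.5", 1, "/index.php?id=1%20AND%20acunetix_test", 200)]
    + [_line("198.51.100.9", s, f"/backup{s}.zip", 404) for s in range(10)]
    + [_line("192.0.2.7", s, "/index.php", 200) for s in range(0, 50, 5)]
)

if __name__ == "__main__":
    for ip, why in classify(SAMPLE_LOG).items():
        print(ip, why)
```

The thresholds are deliberately conservative; on a real site, tune `MIN_PATHS` and `MIN_404_RATIO` against a week of known-good traffic first, and remember that a scan run through a consumer NAT or a corporate proxy will attribute the whole burst to one address that also carries legitimate users.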

  17. Up-front costs? on Former FCC Boss: Data Caps Not About Network Congestion · · Score: 3, Interesting

    Okay, I don't get it. The companies in question are showing record profits...and what he's saying makes it sound like the capital expenditures necessary to have built out the networks in the first place are on some other set of books that don't come into effect. Isn't it the case that companies usually finance capital expenditures, and then pay off the debt over time? Under those circumstances, if the price of connectivity had to stay high in order to pay off that debt, the level of profitability wouldn't be rising the way it is. His argument sounds like bullshit to me.

  18. Turnabout is fair play on Mathematicians Aim To Take Publishers Out of Publishing · · Score: 1

    Hey, if you've been watching the publishing industry lately, it looks like the publishers have been trying to remove simple math from their own industry!

    Ebooks where the majority of publishing-related costs disappear, but where the publishers keep a larger percentage of the revenue from sales and pay authors a smaller percentage...

    Trying to make it so that textbooks are no longer reusable, while attacking the used-book submarket...

    Oh, and this gem...prosecuting someone for reselling the exact same book that was published for sale in another country.

  19. Re:That's right! on Another Java Exploit For Sale · · Score: 1

    You're complaining about Microsoft's patching with regards to IIS 5. IIS 5...which came out with Windows 2000, before they totally revamped their approach to both security and patching. That's like complaining about Ford, "because their cars blow up."

  20. Re:That's right! on Another Java Exploit For Sale · · Score: 4, Insightful

    You haven't noticed how they handle patches and vulnerability management for their database products, have you...

    "This is the Critical Patch Update for , which fixes a whole lot of stuff we aren't going to tell you about. It's nearly a gig in size and changes all kinds of things...but we aren't going to tell you about any of that, either. Good luck deploying this on your mission-critical applications. You can thank us for doing this in 3-month cycles instead of twice a year (like we used to do) later."

  21. Re:Doesn't Oracle have a bug bounty program for Ja on Another Java Exploit For Sale · · Score: 3, Interesting

    Actually, this sounds off to me. $5K for an exploitable Java vulnerability? That's waaaaaay too cheap for the exploit market...white, grey or black. I think this guy is selling a crock of shit, but he knows that the big-money purchasers would be able to tell. So he's offering it for chump change, which is exactly what a chump happens to have on hand to pay.

  22. Prevention vs. cure on CES: Can a Gyroscope Ball Really Cure Wrist Pain? (Video) · · Score: 2

    Background:
    One of the things that OTs (Occupational Therapists...like a physical therapist, but focused exclusively on hands and sometimes feet) will advise to defend against (not cure) carpal tunnel is to strengthen your grip, essentially. What they are really looking for is strengthening of the muscles and tendons that relate to hand motions using more natural (read: non-impactful, unlike typing) activities. I've been using a keyboard for over 30 years (young when I learned how to code), and have started developing carpal tunnel syndrome on several occasions. I'm currently not suffering from CT, nor have I for several years now.

    Short Answer:
    I've used one of these, and it works for strengthening your muscles...REALLY works. It's actually really wild, and you'd never believe how much of a workout it is until you try it.

    Caveat:
    But here's the catch: when you already have CT symptoms, more exercise is not what you need. You first need to recover a bit. It's like having a hurt ankle because you twisted it, due to weak stabilizing muscles...the exercise that will strengthen your muscles will also aggravate the injury. So you have to heal first, and then prevent it from happening again. If your tendons are already pissed off at you, subjecting them to extra exercise (usually on top of everything that has caused this problem to begin with) is not the solution.

  23. Re:Trusted Foundry on US Nuclear Lab Removes Chinese Tech · · Score: 1

    A company like Huawei (founded by former members of the PRA

    People's Riberation Army? :p

    (grin)

    I was hoping someone would catch that :)

  24. Re:Watch your words... on FBI Publishes Top Email Terms Used By Corporate Fraudsters · · Score: 1

    They're not automatic indictments, they're just keywords to narrow things down when, say... you have a tarball of a bazillion emails from WikiLeaks uploaded to some BitTorrent site. (Yes, I mean for you, not the government, to use; it was an example.)

    Oh, right...because when the FBI starts looking at your conversations in particular out of those bazillion emails in the middle of an investigation, there's no way they would ever, *ever* just get carried away and look for a problem where there isn't one...

  25. Re:Another possibility on America's Real Criminal Element: Lead · · Score: 1

    > There's a reason I only drink rain water and grain alcohol, you know.

    You're a hick?

    Wow, someone isn't up on their Kubrick movies.