Farhad completely misses the opportunity. He sees only two worlds...a world where Google completely tries to change the whole paradigm of how cable service is provisioned and delivered, or just selling off the set-top division of Motorola Mobility. I agree with him that for Google to attempt to make the cable companies let people buy their own boxes is madness. I also think, however, that Google realizes this. Not only is there the history of the CableCard, but also the problems with support, the fact that cable companies would need to come up with a way to provision boxes not under their direct control, and so on. Competitors to Motorola in the space would have Google's lunch; Motorola's division is a major player, but if the cable companies no longer wish to buy their products or support them, that will disappear instantly.
What is possible, however, is for Google to infuse their expertise into the box. To improve the user experience, to potentially make the boxes more interactive by leveraging Android as a set-top OS, to make them more green so that they not only use less power, but don't heat up the inside of our entertainment centers so damned much. Farhad starts out describing a plethora of shortcomings these devices have, but then fails to make the leap of realizing just how easy it would be to fix almost all of them, without having to replumb an entire industry. And even more to the point...if Google can make a much better cable box, they will get even more market share in the space.
"And that's pretty high margin." ...and also, the very definition of something that will eventually lose out to cheaper, lower-margin outlets, unless it maintains some niche specialization. And last I saw, cable companies weren't really "pushing the envelope" on porn.
(Which I think I'm grateful for...some of the descriptions of what's on kind of blow my mind. One channel used to draw my interest just for reading the descriptions. You could tell that the poor soul who was writing the synopses had kind of given up on life...it was hilarious. A movie had the phrase "frankly, defies explanation" in its summary.)
"The water, equivalent to 140 trillion times all the water in the world's ocean, surrounds a huge, feeding black hole"
Sounds like the business model of the movie "Waterworld," if you ask me...
NIAP certification and DoD testing are not at all required; the vast majority of IT products in use by the government lack these tests. The term for what you described is Common Criteria certification, which is expensive and cumbersome for a vendor to undergo (and only relates to a specific version of a product as well). Also, while you got it right that a FIPS 140-2 certification only applies to a cryptographic module or modules, you also miss that the majority of products that are FIPS 140-2 certified use the modules of another company; the most commonly used one is put out by RSA. In this case, though, Blackberry wrote their own, and it's on the list.
The important thing about FIPS 140-2 to remember is that only cryptographic modules are certified; if a product does not natively perform encryption in the first place, it's impossible for it to be FIPS 140-2 compliant...but it's also impossible for it to be noncompliant as well.
"Last year, State Police obtained 100 arrest warrants for fraudulent identity, and 1,860 licenses were revoked as a result of the software, according to Procopio."
Okay, so that sounds to me like a 94.7% error rate among the positives. Unless they just kind of said, to over a thousand people with fraudulent licenses, "Oh, that's okay...just stop doing it, and we'll let it slide"?
Suicide by cop is almost always done without an effective (as in real, or loaded) weapon. And more to the point, people who choose that route get the cops to shoot them, rather than shooting themselves; that's the whole point of it. So this is a little more of a case of really bad project planning and failing to do one's requirements analysis up front.
Why do people ask "is this technology ethical"? Ethics is about application of choice; the technology itself is not inherently good or evil. One example of a nudging technology is the fact that the operating handle for a garbage truck's compactor is nowhere near the rear opening of the compactor; this actually arose from a lawsuit where a man lost part of his foot because he stood on the back while operating the compactor. As a result now, it's a lot easier to operate garbage trucks safely than in a dangerous manner. I don't see any way to argue that this is unethical, even though it's a nudging technology. But what about technologies intended to drive sales and control purchasing choices by consumers? That seems like a much different question, and I'm not so sure you could say across the board that it's ethical. It's not about the technology, it's about the use.
"It's very persistent and it keeps evolving," the official said. "You're constantly seeing new, better versions of it. So it's a challenge to keep ahead of it."
That's not an old worm. That's new worms based on an old worm. And let's face it; this is the activity of a foreign nation, using highly sophisticated methods including, invariably, human agents who are willing to deliberately introduce the malware into military computing environments. It's not the standard "PREEZE CRICKY HERE!!!!" attacks that are behind this. Why is it surprising that there's an effect? Just as bullets and IEDs cause casualties, cyber attacks cause effects. It's how war works. Don't fall into the ridiculous frame of mind of imagining a world where the enemy cannot reach out and harm you, even in a cyber realm...it's never been that way with any form of warfare, and never will be. There's always going to be a newer sword, a sharper arrow, a bigger gun.
So, when it comes to Slashdot entries related to patents, I see three categories:
1. Patent applications for new interfaces for things like iPhones, where the patent app gives us insight into what a company is working on,
2. Following the actions and behavior of patent trolls,
3. Reporting on (and usually condemning) the way that corporations patent everything they possibly can.
Now, I'm not a fan of the behavior represented in category 3, but you'd think that there'd be a bit more understanding of how it's an inevitable consequence of the behavior in category 2. As for category 1...that's awesome, I dig it. :) But can we get in tune with the reality that organizations *have* to patent the hell out of everything, if only to protect themselves against some dickhead patenting it himself and trying to extort them?
This is the IMF. What's a foreign government, in that context...Martians?
OMG, fucking DUH! A television network producing TV commercials! Producing PSAs is media production. [sarcasm]What a goddamn shock that is. "Oh, why doesn't DHS just use a camcorder and do it in an office?"[/sarcasm] This is how PSAs get made, people. What's the problem? It's not like DHS doesn't direct the content.
You know that just about none of this information is at all helpful or relevant, right? It's a hosted solution; he has no control over any of this. Furthermore, he's asking about database security from the perspective of the hosting provider; 'sanitize all input' isn't something they can do for him. And finally, if your PHP hardening advice consists of "Turn register globals off in PHP. Use safe mode," I really have to wonder if you are just quoting something you heard in a seminar once during your 3-year stint as a web developer...oy.
So, from what I saw, you're asking about the security of the MySQL backend, which is the place where the hosting provider has the most control and you have the least. All the talk about hardening standards that you should read up on is rubbish; you don't get to harden the systems, they're already as hard as they will ever be (whether hard or not) because of the way the hosting provider has provisioned the system. So what you're really into is a situation where you need to know how to spot a secure architecture and good standards, and then get them to show you their architecture and provisioning standards so you can see for yourself how solid they are.
All the talk about PHP hardening, pen-testing, etc. is fine, but the main concern I would have is about what happens if someone gets to their backend database(s) via someone else's insecure website...because that website exists today among their customers, has been there already, and will continue to be there in the future. What protections are there to ensure that an attacker who gets through to the database backend of "Insecure Website Inc." won't also be able to leverage their way laterally to your backend? This is as much an architectural design question as a security hardening standards question; both come into play. I'd look for things like reuse of passwords (if they provision every MySQL database separately, are there any credentials that are common to all of them?) and ways they make sure that getting control of the database won't result in gaining access to the things like the underlying operating system or provisioning infrastructure.
Oh, another thing...the security guidelines that a lot of people are bandying about in earlier responses aren't necessarily enough. There are a whole set of other concerns for a multitenant environment, as found in a hosting center...so make sure that whatever you work with contains that bit of awareness. They'll call it out explicitly, if they cover it.
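As an added illustration (not from the original thread or the hosting provider), here is what the two concerns above look like in a MySQL provisioning standard: a weak shared-account pattern beside a per-tenant least-privilege pattern, followed by queries a provider could run to show whether they actually follow it. Tenant names, subnets and passwords are constructed placeholders, and the `authentication_string` column assumes MySQL 5.7 or later (older releases call it `Password`).

```sql
-- Added example, not the provider's real provisioning script.
-- Concern 1: credentials shared across tenant databases.
-- Concern 2: a compromised database reaching the OS or provisioning layer.

-- WEAK: one shared application account with global rights for every tenant.
-- A breach of "Insecure Website Inc." hands the attacker every other tenant,
-- plus FILE (server-side filesystem reads/writes) and SUPER.
CREATE USER 'webapp'@'%' IDENTIFIED BY 'PLACEHOLDER_SHARED_PW';
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- BETTER: one account per tenant, accepted only from that tenant's web tier
-- (constructed subnets), holding only the data privileges the app needs.
CREATE DATABASE tenant_a;
CREATE DATABASE tenant_b;
CREATE USER 'tenant_a'@'10.0.1.0/255.255.255.0' IDENTIFIED BY 'PLACEHOLDER_PW_A';
CREATE USER 'tenant_b'@'10.0.2.0/255.255.255.0' IDENTIFIED BY 'PLACEHOLDER_PW_B';
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_a.* TO 'tenant_a'@'10.0.1.0/255.255.255.0';
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_b.* TO 'tenant_b'@'10.0.2.0/255.255.255.0';
-- No FILE, SUPER, PROCESS or global grants: a fully compromised tenant_a
-- still cannot read tenant_b or touch the server's filesystem via MySQL.

-- Audit queries (need read access to the mysql schema; ask the provider to
-- run them and show the output if they will not hand that access over).

-- Accounts holding global privileges, i.e. rights over every tenant database
-- (Select_priv in mysql.user is the *global* select, not a per-schema grant).
SELECT user, host, Select_priv, File_priv, Super_priv, Process_priv
FROM mysql.user
WHERE Select_priv = 'Y' OR File_priv = 'Y' OR Super_priv = 'Y' OR Process_priv = 'Y';

-- Accounts accepted from any host at all.
SELECT user, host FROM mysql.user WHERE host = '%';

-- Distinct accounts sharing the same password hash: the credential reuse
-- that lets a breach of one tenant log in as another.
SELECT authentication_string,
       COUNT(*) AS accounts,
       GROUP_CONCAT(CONCAT(user, '@', host)) AS who
FROM mysql.user
WHERE authentication_string <> ''
GROUP BY authentication_string
HAVING COUNT(*) > 1;

-- secure_file_priv limits where LOAD DATA / SELECT ... INTO OUTFILE may reach
-- even for accounts that do hold FILE; NULL means those paths are disabled.
SHOW VARIABLES LIKE 'secure_file_priv';
```

Empty result sets from the three audit queries, and a NULL or tightly scoped `secure_file_priv`, are what a solid multitenant provisioning standard should produce.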
One big thing has happened since 2007: Windows has started shipping with the Windows Firewall turned on by default and blocking inbound requests. Since network-spreading worms were the primary contagion factor back in 2007, this made a huge impact all by itself. Also, the growing prevalence of dynamic NAT in households (usually from the wireless routers that everyone has these days) also contributes to this.
Don't worry...soon, Steve will reveal that Einhorn is Finkle.
Holy crap...the most batshit-crazy theory yet to explain Roswell, and it doesn't even point to a conspiracy by our own government, or a shadow organization? Who would have thought?
So, in other words, at the rate we're going investigative journalism is going to look much like Trade chat in World of Warcraft? That's hardly news...
If the original claim was dismissed "without prejudice," that doesn't preclude Righthaven from starting it all over again. If that's what has happened, then what they're doing isn't defiance of the court as much as trying to buy their way out of a bluff, proverbially speaking. Granted, it's not too likely that they'll succeed, but the idea of asking for all the "offending" infrastructure along with the domain name is to put a Sword of Damocles over the heads of the defendants so that if they lose, they'll lose everything.
The real headache of integrating a system so that it can control home entertainment systems is the tremendous number of systems with which one must integrate...and the ongoing maintenance of that integration. Every new Blu-ray player, TV set, cable box, etc. means at the very least a sanity check on remote settings and at the very most a whole effort around producing a set of new commands. Multiply that by every vendor of note, and then add the update feature. Even Logitech had to buy another company to get this right; it's a HUGE pain in the ass.
Once upon a time, I was a bicycle messenger for a while. It was a fascinating job, but even all that time ago, the industry (profession?) was clearly at the start of its twilight days. This was before the advent of commercial Internet use, mind you...the fax machine was already taking a toll. Now, there are almost no bike messengers at all...electronic transactions, signatures, filing of information, email, etc. have all supplanted the need to move physical documents at high speed and high cost. Never mind the fact (as stated above, at length) that all those documents needed to be printed on paper, which in turn caused emissions, the paper made from wood pulp (again, more carbon), or the cutting down of the trees (more carbon, and some loss of carbon-absorbing plant life). Just think about the bicycle messengers, and even more importantly, the car messengers (of which there were just as many, they just don't stand out in traffic). And then, compare that to a posting on a web site, an electronic filing, or an email. Really?
Greenpeace, if you love the earth so much...why not actually act like you're FROM here? Jeez...
Jet Propulsion Laboratories has come out with a 3D camera, for brain surgery (developed in conjunction with a brain surgeon). It's not as small as this, but it's the size of a coffee bean. The constraint was 4mm; that's the largest passage they can make in a brain without causing serious harm.
Hey, Pope Barnhard...Bernard...Fernan...whatever. Dude, come over here for a minute.
Okay, yeah, that's better.
Alright...so I have some helpful advice for you here, when it comes to how to get people's attention and how to get them to get behind you on a cause like this.
You listening?
STOP PROTECTING THE PRIESTS THAT FUCK LITTLE BOYS, YOU DUMB FUCK!!!! NOBODY GIVES A SHIT ABOUT YOUR BELIEFS THAT THE INTERNET IS BOOSTING SALES AT HOT TOPIC UNTIL YOU GUYS STOP RAPING LITTLE BOYS!
...Google "Comcast bittorrent throttling." LOL, n00b.
With the increase in population and vice, there are so many people walking around that it's hard for a single homesteader to protect their land and family all by themselves these days. It used to be that when someone walked onto your property you could see them coming from a mile away, and you could get a pretty good idea of what they was a-hankerin' to do by the way they looked and what they had with'em. These days, in Silver Gulch, with every kind of person around, and so many people walkin' about, it just doesn't do to have everyone have to look after their own. Which is why we need a sheriff, to keep law and order! The only way to keep the miscreants from overrunnin' the town is for the good, law-abidin' citizens to work together!...same thing, different century, essentially.
Implementing HTTPS isn't quite as simple as just turning something on and walking away. For larger web-based infrastructure, the best practice involves use of SSL terminators to maintain performance at scale; the encryption load of doing SSL or TLS at the actual web server itself is a Very Bad Idea when you're handling a lot of traffic. But those devices are not cheap, and there's a substantial amount of effort in both architecting them into an environment and keeping them running well; it's like any other IT infrastructure, in that it adds cost and complexity. In some cases, other aspects of the environment would have to grow as well...if the IDS and/or IPS sensors, for example, wouldn't see traffic in that section that is 'in the clear' between the web servers and the SSL accelerators, the organization would have to decide between purchasing more of these (much more expensive) security devices and giving up visibility into attacks over what is likely their highest-risk bit of attack surface. For smaller sites, the complexity is lower but cost is a more significant factor, as is (for much smaller sites) the challenge and uncertainty of maintaining certificates. And for what? For most sites I can think of, I would be hard-pressed to make a business case in support of ubiquitous SSL...why should the New York Times spend so much just to make sure someone else can't see what news I'm reading? Even if they sniff my account credentials off the wire, what harm could really be done with it that would justify the expense?
Simply put, it's not free, and in most cases, the cost of security would be greater than the cost of the risk being mitigated.