Slashdot Mirror


User: Shoten

Shoten's activity in the archive.

Stories: 0
Comments: 1,461

Comments · 1,461

  1. I feel bad for Australians. on Google Scares Aussie Banks · · Score: 1

    I gotta say, if Australian banks are LESS responsive than PayPal...holy crap. I'd rather keep my money stashed up a crocodile's butt than give it to PayPal. It'd certainly be easier to get at.

  2. Off-color jokes... on The Bomb Squad Olympiad Starts Today · · Score: 1

    The opportunities just defy belief...

      - It's in South Carolina (A redneck's last words? "Hey, y'all...watch this!")
      - It involves explosives (ibid.)
      - It's being held at a HIGH SCHOOL, for God's sake. What about a high school is the best place to hold EOD activities, even simulated ones?

  3. He's right... on Conroy Still Hell-Bent On Internet Filter · · Score: 1

    It's not about censorship at all. And, in related news, book burning isn't, either...it's about saving fuel via efficiencies of scale when raising large quantities of individual objects made of layered cellulose to temperatures above 451 degrees Fahrenheit.

  4. Re:Also violates state laws on Steve Jobs Tries To Sneak Shurikens On a Plane · · Score: 1

    Yeah, but so is jaywalking. I don't think anyone really cares if Steve Jobs has throwing stars.

  5. iNinja Commercial... on Steve Jobs Tries To Sneak Shurikens On a Plane · · Score: 1

    I can imagine two such commercials in my mind.

    One, a black screen, and music playing...but then, one by one, the instruments in the band stop playing, each cessation accompanied by the sound of a blade moving through the air.

    Two..."Hi, I'm a PC...AIEEEE!"

  6. Isn't anyone wondering... on PayPal Withholding Indie Game Dev's €600,000 Account · · Score: 1

    ...how a game in the alpha stage by an independent developer that a lot of us haven't heard of before has managed to make close to a million dollars in such an incredibly short amount of time? Don't get me wrong; I have had my share of headaches with PayPal, and I definitely agree that they suck ass on an epic level. But something about this seems a little odd to me. His account was suspended just a couple of weeks ago, and there's now 600,000 euros in it, which means that (at the exchange rate at the time when I'm typing this) he's got 763,800 USD in there now. So either he was using his PayPal account as a bank and just letting the money sit over a period of time (which doesn't seem likely...who the hell lets that much cash just sit in an account without spending or investing it?) or most of it came in within a span of about 2-3 weeks. An indie game, in alpha, pulling in $250K a week in sales? Really?

  7. Words of support on Persistent Home Videoconferencing Solution? · · Score: 4, Insightful

    I'll be honest; I don't know the solution to your problem. But I've been reading the replies, and between people giving you career advice (without any concept of what your job is, how much you love it, how hard it may be to change it, etc.), disregarding the flamingly, ass-poundingly obvious (normal IM won't work because you have to be close to the laptop, it times out on its own, etc.), or simply telling you that what you're asking about is creepy, I can see you have your work cut out for you.

    Hang in there, man...and remember, this very thing that you are doing, this clear and persistent description and communication of a need, is what drives innovation in the IT and consumer electronics industries. Go for it, and keep it up until you get what you want!

  8. Re:If they were competent, they wouldn't be doing on Measuring LAMP Competency? · · Score: 1

    Right...because nobody puts out web applications, right? Everything is client-server, with specialized pieces of software that have to be installed on every endpoint. It's not like mail, CRM, or even the configuration interfaces of network devices have any kind of web-driven front-end...although, even if they did, I'm sure the code needed for that functionality would write itself.

  9. The Brick test on Measuring LAMP Competency? · · Score: 1

    Ask them if they truly love LAMP or if they're just saying that.

  10. Fine with me on Security Vulnerability Bingo · · Score: 1

    Sure, it's fine if they stop patching their systems. Just so long as they keep patching the systems that belong to their employers before they decide to screw around.

  11. Too much World of Warcraft on Quantum Dots Could Double Solar Energy Efficiency · · Score: 1

    It must be time for me to cut back on my WoW. All I could think of when I saw the headline, was "MORE DOTS! MORE DOTS!"

  12. Gratitude on Bangladesh Blocks Facebook Over Muhammad Cartoons · · Score: 1

    No doubt Allah will show his gratitude to the people of Bangladesh this summer, as monsoon/tropical storm/hurricane season arrives.

  13. Honor among thieves on Online Services Let Virus Writers Check Their Work · · Score: 4, Interesting

    It would seem to me that, since most malware writers are essentially in competition with each other (as can be seen by past examples of malware that removes other, competing forms) that using a service like this would be against the best wishes of the attacker. I can only imagine that anyone who would provide a service like this would also be diversified enough to have their own stable of malware, and would gain value from having a copy of everything that gets submitted to them.

  14. Berlusconi Dangerously? on After Berlusconi Attack, Italy Considers Web Censorship · · Score: 1

    After seeing the words "Minister Robert Maroni," all I can picture in my mind is a man with dark eyebrows seeing the Facebook page and then ranting about "iceholes" and "fargin' bastiges."

  15. Context and background on How Vulnerable Is Our Power Grid? · · Score: 1

    At the moment, there's a power struggle around Cyber Security in the Federal government. The consolidation of cyber warfare capability at the NSA is one aspect of that; the other is the desire by the NSA to get control over domestic cyber security as well, which officially (if ineffectively) resides with the DHS at the moment. As a result, there's a blitz of activity, largely headed up with McConnell, towards that end. I saw him speak at the NDIA Cyber Security Symposium in San Diego a couple of weeks ago, and directly asked him (after he gave a long talk saying nothing was being done about the security of the power grid...which is entirely false, as I'll describe below) about his observations related to the regulatory actions being driven by NERC.

    So, let me explain that. NERC stands for the "North American Electricity Reliability Corporation." It is a cross-national organization responsible for making sure the lights stay on, basically. It regulates a wide variety of things, including the operation of Balancing Authorities, but the most important thing it does with regard to this news item is mandate IT security controls and measures for what are known as "Critical Assets." In other words, it works a little bit like PCI, but for the power grid. The requirements are known as Critical Infrastructure Protection standards, or "CIP Standards," and there are 9 of them. The penalties for failing to meet these standards are enormous; the standard fine is $10,000 per day per violation, and the max fine is $1 million dollars, USD, per day.

    With fines like these, power companies are scrambling to meet these standards, obviously. I've been involved in efforts at several companies throughout the United States, at places where the efforts are of varying maturity and scale. But I have seen first hand that there is a LOT of activity around NERC, and even more pressure being put down on the utilities from NERC. Many companies have taken advantage of a loophole to state that they have no Critical Assets, but that loophole is being closed, and the CEO of NERC has issued a letter to the industry, basically calling the guilty parties out on their abuse of it. Meanwhile, I've seen many major power companies spending millions in the last year alone, working hard to get things in order.

    So, it was astonishing to me to hear former DNI McConnell state that NERC wasn't doing anything except blocking when FERC (which is a U.S.-only regulatory body) wanted to make things more secure. Especially since FERC helped create NERC, and eagerly handed over authority to them, so that there'd be regulatory authority across borders. (The power grid's interdependencies know no national boundaries; when the lights went out in 2003, it took down both parts of the US and Canadian grid, together.) I didn't want to argue with the man; the audience was made up of a lot of potential customers, and so that wouldn't exactly have been a winning strategy in terms of the larger picture. But either he was full of shit, or he thought I was talking about the NRC (Nuclear Regulatory Council) when I pronounced 'NERC'.

    And then comes 60 Minutes...and there he is, saying things along similar lines. We're super-vulnerable...nothing is being done...hackers did this...hackers can do that. And it's just making me crazy, because there are a lot of people working very hard at this. There's a lot to do, don't get me wrong; most power infrastructure is in need of an IT overhaul. But it's also highly segmented, often airgapped, and the work has begun to secure all of it.

  16. Bloody DUH on Microsoft COFEE Leaked · · Score: 4, Insightful

    Well, of course it's useless to most of them...but that has nothing to do with whether or not COFEE is any good. Let's face it; how many casual downloaders are going to need a forensics toolkit? They already have access to all of their own files, and already know what they've been doing with their system. And COFEE is not meant to be a "point and shoot" system; it's really meant for professionals that know what they're looking for to some degree. So getting a copy and using it doesn't instantly give you some insight into how computer forensics work.

  17. Re:Hybrid car on $529M Gov't Loan To Develop $89,000 Hybrid Sports Car · · Score: 5, Insightful

    I agree; look at any commodity...in this case, let's say the home computer...and then look backwards in history. Early on, the progeny of such items were expensive, and there's a reason for that. It takes a hell of a lot of money to solve the early challenges, and only after they get solved do issues of producing something more cheaply get worked out. In addition to that, if you look at normal automotive development, you'll see that a lot of the R&D actually takes place in the F1 circuit. Talk about expensive, but it's what gave us a lot of the features we now have for ordinary cars, like ABS. But even then, it was only the most expensive cars that got those features first, before it became cheaper and cheaper. At this point, every Chevrolet made has ABS, and it's been like that for years.

  18. Wolves in sheep's clothing on Chinese Censor-Beating Software Resembles Malware, But Isn't · · Score: 2, Interesting

    Steve Topletz and Jonathan Logan gave a fascinating talk at the BlackHat Briefings this past July, where among other things they discussed how one Chinese tactic in dealing with privacy groups is to set up their own organizations...a darker kind of astroturfing, if you will...that compete against legitimate privacy-focused groups. They also detailed their analysis of UltraSurf, which revealed some fairly horrifying things. For one, it's not just the code itself that historically has been trojan-esque in nature, but the behavior as well. Once they fired it up, it started probing a multitude of networks, all belonging to either Western governments, the financial sector, or the military. Also, it demonstrated that it was listening in within SSL sessions, as demonstrated by its behavior when browsing within SSL would return an error page (even a custom one, that wouldn't be of the normal size expected for a 404 response, for example). So, I'm not too likely to believe a guy just because he works for NASA; NASA is not an organization that was founded to provide bona fides for security researchers, so it really doesn't add any mantle of credibility for this topic.

  19. Here we go again... on Infrared Fibers Can Protect Against Chemoterrorism · · Score: 1

    The whole "Bad Stuff in the water supply" bit. The problem with every scenario that I've ever seen for poisoning the water supply was that the sheer volume of toxin that would be needed to bring the concentration to anything near a harmful amount is always just plain enormous. Even if you used strychnine, you'd need to pull up to the reservoir with multiple tanker trucks and start dumpin'. You don't need fiber optics and infrared light to see guys dumping thousands of gallons of something into a large lake.

  20. Clarification on How To Prevent Being Hacked Via Backups? · · Score: 1

    Okay, let's sort something out here. They didn't get hacked by "backups," which would imply that somehow the backups themselves got trojaned or modified to cause compromise. They got hacked normally; the backup servers were just the means by which this took place. This is nothing new or exotic, since backup software is software like any other, and prone to vulnerability. In fact, there have been a lot of issues found with software from many vendors. Unfortunately, companies rarely patch their backup systems, and so these vulnerabilities tend to stick around a while.

    What makes it all worse is the fact that backup servers have access to read just about everything as a matter of necessity. After all, if they can't access the whole filesystem, they can't back it up. So you have the combination of durable vulnerabilities with a system that pretty much has the keys to the kingdom.

    Oh, and earlier suggestions related to offsite backup storage? Irrelevant.

  21. Is one of those chemicals... on Chemical Pollution Is Destroying Masculinity · · Score: 5, Funny

    ...named Oprah?

  22. Screw them. on World Bank Under Cybersiege In "Unprecedented Crisis" · · Score: 1

    They approached the company I work for quite some time ago, looking for help to get things under control. They have networks in ~100 different countries, mind you, and wanted absolutes: all vulnerabilities found, all problems fixed, all breaches found and cleaned up. They provided almost no details of their environment, were not open to answering questions, and gave a ridiculously short timeline to scope it all out. And the maximum allowed timeline for this insane uber-project? Six weeks. They need to grow the fuck up and treat IT security as a business function that can protect them, not as whipping boys that they grudgingly acknowledge now that they've been smacked around by bad people. In the meanwhile, they deserve the news coverage...better that they serve as an example to others of what not to do.

  23. Next breakthrough... on Software Spots Spin In Political Speeches · · Score: 2, Insightful

    "Software spots water in ocean!"

    I mean, COME ON...couldn't they have tried for detecting something that at least just might be absent in the content they're testing? How about spin in the news, for example? Oh, wait...uh...

  24. Ethics vs. results? on Terror Watchlist "Crippled By Technical Flaws" · · Score: 2, Interesting

    So, the question that comes to mind for me is this: what if I were a database architecture guru who had been asked to build this system (or its replacement)? At first, my thought is that I'd refuse on grounds of my opposition to the whole thing...but now I'm suddenly wondering if some of the better options did just that, and then it got designed and built by the knob who would take the job. Unlikely, sure, but it's something that I've never thought about before. Is the ethical cost of not doing something like this (that's going to get done anyways one way or another) when you're the right guy for the job potentially higher than the ethical cost of doing it?

  25. Re:Petard, meet hoist. on Google Trends vs. Community Standards On Obscenity · · Score: 2, Insightful

    First off, let me say that I admire your stance on not posting as Anonymous Coward. I wish more people would associate themselves with their views when they know that they're saying something that will be unpopular.

    Okay...I'm not sure where sexual acts have been demeaned for 60+ years. Depending on the threshold for "demean," it's either been 10+ years or 3500+ years (when you consider that the "+" is not like a price bid on "The Price is Right," so that you've got the best guess as long as you don't go over the real number). If you're referring to the prevalence of pornography on the Internet, and the explosion of variety that can be found there, then I'd go with the lower number. If you're talking about pornography in general, including group sex, homosexual acts or even acts with humans and animals together, then I'd go with the latter. There are depictions of sexual acts going back to ancient Chinese dynasties and even before that would certainly be considered more extreme than what is being put forth on trial here.

    The real question in my mind is this: if civilizations have been depicting sexual activity for thousands of years, then what's the problem? Last I saw, every aspect of mankind has managed to advance during that time...what's the problem that some people are claiming exists?