Slashdot Mirror


User: l0n3s0m3phr34k

l0n3s0m3phr34k's activity in the archive.

Stories: 0 · Comments: 2,172

Comments · 2,172

  1. Outside of a collector's vehicle, what truck that was built in 1979 is worth $80K? Being in Oklahoma, I see trucks that are that old; I also know they get less than 10MPG. My 2000 Jeep Cherokee Sport gets around 20MPG, my girlfriend's Prius can get over 50MPG on the highway. Spending $80K on a vehicle that costs 5X in gas doesn't make any sense to me...

  2. Re:Minority Report on How Science Fiction Imagines Data Storage (hpe.com) · · Score: 1

    My theory is that it's more "security related", as in certain systems are monitored and others aren't on the same scrutiny levels. As his activities were enough to trip up the psychics...

  3. Re:From the Article on How Science Fiction Imagines Data Storage (hpe.com) · · Score: 1

    Not that I'm disagreeing with the advertising critique, but HPE has a pretty decent line of "local storage" called 3Par. They are one of the few DoD approved storage systems on the market.

  4. Re:Caller ID is a joke on AT&T CEO Interrupted By a Robocall During a Live Interview (theverge.com) · · Score: 2

    I only wish I could do this. However, my job required me to be on-call for a week at a time; it would be pretty impossible to program the phone with all the phone numbers of all potentials.

  5. Really, Chernobyl was a "man caused" catastrophe. From its very, er, "unique" design; purposely "disabling of automatic shutdown mechanisms", "peculiarity of the design of the control rods", a STILL UNKNOWN employee initiating an emergency shutdown...it wasn't an accident as in "oops how did that happen" but more of a "what the fuck are you thinking?!?" and completely avoidable.

  6. MOON SPIDERS! on Sealed Cache of Moon Rocks To Be Opened By NASA (nydailynews.com) · · Score: 3, Insightful

    First, I had to double-check my calendar that it isn't April 1st. Then I double-checked NASA's website to make sure Apollo 18 never happened. I also RTFA, just to make sure it says "Apollo 18", and it sure does. Not sure just who to attribute this FAIL to; NYDN or Slashdot.

    NASA better be careful, that bag is probably full of moon spiders.

  7. Re:'severe' on Severe Vulnerabilities Uncovered In Popular Password Managers (zdnet.com) · · Score: 1

    Yes, this is NOT a real vulnerability. Neither CVE nor NIST shows anything for KeePass 2.41; until something shows up here it's "unsubstantiated" aka like an "unpublished peer review".

  8. Re:Yeah but in real life... on Should All Government IT Systems Be Using Open Source Software? (linuxjournal.com) · · Score: 1

    So, open source products never do any updates, change libraries, new dependencies...your install of Debian is forever set in stone and is never updated? You personally vet every new dependency that comes up when you yum update, and go in to and review all 50+ packages' code to make sure it's all compliant with the Application Security and Development Secure Technical Implementation Guide? You can verify that absolutely none of the code violates V-70363? This requirement here is why Open Source isn't widely used in Federal systems, outside of very specific products and applications. If you can't call a toll-free line, open up a real support ticket (NOT just posting to a forum), etc., then it's "Remove or decommission all unsupported software products in the application". Any libraries that use cryptography need to be FIPS compliant, listing their module that can be verified.

    How do you specify a secure baseline for your open-source applications?

  9. Re:Yeah but in real life... on Should All Government IT Systems Be Using Open Source Software? (linuxjournal.com) · · Score: 1

    I'm sorry you've had such horrible support before, sounds like you should have vetted your vendors better. I've had pretty excellent results with real warranties from large companies, including Dell, VMware, HPE, and so forth. I've had VMware rebuild VMs pretty much by hand (we had VMware 6, not 6.5 with more advanced rebuild features), HPE support for blade servers, often they will open up support tickets FIRST when they see potential issues in various subsystems before we have time to go over the logs. Synology is pretty decent too; proactively helping with patching firmware across multiple SANs at multiple locations.

    We can't just "change stuff", we have baseline secure configurations, proper change control, and have to abide by both 800-171 and SOX. My coworkers have a VERY deep understanding of our systems. For us to use most open-source products we would need to test all the dependencies, hire more people to do low-level code reviews, and still it wouldn't be regulatory compliant due to lack of real vendor support. I'm guessing my "corporate world" is probably vastly different than yours; if we have a massive equipment failure...well, I can't say exactly but CENTCOM isn't a customer you want to fail an audit for.

  10. Re: Believe? on Ask Slashdot: Could Nikola Tesla's Wardenclyffe Tower Have Worked? · · Score: 1

    Even then, virtual particles aren't true "free energy". There is the theory of "vacuum collapse", which might happen if one started harvesting these particles. Hawking radiation is another form of virtual particle, but it slowly removes energy from inside the event horizon of a black hole.

  11. Re: Believe? on Ask Slashdot: Could Nikola Tesla's Wardenclyffe Tower Have Worked? · · Score: 1

    Maybe not worship him as some type of God, but there are occult practitioners in Belgrade using his ashes as a ritual component.

  12. Re:One forgotten cost -- suppport on Should All Government IT Systems Be Using Open Source Software? (linuxjournal.com) · · Score: 2

    Every new feature must also be evaluated if it makes baseline configuration changes. The software also needs to be able to have granular controls, and allow IT staff to BLOCK any upgrades that aren't vetted and authorized.

    At my work, we are having to implement AppLocker and other mitigation because one of our core "business critical" applications needs Admin to run. And this is a paid-for application that has been around for many years, with a very deep support structure; but getting them to be 800-171 compliant has been like pulling teeth. We may have to also VLAN off the users who need PUA for this application, and even then on our next audit we may have several "findings" because of this.

  13. Re:Not "Open Source" but "Free Software" on Should All Government IT Systems Be Using Open Source Software? (linuxjournal.com) · · Score: 1

    If the risk assessment shows green, then this stuff would be in the federal enterprise more. When it's for federal purposes, support is one of the most important aspects. And I'm not talking about "jump on Stack Exchange and post a question", but the 3:00AM hypervisor heartbeat failure that by 7:00AM has corrupted several critical VMs. I can pick up the phone, and have an expert team swarm down (virtually), and fix the problem, get the VMs back online, etc. Most government offices don't have large IT staffs with esoteric Docker knowledge and capabilities to troubleshoot the intricacies of such systems.

    How robust are industry-standard baseline configurations? For DoD-ish systems, do DISA STIGs exist for said software? Has it been thoroughly vetted under NIST's various 800 publications? More important, can the end user effectively use open-source desktop software without major training? Can the agency obtain support techs who can also pass background checks?

    For a smallish company, these aren't issues. For large enterprise critical federal systems, this is just the tip of the iceberg. Outside of systems like RHEL, very few open-source products have the required vendor support capabilities that are regulatory mandated. FedRAMP, 800-53, 800-171...is a whole different ballgame.

  14. They don't care about their E3 licensed users either. I'm really "glad" I read this; I've got three freshly-imaged PCs with Windows 7 that are now "not genuine" and won't properly validate against our valid KMS server. I've got several that haven't been turned on in a while; I'll have to check them tomorrow and see what they do...but I have a bad feeling. SLMGR /ato just says they are in the "notification stage", and slui won't do anything except "go online to validate", and the URL it goes to at Microsoft is 404.

  15. Re:Linkedin is a scammers haven on Ask Slashdot: Is LinkedIn Still Relevant? · · Score: 2

    Yeah, that's why I use a GVoice number on it, and never post any real phone numbers anywhere. Since I own my own domain, I also have several email addresses like "linkedin@", "jobs@", "monster@", so I can easily filter out / ignore all the spam. I also have my own "internal database" of recruiters; and I try to work only with LOCAL people that have physical offices in my city. I honestly believe that many of the calls like you have "outlines" are also Infosys/Tata/Wipro style companies just trying to check off "I tried to source this to a US Citizen" so they can move on to an H1B or such. As much as I hate to admit it, this is one of the VERY FEW areas I agree with Trump's stated policies...I've found many "companies" even in my own state swapping out entire "local staff" for H1B people they can keep on a short leash and pay half as much while still charging MORE than what the now unemployed locals were making.

  16. Re:Relevant maybe not on Ask Slashdot: Is LinkedIn Still Relevant? · · Score: 1

    At my current job, doing security, I make it a point to tell people I actively do NOT use Facebook, I don't ever go there while at work, and rarely use it at home. If anyone really keeps bringing it up, I sometimes even will show them specific TLP:WHITE bulletins from US CERT that involve Facebook; then they start to understand.

  17. Re:Yes and no on Ask Slashdot: Is LinkedIn Still Relevant? · · Score: 1

    I've found many of the phone interviews become video chat interviews; I've set up small hooks in the ceiling behind me so I can hang a white sheet, wear a suit and tie, etc. Keeping it quiet and on-point is VERY important; especially if the job you're trying for will involve talking to customers on the phone. Lock up any pets so they're not making noises, make sure anyone else living there knows what's going on so they don't interrupt.

    I actually have three different resumes. One is a single page, with a few tables. One job per line, split into "full-time" and "short-term contracts", a high-level overview of my skills and education. I then have a "federal resume" that has pretty much everything I've ever done on it for my whole life with as exact dates as I can get; this is super-useful for places that do more intensive backgrounds (like government contracts, DoD, etc) who want you to list your unemployed time ranges too (I don't know why, but they do). I then have a "portfolio" version, in a nice binder, that is almost like a "marketing brochure" for me. It has a detailed list of various technologies (down to differentiations like "Active Directory DNS - forwarding zones, reverse lookups, CNAME, AAA") split up into Software by OS, areas of expertise, versions of operating systems, specific types of hardware, and what I've done on said hardware. Listing soft skills, using jargon like ITIL and ITSM, and I also include printouts of my endorsements, references, recommendations, a few well-formatted instructionals (relevant to the positions I'm seeking, of course), and even have pictures of network racks and equipment I've done. It ends up being about 10-15 pages; since I've started using them I've found that I might need a total of 5-10 of them to give out before I land a position.

  18. It all depends... on Ask Slashdot: Is LinkedIn Still Relevant? · · Score: 1

    On your physical job market, who your connections are in LinkedIn...and, I think more importantly, what you actually DO with the page. I found that getting a few actual "Recommendations" or whatever they are called from real people helps quite a bit. Plus, I put up a few pages on it linking back to specific projects I was working on. I also have a website (running mediawiki) that I post how-to instructionals on for various projects, server installs, command line references, etc. It's info I use all the time, some are step-by-step install instructions, some of it is just useful command-line switches, or links to other sites. But when I was job hunting, being able to point to that site and say "I wrote all of this myself, from real-world deployments" was incredibly useful. Plus it's really useful to reference for myself; like I'll copy n paste sets of Cisco commands up to it so I can easily reference them later, or note some more esoteric procedures that show I can handle odd tasks stripping out AppX bloatware from Windows 10.

    I keep my LinkedIn trimmed too; when I move to a new company I add new people as I meet them and I remove many people when I leave. But, I always keep the recruiters I work with up there. These are local recruiters I know in real life, people I have worked with and actually trust to find me (or other people I know who are looking) work...I have found working with non-local recruiters to be a non-viable path. Sometimes when I get a call from a non-local I will call my locals who I know might have a contact and ask them instead. I'm not trying to "get them more business", but I've found the local people actually follow up, are more reachable, and will try harder since I'm a "real person" to them as opposed to a file.

  19. Re:Settlements just tick me off on The Lies Comcast Allegedly Told Customers To Hide Full Cost of Service (arstechnica.com) · · Score: 2

    At least it's better than "forced arbitration" by a company that the giant corp gets to pick for you! You know, like being eaten alive by a bear is better than being killed by a pack of dachshunds... because you die far quicker via the bear. Either way you're still dead though.

  20. When I worked at AT&T (old Cingular) as a CSR on The Lies Comcast Allegedly Told Customers To Hide Full Cost of Service (arstechnica.com) · · Score: 2

    We were repeatedly told NOT to say anything like this, except for specific fees that AT&T was allowed to do this with. Very few are "mandated" to be charged back, but the feds do allow ones like "Universal Service Fund" to be passed along. Like, AT&T doesn't HAVE to, but they CAN; so they do. We had certain items they said are "required" like data for a "smart phone", although technically this isn't true but in practicality "average joe" customer would flip out once they got the first data bill "by the KB/MB", and the phone loses quite a bit of functionality keeping it all wifi only or whatever. But we had to make it VERY CLEAR that this was a "technical and contractual requirement of your phone".

    People got fired very quickly if they tried anything like this; even the CWA union would say "you're an idiot, goodbye" and not help you out. AT&T has a very nice "knowledge base" called "MyCSP" that pretty much has everything you ever need to say on any support call. Oddly enough, compared to other companies' knowledge repositories and "how to documentation", MyCSP was one of the best I'd ever seen...and I've done tier 1 support for huge clients at HPE, IBM, MCI, and dozens of non-500 firms. HPSM (Hewlett Packard Service Mangler) made my soul bleed and cry myself to an alcohol-induced coma at night; its "java-based fake web page" front end is the stuff of nightmares.

  21. TOO MANY SECRETS. Quantum computing will be code-breaking box off Sneakers.

  22. Re:space computing on Amazon Is Launching Pay-As-You-Go Cloud Computing In Space (technologyreview.com) · · Score: 2

    Cisco actually has a Visio icon for their Space Router. PACKETS!!! IN SPAAAAAACE!!

  23. The main use of "pay-as-you-go" hosting on Amazon Is Launching Pay-As-You-Go Cloud Computing In Space (technologyreview.com) · · Score: 1

    Seems to be criminals who load up pre-made images of scanning / cracking distros; they run them for a while then the instance disappears. I bet that a huge amount of these are also paid using someone else's stolen accounts. When I look at my firewall logs, many are from Azure, AWS, etc and the host no longer even exists.

  24. GM stock went up 5% after announcing the layoffs.

  25. Re:Jaywalking ? on AI Mistakes Ad On a Bus For an Actual CEO, Then Publicly Shames Them For 'Jaywalking' (scmp.com) · · Score: 3, Informative

    Watch this short YouTube video of Adam Ruins Everything. TL;DW: car manufacturers made up "jaywalking" to clear the streets in the US of pedestrians and remove liability.

    At least in China they aren't using drones to hunt down "criminal street users" yet. YET.