If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not?
How would he if he had? Anti-virus software is designed to appear successful: when it finds something, it will post big messages to your screen regardless of the real danger. If it doesn't, it won't tell you. Not having seen any warning from the virus scanner doesn't mean your computer is clean, and seeing one doesn't imply there was any real danger.
As do worms, viruses, Trojan horses, spyware, or a knife in your back. I don't think this discussion is about the implementation deviating from the design.
It's not Google "overstepping the mark", it's incompetent users changing settings they don't understand.
Any security mechanism or policy that is built upon the assumption that users are competent and make the right decisions is doomed to fail. Don't blame the users for it, they are just humans.
It took a bit to dig this up, but it turns out that if you set the registry key...
If they really do not want to be evil, they should:
Provide security documentation, and make it easily accessible to everyone (as opposed to "hard to dig up"). Security documentations means a detailed and complete description of what the software does, how it communicates, and how to prevent it from doing what the operator of a machine or network might not want it to do.
Offer multiple documented ways in which typical security policies could be enforced. For instance there should be an alternative for situations where group policies aren't an option, like communicating with Google's servers in such a way that perimeter filtering (read: firewall rules) can easily be used to suppress communications.
Make sure that the administrators of a network remain in control over individual functions and services. Enforcement of a security policy, in whichever way it may be implemented, should not have side effects on other services. It should not be necessary e.g. to block all Google access or to route all Web access through a mandatory proxy in order to suppress one particular function of Google Desktop.
In other words, I would like to see Google Desktop use e.g. a specific source and/or destination port that can be blocked at packet filter level, and I would like to see this documented. I haven't verified whether it does so already, though.
If I'm running service on TCP80, does that mean you're invited to scan UDP10000-65535 to see what doors may be inadvertently unlocked?
If you were not running any service on TCP port 80, would it be ok to... try different URLs? After all, the URL is a user interface and the only way to learn more about the resource a URL points to is to give it a try and access it.
I work for a lab that does security reviews and evaluations. There are a few things you might want to consider:
There is nothing wrong with the bank's request. Think of it as additional quality assurance: your customer requests that your product provides a certain level of quality, and that you prove that.
Having the security of your product certified in whichever way can gain you a considerable advantage in the market. Make sure that after successfully passing the review you get some written document that certifies the evaluation and can be used elsewhere.
If you do not fully trust your customer, involve an independent party. Check whether your customer would accept a review by someone else if properly documented.
Plan ahead for worst case. Everyone makes mistakes so the review may find issues. Make sure that you can fix them and reevaluate.
If your company does not employ mature development processes and quality assurance, don't even think about passing a code review.
As pointed out by others already, not handing over the source code may not really protect you. One can find out a lot about the inner workings of a system even in a black-box test, and there is no effective protection against reverse engineering.
There may be easier places to steal your source code than a properly operated security lab. Make sure that the security precautions of whoever is going to review your software match those of your own company. You do have security management, don't you?
If you really don't like to hand over the source code to anybody, there may be an alternative: indemnify your customer against all damages that may emerge from security issues in your product. This may be costly, though.
Once this information was systematically compiled, the Germans had an unprecedented knowledge of their future enemy's infrastructure, enabling them to plan troop and weapon deployments with an incredible level of detail.
Yet in the end they failed to conquer Russia. And not having access to this information most likely wouldn't have stopped them from trying.
Police need to use common sense: if people are wearing dark clothing, and hiding in the woods taking long-range telephoto lens pics of stuff, then maybe they are suspicious.
Or maybe not. Even those might be engaged in something as harmless as wildlife or forest photography.
Say ICANN refused to allow the new .EU TLD. What then?
There would be one less string for European companies to acquire and defend besides their national domain name(s). In the long run this may save us two or three lawyers, Europe-wide.
I think it's pretty ridiculous to argue that the governance of the Internet should remain in the hands of any one government, even the US.
The Internet is governed by us, the hackers, with the help of a couple of multinational enterprises. I guess those "governments" are just trying to raise the price a little for not being too much of a hassle to us.
Indeed the rest of the world can set up their own DNS servers for a new TLD (say '.earth'), but they can't force anyone to contact the root server for that domain. The result will be chaos.
While I can understand why America (well some American politicians) wants to hold on to the governance of the Internet I think it's about time it was handed over to a multi-nation body (maybe the UN maybe a separate entity completely).
"Governance of the Internet" does not exist. The Internet is nothing more than a set of protocols (which anyone could implement), and a set of entities using these protocols to exchange data. Although you and I seem to be connected to the same Internet at this time, there is definitely no way for you to govern how I use the Internet set of protocols to communicate with the Internet set of entities, including Slashdot. You just can't. What you call "the Internet" is nothing more than a silent agreement between me, Slashdot, and a couple of service providers. You may participate in a different agreement involving different parties, yet be able to reach the same Slashdot.
H5N1, the strain of avian flu that has people so worried, has been infecting humans since 1997 and has a mortality rate of over 50% (after having infected a total of around 120 people).
So there is a 1-in-50,000,000 chance that I will die from H5N1 within the next 8 years? Scary!
Informed rumour in the UK scene / community has it that the "unauthorised access" of which he was accused consisted of adding "../" to the end of a URL.
Which, according to usability engineering expert Jakob Nielsen, constitutes interaction with a user interface of the Web site. Nielsen recommends that site owners support URL "hacking" for the sake of usability.
Bureaucrats trying to take over the Net? Or at least to create the impression that there were a "debate" regarding the "alternative theory" that the Net must have been created by an intelligent designer?
Groupthink, perhaps?
Perhaps they should have read this Slashdot story, which was about Netgear routers DoS-ing innocent time servers.
There is. Check your spam folder.
So how exactly would this change the way we access Web sites?
More importantly: What will the terrorist do if he can't?
So what?
And the problem to be solved is what, exactly?
They don't. Otherwise they would have noticed by now that almost everyone in Europe ignores them and everything they do. Notable exceptions are:
- Everyone who can profit from compliance with bureaucratic procedures, e.g. farmers or scientists expecting EU funding, and
- Lobbyists and politicians trying to push their idea of what the law should be like into national parliaments from above.
Just get them their own Internet as a place to play their games. They won't even notice.
Shouldn't system security tell me what I am allowed to access and what not? How could I know if it didn't?
Works fine from Germany.
So all a terrorist needs in order to remain unsearched is a fake note describing the terrorist and his bomb? Great security.