> The 1st amendment does not legally "protect" you for lying. When you are saying "I'm an engineer", but the law defines
Donald Trump is an asshole and incompetent.
Do you think Trump would consider that statement untrue? A lie? There are all sorts of things that government officials have called "lying" (including the allegation that Clinton had sexual contact with Monica - Hillary called that a lie). Did King George and his government consider the things that Jefferson, Jackson, and Franklin said about him to be true, or would King George say Thomas Jefferson was lying?
It is precisely BECAUSE government defines words and tries to define truth that freedom of speech MUST protect statements that the politicians consider "lying". If you are only allowed to say things that the government agrees are true, that's not freedom of speech at all.
Think about that for a moment. The two options are:
A) Free speech only means you can say things that the government agrees are true.
B) Free speech includes the right to say things that the government doesn't consider true (including 9/11 theories).
Option A is no freedom at all - even without the first amendment, the government wouldn't prosecute anyone for statements they agree with. If the 1st amendment only covered government-approved "truth", it would be pointless to even write the amendment down at all.
There is, however, a slight glimmer of truth to what you've said. The first amendment prohibits *government* from making speech a *crime*. It does not prohibit a private person from suing for damages caused by libelous speech. In a libel suit, truth is a defense. So truth matters - but that's in a civil suit, where some other citizen is suing based on damages - the first amendment's restriction on the government doesn't directly apply.
That's why most states don't have a criminal libel offense, and those that do rarely prosecute, because in most instances prosecution by the government is barred by the first amendment.
I just read ORS 672.007. Under Oregon law saying "I'm an engineer" counts as "practicing engineering". There is still a first amendment issue. https://www.oregonlaws.org/ors...
Still, I must say: I'm the tooth fairy. I'm an engineer. I'm a unicorn. Fuck you, Oregon.
The Oregon statute also defines what practicing engineering means under the law. The statutory definition, while overbroad, covers *working* as an engineer, not *saying* you're an engineer.
1) "Practice of engineering" or "practice of professional engineering" means doing any of the following: (a) Performing any professional service or creative work requiring engineering education, training and experience. (b) Applying special knowledge of the mathematical, physical and engineering sciences to such *professional services* or creative work as consultation, investigation, testimony, evaluation, planning, design and services during construction...
To any Oregon bureaucrats who happen to be reading this: I'm an engineer. I'm also a train conductor. And a unicorn. Fuck you, Oregon.
Knowing how citizens of the left coast tend to think, they'll decide that the solution to this abuse of an overbroad regulation by power-hungry bureaucrats is to create more regulations, to be wielded by more power-hungry bureaucrats.
High speed cache is good for data that is accessed, then accessed again a few seconds later. Web servers are a good example - the same page may be loaded many thousands of times per hour, or even thousands of times per minute.
For backup, each sector of data is accessed no more than about once per day. In my experience, backup is where you want sustained throughput; caching doesn't help. We use wide arrays.
My team and I do something similar periodically. Our experience is that luck is a short term phenomenon in the face of skill. Daniel may happen to find something pretty good in the morning, while I don't find much until the afternoon. Zach might find two interesting bits on Monday, none on Tuesday; Immad finds one on Monday and one on Tuesday. Over the course of a few days, our performance tends toward what you'd expect from our resume. Luck is very short term, skill is the controlling factor over the course of even days, and certainly over years.
For example, a guy who knows how to analyze a system to divide it into its components, then focuses on the interactions between those components, will find many more vulnerabilities than someone who focuses on one component and tries to find vulnerabilities within that component, internal to it. It's the interfaces between systems where most of the weaknesses are. Looking in the right places, the most likely places, is a skill, not luck.
A first-pass screening test is to see if TCP port 445 is open. Most hosts will have 445 blocked by the firewall, thereby providing a degree of protection for the vulnerable SMB.
If 445 is open, that does not mean the host is compromised, but it is likely to be vulnerable. This Metasploit module is one check that can be run:
More information can be found on the Alert Logic blog and our various teams will continue to post there and elsewhere as more information is made available. https://www.alertlogic.com/res...
I know Alert Logic has other resources posted elsewhere, but unfortunately I don't know the exact URLs off hand. My team sends technical details to another team, who aggregates it with information developed by other teams, then they forward it to the PR people who post it for you to read, with other, more detailed information provided to customers. So personally I only know where I send the information internally, but not where you can read all of it.
> I'm not sure if the problem is me or the explainers.
I'm fairly sure it's the explanations, which tend to mathematically define them, rather than showing what the heck they are and what they are good for.
I noticed that the other day looking for good explanations of the normal forms in relational databases (sql). Most of the explanations I found were crap. Rigorously correct, and entirely useless to someone who doesn't already fully understand them.
My kid is two. When I wanted her to know what a "horse" is, I didn't start with a rigorous, formal definition of "horse" as distinct from all other species. I showed her a horse, so she could see what it is, then I showed her someone riding a horse, so she can see how it's used. I wish more comp sci people had basic competence in explaining or teaching.
The summary says:
--
one of the platform's white hat hackers has already earned over $600,000 in just two years.
--
From that you got:
> So the world's best (or at least, best-paid) white-hat makes $150k/year?
Over $600K in two years is over $300K per year. No, that's not "the world's best paid white-hat". That seems to be how much one freelancer made from Hackerone - he or she may have made just as much from other avenues, and there is no reason to think this person is "the world's best-paid white hat" - in fact there is good reason to think they are not.
That is roughly the range of someone highly qualified, though - without pairing it with management or other fields such as writing. (Think Bruce Schneier - trained as a cryptologist, paid as an author and nerd-famous media personality).
Quotation marks are also used for slang, jargon, and similar unusual words, including ordinary words used for an unusual meaning, in a context in which the reader may be unfamiliar with the meaning. In this usage, quotes take the place of the phrase "what is called". Essentially you're quoting a group, rather than a person.
For example, in a newspaper article written for the general public, one might write "he met up with his 'homeboy'" or "Intel's Pentium computer processors had a bug in the 'floating point unit', the part of the processor which handles fractions."
http://www.writingwithclarity....
http://blog.apastyle.org/apast...
> HTTPS everywhere protects against the mass surveillance
To some extent it does. For simplicity, let's assume it did, completely. Your choices then are:
A) The NSA can tell that someone in your company viewed catvideos.com.
B) The NSA can't tell that someone viewed catvideos.com, and you get infected with malware that somebody put on catvideos.com.
It's not clear that (A) is always preferable. Obviously that doesn't mean you should never use TLS. It means there is a tradeoff.
> there's always a way to get around the firewall
No, that's the difference between an actual real firewall, which is installed on the network at the demarc, and "personal privacy software", which runs on the host. A firewall has two network ports. One connects to the internet (or other "outside" network), the other connects to the internal network. There is literally no physical path for signals to travel except through the firewall. There's physically no way around a hardware firewall, no wires for packets to travel through. All packets go *through* the firewall.
You can also do some checks on the local host, but given you must assume the local host is compromised, you don't trust the local host to identify the malware that it's infected by. Any anti-virus anti-malware on the host is *always* auxiliary to monitoring from a trusted system. Also, the local host obviously can't detect anomalous botnet traffic when a worm infects your network, sweeps trying default and common passwords across your network, etc.
You get much better security by having dedicated security appliances (some of which cost $20,000 or more, not practical to run one for each desktop and laptop), managed and monitored 24/7 by the SOC, looking at a holistic view of the entire network, rather than trusting a potentially infected laptop, run by an accountant, clerk or manager, to protect itself. Frankly, your perspective of security is very much that of a typical home user in 1995. That's not how it's done in the enterprise, and that's not how it's done in 2017. Our SOC, as an example, employs about 200 security specialists. CorpSec is probably another 40 specialists. We've moved a bit beyond installing McAfee and thinking we're protected. Those 200 specialists in the SOC can't monitor and manage things nearly as well if they can't see anything, though. 10,000 encrypted TLS connections don't provide many actionable events.
Btw, you mentioned "(as opposed to IP / site blocking)". Where do you think the IP blacklists come from? They come from the SOC, both ours and Cisco TALOS. They are based on what we learn about traffic flows from those IP addresses - because we can *see* the malware being delivered from those IPs.
> > of course it can't see and block the malware encrypted via https
> your company's firewall is MITM-ing all https traffic
I see you're still working on your English language skills. "Can't" means "can not". Much like "isn't", for "is not".
> But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
> Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
> But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?
It's worse than that. The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS, is a very common vector for malware. The kind of malware that your company's firewall is set up to block. But of course it can't see and block the malware encrypted via https. A lot of security, protection from malware, phishing, etc, requires visibility into what's happening on the network. Encryption is very useful when applied properly in the proper places, but https everywhere also has a very real security *cost*. Every security-related decision will have both costs and benefits.
It is wise to consider both costs and benefits and apply the right tools for each situation. *Anything* "everywhere" is probably less than ideal.
That's a bit of a broad question. At a broad level, I suppose the answer is:
Tasks are decomposed into chunks of a manageable size, chunks that will be done by one person, and might take anywhere from 30 minutes to 3 days to do.
Then based on experience each member of the team says how many points they would say for each, where the allowed values for points are: 1, 3, 5, 8, 13. The "missing" numbers help avoid getting bogged down in deciding whether it's a five or six; six isn't even an option.
> I don't know any easy solution to that: mind-reading machines don't exist.
I came across a solution that works really well, whenever you can possibly do it. First, let's be clear about the most common method, which does NOT work. Most commonly, the users' boss talks to someone, maybe a product manager, about what they think the users need. Then the product manager or whoever talks to the developers about what they think the users' manager said. That doesn't work very well most of the time.
Most of the time, new software is needed to handle a process that is currently being done by hand, perhaps on paper or in Excel. Maybe you're replacing legacy software. Normally, the job is getting done *somehow*. So go *watch* the job being done. If it's being done on paper, watch the person do it on paper. Follow the piece of paper as it is filed with another department and they type the information into some computer system. While watching the person do the job manually or via the legacy software, ask questions and take notes. Then if possible try to do it once with them watching you and correcting your mistakes. Now you know pretty much exactly what's required to get that task done, because you've just done it by hand. Ask what kind of exceptional conditions come up - what kinds of weird things happen that cause a change in the process? Obviously you'll code for those specific exceptional conditions, but also that lets you know what general *types* of variation there might be, meaning where you should try to build some flexibility into your system. When you discover there are three different types of X, you'll build X modularly, knowing that another type of X may come up.
If it's not possible to actually watch the line people doing the job, at least try very hard to get them on the phone. Talking to the actual users, asking them what's frustrating about their current process, will tell you a lot about the requirements that you won't get from listening to your boss talk about what their boss said.
I've used Fogbugz. I totally agree with this:
> In practice, it is hard to remember to clock into the task that you are working on, and to clock out of the task you are working on
What has worked much better for us has been tracking what we actually accomplish in a two-week sprint. We estimate each task using "points", which are a completely artificial construct designed solely to indicate one job will probably take about the same amount of time as some other job, while a third one will take twice as long. At the end of each two-week sprint, we can see that we usually accomplish about 65 "points" of work. So we can assign points to a group of tasks, divide by 30, and that's how many weeks. But we don't think about weeks when assigning points - a task is a 5 point task if it should take about as long as previous 5 point tasks.
That's similar to what I've experienced and seen reported in studies. When I say "10 hours", that really means "10 times X hours", but that X factor is relatively consistent. Each of my teammates is similar - they are always wrong, but normally by the same multiplier each time.
Developers tend to be reasonably good at estimating the RELATIVE amount of work, they can say "job A will probably take twice as long as job B". This assumes the work is broken down into pieces small enough to estimate. What they tend to NOT be good at is saying how many hours, days, or weeks.
That's where Scrum "story points" come in. We assign each task a number of points. Historical data shows that we can complete 65 points in a two-week sprint. That's relatively consistent.
Some tasks will take longer than expected, some less, but that tends to average out over two weeks of a four-man team. The four of us complete 65 points per sprint.
That's the overall long term average US stock market return net of inflation. As you might expect*, returns tend to be higher when inflation is higher, and lower when inflation is lower. Therefore the net-of-inflation return is actually fairly steady at 7%-8%.
Obviously a late 2008 early 2009 time period causes people to worry, but we're talking about 30 years of saving followed by 30 years of withdrawals. That will surely include some good times and some bad times. 2008 AND 2002-2007, AND 2009-2017. In the last 20 years, the Dow has gone from 11,000 to 21,000. In the last 10 years, from 15,000 to 21,000.
* Consider that bonds compete with stocks on price, aka discount, aka return. Obviously bonds must pay high rates when inflation is high. When bonds pay higher net rates, buyers go to bonds, and leave stocks cheap in terms of PE, increasing stock returns.
That's an interesting idea.
Here's the real quick run down for you.
There's something called a "mutual fund". It's a way to invest in lots of companies at once. A specific type, the "index mutual fund", means you are investing in 200 of the largest companies. That's pretty damn safe long term - Coke, Walmart, Toyota, etc aren't all going to go bankrupt any time soon. By investing in an index fund, you'll get paid about 8% per year more than inflation. So if you invest $100, every year you'll get paid about $7-$8 plus a bit more that covers inflation.
If you want to spend about $60K / year in retirement, that means you need to have about $850K invested. (7% of $850K is $60K). In other words, $850K invested will provide a PERMANENT income of about $60K.
That does NOT mean you need to put $850K into your investments, because your investment (your index fund) is growing *while* you're working. To have $850K 30 years from now, about $580/month needs to go into your index fund. That doesn't mean *you* have to put in $580 each month, though. Most employers match retirement savings (that match is basically free money for you). Typically, you need to put in about $373 / month and your employer will match half of that, $186 / month.
So you put in $373 / month, your employer puts in $186, and after 30 years you have a *permanent* source of income that produces $60K / year forever.
Everything I can find that actually cites a source indicates that the President's proposal directs the EPA to look into the possibility of spinning it off to operate like Underwriters Laboratories (UL) operates - with actual testing, and self-funding rather than taxpayer funded and government run.
The very next sentence after the one you quoted is:
--
Through the use of some other title implies that the person is an engineer or a registered professional engineer
--
Note the "or". Engineer *or* registered ...
Bad law, IMHO, but law. Except to whatever extent the first and fourteenth amendments bar the state from enacting such a law. The Oregon statute is null and void when applied in a way that conflicts with the first amendment.
Code review and pentesting are two very different, yet complementary things. As you suggested, code review is likely to find a lot more, including things some people don't typically think of as "security" - points of fragility, for example. Code review is very useful, especially when done by people trained in security.
Pen testing *after* code review is also very useful. It isn't unusual for code review to have a lot of detailed findings. As an analogy, looking at the internals (code review) might find that the deadbolt is only held in with two half-inch screws, it's a cheap, crappy lock, and the gap between the door and the frame allows the lock to be shimmed. After you address those a pen tester looking at things from a different perspective walks right in through the side door. A concrete example is the OS. You might code review the application extremely well, then I shellshock right past it. "But the OS is out of scope!", you exclaim. So what. The bad guy and the pentester don't care about your review scope. We just walked right into your database.
Two different, complementary things, both useful.
True, it would be much more secure (in one way) if administration was only possible from the local, lan-side port. However, that's neither practical nor sufficient.
First, some people can't effectively and reliably admin their own modem. They need the cable ISP to manage it. The ISP is on the external side. So the ISP needs access from the outside. That *should* be secured reasonably well, though.
Second, <iframe src="http://192.168.1.1/admin/changepasswd.php?newpass=yourfucked">
Putting that into any web page will cause the browser, which is on the internal network, to access the router or modem. So restricting access to be from the local network only is insufficient for security.
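The iframe trick above is cross-site request forgery (CSRF): the victim's browser, sitting on the LAN and holding the router's login cookie, issues the request on the attacker's behalf. The following is an added example, not code from this thread or from any router vendor. It models the admin endpoint named in the comment as a pure Python function in two versions so both can be exercised offline: a weak handler that changes state on any authenticated GET, and a hardened one that requires POST, checks the Origin/Referer header against the router's own origin, and verifies a per-session token with a constant-time compare. The `Session` and `Request` classes, `ROUTER_ORIGIN`, the handler names and the substituted password value "attacker-chosen" are all constructions for this illustration.

```python
"""CSRF against a LAN-only router admin page: weak handler beside a hardened one.

Added example (not from the original comment). Models the /admin/changepasswd.php
endpoint named in the thread as a pure function; all names are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # the LAN address used in the comment (constructed origin)
ADMIN_PATH = "/admin/changepasswd.php"


@dataclass
class Session:
    """Server-side state the router keeps for one logged-in browser (constructed)."""
    authenticated: bool = True  # victim is logged in, or the browser remembers the cookie
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    password: str = "original"


@dataclass
class Request:
    """A constructed HTTP request as the router would see it."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def handle_weak(req: Request, session: Session) -> Tuple[int, str]:
    """Weak handler: any authenticated request to the URL changes the password.
    The browser attaches the session cookie automatically, so an <iframe> on a
    third-party page triggers this from inside the LAN."""
    parts = urlsplit(req.url)
    if parts.path != ADMIN_PATH:
        return 404, "not found"
    if not session.authenticated:
        return 401, "login required"
    newpass = parse_qs(parts.query).get("newpass", [""])[0]
    if not newpass:
        return 400, "missing newpass"
    session.password = newpass
    return 200, "password changed"


def handle_hardened(req: Request, session: Session) -> Tuple[int, str]:
    """Hardened handler: state change needs POST, a matching Origin, and a
    per-session CSRF token that a foreign page cannot read."""
    parts = urlsplit(req.url)
    if parts.path != ADMIN_PATH:
        return 404, "not found"
    if not session.authenticated:
        return 401, "login required"
    # 1. Never change state on GET; a bare <iframe src=...> can only issue a GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Browsers set Origin on cross-site POSTs; reject anything not from the router itself.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(ROUTER_ORIGIN):
        return 403, "cross-origin request rejected"
    # 3. The token is embedded in the admin page's HTML; the same-origin policy keeps
    #    another site from reading it, so it cannot be forged. Compare in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "bad csrf token"
    newpass = req.form.get("newpass", "")
    if not newpass:
        return 400, "missing newpass"
    session.password = newpass
    return 200, "password changed"


def forged_request() -> Request:
    """What the comment's <iframe> makes the victim's browser send: a GET carrying the
    router cookie, with the Referer pointing at the attacker's page (constructed)."""
    return Request(
        method="GET",
        url=ROUTER_ORIGIN + ADMIN_PATH + "?newpass=attacker-chosen",
        headers={"Referer": "http://evil.example/"},
    )


def legitimate_request(session: Session) -> Request:
    """The admin UI's own form submission (constructed)."""
    return Request(
        method="POST",
        url=ROUTER_ORIGIN + ADMIN_PATH,
        headers={"Origin": ROUTER_ORIGIN},
        form={"newpass": "s3cure-new-pass", "csrf_token": session.csrf_token},
    )


def demo() -> Dict[str, str]:
    """Replay the forged request against both handlers, then the real form against
    the hardened one; return the resulting password per handler."""
    weak, hard = Session(), Session()
    handle_weak(forged_request(), weak)
    handle_hardened(forged_request(), hard)
    handle_hardened(legitimate_request(hard), hard)
    return {"weak": weak.password, "hardened": hard.password}


if __name__ == "__main__":
    print(demo())
```

Restricting the admin interface to the LAN side therefore buys little against this class of bug; the fix belongs in the handler: no state changes on GET, an origin check, and a token the attacker's page cannot obtain.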
> The 1st amendment does not legally "protect" you for lying. When you are saying "I'm an engineer", but the law defines
Donald Trump is an asshole and incompetent.
Do you think Trump would consider that statement untrue? A lie? There are all sorts of things that government officials have called "lying" (including the allegation that Clinton had sexual contact with Monica - Hillary called that a lie). Did King George and his government consider the things that Jefferson, Jackson, and Franklin said about him to be true, or would King George say Thomas Jefferson was lying?
It is precisely BECAUSE government defines words and tries to define truth that freedom of speech MUST protect statements that the politicians consider "lying". If you are only allowed to say things that the government agrees are true, that's not freedom of speech at all.
Think about that for a moment. The two options are:
A) Free speech only means you can say things that the government agrees are true.
B) Free speech includes the right to say things that the government doesn't consider true (including 9/11 theories).
Option A is no freedom at all - even without the first amendment, the government wouldn't prosecute anyone for statements they agree with. If the 1st amendment only covered government-approved "truth", it would be pointless to even write the amendment down at all.
There is, however, a slight glimmer of truth to what you've said. The first amendment prohibits *government* from making speech a *crime*. It does not prohibit a private person from suing for damages caused by libelous speech. In a libel suit, truth is a defense. So truth matters - but that's in a civil suit, where some other citizen is suing based on damages - the first amendment's restriction on the government doesn't directly apply.
That's why most states don't have a criminal libel offense, and those that do rarely prosecute, because in most instances prosecution by the government is barred by the first amendment.
I just read ORS 672.007. Under Oregon law saying "I'm an engineer" counts as "practicing engineering". There is still a first amendment issue.
https://www.oregonlaws.org/ors...
Still, I must say:
I'm the tooth fairy.
I'm an engineer.
I'm a unicorn.
Fuck you, Oregon.
The Oregon statute also defines what practicing engineering means under the law. The statutory definition, while overbroad, covers *working* as an engineer, not *saying* you're an engineer.
https://www.oregonlaws.org/ors...
1) "Practice of engineering" or "practice of professional engineering" means doing any of the following: ...
(a) Performing any professional service or creative work requiring engineering education, training and experience.
(b) Applying special knowledge of the mathematical, physical and engineering sciences to such *professional services* or creative work as consultation, investigation, testimony, evaluation, planning, design and services during construction
To any Oregon bureaucrats who happen to be reading this:
I'm an engineer. I'm also a train conductor. And a unicorn. Fuck you, Oregon.
Knowing how citizens of the left coast tend to think, they'll decide that the solution to this abuse of an overbroad regulation by power-hungry bureaucrats is to create more regulations, to be wielded by more power-hungry bureaucrats.
> are SANs that are designed for backups
High speed cache is good for data that is accessed, then accessed again a few seconds later. Web servers are a good example - the same page may be loaded many thousands of times per hour, or even thousands of times per minute.
For backup, each sector of data is accessed no more than about once per day. In my experience, backup is where you want sustained throughput; caching doesn't help. We use wide arrays.
My team and I do something similar periodically. Our experience is that luck is a short term phenomenon in the face of skill. Daniel may happen to find something pretty good in the morning, while I don't find much until the afternoon. Zach might find two interesting bits on Monday, none on Tuesday; Immad finds one on Monday and one on Tuesday. Over the course of a few days, our performance tends toward what you'd expect from our resume. Luck is very short term, skill is the controlling factor over the course of even days, and certainly over years.
For example, a guy who knows how to analyze a system to divide it into its components, then focuses on the interactions between those components, will find many more vulnerabilities than someone who focuses on one component and tries to find vulnerabilities within that component, internal to it. It's the interfaces between systems where most of the weaknesses are. Looking in the right places, the most likely places, is a skill, not luck.
A first-pass screening test is to see if TCP port 445 is open. Most hosts will have 445 blocked by the firewall, thereby providing a degree of protection for the vulnerable SMB.
If 445 is open, that does not mean the host is compromised, but it is likely to be vulnerable. This Metasploit module is one check that can be run:
https://github.com/rapid7/meta...
More information can be found on the Alert Logic blog and our various teams will continue to post there and elsewhere as more information is made available.
https://www.alertlogic.com/res...
I know Alert Logic has other resources posted elsewhere, but unfortunately I don't know the exact URLs off hand. My team sends technical details to another team, who aggregates it with information developed by other teams, then they forward it to the PR people who post it for you to read, with other, more detailed information provided to customers. So personally I only know where I send the information internally, but not where you can read all of it.
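The screening test described above, as an added example that is not part of the original comment and is not an Alert Logic tool: a plain TCP connect to port 445 against the hosts you administer, run in parallel, reporting which ones answer. As the comment says, a reachable port shows only that the firewall is not blocking SMB; it is not proof that the host is vulnerable or compromised, so the output is a follow-up list (patch status, SMBv1 disabled, firewall rule), not a verdict. The host inventory, the function names and the `SMB_PORT` constant are constructed for this illustration.

```python
"""First-pass screening for exposed SMB: is TCP port 445 reachable on our hosts?

Added example (not from the original comment or from Alert Logic). Host list,
function names and timeouts are constructed assumptions.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List

SMB_PORT = 445


def is_tcp_port_open(host: str, port: int = SMB_PORT, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake completes with host:port.

    A refused connection, a timeout (typical of a firewall DROP rule) and a
    name-resolution failure all count as "not reachable", so one bad inventory
    entry does not abort the sweep.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def screen_hosts(hosts: Iterable[str], port: int = SMB_PORT, timeout: float = 1.0,
                 workers: int = 32) -> Dict[str, bool]:
    """Check many hosts concurrently; maps host -> whether the port is reachable."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: is_tcp_port_open(h, port, timeout), hosts)
    return dict(zip(hosts, results))


def exposed_hosts(report: Dict[str, bool]) -> List[str]:
    """Hosts that need follow-up: open 445 means SMB is not firewalled, nothing more."""
    return sorted(host for host, reachable in report.items() if reachable)


if __name__ == "__main__":
    # Constructed inventory: replace with the hosts you are responsible for.
    inventory = ["192.0.2.10", "192.0.2.11", "fileserver.corp.example"]
    report = screen_hosts(inventory, timeout=0.5)
    for host in inventory:
        state = "445 reachable - follow up" if report[host] else "445 not reachable"
        print(f"{host}: {state}")
    print("follow-up list:", exposed_hosts(report))
```

Run it against your own asset inventory, then feed the follow-up list to the Metasploit check or to your patch-management data; the screen only narrows the list of hosts worth a closer look.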
40 watts? Should be closer to 4 watts.
http://www.tpcdb.com/list.php?...
What's the maximum power rating marked on the wall wart?
> I'm not sure if the problem is me or the explainers.
I'm fairly sure it's the explanations, which tend to mathematically define them, rather than showing what the heck they are and what they are good for.
I noticed that the other day looking for good explanations of the normal forms in relational databases (sql). Most of the explanations I found were crap. Rigorously correct, and entirely useless to someone who doesn't already fully understand them.
My kid is two. When I wanted her to know what a "horse" is, I didn't start with a rigorous, formal definition of "horse" as distinct from all other species. I showed her a horse, so she could see what it is, then I showed her someone riding a horse, so she can see how it's used. I wish more comp sci people had basic competence in explaining or teaching.
The summary says:
--
one of the platform's white hat hackers has already earned over $600,000 in just two years.
--
From that you got:
> So the world's best (or at least, best-paid) white-hat makes $150k/year?
Over $600K in two years is over $300K per year. No, that's not "the world's best paid white-hat". That seems to be how much one freelancer made from Hackerone - he or she may have made just as much from other avenues, and there is no reason to think this person is "the world's best-paid white hat" - in fact there is good reason to think they are not.
That is roughly the range of someone highly qualified, though - without pairing it with management or other fields such as writing. (Think Bruce Schneier - trained as a cryptologist, paid as an author and nerd-famous media personality).
> All you need to show are the same general design and feasibility studies as you'd need for an approval next week.
Rotfl.