Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114

Comments · 10,114

  1. For quickie scripts, vs applications on RedMonk Identifies 2017's Most Popular Languages: JavaScript, Java, And Python (redmonk.com) · · Score: 1

    > First off, the main alternative in the scripting world is the union of monotypes model, where a number could be a float, integer, or string depending on context,

    True, in languages designed for writing quickie scripts, as opposed to significant applications such as a word processor, typing is sometimes an issue. It doesn't have to be so - even VBScript has a proper type system, as does Python as I recall.

    Anyway, JavaScript is now being used to write office suites, and it's not well suited to such tasks.

  2. Who sets up the backups, in most companies on Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times (bleepingcomputer.com) · · Score: 2

    In most companies, high-ranking technical personnel, such as this CIO, either have access to the backups or can get such access. At least that's my experience. Even when backups are handled by an external company, an IT person can call Iron Mountain and cancel the backup service (just before wiping the primary mail server).

  3. Indeed here's the ranking of who has the power to decide how things actually work in a modern company, from least powerful to most powerful:

    Line workers
    Line supervisors
    Mid management
    Directors / VPs
    C*O
    Board of directors
    System administrator

    If the system administrator wants all of the CEO's documents to disappear, they can make that happen, during their employment or even after they are no longer employed. A company should be careful who they have doing system admin, because the admins can read all of your email, change your files, etc. That's one reason it's a *brilliant* idea to outsource this work to people you've never met, and who are on the other side of the world, untouchable by your country's law enforcement.

  4. Counting pull requests, development. A copy yes on RedMonk Identifies 2017's Most Popular Languages: JavaScript, Java, And Python (redmonk.com) · · Score: 1

    They are counting pull requests, development. You won't find the kernel and Apache httpd pull requests on Github.

    Yes somebody uploaded a copy of the code to Github. That's not where development is done, so this survey wouldn't count Apache httpd or kernel httpd development (except for a few people who didn't know the devel process and clicked pull request on Github).

  5. Because they weren't written in just ten days on RedMonk Identifies 2017's Most Popular Languages: JavaScript, Java, And Python (redmonk.com) · · Score: 4, Insightful

    > why are they better?

    *Why*, the *reason* they are better, is that the creators had more than 10 days to design, plan, implement, integrate, and test them. Several years, in most cases.

    Netscape very much wanted a client-side programming language built into the browser for their big 2.0 release. The original plan (Scheme) didn't work out, so with just ten days left before the public beta release, Brendan Eich designed, implemented, and integrated Javascript.

    It was a pretty amazing accomplishment - I rather doubt I could do that in ten days. Also, there are many areas where the ten-day schedule is apparent, such as inconsistencies in the naming and format of Javascript functions. In ten days there was no time to have a full complement of types, in fact Javascript can't handle integers. That's a problem because, for example, it means 9999999999999999 is equal to 10000000000000000. Floating point comes with all kinds of errors. You're actually not supposed to ever compare two floating point numbers for equality, you're supposed to check whether the difference between them is small. Since JavaScript only HAS floating point numbers, it can't tell whether or not two numbers are equal, in the general case.

    JavaScript generally ignores errors and carries on. If you're driving somewhere and you realize you're going the wrong direction, you'd stop and turn around, right? Not JavaScript. When JavaScript notices it's doing something wrong, it continues full speed ahead, intentionally continuing to screw more and more things up.

    Type coercion in Javascript is nuts. In Javascript, 1 + 2 = 12, sometimes.

    One of the four useable types Javascript does have is Number. But 1 is not a Number.

    Number has properties MIN_VALUE and MAX_VALUE.
    Keep in mind, though, -1 is less than Number.MIN_VALUE, and MAX_VALUE is less than MIN_VALUE.

    Again, I couldn't write a better language in 10 days. Give me 60 days, though, and I might have built something better than Javascript.

  6. Counts sharing, not use. Javascript always shared on RedMonk Identifies 2017's Most Popular Languages: JavaScript, Java, And Python (redmonk.com) · · Score: 4, Informative

    Reading this, perhaps we should keep in mind it is based on pull requests on public Github repositories; that's counting how much these languages are *shared*, not how much they are *used*.

    Since the full source code of most Javascript is generally distributed to the public anyway, it's not the language of choice for proprietary applications. You may as well put it on Github, since you're already putting the source code on your web site. Proprietary software is most commonly written for Windows, and therefore written in C#. Github pull requests will over represent Javascript, and under represent C# in terms of actual usage.

    Github also very much over represents new projects that were started in only the last few years, after Github became popular. You won't find Linux or Apache on Github, for example, or most other software that has been around a long time. A lot of software had their development processes in place before Github even existed. Along the same lines, Github is used more by people who choose newer, "trendier" options versus time-tested methods.

    This survey will therefore under represent older languages and over represent newer, trendier languages.

    Measuring Github pull requests might be a better measure of which languages are popular in recent open source packages, vs overall usage.

  7. Exploitable with your normal account, admin group on Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) · · Score: 1

    > I just made a non-privileged user account to see if I could modify the registry.

    Meaning the account you normally use is a member of the Administrators group? According to the article, that's the type of account this targets, a member of the admin group.

  8. Any reason to think that, or completely made it up on Judge Grants Search Warrant For Everyone Who Searched a Crime Victim's Name On Google (startribune.com) · · Score: 2

    > Uh, isn't the bank the one who is responsible for credit card fraud?

    Yes, in most cases the bank loses the money. That doesn't mean the thief isn't prosecuted for the crime. This story is about the police investigation to prosecute the criminal. It has nothing whatsoever to do with who loses the money (the bank). Also, this case isn't about credit card fraud, but similar enough.

    > Someone stole $30k from the guy's bank.

    Yeah and the cops are trying to put the thief in jail.

    > I'm pretty sure the bank wants to force the guy to cough up the money

    Huh?!?! Do you have some *reason* to even suspect that, much less be "pretty sure" of it? I don't see anything in the article that even HINTS that there might be any question that the bank is the victim of the theft, that the bank, not the customers, is suffering the loss. Did I miss something, or did you completely make that up out of thin air? Did you just imagine something and you're pretty sure it's true because you were able to imagine it, or do you have some reason to think that?

  9. You've gotta be smarter than a bumper sticker on 20,000 Worldclass University Lectures Made Illegal, So We Irrevocably Mirrored Them (lbry.io) · · Score: 5, Insightful

    > Regulations that protect the environment are provably good and are a cost to a corporation, tough shit for the corporation.

    You don't actually mean exactly what you said, do you? I sure hope you were in a hurry when you typed that, that your thinking is deeper than a bumper sticker slogan. You don't actually think labeling something "for the environment" or "for the children" or "for the economy" makes it a good idea, do you?

    All regulations have costs. Most also have some benefits. Some costs are concentrated on a few people. For example, right now a bunch of people are suing the government because on his way out, Obama's EPA chief declared they can't build a house on their land they bought *in case an endangered species might want to live in the area some day*. There is no endangered species on their land now, there hasn't been in the past, but who knows, maybe someday some animal might decide to live near where the people were planning to build their house. In that case, the cost is borne by the people who just spent $50,000 buying a lot to build their house on. On the other hand, the costs of regulations that affect "major corporations" are of course paid by most everyone equally. If General Mills is required to do some X that's more expensive, everyone pays more for their groceries. For any new regulation related to gasoline, the cost is paid by everyone who buys gas.

    In this instance, one cost of the regulation is that the educational videos are no longer available to the public. The benefit is - nothing. The lawyers got a nice chunk of change, and maybe the people suing got paid, but there's no benefit to society whatsoever. You know Uber and Lyft are ~illegal under regulations in many cities, and in many states regulations prevent Tesla from selling cars to consumers. Most people here understand these regulations don't benefit the public, they benefit the taxi companies and car dealerships. They are overall bad for society (or at least arguably so). You don't think that slapping the label "green" on an expensive regulation which does little to no good magically makes it good, do you?

    > Or, lets get rid of all monopolies on medication; no drug patents

    You could do that, the problem is 90% of the cost of new medication is R&D and testing. Suppose a company spends $800 million and finally has a good medication to show for it. It costs $1/pill to produce. (Which means they can recover their costs by selling 800 million pills at $2 each). Since producing the pills costs $1, other companies will happily produce and sell them for $1.25. Without patents, new medications are pretty much impossible, unless you remove all of the regulation of testing and disclosure and everything, allowing companies to sell medications without revealing what's in them, or without expensive regulatory compliance including all the testing. Personally, I prefer well-tested medication and full disclosure of their contents. That makes R&D expensive compared to production. And that basically means no new meds without patents.

  10. Nope, they already had automated on 20,000 Worldclass University Lectures Made Illegal, So We Irrevocably Mirrored Them (lbry.io) · · Score: 2

    They already used "automatic text-to-speech software". The jackasses who sued said that isn't good enough (for a free video), and the court agreed.

  11. No, because they solved it by making inaccessible on 20,000 Worldclass University Lectures Made Illegal, So We Irrevocably Mirrored Them (lbry.io) · · Score: 1

    > What was allegedly illegal was UC failing to make the content accessible

    Apparently not, because the (perfectly legal) solution is to make it *inaccessible*. They can "fail to make it accessible" all they want. That's perfectly legal.

    What's *illegal* is to make the videos, as-is, accessible to the public. The video is illegal for the school to give away until it is altered through special processes for blind people.

  12. I could claim you're a giraffe, without evidence.. on 20,000 Worldclass University Lectures Made Illegal, So We Irrevocably Mirrored Them (lbry.io) · · Score: 1

    Well yes, anyone could claim anything. I hereby claim that you're a giraffe. So what? Since nobody believes you're a giraffe, my claim is pointless.

    9% of the people on Slashdot agree this case is in fact "going apeshit". There seem to be strong indications that is true.

  13. On-premises, armed guards on Millions of Records Leaked From Huge US Corporate Database (zdnet.com) · · Score: 1

    > There is no way to fully secure shared data. You can only mitigate as much risk as possible.

    This is true. In our case, it's not in the cloud. It's a physical machine. An old machine worth about $30 because all it needs to do is store the encrypted data and when needed send it to the credit card network.

    Originally access was via the console only, you had to physically touch the keyboard to do anything on the system, with all ports blocked on the firewall. Later we enabled only ssh from the internal network. Of course to ssh you also have to have an approved ssh key, then separately you need the encryption key to unlock the credit card data.

    For physical security, nobody goes into the server room without permission and most of our employees carry Glocks. At least one is a state licensed security officer (me). Once, a friend barged into the office - two employees drew their pistols before he made it to the door.

    It's unlikely that anyone will get our customer's credit card information. Possible, but unlikely.

  14. If it can be charged, it's probably sensitive on Millions of Records Leaked From Huge US Corporate Database (zdnet.com) · · Score: 2

    If the "tokenized forms of the CC number" can be used to charge the card, it probably shouldn't be made public.

    If many customers will legitimately want to do further purchases, and for some reason entering the CC number is a major hurdle (both propositions that should be proved, not assumed) you can actually store it without storing it, in a way.

    Certain customers can make purchases from us without re-entering their CC, but the CC number isn't stored on the web server, nor in the database that drives the web site, nor in any other system that stores data to be retrieved by these systems. None of our customer-facing systems, or systems that allow data retrieval of any kind, store credit card data. Instead, credit card information is stored on an isolated system which only accepts commands and returns "ok" or "failed". All other systems in the company can only send a command "please charge the card for customer #312" - there is no mechanism to retrieve data from that system. So our database and systems in general don't store CC data or other sensitive information, but we can still use customer CCs because it's stored only in, and can be accessed only by, the one hardened system. So that's an extension of "don't store sensitive data you don't need to store - and don't store sensitive data in systems you don't need to store it in".
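
The charge-only design described in comment 14, as an added example that is not part of the original comment or the commenter's system. The command format (`STORE`, `CHARGE`), the class name and the `network` callback are assumptions made for illustration, and the card number is the common constructed test value.

```python
"""Charge-only card vault sketch: callers can trigger a charge, never read a card."""
import re
from typing import Callable, Dict, List

# Assumed wire format for this sketch: one text command per request.
STORE_RE = re.compile(r"STORE (\d{1,10}) (\d{13,19})")
CHARGE_RE = re.compile(r"CHARGE (\d{1,10}) ([1-9]\d{0,8})")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so obviously mistyped card numbers are rejected at enrollment."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class ChargeOnlyVault:
    """Holds card numbers; the only replies it can produce are 'ok' and 'failed'."""

    def __init__(self, network: Callable[[str, int], bool]) -> None:
        self._network = network            # hypothetical card-network client
        self._cards: Dict[str, str] = {}   # encryption at rest is out of scope here

    def handle(self, line: str) -> str:
        # Malformed input, unknown customers, declines and internal errors all
        # collapse to the same fixed string, so no reply can carry stored data.
        try:
            return "ok" if self._dispatch(line) else "failed"
        except Exception:
            return "failed"

    def _dispatch(self, line: str) -> bool:
        m = STORE_RE.fullmatch(line)
        if m:
            customer, pan = m.groups()
            if not luhn_ok(pan):
                return False
            self._cards[customer] = pan
            return True
        m = CHARGE_RE.fullmatch(line)
        if m:
            pan = self._cards.get(m.group(1))
            if pan is None:
                return False
            return self._network(pan, int(m.group(2))) is True
        return False  # there is deliberately no GET, LIST or EXPORT verb


def demo() -> List[str]:
    """Run constructed commands against a fake network that declines over 5000 cents."""
    def fake_network(pan: str, cents: int) -> bool:
        return cents <= 5000

    vault = ChargeOnlyVault(fake_network)
    commands = [
        "STORE 312 4111111111111111",  # constructed test card number
        "CHARGE 312 1999",             # accepted
        "CHARGE 312 999999",           # declined by the fake network
        "CHARGE 999 100",              # unknown customer
        "GET 312",                     # retrieval attempt: no such verb
    ]
    return [vault.handle(c) for c in commands]


if __name__ == "__main__":
    print(demo())
```

A compromise of the web server or site database in this model yields the ability to request charges, which can be rate-limited and audited, but not the card numbers themselves.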

  15. I'd say it's the #1 most effective (and cost effec on Millions of Records Leaked From Huge US Corporate Database (zdnet.com) · · Score: 2

    > > avoid storing all of this sort of data to begin with!

    > Gawd what a stupid suggestion.

    Based on my 20 years in information security, I'd say that's the very BEST suggestion to start with. Not only is it very effective, it's very COST EFFECTIVE. Twenty years ago, a great many companies used social security number as a handy identifier for people. Now we don't do that so much - there is no need to use SSN as a customer ID or employee ID, and there is great risk in doing that. So just don't store anybody's SSN, and you can never leak their SSN. The government agency I worked at before my current job was finishing up the process of removing SSNs from all databases when I left.

    Companies who take payments by credit card only need the card number once, at the time of payment. Yet many of them kept the CC number laying around in a database for no good reason. Smart companies prevent big leaks of credit card numbers by simply not storing credit card numbers. Charge the card and be done with it - no need to store the number.

  16. It's already more costly than that. Risk (insuranc on Millions of Records Leaked From Huge US Corporate Database (zdnet.com) · · Score: 3, Informative

    > $1 penalty per leaked / stolen record

    The average cost to a company that's breached is already well over $1 per record, so no that doesn't "quickly remedy this problem". It IS slowly getting things fixed. A lot of companies have a Chief Security Officer now, a C-suite executive responsible for security. That wasn't the case ten years ago.

    The issue is, the likelihood of a major breach is low (for each company). People, including executives, aren't good at reasoning about unlikely events. On the other hand, insurance companies are very good at it. Risk assessment and risk reduction is their business and they've gotten quite good at it. Insurance companies created the fire code, UL labs, etc to reduce the risk of fire. They hold companies responsible for properly mitigating all kinds of risks, as a condition of issuing insurance. The cost of the insurance, which shows up on the balance sheet, is based on the risk-reduction methods that the insured uses. (Just like installing monitored fire and burglary alarms reduces the cost of your homeowners insurance). I think we'll see a major shift in information security when the insurance companies get more involved, requiring companies they insure to follow certain standards.

  17. In my case and many others it's causation on Parenthood Can Help You Live Longer In Older Age, Research Suggests (theguardian.com) · · Score: 1

    For many people, having kids makes you care a lot more about your life expectancy. You want to be around to meet your grandchildren.

    I had my daughter when I was 40 and out of shape. A smoker who never exercised, I hadn't run since I was a teenager (and then because the cops were chasing me). I wanted to be able to run and play with my daughter. I want to be alive for her wedding, and dance with her at her wedding. My life expectancy matters to me much more than it used to. So my priorities have changed and so have my habits (still working on some of them).

    One of my best friends was similar - he was a typical beer-belly guy. He had a kid and now runs marathons.

  18. Not exactly: possession, custody, or control on Apple, Amazon, and Microsoft Are Helping Google Fight an Order To Hand Over Foreign Emails (businessinsider.com) · · Score: 4, Interesting

    Technically it's not exactly *ownership* that matters. The law is "possession, custody, or control". Basically, a subpoena can be directed at whomever has the ability to produce the item. (Note I didn't write the law, I only read it, so please don't yell at me if you don't like the wording of the law.)

    Imagine I leave my gun at your house. Police can get a court order ordering you to hand over the gun (assuming 4th and 5th amendment issues are satisfied). You don't own the gun, but you have the ability to hand it over - possession, custody, or control.

    This can create an issue when a foreign nation (Ireland in this case) has privacy laws that conflict with US law (which applies to US corporations). A subpoena can be defended by citing legally-recognized confidentiality. It's not clear if a confidentiality under Irish law is a valid defense to a subpoena directed at a US corporation under US law.

    Ideally, perhaps the countries should by treaty try to respect each other's legal process to the extent practicable - the US should attempt to meet any reasonable Irish requirements for a valid subpoena, and Ireland should then recognize the information has been lawfully subpoenaed.

    It's tricky because on the one hand perhaps in some ways you don't want US law to apply to US-based corporations around the world; on the other hand US corporations shouldn't be able to hide whatever they want by using servers across the border.

  19. Marketers don't send SWAT teams on Facebook and Instagram Ban Developers From Using Data For Surveillance (theguardian.com) · · Score: 1

    Marketers trying to sell you something don't send a SWAT team if you tell them no. Say "no" to the government (and stick to that answer), they'll send a heavily armed squad for you, after they confiscate your bank account etc. The government is by far the worst of the goon squads.

  20. surveillance: watching what someone does. Facebook on Facebook and Instagram Ban Developers From Using Data For Surveillance (theguardian.com) · · Score: 1

    Methinks we're going to need some definitions here.

    surveillance: Keeping an eye on what someone does.
    Facebook: A way to keep an eye on what people do.

    Never mind marketing, though that's a good point too, the whole purpose of Facebook is to see what people are up to. On Twitter they even use the word "follow someone". Just like if you're doing surveillance on foot you might follow someone.

  21. Totally, 100% depends on you on Laptop SSD Capacity To Remain Flat As NAND Flash Dearth Causes Prices To Rise (computerworld.com) · · Score: 0

    > Has anyone ever used both MLC and TLC drives and care to comment about whether the differences in performance justify the cost?

    That completely depends on you - what you're using them for and how much you value money and performance. Also your operating system, to a lesser extent.

    My wife loves her $200 mini laptop. She wouldn't want anything else. The cheap mini-laptop replaced her Chromebook when it broke and she wanted something very much like a Chromebook. On the other hand, I cost my employer about $150/hour. If they can spend $200 to upgrade hardware and thereby save me 30 seconds per day, it's worth it to upgrade the hardware. (30 seconds X 250 work days per year = 125 minutes @ $2.50 / minute = $312.50 to pay me to wait 30 seconds per day.)

    For some tasks, it's not worth using anything more than a Raspberry Pi, or even an Arduino (16 MHz). For use cases where it's not worth more than a 16 MHz CPU, it's definitely not worth SLC or MLC. On the other hand, I've put dual 8-core CPUs on a motherboard. Multiple SLC drives make sense in some applications.

    You can look at your usage and see how often you are waiting on your drive. Is that while working or only while booting/opening large applications for the first time? If you're using Linux especially, you can make sure you've maxed out your RAM first. Linux works hard to avoid using the drive, caching things in RAM instead. With enough RAM, drive performance may be largely a moot point - the drive may only be used when starting up and when saving changed parts of files, which may not happen often.

  22. Email has different design priorities on Ask Slashdot: How Would You Solve the Instant Messaging Problem? · · Score: 2

    Email has different design priorities than instant messaging, which is why all of these instant messaging protocols were created after email was already popular. Possibly the biggest difference is that email is designed to be reliable rather than instant - when a hop is down, it'll keep trying for hours or days. Your email client checks for new messages every ten minutes or so - that's much more efficient, and obviously very much not instant.

    You mention a field something like "preference: instant" which would presumably cause all of the servers involved to use some different protocol. At that point it's no longer email.

  23. You replied to my post without reading it, didn't on Canadian Millennials Struggle As College Degrees Don't Guarantee Jobs (www.cbc.ca) · · Score: 1

    You didn't bother to read my post before replying to it, and claiming that it's wrong, did you? Here's the attention deficit disorder version for you:

    Tuition: $4500 / year after tax
    Starting salary of a CCNA + MCSA etc (achieved within 2 years of starting school): $50,000 - $60,000

    So at the end of four years of school, you've spent $18K and earned at least $100K. Explain to me how you are forced to have debt when you make more than you spend?

    A person can CHOOSE a university that costs a lot, and choose not to work, and they will have chosen to have debt. Or they can choose a course of study that two years in, increases their income far beyond what they are spending for school. Sometimes, people choose stupid because they first chose not to know any better - they chose to not research their options. That sucks.

  24. Thanks. Johns Hopkins, other top schools online on Canadian Millennials Struggle As College Degrees Don't Guarantee Jobs (www.cbc.ca) · · Score: 2

    Thanks for that link. I wasn't too concerned about the wording on degree because when I talk to people I can choose how to phrase it, mentioning "Harvard" and "Information Security" before stating the exact title of the degree, but automated filters are something to be aware of.

    The comments in that link mentioned Johns Hopkins has a similar program, without the unclear wording of the degree itself.

    Investigating Johns Hopkins led me to this article:
    https://www.usnews.com/educati...

    I see that Sam Houston State University offers *exactly* the degree I want, at a cost of $10K (about $3,300/year). The Sam Houston brand isn't nearly as strong as Harvard or Johns Hopkins, but it's something to consider.

  25. The debt is optional too on Canadian Millennials Struggle As College Degrees Don't Guarantee Jobs (www.cbc.ca) · · Score: 4, Interesting

    It doesn't guarantee a job, and it doesn't guarantee debt either. The summary says "education only guarantees debt, not a stable job." That's complete bollocks. Debt is 100% optional. Common, but entirely optional. I'll graduate with more money in the bank than when I started school.

    I chose a state school in Texas. Actually it's a state school in many states - Western Governors University was started by 19 state governors. I originally chose WGU because a) I could do the work on my own schedule - there are no scheduled class times and b) it's cheap, $6000 / year, minus $1500 tax credit = $4500 / year. After I started I found out that it's even better than that. For many courses, the final exam is an industry certification such as Cisco CCNA. Two years into school, my certifications led to a job making almost twice as much as I was making when I started school.

    My employer reimbursed $1500 / year of tuition, so after the tax credit my out-of-pocket cost for school is $1,500 / year; meanwhile my income has already increased by $50,000 / year, so the day I graduate I'll have a lot more money than I did the day I started school.

    I could have actually gotten the first year or so free, or for about $500. What you can do is study the material, such as CCNA material, before enrolling. You can watch YouTube courses, get books from eBay, etc. Then enroll after you've studied and get a year of credits in your first few weeks by taking the exams. In fact, for industry exams like CCNA you can take the exams before enrolling and WGU will give you credit for the course - you've already passed the final exam.

    The other good surprise with WGU is that I can do most of my school work 10 minutes at a time, when I have nothing better to do for a few minutes. I study while I'm on the toilet or whatever. 10 minutes per day, three times a day, seven days per week will cover a good portion of the material. In other words - I get my degree by spending half as much time on Slashdot as I used to. :)

    I may get my masters degree from Harvard Extension. That would cost me $20K, but I'd end up with a Harvard Master's degree. A master's from Harvard may increase my income by $10K-$20K per year, meaning it would pay for itself in just 1-2 years.
    https://www.extension.harvard....