there's nothing in the post she pointed to that I find disturbing
Maybe, but you are not her. Different people have different comfort levels with threats of bodily harm. I am not sure that your post reflects an appropriate standard for all victims, and I suspect that you would change your tune fairly rapidly if you, yourself, (or, worse, someone you loved) were the target.
Going so far as to suggest this is something new that's being caused by the internet just seems ridiculous
I don't think anyone familiar with Usenet thinks this is anything new, but it must be acknowledged that the Internet has greatly facilitated this sort of anonymous abuse. What's different from Usenet in this situation is that it is entirely within the ability of individual bloggers to stop this sort of abuse by their participants.
trying to paint it as a byproduct of the culture of men in software development is even more so.
I wish I could say that I agree with you, but I work in information security and have responded to a number of internal online sexual abuse cases over the years. Your assertion does not completely correlate with my personal experiences with software developers. As with any male-dominated culture, there's a certain percentage of men who think that behaving rudely, crudely, and threateningly towards women is just fine. This is true in any culture; what's important is the group's tolerance for repellent, abusive behavior towards a female minority, and a principal sign of a lack of cultural maturity in this regard is for those not directly involved to sit back, as you just did, and say, "oh come on, it's not so bad, she just needs to get a grip", which is really just a backhanded way of condoning such behavior.
The claim of poor retention is increasingly a stock claim made by plaintiff's lawyers. The Federal Rules of Civil Procedure increasingly place a discovery burden on all organizations. Anything and everything electronically stored is subject to electronic discovery, and if you don't have a retention policy that deals with what is subject to discovery when litigation is "reasonably foreseeable", you can be sure the opposing attorneys will point that out, even if it is BS.
There is nothing magical about a library. They started as private citizens, not as government entities.
Maybe, but now public libraries are chartered and have a specific mission. You are right that this would have prevented public libraries from ever forming, but now they are here and that fact can be taken into account in legislation. So in that sense, they are 'magical' in that they can be exempted.
The party shift in Congress won't change anything regarding the DMCA or copyright. Although fair use is certainly important to many Democrats, the concentration of IP rights in the hands of a few large companies at the expense of consumer rights has been a depressingly non-partisan issue.
So all this time I guess I should have put the tinfoil in my shoes.
When I was a lad, Heathkit marketed an educational analog circuit-building kit wherein the circuit elements (resistors, capacitors, transistors, etc.) were encased in Lego-like bricks and connected on a Lego-like board instead of a breadboard. It was great fun - my brother and I built every circuit in the book, and then some - but unfortunately the kit interoperated a little too well, using the exact same dot-matrix as real Legos. We could snap real Legos right into the circuits. The kit came off the market very quickly and my understanding is that the settlement with Lego contributed to Heathkit's eventual demise. Oh well.
(If anyone out there has the kit and wants to sell it, drop me a line.)
He forgot the highly accurate Hollywood search engine, which enabled Tom Cruise to put a Bible verse into an Internet search engine in Mission Impossible and get three hits, yet not support Boolean searching until Deanna Troi invents it in Star Trek: the Next Generation.
Surely anything is worth testing so long as it's never been formally tested, if only because the exact nature of a given relationship can always been characterized more precisely.
What you say is technically true, but not necessarily economically viable. Also, I think you are assuming that these guys are doing new and unique work. They are not.
Likewise, I think it's a good idea to test all of this because yes, "Duh," people can make money hacking and it's been happening a lot more lately. How much more? How much money are they making? Is a script kiddie as likely to get approached to do a "job" as a more experienced hacker? Etc.
These are good things to know, but a lot of my comments are informed by the fact that I work in this field (information security) and have seen similar approaches fail for similar reasons. It was this sort of self-selecting survey approach that caused so many people to completely miss the rise in criminal motivation and activity in the so-called "hacker community" a few years ago. The fact was that the composition of the community (really a superposition of communities) changed but researchers were still focusing on the same people for cultural reasons, and because their methodologies and protocols were similarly weak.
Also, the blithe request for network forensics, with absolutely no information presented on methodology of analysis, or even the handling of the data, really stuck in my craw. Having reviewed these guys' website, I have no confidence that they know what they are doing.
There is actually some really interesting work being done in this same area (modeling hackers and so forth) by some of the bioinformatics crowd, but the approaches I've seen so far stress a bottom-up approach (e.g. observe them in chat rooms and on usenet, try to connect new exploit code with this developer or that, etc.). I imagine this would probably meet your requirements for rigor more than what we see in this article.
Agreed and agreed. It's not so much 'rigor' but that the line of enquiry bear fruit. The Kilger work cited earlier was 'mere' phenomenology, but leverages existing law enforcement profiling technique and has been shown to be practical. Arguably practicality is not the whole end goal of scientific enquiry, but, like physicists, I would hope that information security researchers bear in mind that they are constrained to reality. There's also some neat stuff being done by analyzing social networks formally (i.e. mathematically).
The fact that they have given support to something we already "know" is not a valid grounds for critique, so I must assume you are criticizing their actual experimental methodology.
I'm criticizing both. I see your point re: first-stage methodology, but it sounds like they're handing out surveys to people who fit a preestablished profile through self-selection, which fails Psych Stat 101 as far as the validity of their results. Beyond that I cannot say, since their website is long on appeals for credibility and short on experimental protocols. I have no idea what they "could be" testing, but the tone suggests that their literature review has not yet been done.
As to the validity of critique: please. I can't imagine anyone with a background in profiling criminal behavior on the Internet finding value in the aforementioned statement, and I can't imagine anyone with a background in research seriously asserting that a hypothesis so obvious is worth testing.
Generally speaking, it comes out that hackers are usually brilliant, inventive, and determined. They generally feel anger and rebellion towards authorities and narrowmindedness, seen as a menace for civil liberties. Hacking is conceived as a technique and a way of life with curiosity and to put themselves through the hoops, or as a power tool useful for raising awareness among the general public about political and social issues. Normally, they are driven by the love for knowledge. Nevertheless, there are also hackers who have profit purposes and, therefore, practice phishing/pharming, carding, or industrial espionage. Their preferred targets are military and governmental systems, as well as information systems of corporations, telecommunication societies, schools, and universities, but also end users and SOHO.
You've got to be kidding.
What's the methodology for this profile? Googling the word "hacker"? Please. Tell me something I didn't know years ago. (For example, MEECES.)
Seriously, these guys sound like they have a seriously flawed survey methodology, in that all they are doing is self-selecting their sample and parroting the results. Moreover, I don't see how they plan to create anything useful out of the forensic data they expect everyone to send them. In that regard, I see little difference between what they say they are going to do and what the Honeynet Project has been doing for years.
32 states have similar laws. Disclosure of identity data *only* may not be sufficient cause. But if you think there's an issue and you're in the proper jurisdiction, a letter to the firm copying the state attorney general might be helpful.
assuming that you live in or are doing business in the USA
In the banking industry, the applicable regulation is fairly strict... the institution must "promptly" notify customers of a material breach and there are relatively few loopholes. So if your broker or whoever was part of a bank, then this would apply. However, if your e-mail address was all that was compromised, they don't really need to notify you. By definition, e-mail addresses are not private information, any more than your physical address is. A number of states, notably California, have privacy laws that can be invoked, but the trigger for a material breach is usually the compromise of a combination of personal identifying data such as name and address (including e-mail addresses) and sensitive nonpublic personal information such as login credentials, account numbers, etc. You might see whether there is a law in your state that applies.
You are very good at responding to questions in such a way that it looks as though you have answered them, when in fact you have sidestepped them.
At the risk of being modded down, let me say that I tangled with daveschroeder myself awhile back and this was my experience as well.
No, you weren't.
Well said. This is why I tell my clients not to rely on lawyers for business advice. It's useful to come to them with technical questions about the law, but never ask them anything along the lines of "what should I do". Going on record with any sort of interpretation at all makes them very tongue-tied. That being said, these guys are really going out of their way not to elaborate on their answers. PR geniuses they ain't. (Perhaps that has a bearing on their stated lack of success in court?)
In order to get an answer from a lawyer, you have to have *exact* terminology. Now you know how normal people feel when they talk to computer geeks ;)
Yes, and successful computer geeks (and, for that matter, successful lawyers) are those who can parse technical concepts and terminology for their clients. I have to agree with most of the above criticisms - if these guys had anything on the ball, they could easily have expended a little effort to interpolate the questions. Do these guys understand that this is one of the most popular sites on the Web; that thousands of people will read this? This is not the place for flippant snark, and they've basically reinforced some basic stereotypes of lawyers as well as blown a big chance.
Much of his advocacy against manned space exploration stemmed from the political reality that the budget for unmanned scientific missions was repeatedly gutted to pay for manned missions of negligible scientific value. This was certainly the case in the Reagan eighties.
He also publicly argued, less than a year before the Challenger disaster, that a catastrophic failure of the shuttle was inevitable due to its complexity. As I recall, he was pretty much alone in this at the time. I also recall that the Challenger mission was, in terms of numeric order for all shuttle flights, fairly close to the mean failure rate he calculated.
Ironically, the parent post and much of this thread neglect the third thing he should be remembered for: he was the godfather of the US space program. The International Geophysical Year international research effort, which began in his living room in 1950, was the key catalyst for obtaining governmental support for space science and led to pretty much everything else that NASA has ever done. Without him, space science might well have been sidelined in favor of militarization instead.
The regulatory action in the USA to encourage banks to improve authentication is an attempt to short-circuit the possibility of a major shift in liability, which could have a lot of unintended consequences for both banks and consumers.
I believe this kid-tracking service was previously (c. 2000) marketed to parents in Europe, then subsequently the ability to turn it off was marketed to the kids.
Amir, if you want to refund my money you know where to contact me, and this page will disappear forever.
Waaaay too late for that.
So, basically this is a press release for a security portal with ambition. This is fine, but did anybody other than these guys perceive a crying need for a new security portal? 'Cause I sure didn't. If I start one, will Slashdot post that story, too?
Microsoft gained a strong foothold in Arabic-speaking countries early on due to strong language support. Do you believe that Arabic language support in software and documentation from US and European vendors is all that it could currently be? What other advice would you give to software producers looking to penetrate the Arabic-speaking market?
Sandi Gibbons, spokeswoman for the Los Angeles County district attorney's office, refused to call Heller a "whistle-blower." "We call him a defendant," she said. "He's accused of breaking the law."
OK, Sandi, I refuse to call you a "prosecutor" or, for that matter, a "public servant". I call you a "thug".
Oh, wait, you're a PR flack. Perhaps "stooge" would be more appropriate.
IT insurance is one thing that just hasn't taken off
That's changing fairly rapidly as the cyberinsurance offerings mature and as the actuarial metrics improve. The emergence of generally accepted standards of due care is also helping. The folks I've talked to recently in the insurance industry (at AIG and Gallagher, to name two) are selling it hand over fist.
It's also worth noting that not all IT risk is covered by specialized insurance. A fair amount of IT-related business risk can be covered by general business insurance.