Slashdot Mirror


User: Sycraft-fu

Sycraft-fu's activity in the archive.

Stories: 0 · Comments: 11,249

Comments · 11,249

  1. Also in the US the good hackers are often legit on Why So Many Top Hackers Come From Russia (krebsonsecurity.com) · Score: 1

    There are plenty of companies that pay good money for red team exercises, and even have their own red teams (Microsoft has a very highly rated one for example). So if breaking in to systems and networks is what interests you, you can do it legitimately, make good money doing it, and even get sponsored training doing it. SANS has a whole track of courses for red team training.

    Thing is, you don't get called a hacker in popular media when you do that since the term "hacker" is used to mean someone breaking the law with computer related things. You are an Information Assurance/Information Security professional. Your skills are the same as what they call a hacker, even your methods, the difference is you have been hired.

    Now combine that with the fact that the US has more functional law enforcement than Russia and does at least make some attempt to squash cyber crime and is it any surprise we don't see as many in the US?

  2. Re: How do you intercept the e-mail? on Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) · Score: 1

    Password resets don't send plain text passwords. They send a link that can be used to reset the password, a link with a short life generally.

    That aside, you think it is easy to pay off someone at Google to access e-mail? Try it. What you'd discover is first that most people are fairly moral (you may not be, but most are), and second that places like Google have some pretty serious security controls in place. A random employee can't just go and access someone's mail. I don't mean they aren't allowed to, I mean there are controls in place to keep them from doing so. Such a thing is monitored and requires authorization. You'd need to compromise more than one person, and that's pretty hard, certainly more than a "mild challenge". Particularly given that your target is a password reset for some random person's account.

    You seem to be applying 20 year old thinking to the modern IA landscape. Yes, back in the 90s it might have been easier to compromise someone at the local ISP that had all of 10 people working at it and no security controls at all to get in to the mail server. Well, part of the changing world and the "cloud" nature of modern services is that that's not your target anymore. By and large mail is hosted by big providers, who have some of the best blue and red teams in the business working for them. They are hard targets.

    While e-mailed password reset links are not the best way of doing security, they are plenty good enough for the value of what they are protecting. The resources required to compromise such a thing are way in excess of the value you'd gain. So people aren't going to try.

  3. Re:How do you intercept the e-mail? on Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) · Score: 1

    Well first off forgive me if I don't believe your "I'm such a l33t haxor" stories without a bit of proof. I have encountered more than a few people in my career who have supposedly done all kinds of nifty shit, yet have trouble doing even the most basic IA related tasks.

    Second, things have gotten more secure since the Internet started. Source routing is something blocked on almost all networks, switches have replaced hubs (and switches are hardened against things like ARP poisoning now), most systems and networks have stateful firewalls sitting on them, and so on. What worked in 1995 is not very likely to work today.

    However the biggest of all is as I noted in my first post: E-mail is generally encrypted between provider and person today. The biggest e-mail platforms, Gmail, Office 365, etc. do encryption to the endpoint. When you check Gmail, be it via web browser or your phone, Google encrypts the session with TLS and your browser/app decrypts it. That means any data theft on the target's network or the ISP is out, it is encrypted.

    So you are then left with the e-mail host, the company sending the mail, and maybe the transit providers supposing those companies don't encrypt e-mail between them (which they often do). If you really think you can hit Google, well then let's hear how that would go. Lay out the theoretical framework for how you'd get in to their systems to be able to monitor data in transit.

    So no, sorry, this isn't an easy task to accomplish. You'd be far more likely to succeed in attacking the target's computer (as ever) in which case crypto doesn't matter since it is decrypted on their system. Of course neither would a reset e-mail since you could just capture the passwords directly.

  4. How do you intercept the e-mail? on Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) · Score: 1

    I know there's this idea that anything not encrypted is super vulnerable but really, think about what you are saying: How do you mount such an attack? Suppose that someone requests an account reset from Amazon and it is going to their Gmail account. Where do you propose to intercept the message? You think you can realistically hack in to the servers or network at either company? If not there, you'd have to get in to one of the tier-1 transit providers. These are some pretty hard targets. Other than that the only thing you could target is the lines themselves. Of course it is a bit difficult to physically tap fiber in a conduit, and it is a bit conspicuous.

    It is far less feasible to intercept plain text traffic than many geeks make it out to be. It is not impossible, a state actor can do it, or the ISPs themselves of course. But for J. Random Hacker? Pretty close to impossible. Particularly if you are talking e-mail, which these days is normally only plain text between providers, and is sent encrypted to the end user. Getting to tap that traffic would be very difficult, and I'd argue someone that did would have higher value targets than a password reset e-mail.

  5. Where I live your car is listed on State Legislators Want Surveillance Cameras To Catch Uninsured Drivers (arstechnica.com) · Score: 2

    It probably varies state to state but in AZ, your car is listed on your insurance. While the liability insurance is for you operating a vehicle, and applies even if you drive another car, your car is still listed on your insurance paperwork. It also helps determine the rate. If you have a high performance car, you are going to pay higher liability insurance than someone with an econobox.

    So if you found a car driving around, and couldn't find a record for its insurance, good chance the owner is uninsured. It is possible that they are and just neglected to add this particular car (though that could mean the policy wouldn't cover them, which would make them effectively uninsured) but more likely they don't have insurance.

    Not saying I support this spy cam crap (particularly since a private company is running it and, as with speed cameras, they'll try to game it) but it would be something where if you run a car's plate and it comes back as not in the system, 99%+ of the time it is being driven by an uninsured driver.

  6. Those aren't "real" giga/tera on Home Improvement Chains Accused of False Advertising Over Lumber Dimensions (consumerist.com) · Score: 4, Insightful

    Look the metric prefixes up: Giga, tera, etc. are base 10. Giga means 10^9, not 2^30. They always have, they predated widespread base 2 usage. The standard SI prefixes are for base 10, as one of the big ideas behind the SI system is using base 10 for all units.

    Now there are base-2 prefixes that have been introduced, those are Gibi, tebi and so on. If you want to talk base 2 orders of magnitude, you use those.

    However using regular base-10 SI prefixes makes sense since basically everything else in our computers uses that. When a processor says 3GHz it means 3 billion cycles per second, not 3,221,225,472. When a network is "gigabit" it means 10^9 bits per second, not 2^30. When we say DVDs are sampled at 48kHz we mean 48,000Hz not 49,152Hz. It makes sense to display our storage likewise. About the only area where the base-2 prefixes make sense is RAM, since it is actually sold along base-2 boundaries.

  7. I get annoyed as hell with shit like this on Home Improvement Chains Accused of False Advertising Over Lumber Dimensions (consumerist.com) · Score: 1

    There are lots of things in the world with stupid names that are not accurate to their actual traits for various reasons. However when it specifies a given item then it makes sense to KEEP USING IT rather than to try and change things and screw people up.

    An area you see this all the time in is ammunition. Many, many bullets have names that don't match their actual size. For example .380 auto isn't .380 caliber. The bullet is .355, the case is .373. So no matter which measurement you are using, it is wrong. However the round is called .380 auto, so we keep calling it that because people know what it is.

  8. Using a data diode, and careful controls on Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer? · Score: 4, Interesting

    If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.

    A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.

    However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide data to be moved, who approves it, who reviews it, how this is all done and so on.

    If this is really important, well, don't try to do it yourself based on some posts on Slashdot, you need to hire some experts. You also need to spend lots of time in the design and planning stages, you need to carefully consider and document how everything will be set up and all the controls in place.

  9. It may just be runway length on It's Too Hot For Some Planes To Fly In Phoenix (npr.org) · Score: 1

    The reason they might not bother in Phoenix is most of the time, it isn't a problem. Also it isn't a problem for the bigger jets with bigger engines, it seems, just the small ones. Well those are a somewhat new phenomenon. 20 years ago if you wanted a jet, a 737 was about as small as they got. You either used that or went with a prop plane for really short routes.

    The last big expansion to Sky Harbor was in 1989, before those little regional jets were a thing.

  10. It's silly to support HEVC and not VP9 on The Behind-the-Scenes Changes Found In MacOS High Sierra (arstechnica.com) · Score: 3, Informative

    While HEVC is probably going to be useful in the future, since it does offer good compression and the licensing is likely to get sorted one way or another, VP9 is useful NOW. Google will send you videos in VP9 format if it can since not only is VP9 Google's format, but it gets better per-bit quality than MP4/AVC. Well given that Youtube is, by far, the big name in video hosting for the 'net, makes sense to support it. On top of that, Netflix has started making use of it as well. They are the very biggest commercial streaming service. So between the two it is a massive amount of use.

    I can't see why you'd want to add HEVC, which is brand new, still having licensing issues and thus has next to zero adoption before VP9 which is already a major force. I mean shit even Edge supports VP9 these days. Safari and IE are basically the only browsers that don't these days (and IE is deprecated).

  11. Old protocols are a huge problem on Microsoft Will Disable WannaCry Attack Vector SMBv1 Starting This Fall (bleepingcomputer.com) · Score: 4, Insightful

    When you take something that wasn't designed with security in mind and try to expand and adapt it, you have a lot of issues. Better to start with something designed for the purpose it is being used for from the start.

    HTTP is a good example. It was designed as a stateless protocol for transferring text documents with markup. We now rely on it to do stateful transactions for things like shopping carts online and this has led to tons of security issues since you have to hack state onto a protocol that isn't designed to support it using things like cookies. It would be much more secure had it been designed from the ground up to handle stateful transactions with people.

    IP is another great example. There's all kinds of shit in IPv4 that is completely stupid from the perspective of a protocol used on the Internet. Like source routing, where you can specify the routers that a packet must go through, or the fact that you can just claim to be from any IP you want. This is a bad design for a global communications network. However it is that way because IP wasn't designed for a global communications network, it was designed for an ARPA project and it grew. IPv6 fixes a lot of this because it was designed later, around how IP is actually used these days.

    Also talking about X Windows is funny because man, you wanna talk security risk, X is a huge one. If you have an X server that talks on the network, any system on the network can just draw to your local display, and you have no easy way of knowing that it isn't your system. Someone can phish passwords in a very hard to detect way using it. Now of course most distros are smart enough to block remote X using the firewall, and you do something like tunnel it over SSH. However that is a hack, it is putting up barriers around something insecure. If those barriers are bypassed, the insecurity is still there. Better if it were designed secure from the ground up. Then you still put the barriers in place as well so that you aren't relying on any one level of security.

    Discontinuing the use of older protocols is a good idea for security, when possible. It isn't always possible, of course, I mean IPv4 is still far and away the most widely used IP spec. But you stop using them when you can (and indeed modern OSes will prefer IPv6 when they have both available).

  12. The reason big government contractors get so much work is not because most government agencies would prefer it that way. Most would rather do things in house. Any efficiency arguments aside, it makes their little empire bigger. Rather it is because there is pressure at the top to do business with contractors who, unsurprisingly, are big donors.

  13. No shit on We Could Have Had Cellphones Four Decades Earlier (reason.com) · Score: 4, Insightful

    Particularly since cellphones as they actually were/are, meaning phones that work with individual radio "cells" and move between them, need computers to work. They don't have to be amazing computers, but they need some computer logic to handle dealing with dynamic frequency assignment and handoff between towers.

    That one piece of a technology, even an important piece, existed at a given time doesn't mean the tech could happen. Many devices require a confluence of a number of technologies before they can happen.

    Smartphones are an example. They aren't particularly a novel idea, we've seen shit like them in sci fi for a long time. However to actually be a thing on the market we needed a lot of shit:

    --Processors had to get fast enough at a small enough size
    --Displays had to get small, light, and low energy
    --Batteries had to get sufficient energy density
    --Silicon based storage had to evolve to usable levels
    --We needed wireless digital communication
    --We needed the Internet (or something like it to have something worth connection to)

    Without any one of those things, you don't have a workable smartphone. That they started to rise to prominence when they did isn't some amazing stroke of genius or luck, it was because the various technologies had reached the needed point.

  14. Re:Hire some support engineers on Google Hires Key Apple Chip Architect To Build Custom Chips For Pixel Phones (variety.com) · Score: 1

    Google's short support is also amusing to me since they love to snipe at Microsoft about security issues, yet the security situation on Android is garbage.

  15. When we bring someone on, they do NOT get root/admin to critical servers their first day. They have to be off probation first, which is 6 months where I work. Even then, credentials for things are not on a document. That is just asking for them to get lost or stolen. They are given on a wallet sized card, written specially for that person, and they are instructed to keep them safe until memorized.

    The reason is, of course, to prevent fuckups, as well as to make sure we trust them fully. The idea of giving someone full access to critical stuff on day one is stupid. Shit it sometimes takes more than a day for them to get access to e-mail and all that just because of all the other things they need to do.

    This is 100% on the company. Have working backups, CHECK YOUR BACKUPS, and don't give a new hire a sheet with access to your critical data.

  16. OpenVPN isn't bad on Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN (eweek.com) · Score: 3, Informative

    It is fairly easy to set up and supports new protocols. Linux seems to support it reasonably well and its Windows implementation isn't totally retarded.

    However really, it is worth your while to invest time and effort in learning IPSec. I know it is a pain in the ass, I've done a ton with it. However it is powerful. The reason it is complex is that it can be used for basically everything. It is a general purpose encryption and authentication method for IP. It is also a mandatory part of the IPv6 spec so going forward it is just going to be a thing that all systems will have.

    It also has the benefit of being widely supported. While not a lot talks OpenVPN, nearly everything already talks IPSec.

  17. Motive can determine what kind of crime something is. So let's say you hit someone with your car and killed them. Suppose you did it because:

    --You were swerving to avoid hitting someone else, your motive was to avoid hurting another person, not to hurt them. That would likely be no charge, but at most Involuntary Manslaughter since there was no malice, no intent to kill.

    --You swerve to hit them because you believe you see them strangling an animal, and it makes you fly in to a rage and want to hurt them (but not necessarily kill them). That would be First Degree Manslaughter.

    --You swerve to hit them because they are a person you hate and they flip you off and you decide that fuck it, they deserve to die for disrespecting you. That would be Second Degree Murder.

    --You swerve to hit them because you set out to kill them, you were looking for this particular person with the express intent of killing them when you found them. That would be First Degree Murder.

    In all cases they are dead because you swerved in to them with your car. However the law can treat you very differently based on your intent in the case. It is codified in to law that why someone did something matters, a whole lot.

  18. Ya I've never understood this Facebook paranoia on Pirate Bay Founder: We've Lost the Internet, It's All About Damage Control Now (thenextweb.com) · Score: 2

    It is not like it is mandatory, and I don't see it going that way either. I know a lot of people who use Facebook all the time, who are glued to it. I know a lot of people who use it occasionally but don't give much of a fuck. I know a lot of people that don't use it at all (I'm one of those). This spans all ages too. There is this false idea that every single younger person is glued to Facebook so in the future it'll be the only way to communicate. Nope. Plenty of our students don't give a fuck about FB, whereas others love it. Same shit with older people.

    So far I've seen no indication that not using Facebook makes you an outcast, unable to get jobs, unable to travel, or anything like that. As such if you don't trust it, don't feel what you give up is worth it, or just plain don't care, then don't use it.

  19. Those are called FPGAs on DARPA Funds Development of New Type of Processor (eetimes.com) · Score: 3, Insightful

    Generic chips that can be programmed in to anything you want in the field. It's a huge industry, they get used in everything from your car to your TV, but they have limitations that mean they are never going to be a be-all, end-all.

    There's a place for processors, FPGAs and ASICs, usually all combined.

  20. Ya my doctor noted this as a possibility on Home Blood Pressure Monitors Are Wrong 70 Percent of the Time, Says Study (arstechnica.com) · Score: 1

    And told me to get a home unit, and bring it in to test it. His assessment differed from this in that he said that "most home blood pressure monitors are accurate". I brought in mine, the nurse tested it, and said it was accurate. The readings weren't 100% the same as what she got, but then they normally vary second to second anyhow.

    Also of note is that she was much more careful with the test when testing my unit as opposed to normal. For both their and my unit she had me sit quiet and still, she made sure to place the cuff in the same place, and she took the reading slowly on their manual unit. On a normal physical she places the cuff over my shirt and drops the pressure quite fast.

    Now I would guess this is because they aren't that worried. My BP is normal to the high end of normal, but is normal, when measured at home and is on the high end of normal up to just at the bottom of the pre-hypertension range at the office. So I would guess she's not that concerned with having it right down to the mmHg, within 10 is probably good enough. If it hasn't changed much since last time, no need to worry and no need to spend a bunch of time being super precise.

    Now maybe my doctor is just lax and stupid, but he doesn't seem that way (and his background/credentials don't indicate that). However maybe this journal has a bit of a bias in wanting to over-diagnose hypertension and/or push that physician measurements are the One True Way(tm).

    To me it seems silly to worry about 5% or less error on a test like this. The fact that BP ranges neatly line up on clear decimal lines should tell you that the specific numbers are guidelines only, not maxims. It isn't like they did some measurements and said "My god at precisely 140mmHg blood pressure becomes unhealthy and at precisely 120mmHg it becomes a complete non-factor!" Of course not, rather based on medical knowledge they established the normal, pre-hypertension, hypertension, and hypertensive crisis ranges and set them along base 10 boundaries because we like that.

    It is a guide to trained professionals, not a stress point past which there is a sudden failure. Your doctor isn't going to treat it radically different if your BP is 141/91 vs 137/89. They'll evaluate what kind of treatment (if any) they think you should have based on a number of factors about you.

  21. May be closer than you think on Boeing Studies Planes Without Pilots, Plans Experiments Next Year (seattletimes.com) · Score: 2

    While I'm not ready to go all in on AI controlled planes yet (or let's call them something else like Expert Systems, they aren't real AIs) I think starting to test is very valid. We are able to design systems with very good decision making capabilities these days. It is conceivable that we will soon be able to make them on par with humans, even for extreme cases like 1549.

    It is certainly an area worth putting R&D in to.

  22. Lynch is no longer a federal employee, and unless she tries to return to government or run for office, it doesn't matter much. President Obama has served his term, he's done now and he won't be coming back. So how does it matter what happened during her tenure? She and her boss are out, that's it, it's over.

    Or do you mean because you think Clinton should be prosecuted? Well guess what? She lost the election, and is also likely done. That aside Donald "Lock her up" Trump is now President and controls the justice department. He could push for it, if he wanted, yet he has publicly said he isn't going to.

    So how is it in any way the "key takeaway"? You are as bad as the liberals who kept pointing to shit President Bush did to try and excuse things President Obama did. The important takeaways are about the administration in power NOW. They are the ones that can cause problems, they are the ones that need to be looked at. The old administration is old news. The bad shit they did is done. Worry about the present.

  23. Re:Two reasons on What the Hell Is Happening To Cryptocurrency Valuations? (techcrunch.com) · Score: 1

    Well then you don't like bitcoin because it has built in deflation. You should in general like fiat currency as it has moderate inflation overall. Gold had alternating periods of large inflation and deflation.

  24. Two reasons on What the Hell Is Happening To Cryptocurrency Valuations? (techcrunch.com) · Score: 3, Insightful

    First is that gold bugs hate inflation. They see it as the ultimate evil. They like deflation. Well gold can lead to deflation, and likely would in the long run due to its limited supply, but bitcoin is guaranteed to have deflation given its design. So they like it because if it is used it would guarantee deflation.

    The second is something you might have guessed from the first, it is because they don't know shit about money. They don't really have an understanding of what makes money what it is, or what makes a given currency good or bad. They see big amounts = good, big gains = good. Since both gold and bitcoin have been on a run as of late, that makes them good.

  25. Re:M$'s continual bandaid solutions continue to fa on WannaCry Exploit Could Infect Windows 10 (threatpost.com) · Score: 1

    UAC is not a sudo replicant, it is a tool for easily escalating to a privileged user. It is akin to what you see in many modern Linux GUIs when you try to run something, it asks for escalation and then runs as root, often for a period of time thereafter. Also your understanding of how UAC works is incorrect, you can have it change user contexts if you wish to set it up that way. You can tell UAC how to operate. Normally what it does is present even administrators with a restricted security token until they escalate.

    Fine grained sudo control is more akin to Just Enough Administration (https://msdn.microsoft.com/en-us/library/dn896648.aspx) though that is even finer grained sudo.

    Much like the original poster, please don't spout off if you don't know what you are talking about. There's a lot of documentation on the Windows security model out there, if you want to look in to it. However trying to criticize it when you don't understand its functionality is silly.