Slashdot Mirror


User: akad0nric0

akad0nric0's activity in the archive.

Stories: 0
Comments: 65

Comments · 65

  1. This may soon be a moot point on Cable Internet Service Not Common Carrier · · Score: 2, Interesting

    At least, for consumers in metropolitan areas. This is a big deal now, but as ISPs begin offering wireless access in metropolitan areas, there won't be a monopoly-controlled medium like the cable or telecom infrastructure to wrestle over. Verizon is already doing this over their cellular network. It's not exactly the same, but it marks a move in that direction, IMO.

  2. Things that need to happen to address this problem on LexisNexis Breach Worse Than Believed · · Score: 2, Insightful

    Among the most important, IMO, are:
    1) More news coverage. As we've seen with many things in the past few years, only if it's on the news a lot will US citizens get upset. It's a sad commentary on the education of our population, but it's true. See also: Terri Schiavo.
    2) Legislation. Time and time again, corporations (and indeed entire industries) prove that when their bottom line is involved, they will not self-police.

    While other things in the world are certainly news-worthy, I hope this one doesn't get overlooked. If you're upset, write your senator or representative. Urge them to support Dianne Feinstein's legislation on tougher data-leak laws. I would, but I live in DC, which means I'm taxed but have no representation.

  3. Re:City Wide? on Dayton, Ohio: Free City-Wide WiFi · · Score: 2, Interesting

    This is a great idea.

    I couldn't agree more. Many midwestern cities like Dayton and Cincinnati are experiencing a major problem getting people into their downtown entertainment districts outside of the 8-5, M-F work-week due to explosions in the suburbs. Offering something like this is a great way to improve publicity of the struggling city-centres and attract more revenue downtown. Even if it isn't heavily-used, its mere presence will be a boon to the downtown merchants.

  4. Re:Fingerprinting on Tracking a Specific Machine Anywhere On The Net · · Score: 4, Interesting

    This is definitely beatable, but the individual being monitored would have to know he/she is being monitored. For catching less computer-savvy criminals, it might help.

    However, I share one concern with you: just because my clock skew is 2.138ms doesn't preclude someone else from having the same skew. Not having had time to read the whole paper, I would like to see data on the probability that two computers may have the same clock skew. If it's 1 in 1000, that doesn't get you far considering the number of unique hosts sending packets across the ether. Also, remember this is only limited to IP protocols that can provide time data.

  5. Re:RTFP on Symantec Patents Multiple File Area Virus Scanning · · Score: 3, Insightful

    I agree. What seems to be happening here is that Symantec is patenting a domain-specific framework for creating code that will analyze files for malicious patterns. While it is a bit broad, at the same time it's innovative and certainly useful.

    I'm as big of a critic of the US patent process as anyone, but there are plenty of legitimate patents out there, and on the surface this appears to be one. If they try to enforce it in an overly-broad manner, shame on them, but the patent itself sounds legit.

  6. Re:Once again... on Court Docs Reveal Kazaa Logging User Downloads · · Score: 1

    But 99% of the time, it's not.

    It doesn't matter. If "Guns don't kill people, people kill people" works as an argument, then "software doesn't violate copyright, people do" should also work.

    Ask anyone seriously into electronic music, indie music, or anything else not created by an RIAA profit algorithm how much copyrighted music they download, and you'll find it's very little.

    I get many mixes and tracks by DJs/producers off of P2P networks because there is no other place to get them, the albums are out of print, or they're not copyrighted.

    P2P is a tool. Just because others use it for illegal purposes doesn't mean you should punish me as well.

  7. Getting what you came for... on Advice for Returning to School After Long Break? · · Score: 1

    I'm in the exact situation you are in, and in a week I'll start classes for the first time in 4 years working for my MS in CS.

    A number of friends of mine who have already been to graduate school all highly recommended this book: Getting what you came for... by Robert Peters. I haven't even started my first semester yet and I've found it to be enormously helpful.

    Best of luck!

  8. Re:Nostradamus Predicts on Netcraft Releases Anti-Phishing Toolbar · · Score: 1

    Users need to learn not to assume their computer and the Internet are safe and instead educate themselves on how to recognize scams themselves.

    The problem with this logic is that the phishing scams are so good, many "educated" users can't tell the difference. Take for instance the phishing scams that pop-up an image over the URL bar (with no borders) that makes the page look like http://www.citibank.com/ with a login page identical to the real thing. Of course, in the real URL bar, www.hackers-r-us.com shows up, but it's covered with the image of a legitimate URL. You can't expect users to be able to identify this, and you can't really call this user ignorance...

    What I wonder is how long this will be effective, before phishers find ways around the toolbars (assuming they catch on in the first place). This arms race continues to underscore what I see as the root of the problem: poor coding that allows many of these tricks like the one mentioned above to happen in the first place.

  9. Re:Scaling claims & Installation complexity on What Do You Look For in a Big Iron Review? · · Score: 1

    I'm not sure, to be honest. This fiasco is partially why I left that organization, and it was replaced after I left.

    A correction: I obviously wasn't taying appention when I posted this comment - It was $500K, not $500M... d'oh.

  10. This is a good thing... on Feds To Have Unified Biometric Federal ID System · · Score: 2

    We aren't talking about a national ID card, people. It's like having a badge for work, except it works in multiple physical locations.

    It's absolutely ridiculous that access is controlled at each facility by a completely separate system. Contractors that have to go between contracts, or have a client spread across multiple buildings, currently have to carry a valid ID for each building they access. It's a major pain.

    People always complain about government inefficiencies. This is a good way to limit one aspect of that problem.

  11. Scaling claims & Installation complexity on What Do You Look For in a Big Iron Review? · · Score: 5, Interesting

    I've worked with too many companies whose products *do not* scale the way they claim, or whose products will technically scale, but are at that point virtually useless. Use bogus data, who cares, but test the data volume, throughput, storage, archival, etc. to the limits and make sure the product is still useful. This is the single biggest problem I've had with enterprise installations, and the problem as an architect is that it's difficult to test on a very tight timeline for product evaluation. I've had egg on my face more than once because I had to take the vendor's word for it.

    Second, install the application yourself. Don't let the vendor do it for you. And when you install it, install it as an enterprise would. That is, if it's an n-tier application, or has multiple components, don't take the "default" installation and put all of the components on one system. Of course this will work. Try distributing the components over multiple systems like an enterprise would. Often this is where the complexity comes in and products falter.

    One company I worked for purchased some software from Tivoli. After 6 months, and a team of engineers onsite from the vendor, they still couldn't get the components to talk for more than a day without problems (after weeks of installation), and still couldn't get useful data out of the database due to its size, so we took our $500mil back and bought something else. Having an evaluation that would've tested this would've saved us a bundle.

  12. Re:should the gov decide who has the right to marr on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    But what is the difference between a man marrying a woman, a man marrying a man, and a woman marrying a woman? [snip] We're not talking about polygamy here, or animal husbandry

    No, we're talking about the penis, stupid.

  13. How does it compare on Tao of Security Monitoring · · Score: 1

    to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak (ISBN# 0735712654)?

    Would you consider this a complement to, or overlap of, the aforementioned text? If so, in what ways?

  14. No surprise... on TiVo-like Application for XM Radio Under Fire · · Score: 1

    since one of XM's primary investors is ClearChannel, burglar of musical culture. That's why I bought Sirius Satellite Radio, which has comparable programming.

    I'm still shocked that Howard Stern, now-perennial ClearChannel hater, is even entertaining the notion of going to XM...

  15. "from the better-hope-they-don't-strike-oil dept." on NASA Preps Mars Underground Mole · · Score: 2, Funny

    No kidding. I'd hate to see our troops bomb the crap out of, then occupy Mars under suspicion of "weapons of mass destruction".

  16. Re:Load gun -- shoot foot... on Record Labels Push for iTunes Price Hike · · Score: 2, Interesting

    I was a P2P convert. Started buying music on iTunes and everything. I enjoyed quickly downloading something when I had the urge, without the hassle, even if it set me back $10. I don't *enjoy* pirating music. Hell, I'm an artist myself.

    But I'm also not willing to be a financier to an industry that stifles musical creativity and gouges consumers. When I got music at a fair price, it solved half of that problem, so I supported the technology. Now, it's back to square one, and so am I.

    Congrats, RIAA, you just made another P2P music pirate out of a paying consumer.

    *digs up old Gnutella client*

  17. Re:interestingly on Tech Companies Ask U.S. to Regulate Cyber Security · · Score: 1

    drifting a bit off topic, but...

    there's an inherent problem in the "regulations" in the banking industry: the audits are a joke. Having been there, worked that, I can tell you it's really a joke. The "pre-audit, create some procedures so it *looks* like we're secure, real-audit" process is a farce. Nobody ever let me take a practice test in college that was identical to the real test so I got a second chance to pass. And my tests never consisted of exams like "do you know the material? Oh, you do? Great, you pass!"

    The auditing is there but there's very little enforcement... UNTIL the institution in question screws up and costs investors a load of cash. Only then is anything enforced. The integrity of these audits and the people involved should be called into question.

  18. Re:/. sums it up nicely for once on Corbis, DMCA, And John Kerry Photos · · Score: 1

    And you DO know his wife's maiden name, right? A well known condiment.

    Relish? Nope, never heard of her...

  19. vice versa? on Learning Unix for Mac OS X Panther · · Score: 3, Interesting

    I'm an experienced *NIX admin who just got his first Mac (a Powerbook, and I'm hooked), and I'm struggling through what exactly *does* and *doesn't* translate from BSD to OS-X 10.3. I'd love to see a book that covers - to some degree - the differences. Anyone have a recommendation? Perhaps this book will be a close fit...

  20. EFF on Price-Fixing Settlement Checks in the Mail · · Score: 3, Informative

    Give our HUGE check to the woman fighting the RIAA, that would be good :)

    Why not donate your check to the EFF? Not that individuals can't have noble causes, but your money might be better spent at an NPO or similar organization that fights for your rights as a consumer...

  21. heap overflow? on Microsoft Sits on Security Flaw for Six Months · · Score: 5, Insightful

    A very big deal is going to be made about this. Feel free to correct me (or mod me down) if I'm wrong, BUT:

    From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?

  22. RIAA protection public protection on Congress Eyes Whois Crackdown · · Score: 1

    Anyone else find it a horrible affront to society and the constituents of these congressmen that they make this an issue when the RIAA whines about their damned copyrights, but have sat idly by while other REAL crimes take place - like defrauding said constituents out of millions of dollars?

    I do.

  23. Re:Diebold knows security like I speak Klingon on Maryland Electronic Voting Systems Found Vulnerable · · Score: 1

    Off-topic mostly:
    No, I'm not a huge trekkie. Just a casual, watch-it-when-I-surf-by-it fan.

    And, obviously, WinXP on ATMs was not cleared by any internal infosec ppl before it was implemented at the organization.

    Business Line::InfoSec
    -as-
    Marketing::Engineering

  24. uh oh... on Spirit 'Will Be Perfect Again' · · Score: 1

    ...sounds like someone forgot to mount /var on its own partition... :-)

    c'mon, what *NIX admin hasn't made that mistake at some point? Process goes apesh*t, fills up /tmp or /var, which is mounted with /, and BAM it's a walk down to the datacenter.

  25. Diebold knows security like I speak Klingon on Maryland Electronic Voting Systems Found Vulnerable · · Score: 5, Interesting

    I worked for a nameless financial institution. We had a certain number of Diebold Windows XP ATMs. 100% got infected with a virus that exploited a well-known vulnerability. We demanded Diebold agree to forfeit admin control of the systems or patch them within a short window of patch release.

    Their response: "We'll put firewall software on the machines."

    Since the contract was already signed we had no leverage and that ended up being the solution. Nice, eh?