Slashdot Mirror


User: _Sprocket_

_Sprocket_'s activity in the archive.

Stories
0
Comments
5,182

Comments · 5,182

  1. Re:Hyperviser on The Decline and Fall of System Administration · Score: 2

    Why even sacrifice downtime trying to troubleshoot an issue that could be resolved within minutes?! Now, if it happens again the following night, you do have a deeper problem and should investigate it further, because constantly restoring the machine is now the inefficient part in the process. It's like we've lost common sense in favor of our technical ego.

    You make a fair point. However, the fundamental question is more complex than you're giving it credit for. There's always the question of tradeoffs between immediate, fast fixes and long-term advantage. That has to be balanced with the situation at hand, of course. But there are times when the initial time / effort investment pays off in the long run. And that trade-off is as much a philosophical question within the admin world as a technical one.

    Quite a few years ago, we were migrating our institutional firewalls from one product to an entirely different product. Large institution. Very large and complex rule sets consisting of a lot of legacy. We pared down the rules a bit by taking advantage of the effort to audit out some legacy cruft. But we still had a pretty impressive configuration to convert between legacy and new environments. Eventually the rules got split between two of us - I got one firewall boundary and a co-worker took the other.

    My co-worker got immediately to work on his portion of the rule-set. He was a very hands-on kind of guy. His tactic was to read a given rule from the legacy system and manually write up the equivalent rule (including various objects, groups, etc.) for the new system.

    My tactic was different. I created a few test files based on a sampling of legacy objects. I then went to work creating several scripts that could be run in sequence to do specific tasks that would convert our legacy configuration files to a configuration file for the new environment, as well as a simple expect script that would load that configuration into the target devices when the time came.

    I have to admit that I was knocking off a fair bit of rust during my scripting exercise; my script development was far from efficient. So I wasn't too surprised that my co-worker was churning through configuration well before I had a functional, error-free script. It was a little disconcerting when he announced his config. file was complete before I had my script. Which had me questioning whether I was doing the Right Thing by spending time developing scripts instead of just banging out a config. file. But shortly after my co-worker's announcement, I had my script converting legacy to new configurations. Even if I had wasted time writing scripts, I hadn't wasted TOO much time.

    Then came the sanity checking. We swapped config files and went over each other's configurations with new eyes. He manually spot-checked my work. I ran his legacy config file through my scripts and then compared my script's config to his manually written config. That was the first dividend. I uncovered numerous typos very quickly.

    Then came the implementation. I won't go into details and make an already long story longer. But in the middle of a massive down-time, we discovered some fundamental mistakes in how the firewall was being deployed. We would have to rework the firewall configurations. We were already past the half-way mark, everyone was tired, and it seemed like we'd have to pull the plug and go back to legacy while we re-grouped and scheduled another major outage to try again at some future date. It wasn't Fun Happy Time. I pondered over the situation. I realized that if I made a few adjustments to the outputs of my configurations in between running the various stages of my conversion scripts, we'd have our new configuration adapted to the new reality. I ran my scripts. And despite the limited time and our fatigue, I was able to produce the config we needed to press forward. The deployment was a success.

    In the end, there were two competing strateg

  2. Re:iPhone suddenly looks wise on Google Pulls 21 Malware Apps From Android Market · Score: 1

    Bully for you. I'll stick with my Android device. I knew this was a risk when I bought one and the relative freedom is well worth it.

    So should we give this horse corpse another few kicks or do you think we've gone about as far as we can go with it?

  3. Re:Score one for Anonymous. on Contents of Leaked HBGary Emails Reveal Wrongdoing · Score: 1

    Really. What branch of law enforcement? HB Geary Federal is a private company selling services and products (and no small amount of snake oil from what's being described).

    One of their big customers appears to be the FBI. So, that's who I'm talking about. And yes, HB Geary is more than just a contractor for the FBI, but it seems that being a contractor for the FBI is a big part of their business.

    True enough. But how many of these blue-sky ideas did the FBI buy in to? Nothing indicates that HB Gary Federal is that large of a company. And although the FBI might be a major part of their business, keep in mind that at this point it appears that they were having trouble drumming up enough business to keep going. I still find it quite a stretch to consider them as any equivalence to law enforcement. And even if they are providing tools to law enforcement, it makes them no more law enforcement than the manufacturer of guns, handcuffs, or squad cars. And none of that touches on the original assertion that vigilantes are besting law enforcement at what law enforcement is supposed to be doing.

    But the organization itself appears to be run by incompetent good old boys who have no clue what they're doing or how to run an organization like that.

    True. But then, name an industry that doesn't have examples of this.

    *nod* This is true. I always assume that when government really wants to do something, there's an off chance somebody competent will be put in charge and you'll be dealing with someone who really knows what they're doing. While I don't think that chance is not high, I think it's certainly higher than, say, your 1024-bit RSA key being broken.

    In my experience, the wildcard is bureaucracy. A certain amount of it is required to communicate and manage large groups as well as keep a check on the public trust (both power and resources / fraud). Too much tends to stifle technical competence (or perhaps reward bureaucrats at the expense of other fields of competency). One never can tell where the balance is from the outside of an organization. And the balance shifts over time.

  4. Re:Score one for Anonymous. on Contents of Leaked HBGary Emails Reveal Wrongdoing · Score: 1

    It just seems that when law enforcement really does have something to investigate, they don't, or they don't do a decent job. These HBGeary people were basically a branch of law enforcement. A particularly dirty branch even. But they are basically complete incompetents. They are little better than an organized band of script kiddies.

    Really. What branch of law enforcement? HB Geary Federal is a private company selling services and products (and no small amount of snake oil from what's being described). As for being script kiddies - there's some individuals within that organization that have considerably higher abilities than script kiddies.

    Having worked infosec within several government organizations myself, I share a general dim tone towards government capability. But one still has to maintain a realistic view - and a focused one at that.

  5. Re:Score one for Anonymous. on Contents of Leaked HBGary Emails Reveal Wrongdoing · Score: 1

    One that is competent at computer security would be nice.

    Non-sequitur. Nothing in this thread mentions the competence of law enforcement with computer security. The parent claims that vigilantes are doing better than law enforcement which demonstrates a lack of consideration for what the actual events have been so far.

    Being able to break into something isn't just about breaking into stuff. It's also about making sure your stuff doesn't get broken into.

    Breaking into something and defending against intrusion are two very different, albeit related, activities. In information security, the attacker tends to have the advantage.

  6. Re:Score one for Anonymous. on Contents of Leaked HBGary Emails Reveal Wrongdoing · Score: 1

    It is really sad when we have vigilantes who are better and more capable than our own law enforcement at just about every aspect of what law enforcement is supposed to do.

    So what you're saying is you expect a branch of law enforcement who is good at harassment and illegal computer access?

  7. Re:It was just a matter of time on Backdoor Trojan For Windows Ported To Mac OS · Score: 1

    As much as people want to think otherwise, there is a direct causal link between marketshare and the amount of malware for a given OS.

    The problem with this is that there isn't much to back up the assertion. What proves that marketshare is the driver for malware? And before you trot out some numbers, can you be sure that marketshare is the reason? It's not that I can't accept the concept. And, in fact, I agree with your couching the idea by noting a "casual" relationship. Marketshare has to be part of the equation. Unless you have a very specific target, it stands to reason that an attacker going after targets of convenience is going to want a suitable enough pool of victims or the attacks won't be convenient. But what makes up that pool is the question.

    Sometimes being a big fish in a little pool is very attractive. Yes - OS X still commands a smaller marketshare than Windows (in its various versions). But even then, we're talking about something on the order of 36 million targets (adding estimated sales since 2007). If OS X is an easy target, there's an entire pool just waiting to be exploited. Consider that we're counting infections in units of 10k with notable botnets in millions. OS X could easily provide a suitable pool for new (or existing if one wanted to extend a botnet) malware to flourish. But that has yet to happen to any great effect.

    People persecuting MS for poor security are living in the past. Windows is now a fine secure OS, while OS X doesn't even have basic protections in place and claims to be secure, simply taking advantage of the fact that they are not targeted as much.

    I agree with this point as well. I'm not a Windows or Microsoft fan. But Microsoft has been getting on board. Although I would be cautious with how generously one hands out that credit. Not everything Microsoft has done has been well executed or as effective as their PR would have one believe.

    Hopefully as marketshare increases they will take responsibility and secure their OS, if for no other reason than to maintain their image.

    This has been the ongoing theme for the past few years. The doom and gloom has yet to descend (despite some pretty horrible mis-steps on Apple's part).

  8. Re:Yeah yeah on PayPal Freezes Support Account For Bradley Manning · Score: 2

    Hilariously, Paypal was actually started by a libertarian as some sort of "resist the man and his fiat currency's dead hand on trade" kind of thing. Now it voluntarily licks the boots of those who would suppress the entirely legal efforts of an advocacy group to secure a man a fair trial (rather than the present detention-without-trial-of-indefinite-length...)

    I'm no fan of Bradley Manning. I think he's a fool and not worth all the hero worship and calls to rally a defense. But in so far as said rally is legal, I can't abide by Paypal interfering with it.

  9. Re:Wikileaks has officially jumped the shark on Wikileaks Opens Official Online Store · Score: 1

    So what - you're saying soldiers should lie? You're saying that we should go back to the fiction of romantic war?

    Uh no. What I'm saying is that soldiers DO enjoy killing, and I'm saying that we should stop making war for profit. You have to take a fairly obtuse read of my comment to get out of it what you got, deliberately or not. The sibling to my comment has it figured out.

    Fair enough. However, I believe you're simply muddying the waters. To talk about the rush of adrenaline during combat does not imply over-all enjoyment of the exercise. One can feel the thrill of the moment and, after it passes, realize and feel the negative aspects of those actions. Making war for profit has no place in this conversation.

    I should note that I suspect the entire conversational thread is based on a somewhat disingenuous pretext. I don't believe Assange claimed that "killing is fun" in so many words - his claim is that civilian deaths were because of taking "pleasure by getting a high score." I don't doubt body counts are a part of the reality of that environment. But I find this claim to be ignorant on Assange's part.

    Your quip about false pretenses has no place in this discussion. That's politics.

    It does have a place in this discussion. As I see it, the soldiers have two choices. They can learn to enjoy killing, or they can be bad at a very important aspect of their job; doing it badly can result in them not coming home. I do believe that there are ethical considerations beyond such simplifications, but I further believe that the real failure in ethics is made not at the military level, but at the civilian one that puts them in such a position in the first place when it is unwarranted. That's politics.

    Again - these are two separate issues. The soldier having to go against norms of civilized society to be effective in (much less survive) an uncivilized situation has little to do with society choosing to put a soldier in that situation. You're confusing the two by trying to link them. And you're doing an injustice to society and soldiers by doing so. Society should understand that war is always hellish no matter what reasons are involved. And with that understanding, there should be much gravity to the decision to wage it.

    I agree that this is all rather over-simplified. But that's part of my criticism of quips made by Assange. The issues Assange brings up are complex. But Assange is either ignorant of that complexity or realizes that complexity doesn't make very good propaganda.

    When you want to talk about the horrors and inhumanity of warfare, politics are moot.

    Politics are never moot. Any and every action has political ramifications.

    In the right context - yes, political ramifications are important. This is not that context. The politics of a situation does not make the battlefield any cleaner.

    War is just as horrible when "justified" as when it isn't.

    It is far more horrible when it is unnecessary than when it isn't.

    To the soldier on the battlefield, feeling justified may be an important factor in maintaining motivation. But war does not get any less ugly for it. The situation is just as dangerous. Weapons still do horrible things to human bodies no matter what politics launched them. People still die.

  10. Re:Wikileaks has officially jumped the shark on Wikileaks Opens Official Online Store · Score: 1

    You have obviously never taken part in an actual combat situation. The one displaying ignorance is you.

    And neither has Assange. But that didn't stop him from claiming the only reason for the "collateral murder" incident was for the gunship crew to get a high score.

  11. Re:Wikileaks has officially jumped the shark on Wikileaks Opens Official Online Store · Score: 1

    When soldiers stop talking to us about the rush of combat then we'll stop assuming that a significant percentage of them enjoy it. It is fairly reasonable for a soldier to adopt a personality which enjoys killing to avoid cracking under the strain of their actions, and not unusual. What is unreasonable is to go to war for false pretenses and create a situation where humans for whose wellbeing you are responsible have to become schizophrenics to continue functioning.

    So what - you're saying soldiers should lie? You're saying that we should go back to the fiction of romantic war?

    Your quip about false pretenses has no place in this discussion. That's politics. When you want to talk about the horrors and inhumanity of warfare, politics are moot. War is just as horrible when "justified" as when it isn't.

  12. Re:Wikileaks has officially jumped the shark on Wikileaks Opens Official Online Store · Score: 4, Insightful

    When Assange said "Killing people is fun" he very obviously meant that the American soldiers massacring civilians found the killing to be fun.

    And what you don't seem to understand is that people understand this and find it to reflect Assange's level of ignorance. But don't let that get in the way of your asserting yourself as so far above all the sheep.

  13. Re:Good! on Voice of America Site Forced Offline By 'Iranian Cyber Army' · Score: 1

    "All VOA ever wanted to do is bake you an apple pie."

  14. Re:Good! on Voice of America Site Forced Offline By 'Iranian Cyber Army' · Score: 1

    "Legitimate" being largely a measure of one's own politics.

  15. Re:Persistent myth? on Why You Shouldn't Reboot Unix Servers · Score: 1

    Ahhh. He's the idiot that started off calling sudo "like bowling with only the inflatable bumpers in the gutters."

  16. Re:Persistent myth? on Why You Shouldn't Reboot Unix Servers · Score: 1

    I've noticed a few articles lately about how 'real men' login as root at all times, but I've worked in Unix/Linux since the 90's, and this seems to be a recent phenomenon.

    I saw one article with this sentiment and I thought the guy was an idiot - or playing one for comedic effect. :P

  17. Re:Seriously? on Anonymous Goes After GodHatesFags.com · Score: 1

    Someone who wasn't being serious?

  18. Re:What competition is on Last.Fm Founder Criticizes Apple Over Music Subscription Fees · Score: 1

    So you're saying Last.Fm is comparable to an iPod / iPhone / iPad?

  19. Re:Audits needed on 10% of IT Pros Can Access Previous Jobs' Accounts · Score: 2

    A post-it note kept in one's wallet? Secure

    When I need to do something like this, I use a several character cookie that resides in different positions of the passwords. The cookie is a placeholder for an additional sequence of characters - remove cookie and insert sequence (character count of cookie and sequence should not match). I never write the cookie down. When I need to use the password, I look it up on the slip in my wallet and then mentally replace the cookie with the actual sequence of characters. This allows for strong passwords unique to each system / environment that can be changed on a regular basis. I only have to remember a smaller sequence that is commonly used - less to remember and a better chance of repetition to help enforce / refresh that memory.

    Granted - an observant attacker who got possession of my password list might notice the cookie repeated in each password listed. But it does present an additional hurdle.

  20. Re:Well, well, well... on London Stock Exchange Tackles System Problem · Score: 4, Insightful

    This just shows that it's hard to build these highly available, low latency, massive usergroup systems. Previously there was a lot of chatter about the platforms (.NET, MSSQL 2003, etc...)

    Yes. And let us not forget that a lot of that chatter came from Microsoft's PR department.

  21. Re:That's War on Attacked By Anonymous, HBGary Pulls Out of RSA · Score: 2

    Which sounds all nice and fine. Unless you start really looking at where the lines of "good" and "evil" are drawn and who's drawing them. I'm wary of anyone who wants to put the signs of "good" and "evil" above any of these actors.

  22. Re:Vandalized? on Attacked By Anonymous, HBGary Pulls Out of RSA · Score: 1

    I'd sooner place my bets they're in the Long Con to paint "Anonymous" (there can be only one, right?) as a Threat. Then everyone in power profits when draconian measures come along.

    Right - and some Machiavellian government bureaucrat is sitting back in his high-backed chair, petting a white cat, repeatedly saying "excellent."

    I'd call it differently. Barr has an idea - using public information gleaned to expose relationships and additional information. It's not entirely a bad idea. However, plenty of good ideas have met a sudden end when implementing them effectively proves to be difficult. Barr ignores warnings that his implementation is lacking and generates publicity. As things ratchet up, he discovers that his implementation isn't as good as he thought. But by now too many people are watching to simply bow out. He invokes the Anonymous boogie man to provide himself a way out of the corner he's painted himself into. Anonymous complies because being scary boogie men appeals to them.

  23. Re:Turf wars... Pfft... on IT Turf Wars: the Most Common Feuds In Tech · Score: 1

    So I am curious how this evolved into this form. How did this get implemented? How did you get the buy in that you should actually take the time to do this assessment?

    It was the job description. The employer was dealing with a number of major security incidents and was trying to get a handle on the situation. They wanted to change how things were operating but they didn't want to kill the golden goose.

    I have to admit, the environment was different than others. It was corporate but had more of a research feel to it. Unlike, say, banking environments where locking things down is a part of the culture. Yet this culture allowed for personal responsibility as management put their reputation on the line to support a business case. Taking risks was a part of that culture but you had to be able to justify those risks. So in effect, the security group was working as consultants to the various business units (while still being Masters of the Firewall and therefore holding the kill-switch to external network access).

    I believe this would work in other environments. I've applied some of this to Government as well. I championed getting ourselves involved as problem solvers and not simply They Who Know You Surf Porn or Masters of the Firewall. I attended a number of meetings where we acted as consultants to help the group identify and mitigate security problems. Sometimes it was with existing or about-to-be-deployed solutions. Sometimes we got involved at the requirements stage and were able to help the organization start on the right path from the very beginning (which tended to make everyone happy). Come to think of it, this was another environment with a history of high-visibility security incidents.

  24. Re:Turf wars... Pfft... on IT Turf Wars: the Most Common Feuds In Tech · Score: 1

    And that is the point of getting executive buy-in: to bypass the security guys that say by default "no way, if it does not meet NSA security specs it's not on my network" and actually getting work done in the company.

    The problem here is having to bypass the security guys. In that environment, we were constantly coming in to a meeting and putting the brakes on the Big Idea as presented. There were often huge risks due to absolutely no consideration or understanding of security or even the underlying technology. Our job was to not only find these problems, but help the business unit come up with solutions to those problems. That was the usual outcome. Sometimes the business unit just didn't want to change their direction or the Big Idea was fundamentally risky. And that's when we had the face-off between business gains and business risk.

    That doesn't mean we didn't have people doing the end-run game you're describing. But they were often exposing our mutual employer to pretty significant risks - often completely unaware of what they were doing. Granted - your environment might be different. Your security group might be setting up their own headaches by being viewed as a problem rather than part of IT solutions. Or you might be setting yourself up to be part of the next big security incident for your employer.

  25. Re:Turf wars... Pfft... on IT Turf Wars: the Most Common Feuds In Tech · Score: 1

    Yeah, those "personal responsibility" contracts are just proof that you allowed senior management to do something unbelievably stupid and attempted to absolve yourself of the duties you were hired for. When it hits the fan, you'll be canned because you weren't doing your job (senior management might or might not be fired depending on cronyism).

    I invite you to re-read my post. My job was to identify and outline the risks. Which I did in my report that was distributed to the team and all management involved in the decision process (always CYA with documentation). At that point, it is management's job to make the decision. That's what management does. If you're in a position where you can do your job, get ignored, and still get fired then you should cut your losses and get a different employer (or be a contractor with sufficient fees to cover the service of being a scapegoat).

    I'll point out that in this environment, it was exceedingly rare for a management showdown. People tended to back down instead of taking the risk assessment to their managers. Managers would often come back with more questions and directions for their team to adopt recommendations. When it went up to the next level, it wasn't a given who would "win" the argument. If management over-ride was a trivial and common-day practice, I wouldn't have viewed my environment as being "one of the best." I agree that not every environment is like this. Heck - many environments seem to have little concept of accountability. But that doesn't mean it is impossible to do.