If I weren't already in this conversation, I'd +1 Insightful your post.
I'm in Florida. We don't get earthquakes, but we definitely get storms. Besides hurricanes, we get our summer thunderstorms. The homes that stand up to them.
This video was from July 30.. I'm only mentioning it because it was recent, and lots of people saw it. This video isn't from me.
I was leaving work on the West side of the storm. Looking East, the sky was black. We also got some very heavy gusty winds, up to about 60mph. I don't mind missing the twisty part. We've seen
Any home worth staying in is concrete block or brick. Homes that are wood frame don't hold up so well when big storms hit.
I have a personal weather station. We had a maximum windspeed of 119.0 mph on July 24, 2013 at 02:42am (Eastern). If you view the yearly graph, it shows a few good gusts this year. We didn't have any tropical storms hit us this year.
Here's a little something I posted to others.. I only figured it out 2 nights ago. I wrote it for a more general audience. I hope it helps you...
---------------------
I found a problem with the healthcare.gov site. If you aren't able to log in at all, read the following... Share as you wish.
Ignore what the instructions say. I'm showing 3 tries. The third try worked. Obviously, I'm not showing the real values I used, just values following the same pattern.
For the username, use mixed uppercase, lowercase, and numbers. No more than 9 characters.
After creating the 1st and 2nd account, for the first couple days I couldn't get any automated messages when I tried the username or password retrieval.
Tonight I got responses for the password retrieval, which said the accounts didn't exist. I tried to sign up again with the 1st and 2nd username, and it said the username already existed. (Hint!)
I don't know what the real limit is on the username or password length. I used 8 characters, because it's "strong enough", and deals with the ancient crypt() problem. Always use random strings. Never use real words in any language or "31337" character substitution! (zero for O, 1 for i, 3 for e, 7 for t, 8 for B, etc). If I ever find out you use p@$$w0rd, I will personally hunt you down and slap you in the head.... and this is what happens when a sysadmin/programmer tries to figure out how someone elses system is horribly broken.
That's not always possible. It definitely wouldn't pass planning and zoning in most residential neighborhoods.
Where we are, the house takes up the area allocated for the home. We can't build onto the easement (the space between the house and property line).
Any structure that could rise on the pilings would also be able to be ripped away by a tornado. The FEMA guidelines are pretty clear on the minimum required to keep your safe room in place. I believe it was 3 feet into the ground, with L shaped anchors, concreted in place. Anything less, and your safe room may end up a safe coffin somewhere other than where it started.
Actually, we intend to move inland, when we have the money... And ya, part of the move would involve constructing the safe room.
I'm not partial to earthquakes.. Hurricanes and floods, you know are coming. Earthquakes come with no notice.
I've lived all over the US, and have been through the major disasters. Blizzards with devastating snowfall. Northeasters pushing frozen ocean inland. Hurricanes and tornadoes. And ya, a few years out in earthquake prone areas.
I'll stick with hurricanes and tornadoes. We stay at home. When the storm gets too rough, or the waters too deep, we can drive inland. We already have the routes planned, to avoid any bridges or areas that are lower than where we live.
Aluminum foil. Not only does it give the illusion of no windows, but it keeps the alien mind control beams out.. Well, at least from coming in the windows.:)
It's been up for years, and the instructions are clear enough for a do-it-yourselfer to do, or to hand off to a contractor to build.
How big you make the room(s) is up to you. If you're in a tornado area, it wouldn't be a bad idea to make effectively a studio apartment. That could be a bedroom, bathroom, and kitchen pantry. That way, if your house was completely blown away, you'd still have somewhere to live.
If you can afford a $50k room for something statistically rare, you can make a nice home theater (aka "man cave"). A theater room is better without windows, and soundproof from the rest of the house. With independent emergency power, you could camp out in it, and watch movies through the apocalypse, and come out sometime after its done.
We've been discussing making our safe room here. Unfortunately, most of Florida is not only a tornado risk, but a flood zone. You get both risks during hurricanes. So you may be in the totally safe shelter room from the house falling down around you, but if your exits are blocked, you may end up drowning in the same room.
Everyone goes on the assumption that scale is "just make it bigger". I'd like to add some of my own notes on why this launch was doomed from the start.
I used to work for an adult internet company who had massive traffic. We were serving millions of people daily before 2000. We would exceed 10M daily viewers about once a week. That fluctuated by rather consistent calendar influences, like the day of the week, part of the month, and part of the year. Sept 11, 2011 dropped 3/4 of our traffic for almost exactly 2 hours. So we knew how long huge news event would impact us.
To handle 10M customers without a hiccup, we had to consider a lot of things. We didn't do much dynamic content. That's a killer. There were some elements that had to be dynamic, such as the voting/polling systems, message forums, etc. Otherwise, we had to try to keep the pages (html and images) as light as possible.
The hardest abused system we had was user authentication and authorization. We only had a few million users that hit it, but there were thousands of hackers (and script kiddies) that wanted to try to get something for nothing. Come on, it was cheap porn, just pay for it. We could easily see over 10M auth requests per hour. In time, we fine tuned the system, and outright blocked abusive users at the firewall.
The advantage we had was, when I was first in control over the IT work, we'd only see about 1M/day, so we had the luxury of growing it out. We'd watch for the problematic parts, and fix them. What works on your test bed where 10,000 users try it, even if they try hard, it doesn't mean you can put it on 100 servers and expect it to work for 1M users.
healthcare.gov has some other severe disadvantages. From what I understand, they are hitting the SSA database. I don't know if that's an online query to the SSA, or if they're provided a static file to import periodically. I'd assume all kinds of government organizations have put their 2 cents in too. What are they checking identity against? Drivers licenses, SS cards, voter ID, green cards? That means they could be hitting 151+ more databases run by other organizations. Does DHS get the information? Is it fed back to them when a users accesses? Are the checked against law enforcement databases? Only those directly involved in the development will know. You can disregard anything in the privacy statements. You're not going to see a friendly note in the FAQ "If you're a wanted felon, information will be transmitted to the law enforcement organization looking for you." That kind of defeats the purpose.
Depending on load testing never replicates what real users will do. Real users do weird things, just because they can. No amount of planning and testing will give you everything. There is always a lot of reactive work to be done. Shit, everyone reads the FAQ 14 times before logging in? They 20% of the people go through the login screens, back out to the 2nd page, and try again?
I'm stuck on the same non-functional healthcare.gov site as everyone else is. I signed up. I never got an email confirmation or email address verification.
My girlfriend got the verification and signed up again. I was able to present my user:pass and it did seem to say it was valid, but stayed there until I was thrown the overloaded message. Later, it said my user:pass was invalid. Is it really invalid?
I tried to do the username and password recovery. Neither sent me anything, so I assumed my account wasn't made. When signing up again, it said my combination of email, username, and real name was not unique. Ok, so I'm at least partly there.
I signed up again with a different username. This time I received the email verification, and clicking it did say I was confirmed to be a user. I still can't get in. It says my user:pass is wrong. Is there som
So.. We sold them to France, so they can operate them. The intention is that they will cooperate with the US. So if we want "surveillance" of a target, and France has one that's closer, we can use their intel. There's nothing unusual about that. It's similar to ICBM early warning systems that were "sold" during the cold war. Sure, they were being operated in another country, but we still used the intel from them.
I don't have any specific cases to list, but I do know that different jurisdictions in my state have different rules.
There are weird things too. How does it know if a driver is speeding? Obviously, the VSS gives the ground speed, but what about the posted speeds? I use a Garmin GPS as my primary navigation tool, and I update it frequently. I also use a variety of apps on my phone mounted on the dash. The Garmin is great at navigation and traffic. Others get their traffic data from other places, so I use a combination of them to know how to get where I'm going.
When I hit where I live, the last 1.5 miles there is a posted speed limit of 20 mph. Based on the kind of road, the speed limits should be 30 mph to 45 mph. None of my devices indicate what my speed should be.
So the car would most likely believe the speed limit should be at least 30 mph. About once every couple months, the police set up to bust people speeding, and they *will* ticket for 5mph over the speed limit.
Construction zones come and go rather rapidly, and here it's double the fine for speeding through those. I got hit with that one. 65mph is the normal speed limit. The "construction" speed limit was 40mph, even though there was no construction going on. I was doing 65mph. The officer was more than happy to write out the fat ticket for 25mph over. I had to retain a lawyer for, as it could have been considered a criminal offense. A car like that would do a wonderful job of automating the offenses.
1. Shall vacate the lane closest to the emergency vehicle or wrecker when driving on an interstate highway or other highway with two or more lanes traveling in the direction of the emergency vehicle or wrecker, except when otherwise directed by a law enforcement officer. If such movement cannot be safely accomplished, the driver shall reduce speed as provided in subparagraph 2.
2. Shall slow to a speed that is 20 miles per hour less than the posted speed limit when the posted speed limit is 25 miles per hour or greater; or travel at 5 miles per hour when the posted speed limit is 20 miles per hour or less, when driving on a two-lane road, except when otherwise directed by a law enforcement officer.
That doesn't cover other pesky things like school zones, temporary construction speed limit changes, and other reasons that you can't just go cruising through at the speed limit.
I'd worry less about abuses by the gov't, and more about unintentional actions by the car.
The story says it will pass slower traffic. Great. But will it detect that guy you've seen in your rear view mirror switching lanes doing 40mph faster than you? I see a great chance to have a multicar accident just on that one thing.
It's not all that unusual either. I've seen quite a few close calls, where exactly that has happened. Either he takes the grassy median, or the other car swerves back.
If it can't figure out that he's back here, but you did based on observation, now you're going to have him rear ending you, and one of you hitting the slower car(s).
I wonder how it will handle unusual activity, like a car running a stop sign on a perpendicular road, or something not quite car sized like a dog, large bird, child, or object falling off another vehicle. I've seen wheels come off of cars; big rigs throw the tread off a wheel; a rock truck break a driveshaft, part of which went bouncing down the road behind him; and other various things that shouldn't have been on the road. If people get use to the car doing the driving, they *won't* be doing the driving themselves. They'll become more reliant on the fact that the car can do it for them.
Ya.. Some of what I put up earlier was so others would question it.
I posted a link in another reply about gov't entities who are root CAs. In that, if you read a bit, it shows who you have to suck up to. Firefox, to be included in Firefox (all platforms). Microsoft to be included in MSIE. Microsoft for Chrome on Windows, as it uses the OS's root CAs. Chrome on Linux uses Firefox's CAs. And I'm sure Apple for it's various devices.
I haven't looked enough to see what the Android browsers use, but I'm pretty sure you'd have to get friendly with Google for that, plus any 3rd party browser authors who use their own.
I actually wrote up a quick and dirty page about 7 years ago, which goes through all the hoops of making the key, CSR, and self-signed cert. It was mostly for me, so I didn't have to type out all the openssl commands, but it's out there for the world to use, even though they shouldn't. I see hits to it all the time, so there are people using it, which means I could have been logging their key.
That is what got me thinking about it then. Why were my employers and friends throwing money at another company for their sites, when they could throw it at me and safe a few bucks.
It's really stupid if you think about it. Why does a SSL cert cost more than a couple bucks? Even at that, they'd be making a profit. Most CAs just send an email to a pre-determined address (whois owner, root, admin, domadmin, ssladmin, etc), to "verify" it's legitimate, and then send the signed cert over to the user. The obnoxious ones that usually charge more, want the D&B number, check the state's corporation filings, require blood and semen samples, etc.
End users are dumb. Most don't even know if they're punching in their credit card info on a SSL protected page or not. There are enough that look for the little padlock to believe it's trusted, but the rare exception checks to see who signed it. Why bother, it's trusted by the browser, it must be ok. At most, a few people catch irregularities like the one in the original story, and make noise about it. Do I care who signed Google's SSL cert? Not really. All that I've learned from the story is that Google might use different certs on different servers. That or the author was caught in a MITM attack and actually noticed it... and for giggles, I just went to my bank's web site. I'm replacing the bank domain name with "[mybank]" in this, and account access as [private.mybank].
https://mybank.com/ has a regular SSL cert for *.domain.com . Ya actually "domain". It immediately redirects to the next one.
https://mybank.org/ is a EV cert, signed by COMODO CA Limited, with a SHA1 fingerprint ending in 46:F6:C3, with an alias of www.[mybank].org
https://private.mybank.org/ is an EV cert signed by COMODO CA Limited, with a SHA1 fingerprint ending in 3C:8C:CA
That seems strange to me. They bothered to alias [mybank].org and www.[mybank].org, but didn't add the alias [private.mybank].org or [mybank].com. Well, whatever floats their corporate boat.
The same still applies. Sure, you're circumventing the eavesdropping of your employer. You still have a long list of trusted signing authorities in your browser.
There's no good reason to believe your encryption is end-to-end safe. It's end-to-whoever-runs-the-proxy-server encrypted. Someone in your house won't eavesdrop on it, but ye olde MITM by a large enough organization can. There are some telecom providers included.
So your employer can't sniff your traffic, and you've compromised their internal security. You're safe from your desk to your home machine and that's it. I'd say you're totally safe on your computer, but as your employer could use keystroke loggers, watch your screen, and even access your files (via \\yourdesktop\C$\), the only thing you're protecting is the easy logging of the URLs you've browsed. If they're already doing deep packet inspection, either the VPN connection won't be established because VPN won't traverse the content inspector, or they'll notice massive amounts of encrypted traffic always going to the same place. So it won't work, or you'll raise red flags.
What if a government agency got in on this game? They could sign and eavesdrop without you knowing. Oh wait. They are already there.
Firefox: France, Hong Kong, Japan, The Netherlands, Spain, Taiwan, Turkey
Microsoft/MSIE: Austria, Brazil, Finland, France, Hong Kong, India, Japan, Korea, Latvia, Macao, Mexico, Portugal, Serbia, Slovenia, South Africa, Spain, Sweden, Switzerland, The Netherlands, United States, Tunisia,Turkey, Uruguay, Venezuela,
Chrome uses the underlying OS root CA list.
Any one of them can sign valid certs. For MSIE and Chrome users, the US Gov't can sign for *.google.com, and intercept all the traffic, without the need of adding any extra CAs to your browser/computer.
That made me wonder about something at work recently. All the machines at work are owned by the organization. It would be trivial for them to add their own trusted signing authority, so they could MITM every SSL web site. It wouldn't be terribly hard to auto-generate "valid" SSL certs, and have it tagged as whoever you want the signing authority to be. All they'd have to do is add their own cert, in this case named "GeoTrust Global CA", and they'd have perfect control. To do it perfectly, they'd just need to query the site you're going to, and match up the signer's CN and sign the new fake cert, and you wouldn't know the difference. Who tracks the fingerprint of every cert for every site they go to? Well, I'm sure in this crowd, a few do.
It's good for network security, as they can pump everything out through a common proxy (or cluster of proxies) and inspect all the traffic for malicious intent (malware inbound, or organization secrets outbound). It's not good for privacy, if you were to visit your bank, gmail, etc.
As far as that goes, there are an awful lot of "trusted" signing authorities that come with any browser. I know we should probably trust them, because the authors of the browsers trust them. There's no really good reason to do so, other than if you don't, all SSL sites will warn that they may not be trustworthy.
I was considering a while back, how would *I* become my own signing authority, to be trusted by all browsers. I didn't find a good answer. An intermediary cert would solve it, but I didn't find how to accomplish that. Like, who do I throw money at to get one. Getting added to all browsers would be another even larger headache.
My thought on it was, technically it isn't hard to do. I could spend a day writing a very nice site, that would verify ownership and make whatever cert for the domain. Why can't I (or whoever) offer $5/yr, or $50/10yr single domain or wildcard cert? The code and infrastructure isn't very heavy.
Needless to say, since you haven't seen JWSmythe's Cheap Certs available, it never happened.
If not microwave ovens, there are all kinds of fun ways to generate signals.
But hey, if a cheap microwave oven does the job, that's good enough. Walmart has some for $36. That seems like some pretty affordable. I would think it would need a better antenna than the shell of a microwave would provide.
Well, that's nothing I'd be experimenting with. No one is shooting missiles at me.
One issue that has yet to arise is whether offshoring the utility's IT services would create long-term security risks, particularly if work is moved offshore.
Of course it does. IMHO, IT shouldn't be outside of a secure environment's walls. Even with "good" IT people, when they can VPN in from home computers and do things, it can compromise the security of the network. When your entire shop is off-shore, there's no one standing guard to make sure things are safe.
The risks are huge. It can range from malware on a workstation, to malicious actions by a 3rd party or employee.
The "what could possibly go wrong" goes from the confines of their office, to... well... the whole world.
I'm surprised DHS hasn't said no to this. They're worried about critical infrastructure, including power utilities, being compromised by outside attackers. When all the work is being done by someone other than in-house staff, it's inviting exactly that kind of trouble.
I guess "best case" here is that they're trying to get a bunch of people to quit, so they can get fresh locals in for less pay, screwing the existing staff in the process.
There are a few instances where they have found the specific piece of electronics that were causing problems, and in some cases purchased it from the passenger.
1995, 737 airplane. A passenger laptop computer was reported to cause autopilot disconnects during cruise. Boeing purchased the computer from the passenger and performed a laboratory testing...
1996/1997, 767 airplane. Over a period of eight months, Boeing received five reports on interference with various navigation equipment (uncommanded rolls, displays blanking, flight management computer [FMC]/ autopilot/standby altimeter inoperative, and autopilot disconnects) caused by passenger operation of a popular handheld electronic game device. In one of these cases, the flight crew confirmed the interference by turning the unit on and off to observe the correlation.
1998, 747 airplane. A passengerâ(TM)s palmtop computer was reported to cause the airplane to initiate a shallow bank turn. One minute after turning the PED off, the airplane returned to "on course." When the unit was brought to the flight deck, the flight crew noticed a strong correlation by turning the unit back on and watching the anomaly return, then turning the unit off and watching the anomaly stop. Boeing was not able to purchase the actual PED...
Funny thing, all the cases of problems caused weren't cell phones.
Farther down the page, they discuss cell phones. They do put out more noise on critical frequencies, sometimes over what the FAA permits for the aircraft itself. In testing, none actually caused problems.
Boeing conducted a laboratory and airplane test with 16 cell phones typical of those carried by passengers, to determine the emission characteristics of these intentionally transmitting PEDs. The laboratory results indicated that the phones not only produce emissions at the operating frequency, but also produce other emissions that fall within airplane communication/navigation frequency bands... Emissions at the operating frequency were as high as 60 dB over the airplane equipment emission limits...
Boeing also performed an airplane test on the ground with the same 16 phones. The airplane was placed in a flight mode and the flight deck instruments, control surfaces, and communication/navigation systems were monitored. No susceptibility was observed.
Well.. Whales have a vestigial pelvis. Somehow the author, editor, and whoever else they have reviewing news stories failed to recognize the glaring mistake.
Most of his argument is that the UI is different. It's like saying that if you don't have a Gnome/KDE/Unity UI, you're not running Linux..
As a sysadmin, when I'm in a shell on Android, I see Linux. When I'm in a shell on a Mac, I see a Unix. When I open a cmd.exe window on Windows, I see Windows.
I was having some fun with some of my older Android phones a couple weeks ago. I put Dropbear Server II on. I had 4 shells open to 4 phones. I was remounting filesystems, moving files, using wget to collect stuff from my server, installpkg packages (with pm), chmod'ing files, and rebooting as I saw fit. It's just another *nix, and by his own admission a barely modified Linux kernel...
If it looks like a bear, and acts like a bear, and everything else says it's a bear, it must be a spherical chicken in a vacuum.
Android is just another embedded *nix. I'm happy that it's Linux. You shouldn't expect it to have a whole bunch of scripting languages, and unnecessary servers.
With all that said, it is a functional embedded system, where you *do* have the ability. to extend it do to all kinds of neat things.
They provided hooks to just about everything in Java. I'm not terribly delighted with that decision, but it's what they went with.
For most purposes, play is their package manager. For the majority of users, they'll never open a terminal. I do 99% of my phone stuff through the happy little touchscreen. That's the nice interface provided.
If you really want the CLI package manager, you'll find pm, which does just about everything you'd expect from a package manager.
You can get Apache, Perl, and pretty much whatever else you want on there. Is it going to be like developing for an x86 server or desktop? Not really. It's a different platform.
If you're going to be developing for distribution, and not just for yourself, I'd recommend about the Android way to do it.. If you're doing it yourself, grab a copy of Perl for Android, and enjoy.
If you're going to complain, well, that's up to you. At least research it a little.
I don't know why anyone would have that problem.. At the end of the Great War, I shipped back plenty of barbed wire and landmines. More than enough to border my property. It was very useful during the Great Depression.
There have been a few stray animals that have caused problem, but no damned kids on the lawn.
Them youngins don't know how to protect their lawns.
I'll go back to watching those funny kids, Larry, Moe, and Curly. Great fun they are.
One in particular that I remember was about a laptop locking cable that you could unlock with a pen in just a few seconds.
If a criminal wants a laptop, and sees 3 sitting around. No one is at them, and he has a few moments of no one looking. One is on a desk with the easily defeated cable. One is on another desk, tied down with a piece of string. The third was just put into a laptop bag, and is on the floor by a chair.
He won't go for the one with the cable. Even if he was prepared and knew exactly how to do it, it is still an obstacle. Even the one in the string requires a little extra time to untie or cut. The one in the bag on the floor is easiest, as he can just pick it up and keep walking.
The only variation on this would be the perceived value. If the one in the bag looked like an antique, he'd disregard it in favor of one that he can sell. If it's the one with the cable, and may get someone's attention by picking the lock, he may just move on to somewhere else.
The same applies to homes. All things equal except for security, the insecure house is the easy target and will get broken into. If the insecure house is a dilapidated hovel, but there is a nicer house that's an easy enough target, he'll go for the nicer one or pick a different neighborhood with better targets.
Slashdot Mirror
If I weren't already in this conversation, I'd +1 Insightful your post.
I'm in Florida. We don't get earthquakes, but we definitely get storms. Besides hurricanes, we get our summer thunderstorms. The homes that stand up to them.
This video was from July 30 .. I'm only mentioning it because it was recent, and lots of people saw it. This video isn't from me.
http://www.youtube.com/watch?v=ybUPOUxIxzo
I was leaving work on the West side of the storm. Looking East, the sky was black. We also got some very heavy gusty winds, up to about 60mph. I don't mind missing the twisty part. We've seen
Any home worth staying in is concrete block or brick. Homes that are wood frame don't hold up so well when big storms hit.
I have a personal weather station. We had a maximum windspeed of 119.0 mph on July 24, 2013 at 02:42am (Eastern). If you view the yearly graph, it shows a few good gusts this year. We didn't have any tropical storms hit us this year.
http://www.wunderground.com/weatherstation/WXDailyHistory.asp?ID=KFLHOLID5&day=24&year=2013&month=7&graphspan=year
All in all, it's been pretty calm, including the July 30 waterspout/tornado.
Here's a little something I posted to others.. I only figured it out 2 nights ago. I wrote it for a more general audience. I hope it helps you...
---------------------
I found a problem with the healthcare.gov site. If you aren't able to log in at all, read the following... Share as you wish.
Ignore what the instructions say. I'm showing 3 tries. The third try worked. Obviously, I'm not showing the real values I used, just values following the same pattern.
For the username, use mixed uppercase, lowercase, and numbers.
No more than 9 characters.
1st try: johnsmith_99
2nd try: johnsmith_9
3rd try: JohnSmith99
For the password, use mixed uppercase, lowercase, and numbers.
No more than 8 characters.
1st try: A0b1c2D3e4^hIJklmnoP
2nd try: A0b1c2D3e4hIJklmnoP
3rd try: AbCd3fG4
After creating the 1st and 2nd account, for the first couple days I couldn't get any automated messages when I tried the username or password retrieval.
Tonight I got responses for the password retrieval, which said the accounts didn't exist. I tried to sign up again with the 1st and 2nd username, and it said the username already existed. (Hint!)
I don't know what the real limit is on the username or password length. I used 8 characters, because it's "strong enough", and deals with the ancient crypt() problem. Always use random strings. Never use real words in any language or "31337" character substitution! (zero for O, 1 for i, 3 for e, 7 for t, 8 for B, etc). If I ever find out you use p@$$w0rd, I will personally hunt you down and slap you in the head. ... and this is what happens when a sysadmin/programmer tries to figure out how someone elses system is horribly broken.
That's not always possible. It definitely wouldn't pass planning and zoning in most residential neighborhoods.
Where we are, the house takes up the area allocated for the home. We can't build onto the easement (the space between the house and property line).
Any structure that could rise on the pilings would also be able to be ripped away by a tornado. The FEMA guidelines are pretty clear on the minimum required to keep your safe room in place. I believe it was 3 feet into the ground, with L shaped anchors, concreted in place. Anything less, and your safe room may end up a safe coffin somewhere other than where it started.
Actually, we intend to move inland, when we have the money... And ya, part of the move would involve constructing the safe room.
I'm not partial to earthquakes.. Hurricanes and floods, you know are coming. Earthquakes come with no notice.
I've lived all over the US, and have been through the major disasters. Blizzards with devastating snowfall. Northeasters pushing frozen ocean inland. Hurricanes and tornadoes. And ya, a few years out in earthquake prone areas.
I'll stick with hurricanes and tornadoes. We stay at home. When the storm gets too rough, or the waters too deep, we can drive inland. We already have the routes planned, to avoid any bridges or areas that are lower than where we live.
Aluminum foil. Not only does it give the illusion of no windows, but it keeps the alien mind control beams out.. Well, at least from coming in the windows. :)
FEMA has instructions on how to build a safe-room into your home..
http://www.fema.gov/safe-rooms
It's been up for years, and the instructions are clear enough for a do-it-yourselfer to do, or to hand off to a contractor to build.
How big you make the room(s) is up to you. If you're in a tornado area, it wouldn't be a bad idea to make effectively a studio apartment. That could be a bedroom, bathroom, and kitchen pantry. That way, if your house was completely blown away, you'd still have somewhere to live.
If you can afford a $50k room for something statistically rare, you can make a nice home theater (aka "man cave"). A theater room is better without windows, and soundproof from the rest of the house. With independent emergency power, you could camp out in it, and watch movies through the apocalypse, and come out sometime after its done.
We've been discussing making our safe room here. Unfortunately, most of Florida is not only a tornado risk, but a flood zone. You get both risks during hurricanes. So you may be in the totally safe shelter room from the house falling down around you, but if your exits are blocked, you may end up drowning in the same room.
Everyone goes on the assumption that scale is "just make it bigger". I'd like to add some of my own notes on why this launch was doomed from the start.
I used to work for an adult internet company who had massive traffic. We were serving millions of people daily before 2000. We would exceed 10M daily viewers about once a week. That fluctuated by rather consistent calendar influences, like the day of the week, part of the month, and part of the year. Sept 11, 2011 dropped 3/4 of our traffic for almost exactly 2 hours. So we knew how long huge news event would impact us.
To handle 10M customers without a hiccup, we had to consider a lot of things. We didn't do much dynamic content. That's a killer. There were some elements that had to be dynamic, such as the voting/polling systems, message forums, etc. Otherwise, we had to try to keep the pages (html and images) as light as possible.
The hardest abused system we had was user authentication and authorization. We only had a few million users that hit it, but there were thousands of hackers (and script kiddies) that wanted to try to get something for nothing. Come on, it was cheap porn, just pay for it. We could easily see over 10M auth requests per hour. In time, we fine tuned the system, and outright blocked abusive users at the firewall.
The advantage we had was, when I was first in control over the IT work, we'd only see about 1M/day, so we had the luxury of growing it out. We'd watch for the problematic parts, and fix them. What works on your test bed where 10,000 users try it, even if they try hard, it doesn't mean you can put it on 100 servers and expect it to work for 1M users.
healthcare.gov has some other severe disadvantages. From what I understand, they are hitting the SSA database. I don't know if that's an online query to the SSA, or if they're provided a static file to import periodically. I'd assume all kinds of government organizations have put their 2 cents in too. What are they checking identity against? Drivers licenses, SS cards, voter ID, green cards? That means they could be hitting 151+ more databases run by other organizations. Does DHS get the information? Is it fed back to them when a users accesses? Are the checked against law enforcement databases? Only those directly involved in the development will know. You can disregard anything in the privacy statements. You're not going to see a friendly note in the FAQ "If you're a wanted felon, information will be transmitted to the law enforcement organization looking for you." That kind of defeats the purpose.
Depending on load testing never replicates what real users will do. Real users do weird things, just because they can. No amount of planning and testing will give you everything. There is always a lot of reactive work to be done. Shit, everyone reads the FAQ 14 times before logging in? They 20% of the people go through the login screens, back out to the 2nd page, and try again?
I'm stuck on the same non-functional healthcare.gov site as everyone else is. I signed up. I never got an email confirmation or email address verification.
My girlfriend got the verification and signed up again. I was able to present my user:pass and it did seem to say it was valid, but stayed there until I was thrown the overloaded message. Later, it said my user:pass was invalid. Is it really invalid?
I tried to do the username and password recovery. Neither sent me anything, so I assumed my account wasn't made. When signing up again, it said my combination of email, username, and real name was not unique. Ok, so I'm at least partly there.
I signed up again with a different username. This time I received the email verification, and clicking it did say I was confirmed to be a user. I still can't get in. It says my user:pass is wrong. Is there som
There's a good bit of bartering that happens with these "sales".
The DSCA proposal of sale from June 2013
Another article from June 2013 regarding the sale, with an important quote.
Here is more on what was purchased.
So.. We sold them to France, so they can operate them. The intention is that they will cooperate with the US. So if we want "surveillance" of a target, and France has one that's closer, we can use their intel. There's nothing unusual about that. It's similar to ICBM early warning systems that were "sold" during the cold war. Sure, they were being operated in another country, but we still used the intel from them.
I don't have any specific cases to list, but I do know that different jurisdictions in my state have different rules.
There are weird things too. How does it know if a driver is speeding? Obviously, the VSS gives the ground speed, but what about the posted speeds? I use a Garmin GPS as my primary navigation tool, and I update it frequently. I also use a variety of apps on my phone mounted on the dash. The Garmin is great at navigation and traffic. Others get their traffic data from other places, so I use a combination of them to know how to get where I'm going.
When I hit where I live, the last 1.5 miles there is a posted speed limit of 20 mph. Based on the kind of road, the speed limits should be 30 mph to 45 mph. None of my devices indicate what my speed should be.
So the car would most likely believe the speed limit should be at least 30 mph. About once every couple months, the police set up to bust people speeding, and they *will* ticket for 5mph over the speed limit.
Construction zones come and go rather rapidly, and here it's double the fine for speeding through those. I got hit with that one. 65mph is the normal speed limit. The "construction" speed limit was 40mph, even though there was no construction going on. I was doing 65mph. The officer was more than happy to write out the fat ticket for 25mph over. I had to retain a lawyer for, as it could have been considered a criminal offense. A car like that would do a wonderful job of automating the offenses.
That's a good point. Each state has their own laws. Ours is...
FS 316.126(1)(b)
That doesn't cover other pesky things like school zones, temporary construction speed limit changes, and other reasons that you can't just go cruising through at the speed limit.
I'd worry less about abuses by the gov't, and more about unintentional actions by the car.
The story says it will pass slower traffic. Great. But will it detect that guy you've seen in your rear view mirror switching lanes doing 40mph faster than you? I see a great chance to have a multicar accident just on that one thing.
It's not all that unusual either. I've seen quite a few close calls, where exactly that has happened. Either he takes the grassy median, or the other car swerves back.
If it can't figure out that he's back here, but you did based on observation, now you're going to have him rear ending you, and one of you hitting the slower car(s).
I wonder how it will handle unusual activity, like a car running a stop sign on a perpendicular road, or something not quite car sized like a dog, large bird, child, or object falling off another vehicle. I've seen wheels come off of cars; big rigs throw the tread off a wheel; a rock truck break a driveshaft, part of which went bouncing down the road behind him; and other various things that shouldn't have been on the road. If people get use to the car doing the driving, they *won't* be doing the driving themselves. They'll become more reliant on the fact that the car can do it for them.
Ya.. Some of what I put up earlier was so others would question it.
I posted a link in another reply about gov't entities who are root CAs. In that, if you read a bit, it shows who you have to suck up to. Firefox, to be included in Firefox (all platforms). Microsoft to be included in MSIE. Microsoft for Chrome on Windows, as it uses the OS's root CAs. Chrome on Linux uses Firefox's CAs. And I'm sure Apple for it's various devices.
I haven't looked enough to see what the Android browsers use, but I'm pretty sure you'd have to get friendly with Google for that, plus any 3rd party browser authors who use their own.
I actually wrote up a quick and dirty page about 7 years ago, which goes through all the hoops of making the key, CSR, and self-signed cert. It was mostly for me, so I didn't have to type out all the openssl commands, but it's out there for the world to use, even though they shouldn't. I see hits to it all the time, so there are people using it, which means I could have been logging their key.
That is what got me thinking about it then. Why were my employers and friends throwing money at another company for their sites, when they could throw it at me and safe a few bucks.
It's really stupid if you think about it. Why does a SSL cert cost more than a couple bucks? Even at that, they'd be making a profit. Most CAs just send an email to a pre-determined address (whois owner, root, admin, domadmin, ssladmin, etc), to "verify" it's legitimate, and then send the signed cert over to the user. The obnoxious ones that usually charge more, want the D&B number, check the state's corporation filings, require blood and semen samples, etc.
End users are dumb. Most don't even know if they're punching in their credit card info on a SSL protected page or not. There are enough that look for the little padlock to believe it's trusted, but the rare exception checks to see who signed it. Why bother, it's trusted by the browser, it must be ok. At most, a few people catch irregularities like the one in the original story, and make noise about it. Do I care who signed Google's SSL cert? Not really. All that I've learned from the story is that Google might use different certs on different servers. That or the author was caught in a MITM attack and actually noticed it. .. and for giggles, I just went to my bank's web site. I'm replacing the bank domain name with "[mybank]" in this, and account access as [private.mybank].
https://mybank.com/ has a regular SSL cert for *.domain.com . Ya actually "domain". It immediately redirects to the next one.
https://mybank.org/ is a EV cert, signed by COMODO CA Limited, with a SHA1 fingerprint ending in 46:F6:C3, with an alias of www.[mybank].org
https://private.mybank.org/ is an EV cert signed by COMODO CA Limited, with a SHA1 fingerprint ending in 3C:8C:CA
That seems strange to me. They bothered to alias [mybank].org and www.[mybank].org, but didn't add the alias [private.mybank].org or [mybank].com. Well, whatever floats their corporate boat.
The same still applies. Sure, you're circumventing the eavesdropping of your employer. You still have a long list of trusted signing authorities in your browser.
Firefox list
Microsoft/MSIE
Chrome
There's no good reason to believe your encryption is end-to-end safe. It's end-to-whoever-runs-the-proxy-server encrypted. Someone in your house won't eavesdrop on it, but ye olde MITM by a large enough organization can. There are some telecom providers included.
So your employer can't sniff your traffic, and you've compromised their internal security. You're safe from your desk to your home machine and that's it. I'd say you're totally safe on your computer, but as your employer could use keystroke loggers, watch your screen, and even access your files (via \\yourdesktop\C$\), the only thing you're protecting is the easy logging of the URLs you've browsed. If they're already doing deep packet inspection, either the VPN connection won't be established because VPN won't traverse the content inspector, or they'll notice massive amounts of encrypted traffic always going to the same place. So it won't work, or you'll raise red flags.
What if a government agency got in on this game? They could sign and eavesdrop without you knowing. Oh wait. They are already there.
Firefox: France, Hong Kong, Japan, The Netherlands, Spain, Taiwan, Turkey
Microsoft/MSIE: Austria, Brazil, Finland, France, Hong Kong, India, Japan, Korea, Latvia, Macao, Mexico, Portugal, Serbia, Slovenia, South Africa, Spain, Sweden, Switzerland, The Netherlands, United States, Tunisia,Turkey, Uruguay, Venezuela,
Chrome uses the underlying OS root CA list.
Any one of them can sign valid certs. For MSIE and Chrome users, the US Gov't can sign for *.google.com, and intercept all the traffic, without the need of adding any extra CAs to your browser/computer.
That made me wonder about something at work recently. All the machines at work are owned by the organization. It would be trivial for them to add their own trusted signing authority, so they could MITM every SSL web site. It wouldn't be terribly hard to auto-generate "valid" SSL certs, and have it tagged as whoever you want the signing authority to be. All they'd have to do is add their own cert, in this case named "GeoTrust Global CA", and they'd have perfect control. To do it perfectly, they'd just need to query the site you're going to, and match up the signer's CN and sign the new fake cert, and you wouldn't know the difference. Who tracks the fingerprint of every cert for every site they go to? Well, I'm sure in this crowd, a few do.
It's good for network security, as they can pump everything out through a common proxy (or cluster of proxies) and inspect all the traffic for malicious intent (malware inbound, or organization secrets outbound). It's not good for privacy, if you were to visit your bank, gmail, etc.
As far as that goes, there are an awful lot of "trusted" signing authorities that come with any browser. I know we should probably trust them, because the authors of the browsers trust them. There's no really good reason to do so, other than if you don't, all SSL sites will warn that they may not be trustworthy.
I was considering a while back, how would *I* become my own signing authority, to be trusted by all browsers. I didn't find a good answer. An intermediary cert would solve it, but I didn't find how to accomplish that. Like, who do I throw money at to get one. Getting added to all browsers would be another even larger headache.
My thought on it was, technically it isn't hard to do. I could spend a day writing a very nice site, that would verify ownership and make whatever cert for the domain. Why can't I (or whoever) offer $5/yr, or $50/10yr single domain or wildcard cert? The code and infrastructure isn't very heavy.
Needless to say, since you haven't seen JWSmythe's Cheap Certs available, it never happened.
If not microwave ovens, there are all kinds of fun ways to generate signals.
But hey, if a cheap microwave oven does the job, that's good enough. Walmart has some for $36. That seems like some pretty affordable. I would think it would need a better antenna than the shell of a microwave would provide.
Well, that's nothing I'd be experimenting with. No one is shooting missiles at me.
From the evil dictator perspective...
If I knew jamming would make me a target, I'd put jammers out in remote locations, so they'd waste their ordinance on worthless targets.
Like I said, if you want security, you have to keep it within your walls.
Why did this part only make it to page 3?
Of course it does. IMHO, IT shouldn't be outside of a secure environment's walls. Even with "good" IT people, when they can VPN in from home computers and do things, it can compromise the security of the network. When your entire shop is off-shore, there's no one standing guard to make sure things are safe.
The risks are huge. It can range from malware on a workstation, to malicious actions by a 3rd party or employee.
The "what could possibly go wrong" goes from the confines of their office, to ... well ... the whole world.
I'm surprised DHS hasn't said no to this. They're worried about critical infrastructure, including power utilities, being compromised by outside attackers. When all the work is being done by someone other than in-house staff, it's inviting exactly that kind of trouble.
I guess "best case" here is that they're trying to get a bunch of people to quit, so they can get fresh locals in for less pay, screwing the existing staff in the process.
There are a few instances where they have found the specific piece of electronics that were causing problems, and in some cases purchased it from the passenger.
http://www.boeing.com/commercial/aeromagazine/aero_10/interfere_textonly.html
Funny thing, all the cases of problems caused weren't cell phones.
Farther down the page, they discuss cell phones. They do put out more noise on critical frequencies, sometimes over what the FAA permits for the aircraft itself. In testing, none actually caused problems.
Well.. Whales have a vestigial pelvis. Somehow the author, editor, and whoever else they have reviewing news stories failed to recognize the glaring mistake.
You're thinking spherical cow.
This is the spherical chicken reference.
Ya, I've seen this kind of troll before..
Most of his argument is that the UI is different. It's like saying that if you don't have a Gnome/KDE/Unity UI, you're not running Linux..
As a sysadmin, when I'm in a shell on Android, I see Linux. When I'm in a shell on a Mac, I see a Unix. When I open a cmd.exe window on Windows, I see Windows.
I was having some fun with some of my older Android phones a couple weeks ago. I put Dropbear Server II on. I had 4 shells open to 4 phones. I was remounting filesystems, moving files, using wget to collect stuff from my server, installpkg packages (with pm), chmod'ing files, and rebooting as I saw fit. It's just another *nix, and by his own admission a barely modified Linux kernel...
If it looks like a bear, and acts like a bear, and everything else says it's a bear, it must be a spherical chicken in a vacuum.
You're expecting too much.
Android is just another embedded *nix. I'm happy that it's Linux. You shouldn't expect it to have a whole bunch of scripting languages, and unnecessary servers.
With all that said, it is a functional embedded system, where you *do* have the ability. to extend it do to all kinds of neat things.
They provided hooks to just about everything in Java. I'm not terribly delighted with that decision, but it's what they went with.
For most purposes, play is their package manager. For the majority of users, they'll never open a terminal. I do 99% of my phone stuff through the happy little touchscreen. That's the nice interface provided.
If you really want the CLI package manager, you'll find pm, which does just about everything you'd expect from a package manager.
You can get Apache, Perl, and pretty much whatever else you want on there. Is it going to be like developing for an x86 server or desktop? Not really. It's a different platform.
If you're going to be developing for distribution, and not just for yourself, I'd recommend about the Android way to do it.. If you're doing it yourself, grab a copy of Perl for Android, and enjoy.
If you're going to complain, well, that's up to you. At least research it a little.
I don't know why anyone would have that problem.. At the end of the Great War, I shipped back plenty of barbed wire and landmines. More than enough to border my property. It was very useful during the Great Depression.
There have been a few stray animals that have caused problem, but no damned kids on the lawn.
Them youngins don't know how to protect their lawns.
I'll go back to watching those funny kids, Larry, Moe, and Curly. Great fun they are.
That's been discussed a lot on here in the past.
One in particular that I remember was about a laptop locking cable that you could unlock with a pen in just a few seconds.
If a criminal wants a laptop, and sees 3 sitting around. No one is at them, and he has a few moments of no one looking. One is on a desk with the easily defeated cable. One is on another desk, tied down with a piece of string. The third was just put into a laptop bag, and is on the floor by a chair.
He won't go for the one with the cable. Even if he was prepared and knew exactly how to do it, it is still an obstacle. Even the one in the string requires a little extra time to untie or cut. The one in the bag on the floor is easiest, as he can just pick it up and keep walking.
The only variation on this would be the perceived value. If the one in the bag looked like an antique, he'd disregard it in favor of one that he can sell. If it's the one with the cable, and may get someone's attention by picking the lock, he may just move on to somewhere else.
The same applies to homes. All things equal except for security, the insecure house is the easy target and will get broken into. If the insecure house is a dilapidated hovel, but there is a nicer house that's an easy enough target, he'll go for the nicer one or pick a different neighborhood with better targets.