Slashdot Mirror


User: Registered+Coward+v2

Registered+Coward+v2's activity in the archive.

Stories
0
Comments
5,324

Comments · 5,324

  1. Re:No it doesn't on What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org) · · Score: 1

    People are usually the weakest link, but they're also not ideal for an attacker because they're rarely in control of a lot of communication channels. Stagefright, for example, was a vulnerability that made it possible to install malware (with root privilege - more privilege, in fact, than the owner of the device) on 100% of Android phones that visited a malicious URL for about a week and around 30% of them for several months (it took a really long time to roll out the patch). Malware installed via that vector could protect itself from removal by updates and could compromise all encrypted communication to or from that device. It's unlikely that you can find a human that could give the same level of access.

    I think we are basically on the same page here; my only point was by getting a human, either deliberately or by subterfuge, to visit the URL you have exploited the weakest link - the human vs being able to remotely enter a machine and install the malware; although that type of attack is also certainly possible with some malware.

  2. Re:Proselytizing on Why Is the Vatican at a Tech Conference? (bbc.com) · · Score: 1

    He's going to realise why religions prefer access to children. Adults are a damn sight harder to bullshit.

    It isn't the kids that donate millions to various religious groups or pay for mega churches.

  3. Re:Because the tech industry is soulless on Why Is the Vatican at a Tech Conference? (bbc.com) · · Score: 1

    Religion is a huge net negative for our species. So it's not so bad that a lot of developers aren't christian.

    However, faith can be a big plus because it drives people to do things for altruistic reasons and to help others. The problem is that religion often gets in the way as people use it to control others rather than follow the precepts of their faith.

  4. Re:No it doesn't on What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org) · · Score: 1

    It's a bit different, because it's now not the person that you're attacking, it's something that the user views as part of the communication channel. The analogy would be sending a message in a sealed box in an armoured car with an armed escort and then delivering it to someone's unlocked mailbox where anyone off the street could grab it and make a copy.

    While I get your point, I still contend the person remains the weak link; it's more like sending it to a locked mailbox where someone can be convinced to lend out the key (akin to opening that pdf that came as an attachment) or putting it in a locked dropbox that either has a default password that can be determined or you pay the courier to give you access. While it is a communications channel, the two end points tend to be the weakest links because of human behavior, and they are subject to coercion, blackmail, money or other enticements to allow you to gain access.

  5. Re:No it doesn't on What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org) · · Score: 1

    The leaks tell us that encryption only works if the endpoints are secure, which they are not.

    That has always been true, even before electronic devices became commonplace. The person is always the weakest link, and thus the best target; and not necessarily the important person but the one near him or her that has access to their correspondence, devices and files. Get to them and the door is open to bigger targets; and they are often an easier target to turn. Now, you may be able to install a desired program without help, but you still target a person as the vector to the device.

  6. Re:Is this news going to bring them more business on How The FBI Used Geek Squad To Increase Secret Public Surveillance (ocweekly.com) · · Score: 1

    If you have nothing to hide, why should it matter either way?

    "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." - Cardinal Richelieu (supposedly)

    Ray Donovan's (Reagan's Secretary of Labor) quote "Where do I go to get my reputation back?" seems appropriate as well.

  7. Re:Is this news going to bring them more business on How The FBI Used Geek Squad To Increase Secret Public Surveillance (ocweekly.com) · · Score: 5, Insightful

    I'm actually a little surprised that ransomware hasn't started dumping illegal images in victims' hard drives, just to discourage them from taking the machine to be fixed.

    In addition, when there is money to be made and you've been told X is a target, an unscrupulous person might "find" the desired evidence to collect a reward.

  8. Re:Focus on a few key things on Ask Slashdot: How Do You Make Novice Programmers More Professional? · · Score: 1

    I would add: The Power of Habit: Why We Do What We Do in Life and Business. This gets you started thinking about why people do things a certain way, and if you do interface design you should think about how your interface will be used and what triggers actions.

  9. Re:Focus on a few key things on Ask Slashdot: How Do You Make Novice Programmers More Professional? · · Score: 1

    My company hires many young non-degreed self-taught programmers (because that is all we can find). We give them a reading list, and require them to spend about four hours per week doing professional reading and studying on their own time.

    While your approach has merit it would seem your company is setting itself up for a lawsuit over unpaid wages, unless the new hires are truly exempt employees.

  10. Focus on a few key things on Ask Slashdot: How Do You Make Novice Programmers More Professional? · · Score: 2

    In 3 hours you will be able to cover 5 or 6 things in enough detail to really explain them, so you need to focus on what you think is critical for a novice to know. I would start with identifying what you would have liked to have known when you started out, then list the critical errors you see novices make consistently, and then identify any critical skills a novice needs to have. Once you have that list, pick the 5 or 6 you think are the most valuable and cover them.

  11. Re:What if company experience was more important? on IEEE-USA Criticizes Failure To Reform The H-1B Program (ieee.org) · · Score: 1

    I was wondering about the reverse situation, if I was to work for my former employer in the USA. I would expect to be paid at least the same as a local for the same role, probably more due to my skills and experience. There would be one less local employed but the company would be better off because of my deep and long knowledge of their product range. Would I still be seen as stealing a job from a local?

    In my experience, no you would not be viewed as stealing a job from a local. I've worked with multi-national companies and when some came from an overseas office we knew they were good and looked forward to working with them.

  12. Re:Not so new of an idea on US Army Unveils 3D-Printed Grenade Launcher Called RAMBO (ibtimes.co.uk) · · Score: 1

    Trouble with this approach is it requires a lot of steps in the field, and requires a lot of time in the field. It moves the production line closer to enemy action to destroy it, and if they really do have to form the rough shape in a 3d print process then machine it, that's presumably a lot of space and a lot of time being committed in a vulnerable position, and is also presumably much more dependent on electricity and functional computers than a conventional machine shop.

    You make some good points but they would not necessarily forward deploy them beyond a secure base and ship parts from there. Granted, shipping from a logistic base is an option, and our logistics capability is pretty amazing, especially if cost is not a concern. I see this as more of a stop gap when you can't get priority but need something, or if spares aren't available.

  13. Not so new of an idea on US Army Unveils 3D-Printed Grenade Launcher Called RAMBO (ibtimes.co.uk) · · Score: 2

    The US military has been working with 3D printing for quite some time, at least since the early 2000's. They were doing additive printing using metal to make things such as vehicle replacement parts. Once one was printed it was then machined to the required tolerances and used; the printed parts were as, if not more, durable than the original. One of the uses was to reduce the supply chain by forward deploying the printing capability with instructions rather than having to procure, ship and stock replacements at various locations; or having a unit wait a few days while one was sent from the US. In addition, rarely needed parts would not need to be procured and stocked. A ship could carry one as well, greatly reducing the time needed to procure a spare. If instructions weren't already available a lab in the US could create and send them.

  14. Re:The SEC is correct. on The SEC Just Handed Bitcoin a Huge Setback (theverge.com) · · Score: 2

    Bitcoin is something that can easily be manipulated thanks to the fact that China holds the majority of the bitcoin mining operation. If the owner of the Chinese mining rigs wanted, they could manipulate the currency's value with ease. The SEC made a sane and calculated decision here.

    Exactly. They could easily collude to drive the market, by colluding to control how they mine BitCoin. Since they have what, 70% of the mining capability, they could control the rate of supply as needed to profit since there appears to be a correlation between price moves and mining difficulty changes. For example, they could short the ETF and then deliver a lot of new coins to cause a drop in its value and then close out their position at a profit.

  15. Wow - so they proved in court that Carmack was involved in stealing trade secrets worth $500 million, and he still expects to be promptly paid?

    If I was convicted in court of stealing from a company, I wouldn't expect a paycheck. I guess that's one more way the rich executives are different from the rest of us.

    It's a separate action. He left, they owed him money and he wants what they agreed to pay. They can argue they shouldn't have to, or that any award should be used to offset any money he owes them; but if they owe him the money he should get paid.

  16. Re:In your face Betteridge! on Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com) · · Score: 1

    Things you should never use as a password:

    1) Your first pet's name
    2) The street you grew up on
    3) The model of your first car

    Things banks use for "security questions":

    see above.

    There is no requirement to answer correctly, only with answers you can remember. They'd do just as well to ask you to give 5 random two word answers as security answers and then give you two answer blocks and ask "Give us two of the security question answers you provided." While not perfect, it makes it a lot harder for someone to try to guess what info they need to get into your account.
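    The "any two of five" recovery scheme described in the comment above, written out as an added example (this is not the commenter's code or any bank's implementation). It treats each security answer as a secondary password: answers are normalised, salted and hashed with PBKDF2-HMAC-SHA256 so a database breach does not leak reusable plaintext like a pet's name, the server picks which slots to challenge, every supplied response is hashed and compared in constant time, and recovery succeeds only when the required number of slots match. The function names, the iteration count and the five two-word answers are assumptions made up for the example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Assumed parameters for this example (not from the original post).
ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16
REQUIRED_MATCHES = 2   # "give us two of the answers you provided"


def normalise(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Purple  Lamp ' == 'purple lamp'.

    This only removes accidental variation; it does not try to guess
    alternative spellings, which would shrink the answer space."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from one answer under its own salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, ITERATIONS
    )


def enrol(answers: list[str]) -> list[tuple[bytes, bytes]]:
    """Store one (salt, digest) record per answer; plaintext is never kept."""
    records = []
    for answer in answers:
        salt = os.urandom(SALT_BYTES)
        records.append((salt, hash_answer(answer, salt)))
    return records


def choose_challenge(slot_count: int, k: int = REQUIRED_MATCHES) -> list[int]:
    """Server-side choice of which stored slots to ask for, using a CSPRNG
    so the attacker cannot predict which answers they need to obtain."""
    return secrets.SystemRandom().sample(range(slot_count), k)


def verify_slot(record: tuple[bytes, bytes], response: str) -> bool:
    salt, stored = record
    candidate = hash_answer(response, salt)
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def check_recovery(records, challenge_slots, responses,
                   required: int = REQUIRED_MATCHES) -> bool:
    """True only if at least `required` of the challenged slots verify.

    Every response is hashed even after enough matches are found, so the
    time taken does not reveal which individual answers were correct."""
    if len(challenge_slots) != len(responses) or len(responses) < required:
        return False
    matched = 0
    for slot, response in zip(challenge_slots, responses):
        if slot < 0 or slot >= len(records):
            return False
        if verify_slot(records[slot], response):
            matched += 1
    return matched >= required


if __name__ == "__main__":
    # Constructed sample answers: random two-word phrases, not biographical facts.
    stored = enrol(["purple lamp", "copper kettle", "silent harbor",
                    "ninth ladder", "quiet pelican"])
    asked = choose_challenge(len(stored))
    print("server asks for slots", asked)
    print(check_recovery(stored, [0, 3], ["Purple  Lamp", "ninth ladder"]))  # True
    print(check_recovery(stored, [0, 3], ["purple lamp", "fluffy"]))         # False
```

    Note that PBKDF2 slows guessing but cannot rescue answers drawn from a tiny space: "first pet's name" falls to a short dictionary regardless of the work factor, which is why the random two-word answers the comment suggests matter more than the hashing. An account lockout after a few failed recovery attempts belongs in front of `check_recovery` in any real deployment.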

  17. Re:the "ancient technique" is practicing on Ancient Technique Can Dramatically Improve Memory, Research Suggests (theguardian.com) · · Score: 1

    They're practicing remembering things for 30 minutes every day for 40 days. It isn't some sort of "weird trick" like the headline might make you think.

    Not only that, it really doesn't improve the memory that is most useful; i.e. the ability to recall information relevant to what you are working on. If it enables you to memorize say a set of legal precedents and then recall later the exact one you need and be able to recite it verbatim, or go to a specific paragraph in a document and remember it, it would be useful. From TFA it wasn't even clear if they could recall what was the 4th word or just some subset of all the words. I use something similar when teaching. I "memorize" the names of 30 or so students on the first day so I can call on them by name. A colleague was impressed until I told her it was a parlor trick; I didn't really remember their names but the position of their names relative to each other and objects in the room. I knew John sat next to the purple lamp because I could visualize a john with a purple lamp in the bowl being held by Susan next to him and so forth. If they didn't sit in the same seats I was screwed; fortunately students tend to occupy the same seat every time. If I saw them outside of class I often did not remember their name because I could not recall it in a useful way, i.e. associated with their face.

  18. Survey sponsored by company reveals on IT Executives Believe Service Management Is Key To Digital Transformation (betanews.com) · · Score: 1

    the services they supply to be critical and that companies should invest more in them. In other news, water is wet.

  19. VEP doesn't mandate disclosure on Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org) · · Score: 3, Informative

    The Vulnerabilities Equities Process doesn't have a mandate to disclose, merely to determine if they should disclose or keep it for use. The EFF explains it:

    EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.

    EFF v. NSA, ODNI - Vulnerabilities FOIA

    The EFF has a heavily redacted copy of the policy; the key statement in there is "When a decision is made to disseminate..."

  20. Re:Dead Pixel normal in 2017 on Nintendo Switch Owners Complain About Dead Pixels, Nintendo Says They're 'Normal' (theguardian.com) · · Score: 1

    Aren't there any consumer protection laws that can help you in the US?

    In the UK we have Distance Selling Regulations. Basically, because buying online you don't have an opportunity to inspect the goods before buying, you can return them for any or no reason at all in the first 14 days. If the goods are not otherwise defective you have to pay return postage, so in the case of a few dead pixels you would probably be out a few quid on that, but you can save some weight by discarding extraneous packaging.

    It's actually better to buy stuff online than from a physical shop for this reason.

    US law has no similar ironclad protections; it's up to the seller to set warranty terms, although there are fitness for purpose laws so you can't simply sell a toaster that won't toast. The flip side is prices tend to be lower, even after VAT is removed, because companies do not have to account for some x% returns in their pricing model. It's the same with places that have longer warranty periods by law; companies simply price in the anticipated extra costs of warranty repairs and spread it over all the units sold there. TANSTAAFL

  21. Sorry, but no. It's not that hard to get quality products out of China *if you're willing to pay the cost*. I know, because I've owned many high-quality products made in China which outlasted the utility of their design long before the hardware failed. Chances are that you have too, whether or not you were conscious of it. I know it's fashionable to shout "China means low quality", but the fact of the matter is that for a company the size of Nintendo, China only means low quality if you want it to. Odds are that Nintendo has made a conscious decision to lower its in-house quality standards and thereby increase the yields / reduce the costs for the LCD panels used in the Switch. It is that simple.

    Exactly. They will manufacture to whatever standards you want to pay for and will enforce. One challenge is convincing the factory quality is more important than meeting an arbitrary delivery date; otherwise they will cut corners to deliver on time.

  22. What causes a CRT to fail? on What the Death of CRT Display Means For Classic Arcade Machines (venturebeat.com) · · Score: 1

    Unless it is the actual glass itself, and not the supporting electronics, then rebuilding them could continue to ensure availability. It may, however, simply not be cost effective to rebuild them, especially if an LED display offers an essentially drop in replacement at a much lower cost. Cognoscenti may decry the loss of originality but arcade owners looking to make a profit won't care; especially as users adapt to the new displays or grow up with them never seeing the original. A collector might pay to get a rebuilt CRT but collecting is far different than running an arcade or having a machine or two in a bar.

    I play some on MAME and find them as playable and enjoyable as they were on a machine when you add an X-arcade joystick/trackball.

  23. Re:But if there are more than one car on the road? on Curated Advertising Is Coming To Highway Billboards (technologyreview.com) · · Score: 1

    Call me stupid, but when there is lively traffic, the billboards are in full view of several cars at a time. So the update may be slow, so that e.g., ten or twenty cars see the same advertisement that is triggered by the first car? Or does every car get its own advertisement, so that you see a constant flickering of different ads?

    Paai

    I would guess they have a tiered pricing structure so the highest paying ad gets shown; but you bring up a valid point, is the ad designed to be read or merely expose a target to the ad? We have a lot of electronic billboards and they change so frequently that if one catches my eye the ad is often gone before I can deduce who it is for.

  24. Re:Create multiple barriers to failure on Why Typography Matters -- Especially At The Oscars (freecodecamp.com) · · Score: 1

    It wasn't "bold easy to read type", but it WAS on the outside of the envelope (though the front I think), even easily visible in the pictures from TV screens.

    So I think after Warren realized something was wrong, he had looked at both sides of the red envelope, he would have seen "Best Actress" on it.

    Good points. It does have the award on the front of the envelope; which illustrates how cultural norms, i.e. we write addresses and names on the front of envelopes, not the back, interfere with good human factors, which would place the critical information on the back of the envelope where it would be seen while opening it. The presenters hold the envelope with the front to the audience so they may not see the category before opening; couple that with an expectation they have the correct envelope and you can see why an error can occur. I agree Beatty might have caught the error had he looked at the front but it's poor human factors design, IMHO, to expect the operator to take action to clarify a situation when better design places a better barrier to prevent an error.

  25. Re:Create multiple barriers to failure on Why Typography Matters -- Especially At The Oscars (freecodecamp.com) · · Score: 2

    It's already been done. The auditors are supposed to memorize all the winners in all the categories. But word on some TMZ-type blogs is that the two partners assigned to the event this year were too busy snapping pictures and looking at the stars and their near naked bodies.

    True, but memorizing the names doesn't fix giving out the wrong card. All it does is ensure a mistake gets corrected.