Slashdot Mirror


User: ZouPrime

ZouPrime's activity in the archive.

Stories: 0
Comments: 92

Comments · 92

  1. Re:Which one is it? on Snowden Is Lying, Say House Intelligence Committee Leaders · · Score: 1

    Yes, the ones THAT ARE DETECTED are openly published. The ones that aren't remain unknown. Obviously if China would tell us every time they infiltrate a specific corporation, it would make the job of security professionals much easier.

    He did disclose very concrete details. For example, he mentioned the Chinese University of Hong Kong in his interview.

  2. Re:Which one is it? on Snowden Is Lying, Say House Intelligence Committee Leaders · · Score: 1

    No. I'm not even a US citizen.

    It's just obvious to anyone with more than a single brain cell. How the hell do you expect intelligence agencies to work if they have to tell the world what they do every time they do it? It's not a very difficult concept to understand.

  3. Re:Which one is it? on Snowden Is Lying, Say House Intelligence Committee Leaders · · Score: 1

    You make no sense. If the CIA and the NSA have to tell Americans and the press of all the legal foreign intelligence operations they conduct, well, better just close them because as institutions they just became completely useless.

    You can't spy if you have to tell your enemy every time you're doing it.

  4. Re:Which one is it? on Snowden Is Lying, Say House Intelligence Committee Leaders · · Score: 1

    Cyber intelligence operations on specific and named China targets are not "known by everyone already".

    The fact that we know (or highly suspect) the CIA to spy on Russia doesn't make it suddenly ok for a CIA employee to reveal the existence of specific Russia spying operations, or the identity of spies.

  5. Re:Which one is it? on Snowden Is Lying, Say House Intelligence Committee Leaders · · Score: 1

    The NSA (and the CIA) are institutions designed to perform foreign intelligence operations. The very fact that it's illegal for them to spy on American people implies that it's ok to spy on foreigners: that's their role. That's the very reason they were created. I have a hard time believing how the American people couldn't "know" that.

    As for specific intelligence operations, obviously those cannot be made public for reasons that I feel are unnecessary to explain here.

    So I fail to see what your point is.

  6. Re:Which one is it? on Snowden Is Lying, Say House Intelligence Committee Leaders · · Score: 1

    In an interview earlier this week, Snowden mentioned how the NSA conducted cyber espionage operations on Hong Kong and China infrastructures. He even mentioned specific targets.

    These are clearly "highly classified state secrets", unrelated to the domestic spying scandals. He had no reason to reveal that to the press, as it is completely unrelated to his whistleblowing claims.

    So, he could be "lying" about domestic spying, and still be prosecuted for espionage.

  7. Honeytoken on Honeywords — Honeypot Passwords · · Score: 4, Interesting

    Isn't this just a special case of a honeytoken?

    http://en.wikipedia.org/wiki/Honeytoken

  8. Re:Smart on Bin Laden Raid Member To Be WikiLeaks Witness · · Score: 1

    No, the goal is to show that information disclosed by Manning ended up helping "the enemy". That this information was "in the public domain" at one point isn't important, since it's the unauthorized disclosure that is being prosecuted.

  9. Re:Smart on Bin Laden Raid Member To Be WikiLeaks Witness · · Score: 1

    Covering up war crimes is or should be a much bigger crime.

    Is or should? Which one? Do you know what you are talking about, or are you just giving us your opinion?

    And which war crimes are you talking about? Real ones (you know the actual definition of war crimes, right?) or what "should" be considered war crimes if it was up to you?

  10. Re:Why assume "Government will SAVE US!" on Will It Take a 'Cyber Pearl Harbor' To Break Congressional Deadlock? · · Score: 2

    There's no "basic assumption", it's just the only real good way we know how to do these things. The industry, as a rule, is only interested in information security if they are forced to. In my experience, 99% of organisations won't lift a finger about security without a legal threat, ideally backed by a big fine in case of non-compliance. We are far, far away from any hope of seeing the industry self-regulate over something like this.

  11. Of course it matters on Do Data Center Audits Mean Anything? · · Score: 4, Informative

    Well, it certainly matters for regulation purposes. If you handle data that needs to be covered under a specific standard (say, PCI), you'll seek out a certified data center. In this context, the certification isn't about security, it's about risk transfer. It's the provider who becomes liable if there's a breach if it can't show to have respected the standard properly.

    Now as security references, they certainly have their problems. We can take solace in the thought that they help enforce the bare minimum at the very least. As a security professional, I would say their best benefit is how well they can be used as a big stick, "encouraging" management to perform necessary changes. It's a hard sell to convince an average manager to invest in security for the sake of security. But if there's a legal penalty associated with whatever standard must be put in place, as well as a big dollar sign attached to it, they'll suddenly start to listen. That's a language they understand.

  12. No on Ask Slashdot: What's the Best Way To Deal With Roving TSA Teams? · · Score: 1, Insightful

    "Like the majority of the population, I turn into an absolute shrinking violet when pressured by intimidating authority, but I struggle with what I see to be blatant social devolution."

    No. You're not like "the majority of the population": you have a problem with authority, while most people don't. The TSA is completely useless, and their presence is a sad statement of what the US has become, but it doesn't mean that personally complying with a TSA control is some kind of horrible event that you should struggle with and go out of your way to avoid.

    You want to resist them as some form of political statement? I then encourage you, as this is necessary for things to change. But don't confuse this with protecting your bruised ego. There are plenty of times in your life you'll face "intimidating authority", and in most of these occasions, this authority will be legitimate, and will have a good reason to act so. Learning to cope with such personal feelings is important for your own psychological health.

  13. Re:I strongly disagree! on America's Turn From Science, a Danger For Democracy · · Score: 1

    It was a joke guys. I'm sorry the sarcasm wasn't limpid enough for slashdot.

  14. Re:Climate Change on America's Turn From Science, a Danger For Democracy · · Score: 1

    Fact: asteroids have been striking our planet from the beginning of the Earth until present. Fact: Asteroids are going to continue falling on our planet until the end of time.

    Clearly, this means we shouldn't do anything to protect ourselves. And if for some reason we strongly suspect that some of our own actions have the side effect of raising the chances of an asteroid striking us, well, we shouldn't do anything about it.

  15. I strongly disagree! on America's Turn From Science, a Danger For Democracy · · Score: 4, Funny

    "They take one of two routes: deny the science, or pretend the problems don't exist."

    First, the analysis presented by the author is fraudulent, nonsensical, and just a creation of the liberal elite. Second, there's simply no issue with how politicians deal with scientific facts, I don't know why anyone would say something like that.

  16. Wouldn't that be amazing? on White House Responds to ET/UFO Petitions · · Score: 2

    After hand-waving away the cannabis legalization and the software patent petitions, it would have been amazing to see the White House answer this one candidly. "After seeing such public pressure on the matter over decades, this administration has decided to come clean with the Martians and our contacts with them."

  17. Re:Meanwhile, our country is run by lawyers on Libya Elects Engineer To Acting Prime Minister Post · · Score: 1

    Lawyers are also trained to know, understand and work with the law. Given that an important role of politicians is to create and modify laws, it's no wonder there's a lot of lawyers among them. The opposite would be surprising.

  18. Lots of interesting angles on Leonardo DiCaprio To Play Alan Turing? · · Score: 5, Interesting

    A story on Turing could exploit a lot of interesting angles. He's an important figure in computer science AND in cryptography. His most prestigious work was done with WWII in the backdrop, and helped the Allies tremendously. Finally, he has the total romantic yet misunderstood hero story - his contribution was a war secret, he was condemned for his homosexuality by the state he helped so much, and died a Plato death.

    There's a kickass script to be made out of that.

    Oh and DiCaprio is a fine choice. Great actor, versatile enough to pull it out and to let the character be the story.

  19. "Security by obscurity" is misleading. on Security By Obscurity — a New Theory · · Score: 2

    As an information security professional, I've always seen the whole "security by obscurity" issue as somewhat misleading. By repeating the mantra, I feel many people forgot its true meaning.

    Security shouldn't RELY on obscurity. That's true. But it doesn't mean obscurity, by itself, doesn't provide security benefits.

    There are many examples where this is obvious. For example, would you publish your network topography on your public website? Of course not. Even if you were convinced that its security and access control are air tight, the cost of keeping such documentation "obscure" is negligible versus its usefulness to a potential attacker.

    The problem arises when obscurity is used in lieu of proper security. Unfortunately, it still happens too often. But while the presence of obscurity may be seen as suspicious by an outside party trying to evaluate the security of a system, it shouldn't be considered as evidence of its insecurity, as it sometimes is.

    Finally, I understand the "many eyes" argument, and how public disclosure of the security details of a system can help improve it. After all, nobody would think about trusting a crypto algorithm that hasn't been made public and scrutinized accordingly. But this logic cannot be generalized for all systems in all contexts.

  20. Re:Dictionary attack doesn't show any weakness on Cracking Passwords With Amazon EC2 GPU Instances · · Score: 3, Informative

    No, it doesn't. For any other hashing algorithm of similar speed, the same results could be obtained. It's not a weakness of the algorithm, it's a weakness of only checking for passwords of 6 characters and less. That's not a very big space.

  21. Re:Motorcycle on Bicycle Thief Barred From Using Encryption · · Score: 1

    A MOTORcycle uses a motor for propulsion, while a BIcycle uses a bi.

  22. Well of course on Compliance Is Wasted Money, Study Finds · · Score: 2, Informative

    The reason why security programs are geared toward compliance is because that's what sells to stakeholders!

    A security manager in a typical organisation can rarely go see his boss to ask for massive investment in security without being laughed at. Security costs money, and without facing a real, quantifiable risk, his boss simply won't care. Obviously your mileage may vary depending on your boss's cluelessness, your ability to efficiently sell fear, and your industry.

    Compliance, on the other hand, is scary. There are penalties directly associated with non-compliance, and you know someone will actually come here and check if you're compliant or not. So the risk is very direct and very obvious. That's why it's a much easier sell.

    Of course, standards and regulations are designed to enforce security to begin with. Not saying that they are always succeeding, but at least they try to. So in the end, being compliant with a security standard does help your organisation's security. The issues arise when one tries to game the compliance, by falsely reporting which assets are critical for example. But if you're ready to lie (or bend the truth) around compliance, I don't see why you wouldn't do the exact same thing for security if you were left alone with your own risks.

  23. Re:Obligatory on Futuristic Sex Robots Now Just "Sex Robots" · · Score: 1

    In one of his essays (can't remember the title), Asimov points out that the three laws of robotics are, in fact, the three laws of tools.

    You expect tools (any tools) to do the following:
    1) Don't ever injure me
    2) Do what I'm telling you to do, unless this goes against 1)
    3) Don't break up when doing what you do, unless this goes against 1) or 2).

    Robots are just very specialized tools. For Asimov, there was no reason why they wouldn't be built following the same "tool logic".

  24. Re:Result on Man Tries To Use Explosive Device On US Flight · · Score: 1

    Helpless people want you to be helpless too, thus they don't understand any of this.

    Scared and insecure people want you to be scared and insecure too, thus they don't bother trying to understand about risk analysis, and the cost-benefit of security controls, even if this gets explained at length every time something like this happens.

  25. No, there are not on Are Software Developers Naturally Weird? · · Score: 5, Insightful

    Strange, weird and unique people work in every sphere of society. You only think coders are special because you happen to hang out with coders and not, say, accountants. If you were hanging out with accountants, you would find accountants a weird and diverse bunch too, but instead you have a stereotypical view of how accountants act, just like the rest of the population has a stereotypical view of coders.