Slashdot Mirror


User: ZouPrime

ZouPrime's activity in the archive.

Stories
0
Comments
92

Comments · 92

  1. Re:I don't understand? on How To Play Poker With Your Rock Band Guitar · · Score: 1

    Because really, what coder wouldn't want to strum a guitar and have code flow from his awesome chords?

    It's doable. The five "color" buttons can be interpreted as 5 bits, which gives us 2^5=32 possible characters, probably enough for a simple case-insensitive language... of course, nothing stops you from using another button (select?) to get to 64 and have more breathing room.

    Could be very cool, in a geeky, "that's what I did during my weekend" kind of way. I wonder how a=a+1 sounds...

  2. Re:It's very entertaining. on New York Times Site Pop-Up Says Your Computer Is Infected · · Score: 1

    "Think again about security"? After offering genius tips such as promoting "secure design" and "secure implementation"? Wow, you sure sound like someone who knows what he's talking about!

    The parent is 100% right: almost all the time the weak link in security is the user, not the technology. Remove the user and most security issues are trivial to resolve.

  3. Re:I wouldnt make plans to deploy it either on Most Companies Won't Deploy Windows 7 — Survey · · Score: 2, Insightful

    So you think that putting in a hardware firewall will "solve" the security problem, but it's MS who doesn't understand what security actually means?

  4. Me don't like on The Path From Hacker To Security Consultant · · Score: 2, Insightful

    I don't like these articles on hackers becoming security consultants. Obviously it has happened in the past - and the story itself covers well-known examples - but doing information security for a private corporation is so much, much, much, much, much more than pen testing and other skills typical crackers are good at. In practice, the vast majority of security professionals aren't ex-hackers, and that's a damn good thing.

    Maybe it's because I'm actually working in the field, but I really don't like how the media keep bringing back ex-hackers and presenting them as some kind of security gurus, or worse, geek superstars. I don't think it is mature, and I don't think it is healthy. These individuals are criminals, and many have caused thousands if not millions in damages, or forced other people to spend countless hours fixing their mess. No matter how you look at this, this is not cool.

  5. Re:Oh, this sounds like a good idea... on Should Auditors Be Liable For Certifications? · · Score: 2, Informative

    Exactly. This is a very important distinction that some people fail to grasp.

    An auditor basically compares a situation against a checklist of auditable issues. He's NOT there to find your security vulnerabilities and tell you to fix them. He's there to tell you that you do or don't respect requirement XYZ. If an issue isn't covered by the standard's requirements, well, what can he do? He can always make a formal observation, but that's beyond the scope of his responsibilities.

    Standards such as PCI, SOX, NERC CIPs, etc. aren't designed to protect you against all known threats; they are designed around the general, most common, most problematic security issues. A company can pass an audit and still be very insecure.

  6. Re:Flawed by Design. on Testing So-Called 'Unified Threat Managers' · · Score: 2, Insightful

    True... but that's not "defense in depth", that's "not having a single point of failure".

    I agree that one big box to do everything has its issues. It's certainly not acceptable for corporations. But I think the cost/benefit is worthwhile for a lot of small businesses that most of the time don't have shit (although this is getting less and less true).

    It's a bit like those Linksys routers: sure they suck, but they are so cheap and so commonly available, and so much better than being jacked right into a modem, that they are overall a Good Thing.

  7. Re:Flawed by Design. on Testing So-Called 'Unified Threat Managers' · · Score: 3, Insightful

    Defense in depth refers to the principle of having multiple, overlapping security controls. For example, I've seen some companies use dual-firewall configurations where they will use two different brands of firewall. Or they will use a main network firewall as well as host-based software ones. So if one control fails, the other is there to protect the asset.

    This has nothing to do with UTMs, which are about hosting *complementary* controls on the same device. In this case, there is a real benefit in terms of management effort. These kinds of devices are especially interesting for small companies that can't be bothered handling a lot of different appliances and software for something perceived as being as unproductive as security.

  8. Re:Is that really enough? on Gates Foundation Funds "Altruistic Vaccine" · · Score: 1

    You're batshit crazy.

  9. Re:cry wolf on Scientist Forced To Remove Earthquake Prediction · · Score: 5, Insightful

    Unless the quality of earthquake prediction gets considerably better, the punchline is that the money is better spent on decent architects and engineers. Building structures that won't collapse and crush everybody inside isn't trivial; but it is doable now, which makes it a better investment.

    Add disaster recovery to that list. When you can't predict a disaster, you make sure you'll be able to handle it efficiently after the fact.

    Also, investing in disaster recovery is great because it helps you against a lot of different threats. Mass terrorism, earthquakes, etc. all involve more or less the same logistical considerations about moving lots of people/food/water/medicine quickly.

  10. Re:Wrong issue on Accessing Medical Files Over P2P Networks · · Score: 1

    Oh I'm sorry, you're perfectly right.

    I live in a country where most healthcare providers ARE government employees...

    My mistake.

  11. Wrong issue on Accessing Medical Files Over P2P Networks · · Score: 5, Insightful

    The issue here isn't P2P networks. The issue is government employees either loading confidential data on non-approved environments, or unauthorized software being installed on supposedly restricted environments. Both of these problems must be addressed with traditional security controls that are completely independent of P2P technologies.

  12. Re:Ironic on NASA's Orbiting Carbon Observatory Mission Fails · · Score: 1

    Thank you for your opinion. It's a shame it has absolutely nothing to do with what we were talking about. Not that I'm particularly surprised.

    Your original argument still makes no sense whatsoever.

  13. Re:Ironic on NASA's Orbiting Carbon Observatory Mission Fails · · Score: 1

    Your argument makes no sense, and is in fact pretty childish. The goal is to reduce overall carbon emissions, but it makes perfect sense to "spend" carbon emissions on something if we think this will help us reduce them considerably elsewhere. This is a perfectly sound investment.

  14. Re:Dear MS, on MS Publishes Papers For a Modern, Secure Browser · · Score: 1, Insightful

    "Dear MS"? Who's MS? Microsoft has close to 100k employees in more than one hundred countries, working on completely different products and technologies. Do you think they are somehow a monolithic entity, that all these employees share the same skills and areas of expertise? That somehow, every security expert Microsoft ends up hiring turns into an incompetent?

    I can't believe this was modded insightful. Oh, wait, this is slashdot!

  15. Re:Harry you? on FBI Issues Code Cracking Challenge · · Score: 1

    The "challenge" issued is so lame, I doubt this will help them recruit anyone.

    I mean, come on. YYY.AHB.MSK/NSCDC.OFZ? Can you make it any easier? Jeez.

  16. Relationship with the telco on Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans · · Score: 1

    In order to enforce a strong cybersecurity strategy, the US government and major owners of US telecommunication assets will have to cooperate. Unfortunately, the recent scandals regarding the illegal spying on US citizens using the telco infrastructure have affected the trust these private companies had in the US government. Aside from granting them retroactive immunity, what other steps are you willing to take to ensure future cooperation from private industry?

  17. GPL and game theory on The GPL: A Technology Of Trust · · Score: 2

    I'm not a Certified Game Theorist, but I find the author's conclusions difficult to accept.

    If we take the entire software industry as a zero-sum system, we can say that the GPL shoots for an optimal maximum. If we take the Prisoner's dilemma as an analogy, it would be like saying that the optimal strategy is to never defect (always cooperate). And he's right: it IS the optimal strategy in the long run.

    But as every game theorist knows, optimal maxima are almost never reached in complex systems, particularly in those made of "selfish entities", in this case humans. Why? Simply because there is way too much to gain in defecting. The more the system approaches its optimal maximum, the more it pays for a single individual to "not follow the group" and play for its own personal good. For example, if most of the software written were released under the GPL, it would pay a lot for a single programmer to release his under a private license. Sure, it would be a short relative gain for him (and a short loss for the system as a whole), but in real life most people live in the short term (for obvious reasons).

    I'm not saying that the GPL or the open source movement is bad. On the contrary, it seeks the best for the community, and you just can't be against that. But it is also illusory to believe that the kind of Holy Grail the author suggests could ever be reached. There are plenty of similar systems in our society, working more or less the same way, and none (AFAIK) has ever reached its optimal strategy.