The fact is that while everyone knows there is an insider threat, you have to trust someone w/ something. The goal is simply to never trust 1 person with everything.
The question is really, "is a multiple EMP attack really a high probability threat?" Just as your parent post posted a bunch of the very common attacks we would expect to try and prepare for, it doesn't make a lot of sense to spend a lot of resources to prepare for an uncommon one. (Why use an EMP anyway. There are tons more ways to physically disable computers. Water sprinkler systems in computer rooms, axes. backhoes, etc, etc.)
Assuming they had DoD participation they probably did. The war machine has always been concious that its threats are not always just the guy in the trenches on the other side of the battle field.
Does mythTV support windows media extenders yet? THat is the biggest feature I am waiting on in a PVR piece of software before I build a high-end computer around it. (Note. WMC will not work because I can't live w/ the format it stores in.)
I personally bought my domain simply because I wanted my information to reside on my hardware. I think in the future people will finding giving up control of their information wasn't the best idea.
I have a reasonably large DVD library that I'd like stored on my hard drive. I can't figure out a good program to transcode to mp4 though. Does anyone have any suggestions?
In addition to this, I rarely am working for only 8 hours. Like most people, I have to stay late, come in early, and show up some weekends.
Re:Paid for 8 hours work or to be present for 8?
on
Fired for Solitare At Work
·
· Score: 5, Informative
People need breaks. I know when I was working hourly I legally had half an hour for lunch and a few 15min breaks reguardless of what the company said.
Now as a salaried employee, I constantly have slashdot, fark, etc open. On the other hand, I will read it, then do a bit of this, then read. In all honesty my productivity improves because to answer tough questions many times you have to distract yourself from them for a bit. (I am one of the most productive people in my group.) If the person wasn't playing solitare he'd be over in the other cube talking to a friend, getting some water, just roaming around, etc. That kind of thing has happened for AGES. To fire someone for playing a game for 5min is rediculious though it would be justifiable if the guy was always playing.
It sounds like they uncovered 2 issues. First the things you called "childhood tactics" impared your operations and second, you don't have an addiquate policy to deal with compormised systems. (THis could be in a bunch of policies: Disaster recover, incident reporting and forensics, Configuration Management, etc)
While I think this article is talking about a table top or paper drill, it does hint at a bigger question. How do you do realistic pen testing on a system that must be 100% configuration controlled? I think you have to assume that the Pen Testing will take the system into an unknown state though you should know the range of that unknown state, (it may not effect the entire system.) From that you can conclude you need to have a plan to take the system or parts of the system from an unknown configuration state back to the current baselined configuration state. But is this possible? How long does it take? What methods do you use? Does anyone on slashdot have any experience with such a plan? Has anyone had to write one or even enact one?
From the sound of it, this is a paper exercise. The Government more than anyone is scared of the impact of actual pen testing. More than likely this will consist of everyone sitting in the same room or VTC'd in. They'll go, "ok, a hacker just disabled electrical junction boxes shutting down power to Boston, how do you respond?" and then they'll talk it over for a while. End the end they'll realize, "humm, we don't know how" or "well we know how but we rely on group X for help and group X didn't know they'd need to be involved" or something like that.
I heard once that the NSA would only certify software under 4,000 LOC. (I don't know if this is still true.) The reason was over 4,000 lines of code it became to complex to validate for highly critical systems. The person who told me this also stated that all of those old systems that have been running for ever that protect are nation were coded below this requirement. Some of them signifigantly under it.
I don't know how complex your system has to be, but I'd strip out anything that isn't 100% necessary. No convenience code. No pretty, easy-to-use, fully featured gui. Just the basic required to get the job done. At that short a length you should be able to reliably verify a VERY low coding error/KLOC. Also, I would recommend 2-person coding if you have the say in it. Have 2 people working at the same time. 1 codes, the other checks. It will save yourself a lot when you go to testing and check out.
I am waiting on my PVR system. Mainly now I am waiting for backend software that supports saving in a format I can play on any of my computers and which can be controlled from a thin client like the windows media connector ones. It would also have to have the standard features. Support for various cards, HD capability, wide screen, etc, etc. I don't care about the OS as long as the features are there. Unfortunately it seems that only Windows Media Center really does what I want and it, unfortunately, does not save to widely usable format.
I believe we are confusing "tested" with "initially deployed". The testing should have been conducted in a lab. The operational testing takes place as part of, well, operations. For that it should be deployed where it is most needed. The superbowl is the perfect place to put it through it's paces.
Hey, we've all been saying we need something to push encryption. Maybe this is it. Everything becomes encrypted so that telecos can't tell what is what. They can't tell how many downloads I've used if all my traffic is point to point encrypted when crossing their network.
I actually run Windows XP 64 and am fairly protected. It is like my other boxes, behind an OpenBSD firewall, and it isn't the computer I generally use for browsing, but 99% of the time, new vulnerabilities don't effect it. I believe the plan is for Vista to benefit from the improvements as well.
But lets face it. The OS is no longer the primary threat vector. The user is primary, (opening attachments, downloading things, and agreeing to install browser helpers). Widely deployed 3rd party software is a close second. All those extremely common servers out there get more of a focus every day.
The only time the OS is the threat vector is when you have other policies, (CM etc), that prevent you from taking care of the OS.
I tried running non-admin on my windows box for a while. That ended quickly. I just couldn't function.
On my linux box I never run as root. I change to root a bit to do this and that but nothing else.
Now my work laptop I have no problem not running as root. But lets face it, there is only a very specific subset of the functionality of my computer I can use on my work laptop. (I actually carry 2 company owned laptops. 1 is the IO laptop that I can plug into the corporate network, the other I admin myself and I can do whatever I want with.)
I wish sprint would get with the program and offer some truely innovative phones. They bearly even have bluetooth support. I would desparately like a cell phone that did both wifi SIP, VOIP, or skype calling and cell phone calls. (Nor would it really hurt sprint because most of my home calls are after my unlimited nights and weekends cutoff.) But sprints phones are severely lacking in this arena.
Ogg may make open source people feel good, but it's a terrible way to go. I encoded a bunch of my music in ogg and now can only use it in open source players and winamp. I have transitioned to encoding to aac. There's open source implimentations. The quality is good. And you can play it with most devices that are not mp3/wma only.
This is a good idea. Certainly one I would be interested in. But come on. The cost of a DVD for something I download? Also I didn't see anything in the article about burning which would be very important to me. Similarly are they making the video playable in any way other than their software? Everything stored on my computer but played through my TV is done using xbox media center for me. And I don't mine sharing some. Maybe 2x or 3x my download. But I certainly am not going to leave it on indefinately and let them suck up my bandwidth. I have a 90k uplink. I become everyone's best friend when I turn on bittorrent.
But over all I am happy to see them stepping forward. Most of the above problems, (pricing, amount to upload, burning), would take a little redirection at the corporate level and could be implimented quickly.
We really need a universal streaming format acceptable by DRM standards but open to client implimentations. Something like NTSC over IP. The server can be closed but the client should be universal so that I can get it built into my xbox media center or my windows media extender, etc. I would think that recording this would be no more of a threat than recording to a vhs tape or rca in connection.
I recommend taking the first thing that comes along your way that is relatively better. Don't try to find the perfect job, just get out of the terrible one. The longer you wait the harder it is to get out. If you do a good job somewhere you will almost always get a semi-serious offer or 2. look at those and find one that you can accept or that will at least give you a year or so to job hunt.
Slashdot Mirror
The fact is that while everyone knows there is an insider threat, you have to trust someone w/ something. The goal is simply to never trust 1 person with everything.
The question is really, "is a multiple EMP attack really a high probability threat?" Just as your parent post posted a bunch of the very common attacks we would expect to try and prepare for, it doesn't make a lot of sense to spend a lot of resources to prepare for an uncommon one. (Why use an EMP anyway. There are tons more ways to physically disable computers. Water sprinkler systems in computer rooms, axes. backhoes, etc, etc.)
Assuming they had DoD participation they probably did. The war machine has always been concious that its threats are not always just the guy in the trenches on the other side of the battle field.
Does mythTV support windows media extenders yet? THat is the biggest feature I am waiting on in a PVR piece of software before I build a high-end computer around it. (Note. WMC will not work because I can't live w/ the format it stores in.)
I personally bought my domain simply because I wanted my information to reside on my hardware. I think in the future people will finding giving up control of their information wasn't the best idea.
The computer I'm encoding on is a WinXP 64 athlon.
I guess that came out wrong. I do it when it is necessary, but, like one of my bosses once said, "My priorities are: Health, Family, Work."
I have a reasonably large DVD library that I'd like stored on my hard drive. I can't figure out a good program to transcode to mp4 though. Does anyone have any suggestions?
In addition to this, I rarely am working for only 8 hours. Like most people, I have to stay late, come in early, and show up some weekends.
Now as a salaried employee, I constantly have slashdot, fark, etc open. On the other hand, I will read it, then do a bit of this, then read. In all honesty my productivity improves because to answer tough questions many times you have to distract yourself from them for a bit. (I am one of the most productive people in my group.) If the person wasn't playing solitare he'd be over in the other cube talking to a friend, getting some water, just roaming around, etc. That kind of thing has happened for AGES. To fire someone for playing a game for 5min is rediculious though it would be justifiable if the guy was always playing.
Great, does this mean I have to get another CAC card?
It sounds like they uncovered 2 issues. First the things you called "childhood tactics" impared your operations and second, you don't have an addiquate policy to deal with compormised systems. (THis could be in a bunch of policies: Disaster recover, incident reporting and forensics, Configuration Management, etc)
While I think this article is talking about a table top or paper drill, it does hint at a bigger question. How do you do realistic pen testing on a system that must be 100% configuration controlled? I think you have to assume that the Pen Testing will take the system into an unknown state though you should know the range of that unknown state, (it may not effect the entire system.) From that you can conclude you need to have a plan to take the system or parts of the system from an unknown configuration state back to the current baselined configuration state. But is this possible? How long does it take? What methods do you use? Does anyone on slashdot have any experience with such a plan? Has anyone had to write one or even enact one?
From the sound of it, this is a paper exercise. The Government more than anyone is scared of the impact of actual pen testing. More than likely this will consist of everyone sitting in the same room or VTC'd in. They'll go, "ok, a hacker just disabled electrical junction boxes shutting down power to Boston, how do you respond?" and then they'll talk it over for a while. End the end they'll realize, "humm, we don't know how" or "well we know how but we rely on group X for help and group X didn't know they'd need to be involved" or something like that.
I don't know how complex your system has to be, but I'd strip out anything that isn't 100% necessary. No convenience code. No pretty, easy-to-use, fully featured gui. Just the basic required to get the job done. At that short a length you should be able to reliably verify a VERY low coding error/KLOC. Also, I would recommend 2-person coding if you have the say in it. Have 2 people working at the same time. 1 codes, the other checks. It will save yourself a lot when you go to testing and check out.
I am waiting on my PVR system. Mainly now I am waiting for backend software that supports saving in a format I can play on any of my computers and which can be controlled from a thin client like the windows media connector ones. It would also have to have the standard features. Support for various cards, HD capability, wide screen, etc, etc. I don't care about the OS as long as the features are there. Unfortunately it seems that only Windows Media Center really does what I want and it, unfortunately, does not save to widely usable format.
I believe we are confusing "tested" with "initially deployed". The testing should have been conducted in a lab. The operational testing takes place as part of, well, operations. For that it should be deployed where it is most needed. The superbowl is the perfect place to put it through it's paces.
Did google see this coming? Is this the reason for their dark fiber purchases? Could google subvert the telecoms with some type of alternate system?
Hey, we've all been saying we need something to push encryption. Maybe this is it. Everything becomes encrypted so that telecos can't tell what is what. They can't tell how many downloads I've used if all my traffic is point to point encrypted when crossing their network.
But lets face it. The OS is no longer the primary threat vector. The user is primary, (opening attachments, downloading things, and agreeing to install browser helpers). Widely deployed 3rd party software is a close second. All those extremely common servers out there get more of a focus every day.
The only time the OS is the threat vector is when you have other policies, (CM etc), that prevent you from taking care of the OS.
On my linux box I never run as root. I change to root a bit to do this and that but nothing else.
Now my work laptop I have no problem not running as root. But lets face it, there is only a very specific subset of the functionality of my computer I can use on my work laptop. (I actually carry 2 company owned laptops. 1 is the IO laptop that I can plug into the corporate network, the other I admin myself and I can do whatever I want with.)
I wish sprint would get with the program and offer some truely innovative phones. They bearly even have bluetooth support. I would desparately like a cell phone that did both wifi SIP, VOIP, or skype calling and cell phone calls. (Nor would it really hurt sprint because most of my home calls are after my unlimited nights and weekends cutoff.) But sprints phones are severely lacking in this arena.
Ogg may make open source people feel good, but it's a terrible way to go. I encoded a bunch of my music in ogg and now can only use it in open source players and winamp. I have transitioned to encoding to aac. There's open source implimentations. The quality is good. And you can play it with most devices that are not mp3/wma only.
But over all I am happy to see them stepping forward. Most of the above problems, (pricing, amount to upload, burning), would take a little redirection at the corporate level and could be implimented quickly.
We really need a universal streaming format acceptable by DRM standards but open to client implimentations. Something like NTSC over IP. The server can be closed but the client should be universal so that I can get it built into my xbox media center or my windows media extender, etc. I would think that recording this would be no more of a threat than recording to a vhs tape or rca in connection.
I recommend taking the first thing that comes along your way that is relatively better. Don't try to find the perfect job, just get out of the terrible one. The longer you wait the harder it is to get out. If you do a good job somewhere you will almost always get a semi-serious offer or 2. look at those and find one that you can accept or that will at least give you a year or so to job hunt.