That's cool, and I appreciate the security researchers and their work to strengthen both protocols and implementations, but in the real world the entire conversation happens inside a TLS stream, so it's not that easy: not only do you have to insert yourself into the communications path between the user and the resource, but you have to break TLS in real time. It does increase the scope of attacks like BEAST/CRIME/POODLE a bit, but since that paper is almost 3 years old you would hope that at least the major providers have patched frameworks in place.
SAML has all authentication happen at the IdP (user organization side), not at the relying party/service provider, so any login attempts are at your SAML endpoint. In theory you could even not allow passwords at the SAML point at all (if you have all your machines Kerberos joined you could use the Kerberos claim ticket to generate the SAML assertion and not have an alternate fallback authentication method, but for convenience and interoperability that isn't usually the case and there's generally a forms based login; in our case we have 3rd parties that use our cloud resources and have accounts in our authentication realm but not machines supplied by us, so a forms based login is a requirement). If an attacker wants to try to brute force one of your logins they have to do it at your SAML endpoint, which you can and really should monitor tightly with all your normal tools; in fact, since it's a single source of failure for security (the flip side of single sign-on) it should be better monitored than your average server.
Control is an illusion; if the folks at RSA can be spearphished and have their most valuable assets stolen, basically anyone can. People are fallible and the bad guys only need one successful attack while the good guys need to defend perfectly. We run a relatively tight shop: no local admin, patches up to date, AV/antispam on the email gateways, AV and antimalware on the desktop, IDS/IPS in the firewall with additional IDS by spanning the VLANs going to our firewall and the server VLAN. What we've found is that we still end up with ~1% of our clients managing to get some kind of infection or infection attempt per month (the attempts are generally where an exploit of some kind succeeded but the payload was stopped by one of the defense layers from actually becoming persistent on the client).
As far as the point from the article, we're moving to have as many of our cloud apps as possible use our SAML repository for authentication so that we can treat it as much as possible like an extension of our general security stance with password attempt monitoring, rate throttling and attack blocking, user lockout, etc. It doesn't help if the service itself is breached, but it at least stops the more casual authorized user leaks that seem to be one of the more common failures identified.
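The monitoring the two SAML comments above argue for (brute force has to hit the IdP endpoint, so watch it for attempt rates, throttle sources and lock out accounts) as an added worked example that is not part of this thread: a sliding-window detector run over constructed IdP login log lines. The log format, the window and the thresholds are assumptions for the demo; a real IdP (ADFS, Shibboleth, Okta, ...) logs differently, so only parse() would need adapting.

```python
"""Brute-force and password-spray detection over IdP (SAML endpoint) login logs.

Added example, not code from the thread or from any IdP product. The log
format is constructed for the demo; parse() is the only format-specific part.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window for all three rules (assumed)
USER_THRESHOLD = 5              # failures for one account in WINDOW -> lock the account
IP_THRESHOLD = 10               # failures from one address in WINDOW -> throttle/block it
SPRAY_THRESHOLD = 8             # distinct accounts failed from one address -> spray


# Constructed log format: "<ISO-8601 time> <source ip> <account> <OK|FAIL>"
def _line(minute, ip, user, result):
    return f"2015-01-10T08:{minute:02d}:00 {ip} {user} {result}"


SAMPLE_LOG = "\n".join(
    # one account hammered from one address: trips lockout and throttle, not spray
    [_line(m % 5, "10.1.1.5", "alice", "FAIL") for m in range(15)]
    # one address trying nine accounts once each: trips spray, stays under throttle
    + [_line(2, "198.51.100.7", f"user{n:02d}", "FAIL") for n in range(9)]
    # normal users: a typo followed by success, nothing to flag
    + [_line(3, "10.1.1.9", "carol", "FAIL"), _line(4, "10.1.1.9", "carol", "OK"),
       _line(5, "10.1.1.8", "bob", "OK")]
    # failures spread beyond the window: 4 at 08:10 and 2 at 08:40 never reach 5 in 5 min
    + [_line(10, "10.1.1.3", "dave", "FAIL")] * 4
    + [_line(40, "10.1.1.3", "dave", "FAIL")] * 2
)


def parse(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def _prune(dq, now, window):
    """Drop entries older than the window from the left of a time-ordered deque."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def analyze(log_text, window=WINDOW, user_threshold=USER_THRESHOLD,
            ip_threshold=IP_THRESHOLD, spray_threshold=SPRAY_THRESHOLD):
    """Return {'lockout': set(users), 'throttle': set(ips), 'spray': set(ips)}."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_user = defaultdict(deque)   # user -> deque of (ts, ip) for failures
    by_ip = defaultdict(deque)     # ip   -> deque of (ts, user) for failures
    flags = {"lockout": set(), "throttle": set(), "spray": set()}
    for ts, ip, user, ok in events:
        if ok:
            continue               # only failures feed the counters
        by_user[user].append((ts, ip))
        _prune(by_user[user], ts, window)
        by_ip[ip].append((ts, user))
        _prune(by_ip[ip], ts, window)
        if len(by_user[user]) >= user_threshold:
            flags["lockout"].add(user)
        if len(by_ip[ip]) >= ip_threshold:
            flags["throttle"].add(ip)
        # a spray is one source failing against many *different* accounts
        if len({u for _, u in by_ip[ip]}) >= spray_threshold:
            flags["spray"].add(ip)
    return flags


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(hits)}")
```

The spray rule is the one a per-account lockout misses entirely, which is why the source address is tracked separately from the account.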
The Android browser was horrible, not the least of which was the way it was bundled with the OS so it could not be upgraded except by the manufacturer; if your phone shipped with a browser with a known vulnerability you were at the mercy of the manufacturer to get a security update (this was compounded 100x by the fact that many, many apps consume the browser as a component, so a vulnerable browser left you at risk even if you were to use a different browser for your web viewing needs). No, Google moving to use an updateable component for one of the most security critical parts of the OS was not a shortcoming.
Yes, I assume they failed to register a vote in that section of the ballot. Heck, I've done that many times, including the elections for county executive because the Democratic candidates have been corrupt machine picks and the Republicans have been wackos. I also did that on most judicial candidates before a local collection of editors-in-chief and the bar association started a non-partial judicial candidate review site. I would argue that it's often our civic duty to do so either to show a dissatisfaction with the candidates proposed or due to a lack of information.
D[sic]o get elected to such a position you have to get what? About 100 people to vote for you? Even less depending on the county. lol
8,730 (page 70), which was 54.72% of the voters, and he was unopposed!
I think large 4k TVs might be one of the final nails in the theater coffin if we get a decent distribution media going; there were already 60" 4k TVs for $999 this season, prices will only go down from there.
Wow, I'd probably never go at $20 per ticket, we see the most films at the local drive-in where the carload gets in for $22 with a bring your own food and drink pass, there's nothing better than watching a double feature with a few cold adult beverages on a warm summer evening. Other than that we tend to go to matinee showings on the weekend for around $6.50.
Hmmm, as far as I can tell from the various blog posts Storage Spaces in 8.1 is full featured, but not every option is available via the GUI; for some of the more advanced stuff you need to turn to PowerShell.
Um, 20 years ago cellphones were significantly smaller than they are today; look at the Motorola StarTAC (ok, that was 19 years ago), it's smaller than even the iPhone 3G.
Actually mechanical, electrical, and thermal cycles from power on/off events would tend to shorten the life of the drive significantly, so any metric assuming lots of short cycles is going to understate the MTBF if you use the drive in a 24x7 light duty situation (you can obviously run into problems with cooling capability if you run a drive to its limit 24x7, but I'd posit that if you put two drives in the same environment the one run hard will still outlast the one put through lots of cycles). In the datacenter world the worst time for drive losses is when you've had a drive that's been running fine for years and you power it off for whatever reason and then have to turn the server back on; it's always a hold-your-breath moment to see if the server comes back online. It's why when I was recently working on retiring a server that's been online for nearly 10 years I unplugged the network rather than turning the server off when testing for any unknown dependencies.
D2D2Cloud is the most common method for home backup; that's how Mozy and Crashplan work, they back up to both a local HDD and to the cloud storage. If you have a non-catastrophic loss you restore from local media; if you've lost it all you restore from the cloud, either over the wire or, if you have a lot of data, you pay for optical or HDD recovery. Crashplan adds the option to back up to a friend or family member; if you design it so that they are using a separate drive for your target you can remove that drive and recover from localish media without paying. I'm personally using Crashplan and backing up to three targets (local, brother, and Crashplan central) as well as acting as a target for my father-in-law's free Crashplan backups (he backs up locally and to me, no need to pay for a subscription since I have a machine that's on 24x7 and he has a fairly small volume of data to be backed up).
I thought 8.1 update 1 introduced all the hyper-v stuff into the client plus storage spaces?
Yeah, except FF ESR is a joke compared to IE support; MS gives years and years of security support to IE versions whereas FF barely gives a year. We've had projects take nearly a year from demo to go-live, and having to go through a complete QA and UAT cycle just as you go live is not what most businesses want to do.
What is the point of "wireless"? You still need to power the lights.
You haven't seen the LED light strings powered by PV panels and a LiPo battery pack? I'm planning to use some of these for some trees along the far side of my driveway, being able to sequence those lights would be cool.
RAID1/0 is fine if your upper level can do parity checks, but if you can't rely on an upper layer then RAID6 is best. Of course folks looking out a bit are saying that even RAID6 or similar dual parity schemes will become insufficient, and so there's intense interest in newer coding schemes like rateless erasure codes, but I'm not sure those will ever scale down to the SOHO level other than through the use of cloud services. At enterprise scales I'm using RAID5 raidlets with advanced layouts that allow for entire shelves to fail without data loss, but on 7k disks with the long rebuild times I use RAID6 and expect that if I ever lose a shelf it will be faster to repair and reload from backup than it will be to have the system rebuild from parity, so the RAID is mostly to handle single drive failures with the knowledge that I'm covered if a second drive should happen to fail during the rebuild window.
ALL NEED TO RENDER THE WEB PAGE THE SAME WAY
No, they don't, and frankly that was never the goal of HTML, so having this mindset is a self defeating goal. Now if you had said they all need to render the webpage without breaking, then sure, but expecting the same output every time from various engines was never going to happen; if that's what you want then use something closer to Display PostScript or PDF, though even there with a much more strict language you get rendering differences between engines or even between versions of the same engine (PDF/A is probably the most reproducible, but that comes at the cost of limited features).
It's my understanding that MS is going to try to diverge from their waterfall development model and aim for a model more akin to the Chrome development model of rapid small releases, but they've probably gotten enough blowback from their corporate clients that there will be two browsers: one a more classic IE with a slower, less disruptive development model, and the new browser with the rapid-paced model. This is probably a good thing, as a slower target with longer release cycles is good for those of us that have to support third party systems that rely on the client browser to be the UI (basically every enterprise system that's not so crufty as to use a client/server or green screen) and will allow us to have a centrally managed and security updated browser with features that web devs will love.
You realistically can't backup 6TB worth of data
Sure you can, we back up over 10x that every weekend.
Ugh, RAID5 with 7k drives, that's just asking for data loss.
Space Opera/Cowboys in Space, the idea that TOS was some masterwork of American literature is laughable, which is why I love the reboots so much =)
IV even had an oddball plot about whales and was still the highest grossing film in the whole series
Incorrect, the first JJ Abrams film was the highest grossing, both in raw and inflation adjusted dollars for the US box office. source.
Generally they run Ethernet, Wi-Fi, and/or some form of DSL (Cisco's LRE used to be a favorite in older hotels as it allowed broadband speeds without the massive expense and disruption of running a new cable plant), though I did just see someone hawking Ethernet over powerline to the hospitality sector in a Google search; that has got to suck horribly.
Also, desktop DDR4 has been run at 4GHz already.
Perhaps by enthusiast overclockers, but the current DDR4 standard only goes to 2400MT/s with provisions for up to 3200 in a future revision of the spec.
Paleo: all meats in America are processed to some level, and red meat has been directly correlated with an increased risk of prostate and colon cancer. Various additives like nitrites and processing methods such as using carbon monoxide to improve meat color actually involve carcinogens or cancer suspect agents in their execution. Factory farming and the prolific use of steroids and hormones in all American meat have virtually guaranteed an increased risk of cancer. Enjoy significantly elevated levels of cholesterol, and supporting a fundamentally unsustainable concept of factory farming that contributes to everything from climate change to aggressively resistant bacteria and viruses.
This is a specious argument, a man of such extreme wealth will have zero problems acquiring whatever form of meat his heart desires. Should he want only American Bison filet every day then he can afford an immense herd where one individual is killed to provide him his daily cut of meat.