I read an article some time ago which outlined a very low-tech way to help purify water in countries with high incidences of Malaria, Dysentery, etc.: paint the surface of huts/housing flat black and place clear plastic water bottles on them for a few hours. The sun & UV help to kill off most parasites and biological pathogens quite effectively and at a price much cheaper than other filtration solutions. Nice low-tech solution which is cheap, effective, and requires no special equipment.
Re:Costly... on PCI Compliance (Score: 2, Informative)
PCI is actually much less complex than other compliance standards like SOX, HIPAA, GLBA... If I had to choose a compliance requirement to deal with, PCI would be my choice. Overall, it's the most sane compliance guideline I've seen which actually improves your overall security if done correctly. It's like being forced to be a good security citizen with your data.
Some clarification on your comments:
Let's look at #10 first. What does "all access to network resources" define out to be? These days EVERYTHING is a network resource, and not all of them are within the admin's control. Take the iPhone for example. Is the PCI-compliant admin supposed to certify that every iPhone on the company's network cannot be accessed by others, thereby turning it into a 'network resource'? How do I, as an admin, track that Joe and Jim transferred files peer-to-peer style between their phones? I assume that we have to then ban all these devices?
The requirement only applies to systems which hold or transmit CVV/PII and/or are on the same network segment as those systems with no mitigating security controls in place (firewalls, IDS/IPS, etc). Those are your in-scope PCI systems. Your desktop at work? Not a PCI in-scope system unless your internal network is completely flat. The Oracle DB back-end to your webserver shopping cart? In-scope. The blog server in the same DMZ as your shopping cart? In-scope.
For #11, does 'regular' imply frequent as well? Does that compound with 'all network resources'? If so, this is a HUGE time sink. It could also be done, but this has a cost attached as well.
The intervals are defined in sections 11.2 (quarterly external testing by a qualified ASV, or after any significant change in PCI in-scope infrastructure) and 11.3 (annual penetration-testing requirement and after any significant in-scope infrastructure change).
Believe it or not, the cost for testing is actually quite small compared to what most organizations need to fix with infrastructure and internal processes. The 11.2/3 requirements are mostly verifying that you are PCI-compliant and stay that way.
The only problem I have with PCI is the fines for non-compliance. Currently I think it's around $25k/month, which for large organizations is almost a rounding error. And there is no way VISA etc. are going to remove the merchant status from a huge income stream like Amazon or similar. There has been talk of instead changing the fine to a doubling of the transaction cost for non-compliant merchants. If your costs went from $.05/transaction to $.10/transaction and you are doing several hundreds of thousands or even millions of $ per day... that is a huge hit to the bottom line. If this fine structure ever comes to pass I will have lots of fun watching the ensuing shitstorm as companies fight to reach compliance.
Amoeba
For something that is supposed to be a cornerstone of our country, you'd think that the money, time, and other issues you list would be minor problems when compared to the overall purpose and goal of voting and the importance of the integrity of an accurate count and auditing. As an aside, why is election day *not* a national holiday? A serious WTF?
Of all the issues you list (and I'm sure others could come up with additional problems) not a single one of them is an issue around the ability to tally the numbers with accuracy.
I can only imagine how politicians think:
"Hey how can we kill off a lot of small businesses so our big behemoth telecomm contributors can make more money in the long run? Ooh! increased operating costs! Our friends have the coffers to handle this while their smaller competitors die off. We'll have to make it look like something else though. Tie it to crime. Everyone hates criminals."
If you're serious about using Linux, and you absolutely have to have Exchange and MS Office, you need to come to terms with running those applications in a terminal services environment...Or, (for Exchange) if you're a cheapskate, just use the Exchange web interface that fricking comes with Exchange! It doesn't look as good in Firefox as it does in IE, but if you're doing it on a shoestring, that's what you get, and it is feature complete.
Actually, there are some very good replacements for Exchange available for Linux: Scalix, Zimbra, and others... no Exchange termserv setup required. These and similar products offer full Outlook email & calendaring integration so you can run a heterogeneous client space and not care if Bob in Marketing still uses Office 2k3 and Chuck the IT guy is a Fedora junkie running StarOffice.
As CTO for a security services and training company, I'm in the middle of transitioning my company to a Scalix solution right now and so far there have been no speed bumps at all.
The *only* issue remaining is cross-office document compatibility but that is due to MS closed formats/API's rather than an inability for OSS to compete in the groupware environment.
What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.
eldavojohn, I was agreeing with everything you said up until this point. I'm the moderator for the SecurityFocus penetration-testing mail list and the CTO for a security firm specializing in pen-testing. At the level of skill I'm talking about there is no "thousand other people... and meet the basic qualifications" but a very limited number. That fact alone allows for some wiggle room for companies looking for candidates with a rare high-level skill set. Would I hire someone with a blackhat background? Sure, if they met the criteria you outlined above and played at the level I'm looking for, because there aren't that many candidates out there looking for work.
Of course, while I would hope the decision would be a sound one I'd remain wary as it *is* risky... but people can change or grow up. Anyone who has been in the security industry for a good length of time has some skeletons in their closet. I was not always a lily-white scion of responsibility *cough*... but I grew up. Had the mistakes of my youth precluded me from working in the industry I might have turned out to be a very well-dressed, sensitive, thoughtful, extremely hireable burger flipper.
Money and control of money. Alcohol takes some equipment and knowledge to make and a way to distribute it to your end user. Marijuana is a weed. Anyone can grow it anywhere so no distribution channel. Which one is easier to control and make money from?
Not to mention that VOIP is functionally useless with response times greater than 150ms. Since this is a new infrastructure for a flat-rate data plan I'm not surprised that T-Mobile is blocking (or purposefully not paying attention to) UDP-heavy packets (IM) and VOIP which would require some QoS crafting to ensure reliability. By restricting certain services they can be in a better position to get meaningful usage data and network utilization stats out of the internal testing.
While cell companies make the most profit from voice services, don't believe for a second that should VOIP or other data services become more in demand that they won't fill that need... with a slight hike in data connection rates calculated for a price sweet spot.
"If Granny's into trannies, and doesn't want her grandkids to know, she should be able to download without fear," says Taylor Banks, project leader.
'So easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks.'
Am I the only one who finds the juxtaposition of these two quotes alarming? I don't want gamgams to end up in the pokey (pun intended) for inappropriate behavior at Starbucks. That would be weird.
From the article:
"If Granny's into trannies, and doesn't want her grandkids to know, she should be able to download without fear," says Taylor Banks, project leader.
This is why co-workers and I have been working on Fappix - The Pornnoisseur Distro. Not only can you browse anonymously but you have several thousand pre-bookmarked pages to choose from in categories ranging from Amateur Nudes to Bukkake Hentai to Puke porn. You have a hankering for some DP? We got it. Maybe a little fisting for those slow lonely nights at home. Nothing but the best for our users!
Never worry about having the correct video codec or player again as they will all be pre-installed! No more waiting another 20 minutes to download and install some obscure viewer just so you can rub one off to Kismet the Albino Sheep Goes to the Circus!
With our patented "Live (Hand) CD" technology you simply boot from the disk and off you go into fantastic realms of spanktacular fun without the worry of spyware, malware, trojans, or incriminating cache files again. You'll never have to blame that spandex scat video on "some spam or something" ever again!
Fappix. The sound of one hand clapping.
Yes. Hotmail was originally run on clusters of E3500s and E4500s running Solaris 2.5.1. After they got bought by Microsoft, a major initiative to migrate all boxes to Windows was undertaken in 2000. Hotmail has been 99.9% Windows for over 3 years now. The remaining 0.1% are some legacy Solaris boxes used to handle backups for clusters... and even they are being phased out slowly.
--Amoeba (who no longer works there)
A minor note on my question that Sid answered:
My question ends at "How do you tackle that problem?" and Sid's response begins from that point forward and not where the current Response: is listed.
All that aside, the answer is not quite what I expected and I was pleasantly surprised that in some cases Sid needs the visuals in order to proceed. That method/criteria for balance never crossed my mind :)
-Amoeba
Playability vs Graphics on Ask Sid Meier (Score: 5, Interesting)
Sid,
In any Slashdot gaming discussion invariably the debate between playability vs. graphics comes up. "This game is pretty but the game sucks!" "Nethack is all I need man."
Of all the games you've had a hand in, the intricate strategies and complex ways one can enjoy the game have always seemed paramount, with graphics taking a backseat for the most part. Some of the most successful games in the past have been very simple on the surface but can have amazing depth, all without the gee-whiz factor of purty lights and pictures of bleeding-edge graphics engines (Tetris, Nethack, Civ series, etc). How much focus do you place on the graphical aspects of gaming, do you think there is a way to achieve a balance without sacrifices on either end, and how do you tackle that problem? Nintendo's approach of focusing on "fun" and innovation in their games seems to be one example of how it can be done, but sadly they are an exception to the rule it seems.
Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.
If you read the SecurityFocus article you'll notice that MS is claiming they found the first 0-day exploit for this vulnerability *in the wild*. You are absolutely correct that a proof of vuln was published by SEC-Consult. However, no known exploit yet existed to take advantage of the vuln. And the SEC-Consulting page does note that MS was finally able to reproduce the problem.
You and I both know that it's a matter of semantics and the MS PR machine is in full effect here in the way this announcement was worded. However, that doesn't negate the interesting aspects of the honeymonkey approach. By actively trolling the net for "in the wild" exploits and vulnerabilities they're increasing the chances of finding and (hopefully) addressing security issues in a proactive manner.
Despite the fact that MS is indirectly responsible for my paycheck from my day job, I've never viewed them as a particularly security-focused company and I'll be the first to admit their track record blows goats. But the honeymonkey project is a step in the right direction and could be a useful approach for other OS's and security-minded orgs [1]. It's a neat concept and I'm frankly surprised it's MS doing it.
[1] I'm currently the moderator for SecurityFocus' penetration testing mail list. I don't get to see as much discussion of these types of things as say, the vuln-dev list, but it would be great discussion material to see if a similar approach could be utilized for pen-testing.
Okay, we all enjoy the self-righteous feeling of anger we get when we see the little man with his mouth taped over.
Whoa. For a second there I was trying to figure out why you would get angry at safe-sex porn... until I realized it's been a long time since I had images turned on for the front page articles.
My question is this: if you find a security vulnerability in linux, do you inform the linux community about it?
Actually I believe a better question would be: What *nix security-related approaches or methodologies with a long history of working well (chroot, sudo, user permissions, add your favorite here) are being analyzed and looked at for possible similar implementation within Windows?
Some of the Next-Generation-Secure-Computing-Base (NGSCB nee Palladium) work currently being put into play seems to take a lot of cues from how similar security methods were implemented in *nix. It would be interesting to see how much of what Linux does right in the security realm is being co-opted into Windows.
unfortunately the kiddies discovered it useful for attacking already.
Actually, it's also being used by security professionals and pen-testers for legitimate testing and assessment. There's currently a discussion regarding TOR for pen-testing purposes on the SecurityFocus pen-test mailing list. See http://securityfocus.com/archive/101/406238/30/0/threaded.
Just because the kiddies are using it doesn't minimize the usefulness of the protocol. BitTorrent, P2P, and other protocols face the same abuse issues.
Full disclosure: I am the moderator of the pen-test mailing list.
So, let me get this straight. If I so chose to upgrade to Longhorn, I'd have to buy a whole new videocard and monitor to actually view the OS and any other programs tailor written for it?
Actually, no. Only if you want to use the Secure Computing platform built into Longhorn.
This "feature" is part of Microsoft's Next-Generation Secure Computing Base. Essentially they are putting into place a framework that will provide a secure channel from keyboard to OS to monitor that runs in a protected bubble from the non-secure OS/apps/hardware. Longhorn will use a protected kernel "shell" in which DRM-enabled applications can run without interference from (or being touched by) applications or non-DRM-enabled hardware running in the non-secure OS portion.
The videocard tech they are talking about here is ostensibly to prevent things like screen-scraping or intercepting video output. The goal is to provide a secure portion of the OS that is inviolate from bootup and has secured pathways for data to travel. Think of it as Uber-root or a chroot'd OS partition that includes hardware.
Using this secure channel is optional. You are not forced to use it. You can run all the apps you want, you can run it on your old hardware. However, the NGSCB is there should you need it... and provided you have the hardware that supports it.
Now, certainly this feature has the *IIA's drooling. The theory is sound but the actual use and implementation can be (and probably will be) abused.
This comparison is flawed. A more direct comparison that would have resulted in better information would have been Mac/OS X vs. x86/BSD.
What performance is he measuring? The hardware or the OS? Comparing both with no baseline control for each is about as informative as pulling numbers out of my ass.
other "theories":
- Theory of Gravity
- Theory of Relativity
- Atomic Theory
Penn & Teller on the War on Drugs: http://video.google.com/videoplay?docid=-3653114296815352489&q=penn+teller&hl=en
I knew my wasting hours at work watching Bullshit! episodes online would come in handy someday.
Exactly.
Unlike now where you have a single provider (Verizon) holding this spectrum that could prey on consumers?
So apparently I'm in the Be Very Afraid range. Remind me to never go into business for myself or I'll eventually kill the bastard.
Now where are the hookers and beer? Bring me your finest meats and cheeses or I shall be forced to pipe all email through a jive translator.
You had hands!??
(Someone had to take this thread to its logical conclusion. Thankfully, the voices in my head were up to the task.)
Amoeba