Funny I was expecting this one instead: http://www.penny-arcade.com/comic/2002/3/25/
Ummm... only available through the App Store means Snow Leopard by default because there is no App Store on Leopard from which to buy it.
If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.
But they don't encourage the larger picture, is my point. Their testing methodology encourages checklist thinking so you pass a limited test at 100% and you get your certification. Because you don't get any real protection from the certification - because they will retroactively deny your compliance after the fact - it becomes a necessary evil to be complied with, not an active process. You're encouraged to think completely inside the box to get PCI certs but not rewarded in any way for taking a comprehensive security approach.
They will certify your computers as PCI compliant when they share domains with the unsecured network. Because you don't get any protection from PCI compliance and the testing is expensive, the scope narrowed to the computers themselves. Ignore the fact that I can steal credentials from the unsecured domain and then try them out on the secured PCI certified domain - to get the whole network certified is way too expensive so only do the minimum. And yes, I do know people who do exactly this kind of pen testing for PCI certified companies and that's exactly how you go about it. You don't target the 5% PCI certified part of the network, you look at the other 95% and work from there.
I've never heard that "no PCI certified system has ever been breached" and I'm pretty skeptical since I know a few ways to get data out of our PCI compliant systems. However, if they found that you violated PCI standards, then you weren't really PCI compliant, were you?
They seem much more interested in maintaining the appearance of unbreakable security than actually creating a system that helps users do the right thing. There is never 100% security, but rather than really help people achieve really good security they make you jump through hoops that encourage limited security scope examinations and then deny you any protection if you get breached. Their money would be much better spent on having a decent security overview of the entire network but instead they spend their money on a certification audit and then do a (worthless) internal "assessment" of the risks from the rest of the network.
It's like an ISO 9000 certification of a shitty product - they've certified that you have excellent management practices but your product is still shitty.
And back to something vaguely on topic I bet it was something like this at Sony. Their (criminally stupidly) unpatched public facing services probably didn't have any data they were worried about but they were connected to servers that did. If a simple network intrusion into an insignificant system yields a single login into a more important server that's all it takes. Major breaches are usually a chain of smaller security problems that get exploited in series until it actually adds up to something huge.
definitely shows that PCI is bullshit ;)
PCI certification is a joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc. - so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to the doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."
They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure out where you violated PCI and retroactively revoke your certification. It's worse than bullshit - it's an expensive fig leaf of security theater.
If that doesn't amount to the US taxpayers subsidizing a failed business model, I don't know what does.
I don't think it sounds like that at all - I think it sounds like a schizophrenic "business" model. The USPS supplies mail to virtually everyone - that's their mandate. They maintain post offices in tiny places you wouldn't even consider towns and charge an extremely reasonable fee to move mail regardless of distance or address. They are an organ of the US government that has decided that almost all citizens should have access to mail communications and I agree. What's crazy is to believe that they can do both things - run at cost and fulfill the mandate to provide access for all.
The idea that the government should be run "like a business" when it is trying to do unbusinesslike things is the failed idea. The public good doesn't have a profit motive that can be measured in dollars and cents and therefore running like a business misses the point completely.
=hiredman
Newspapers... well for reading anyway. I guess people may still use them for "proof of life" photos and ransom notes, but not reading.
Because there was no MS bashing, duh!
Why is it that some of the biggest and most vigorous defenders of MS refuse to pay for software? I have run into this in real life several times where I get the 10 minute treatise defending Vista but when I bring up cost and the multiple versions I get, "Well, I never actually pay for it so that doesn't affect me." Is it that it seems like a much better system (and MS a better company) if you're getting it "for free" or is it that a-holes who refuse to pay for software just have big mouths?
Has everyone else seen this or is it just me?
=tkk
Yeah - no one would be arrested for voicing their opinions. Like in NYC during the Republican convention. Or just standing next to someone who was...
http://www.nytimes.com/2005/04/12/nyregion/12video.html
The FBI wouldn't spy on you for being in a peaceful anti-war group, right?
http://globalresearch.ca/index.php?context=viewArticle&code=MIL20060127&articleId=1835
No one would be arrested because they wore an anti-Bush T-shirt, right?
http://www.commondreams.org/archive/2007/08/17/3243/
And you accuse others of not seeing? Look the f*ck around.
=tkk
VBA is gone from Office for the Mac and VBA developers is closed. Microsoft is acknowledging that both these "clues" that made people conclude that VBA in Office was going away are true - but they contend that VBA in Office is not going away.
"The facts you cited are right - but your logical conclusion was wrong. We're Microsoft and we are not bound by logic."
Basically.
=tkk
Not at all, I have both! Hire me!
=tkk
4. Engage in as many social activities with this good programmer as possible.
After sufficient interactions like these with a good programmer you really should be able to recognize him (or her).
But you forgot the most important details about the "recognizing" part. If they seem puzzled by the idea of interacting with people - especially people who don't program or otherwise spend most of their day with computers - then you're on the right track. If they interact easily and are comfortable conversing on a wide variety of topics, look elsewhere.
PROTIP: Unpronounceable last names and comically bad hair are also good signs - but not positive proof.
=tkk
So, a lot of people are bringing up iCal Server but if you check their forums or try it yourself, you'll quickly find it is anything but polished. It's pretty flaky and difficult to get everything up and running.
I'm running it right now. As long as you use it with Apple products in the way it was intended it's super easy and straightforward.
But most importantly, any iCal Server account has to be hosted by an Open Directory server.
Apple paid to create the product they wanted and - surprise - running OS X Server with Apple OD it sets up with a button push and just works. I'm sure running it on a Linux box against LDAP will take some effort. Isn't that the point of Open Source? If you want a specific usage/implementation feel free to write it yourself. Apple's supplied a 100% solution for their specific needs and 80-95% of the solution for someone who wants something different.
=Tod
Absolutely right - Python not PHP. Sorry, serious lack of caffeine this morning....
=tkk
Apple's iCal Server is Open Source PHP (with Twisted Framework) and based on the new CalDAV open standard. Everyone (with the possible exception of Microsoft) is moving to CalDAV as the open standard. Many big companies (Oracle, IBM, Google) are involved with the committee and hopefully the holy grail of inter-operable calendaring systems - including free/busy, invitations etc - is finally on the horizon.
The server just officially went gold with Leopard but has actually been done for a while now. Apple's iCal Server and (closed source) Client are currently the most polished products but now that there is a solid CalDAV server I expect that the various clients will gain a lot of polish and other CalDAV servers should start to roll out as well.
Check out the CALCONNECT standards body for more information: http://www.calconnect.org/
=tkk
PS Microsoft is finally a member but their commitment level is not that of the other partners.
Taken out of context this is the best Slashdot headline ever.
That is some seriously deep stuff right there.
=tkk
Now someone comes along and starts selling them on ebay.
This person can sell them for a tiny mark-up and still make a profit.
Now they can shut it down officially.
We are talking about nasty cut-throat business practices. (that should be illegal)
I'm unclear... which are you saying should be illegal? Because I could make a case for either one from the above statements.
Company makes product and inflates it 2000% but protects that margin by promising exclusive dealerships for which dealers pay big bucks, pass on huge mark-ups and mark products up even further. They protect this channel by driving out of business anyone who tries to sell it at less than 3000% mark-up. Sounds cut-throat to me...
Just sayin'
After a giant cave was found on the plains of Arsia Mons scientists called a press conference to announce they have named it Mons Veneris.
And then they spent the rest of the press conference giggling and nudging each other.
=Hiredman
Freeper-Vision: Alberto Gonzales is being rotisseried over fairly minor events taking place many months ago. That he does not have it all straight and clear in his memory is perfectly normal.
That the people alleging that the 2000 election was stolen can't agree on the details of the accusation in the course of 6 years is, in contrast, rather surprising.
Translation:
The fact that the supposed head of the governmental agency in charge of "Justice" can't remember anything about a key part of doing his job several months ago. Perfectly normal and not at all proof that he's evading, lying and covering up.
The fact that scattered nutters spreading conspiracy rumors over the internet about events 6 years ago don't agree. Proof that they're wrong and their claims are baseless.
Right.... it all makes sense now.
Cheney about WMDs, or Feith about pre-war stove-piping, or George Bush about his... well anything...
Translation: *staticky hissing sound*
We ALL know that facts and reality have a nasty liberal bias. Good thing you got rid of that and found the "truth". You get on with your bad self...
Oh, well, getting a story straight is always a problem, isn't it?
Yeah, ask Alberto Gonzales about that... or Cheney about WMDs, or Feith about pre-war stove-piping, or George Bush about his... well anything...
You're trotting out some line about "getting stories straight" in defense of the Bush Administration?
As Bart Simpson would say, "The ironing is delicious..."
=Tod
So you let the head of the mafia run rampant because his lieutenant is worse?
My bad, I wasn't aware there was a "fraidy-cat" exception to the rule law enforcement. "But if we imprison that criminal the next one might be worse!"
Great law enforcement ethic there - run for police chief of your town on that motto and see how far you get.
=tkk
Seriously, who can argue that as the person in charge of enforcing the rule of law and "protecting the constitution" that George W. Bush is doing the exact opposite. He's not just not doing it he's actively working to undermine the entire idea of separation of powers and role of the executive branch.
Impeach.
Now.
=tkk
PS See you at GITMO!
It's already my policy not to put anything I value on a Windows box.
If you think I'm putting something THAT valuable to me on a Windows box you're very, very, very wrong.
=tkk
We were only the tenants of this world. We have been given a new lease, and a warning, from the landlord.
Basically living from my savings and a porn website (check my sig! ;)
Dude, if you're going to try and run a porn site and claim any geek cred at least turn off directory listing.
You look like an amateur otherwise....
Sheesh,
=tkk