You assume hotels think that security is some sort of top priority. It's not. You think that there aren't hundreds of people that could open your hotel room?
If push comes to shove, I guarantee you the preferred solution for 99% of hotels will be simply securing the physical port, and not monkeying around with circuit boards or replacing the whole system entirely. It's just too expensive for too little benefit. Hotel rooms aren't meant to be Fort Knox.
SCADA was supposed to be an industrial control system, where nobody thought "hey... let's suddenly connect this incredibly important system that could literally kill people if it were compromised..... to the internet".
So it shouldn't be surprising the thing is full of vulnerabilities. It wasn't designed to be a secure system from smart and incredibly skilled people trying to attack it. It was designed to be secure through physical security and lack of access in the first place. The problem is that everyone expects data all the time now, even reporting from their industrial processes. So some higher up demands it, and the IT department is forced to connect these systems to the net... opening up a huge amount of problems.
Duh.
Setting either SAP or Oracle ~properly~ requires expert knowledge, and running either ~properly~ requires expert knowledge.
Except... why does it have to require expert knowledge? It should require expert knowledge to get maximum benefit, like anything else. But just to get the damn thing to run? That should be able to be done by a first level tech. Integrating the thing is a different matter.
Why the hell would you have a software developer installing 'enterprise' software anyway, unless they're some sort of expert in that software type anyway?
Because not everyone works at mega-corp, with a super-duper expert just sitting at your disposal who's spent weeks and weeks learning about Oracle and SAP installs with little else on his/her plate. There's lots and lots of people who have to wear multiple hats, and cringe at these freaking installs.
You're basically defending the status quo here, and not doing a particularly good job of it. It doesn't "have to be hard", it just is.
I'm a developer who winds up having to do a lot of backend support and installs; I've been installing various enterprise packages for the last 6 years. The author's experience is VERY familiar to me. It's quite hit or miss, with some of the most expensive ($40,000+) pieces of software giving the most miserable experiences. You spend days trying to fix this or that, and it winds up being some obscure setting somewhere that only a super-expert could ever understand.
What sucks is that we have to put up with this crap. End users wouldn't stand for it.... but yet sometimes I swear IT staff think it's somehow OK, and they either blame themselves, or think they've "learned" something by going through these dumb install problems and jumping through the hoops. I'm tired of it, and it wastes a lot of valuable time. There's some things that can't be avoided, but the majority of the problems I've come across could have provided MUCH better indications of what went wrong, or avoided the problem altogether.
The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.
Drive-bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drive-bys are from the 3rd party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not the case.
Clearly this should be on the agenda for the new "Cyber Reserves" of the department of Homeland Security.
Good god do I hope you're joking. The last thing we need is the US government involved, especially some quasi-military organization of retired people and contractors that get "activated" in an emergency, all run by the freaking Gestapo.
I'm not even an anti-government person who thinks they can't get anything right... but I sure as hell realize that this is an international problem that has to be solved internationally, not by some police force, or extension of it.
This is yet another fine example of Government security doing its usual - leaking like a sieve, in clear violation of Statutory data security requirements. I
Have you SERIOUSLY not paid any attention to the massive, massive amount of data security breaches that have occurred over the last 10+ years? MOST of them are from private industry. How many times did Sony get 0wn3d in 2011.. like 10?
The problem really has nothing to do with "Government security doing its usual", it's a problem across the board. Your reply is complete and utter bullshit for singling out the Government for having shitty security. That's a problem for the entire industry.
About a year and a half ago I looked into buying a salvage car that was in a minor accident and repairing it myself. Cars these days have at least 6 air bags + seat belt tensioners, and having 3-4 of them blow is very common in an accident. Replacing the air bags is a MAJOR expense, so I looked into eBay and other sources of air bags. There are/were several sites that sold these bags at greatly reduced prices, in high numbers for all car makers. This didn't make a hell of a lot of sense, as they were even cheaper than junkyards. After a bit of digging I found that counterfeit bags were a problem, and the eBay bags were most likely counterfeit.
I can't of course prove that these bags were counterfeit, but nothing else really made any sense. I actually abandoned my salvage car project after it didn't really make any financial and risk management sense. Real bags from the automaker are very expensive, and then you have to worry about screwing it all up if you DIY. In the end I didn't want to hold myself responsible for a passenger in my car being seriously injured because I wanted to save $1000.
The Linux kernel has now been developed for more than 20 years, and is in ways now part of "the establishment" since it now runs on everything from consumer televisions to mass-marketed phones.
If you could start something entirely new, or go back and do it all over again, what would you do? You've made comments in the past about disliking visualization, since getting close to the hardware was what attracted you to the kernel. So this question is largely about what you see as the next radical change at the kernel level might happen over the next 20 years, if anything.
Linus has never really minced words. He's not really beholden to anyone, and nobody is really paying attention (except strangely Slashdot). I realize Slashdot jumped the shark a while ago, but this story is just further confirmation of it.
Most technical people make the mistake that they should give all these technical reasons for something to non-technical people. What you should be doing is giving the high level picture. Here's how you do that:
"Developers screw up. A lot. Sometimes code breaks and we don't know how or why, or who did it. Keeping track of what/who/when and being able to go back to an old known good version saves us tons of headaches, and thus saves us time and money. When we don't do this we waste time and money and create stress. These are bad things. Source code control is extremely cheap, will pay for itself the first time it's used, and just requires the discipline to use it, which we already have".
That's actually about all you have to say. Anyone that's not a total moron will understand that going back to a known good version when something breaks is valuable.
Who's this everyone that actually WANTS to do this stuff? The problem isn't that people who want to do it aren't being given the opportunity to do so. The problem is that people who have no interest in doing it, or have a totally different job description other than developer, are being told that they suddenly all have to learn programming. Some idiot actually thought it was a good idea that suddenly the marketing people are going to be contributing code to the product simply because they required everyone to learn javascript?
The whole idea is stupid and wasteful. It's so stupid and wasteful (and obvious) that the article in question shouldn't have had to be written. It's as if somebody said "the sun isn't coming up tomorrow", and enough people were convinced this was true that someone else had to write an article pointing out that it will, in fact, rise tomorrow.
Only on Slashdot would an off-handed Spaceballs reference be replied to not as the joke it is, but as if it were an analogy and critique of whether there was any real break-in or not.
In any case, the article is in French, and I'm sure as hell not going to trust an automated translation engine to interpret what happened. I will point out that in most countries (No idea about France) intent is required to commit a crime.
And you haven't exactly disputed the article either. Just because it's 2 years old doesn't mean it's not accurate.
I have several iOS devices, and the only "password" you can put into it is the simple 4 character unlock code. You should certainly know that all encryption is based on keeping something secret that's very difficult to guess. If the only secret you're keeping is a 4 digit key, you're completely hosed to brute force attacks.
5 minutes ago I knew nothing of Apple's full disk encryption. Now I find an article that states:
http://anthonyvance.com/blog/forensics/ios4_data_protection/
So I'd say I'm just VERY skeptical that the DOJ can't crack something that wasn't really designed with any security in mind in the first place. Either that, or the DOJ has nobody with any skills whatsoever.
Let people design their own question.
It sounds like a good idea until you think it through.
Security professionals oftentimes make up very bad questions, and don't realize how easy it is to guess, or find, the correct answer. How would you expect the general public to do it right?
The point of the security question should NEVER be to just reset the password, no matter how many questions you ask. It should be simply an additional layer to prevent attacks. You still need to provide another means of authentication, be it email or phone.
These people had leukemia. The bone marrow transplant was to cure the leukemia. Getting bone marrow that's immune to HIV was just a bonus.
But that's true of anyone. You or me included.
You're really just splitting hairs at this point. If you don't have any symptoms, and can't pass on the virus, and aren't receiving active treatment for the disease (virus cocktail)... in what sense could you be said to have HIV?
What you call "entitlements", other people call "not dying of cancer", or "being able to eat".
SS and medicare are only a problem because our taxes are too low, and the economy is in the shitter. If we repealed the Bush tax cuts, most of the problems go away. If you repeal the tax cuts, and cut the military budget back to pre-9/11 levels, the problem goes away entirely.
You don't have to agree this is a good thing to do. But you do have to agree that simply saying the problem is "entitlements", is a vast, vast oversimplification.
The problem with your analogy is that your house doesn't need to be super-duper-secure because nobody has invented anonymous, instantly replicable robots that roam the countryside looking for open windows, equipped with high speed glass cutters, valuable item detectors, and phone-home capabilities to alert a human when further action is warranted. This is routine on the internet.
This is the threat your email address or bank account has to deal with. In your home you merely have to deal with the people around you who might rob you, and the occasional opportunistic criminal. On the internet, everyone is basically the same distance from everyone else, automation is cheap, and anonymity is common. Think that might lead to the need for more security than easily breakable glass windows? If all my shit is gone from my house, but my window is broken, I'm still not terribly happy that the thief was kind enough to let me know through the broken window.
Don't worry. Eventually there will be a huge FB breach of privacy story where FB starts selling all your info to the highest bidder. People will be outraged, FB will try to spin it into a non-story. Then another one will happen. Eventually people will over-react and FB will become the new Microsoft, with large amounts of people openly hating them. But unlike Microsoft they don't really have any powerful monopoly on anything where people can't just use something else. Eventually it'll suddenly become cool to NOT have a FB account, and people will turn to some other form of socialization online.
If the complaint about how "rise over run isn't a formal definition of slope" is indicative of the kinds of errors in his lectures, then I'd say Khan is right that the naysayers are just being picky. Yeah, it's not perfectly accurate or a formal definition, but it's an excellent start to a deeper understanding.
An educator's job should be to get people excited about a subject, not to present the most perfect, God's honest truth answers to everything. Anyone interested in a subject will go on to learn more, and find out the more nuanced and correct answers. If you've ever become an expert in any field, you know that everyone (including the best teachers) doesn't always have the time or knowledge to give the best possible answers. That's OK, since education doesn't stop once the class stops.
If your ultimate (and final) response when asked why you believe something is "because my teacher told me", then you really don't understand the subject matter very well at all.
It's quite a bit more energy than that. 1.85 MJ is the equivalent energy of about 50 mL, or 1.7 fluid oz of gasoline.
FB can afford to piss away money on a proprietary app now that they're a multi-billion dollar company. The vast majority of companies can't. I just don't see a huge resurgence of native apps replacing web functionality. Very few companies have the resources to develop for multiple platforms like that, and you really can't afford to just ignore android, or whatever else comes out into the mobile world in 5 years.
I agree, and your first thought was exactly mine.
My guess is the team who wrote the iOS app either had to deal with a lot of hard to implement features, and had to rely on inefficient slow javascript that ran really fast on modern PCs, but poorly on memory and processor limited phones, then didn't have the time and resources to re-write it and make it fast. Or they were just a shitty team. Impossible to say without an insider, but I absolutely agree there's no reason the client side can't be fast with just HTML and javascript.
The upper management hears about how shitty and slow the app is, and says "we need to make this faster RIGHT NOW". So someone else in the company sells them on making a native app, which everyone agrees will fix the slowness problem. They don't really care about the maintainability of the thing, since everyone is freaking out about Mobile and the lack of FB presence on mobile (this was one of the big sticking points in the IPO). So they just throw money at it, and probably just outsource the whole thing at the cost of several million dollars to a company who makes iOS apps.