Re:What about their work desktop policies? (on Remote Access Policies) · Score: 3, Insightful
In three words: don't do it. The only "safe" way to allow remote access is if you issue company laptops to all of the affected employees.
Assuming your corporate network is locked down pretty tight, the biggest thing you have to ensure is the security of the computer that the worker is using to access the VPN. The agreement and technology policy should either a) limit VPN access to company-issued computers (i.e., laptops) or b) require the use of firewall, anti-virus, hard-disk encryption and other security software from a list of approved products.
Once you open the access to non-company-owned computers, you expand your scope of security, legal and system administrative risks dramatically. For example, what happens when some PHB downloads a report from your customer/sales database to their personal laptop while on vacation in Bermuda, and someone steals the laptop? Or if there's a keylogger on the computer that they use to log into the VPN?
Unless your corporate security software licenses allow deployment of the software on non-company owned computers, you are going to incur a per-seat cost over $150 (possibly up to $500?) just to install required security software, or you will be forcing your workers to bear those costs. And then your network infrastructure team needs an on-going process to monitor those non-company computers to make sure that they are kept up to date with security updates for each of the installed products. At that point, it's more practical to issue company-owned laptops and integrate them into your standard support/licensing/update architecture.
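A posture check that encodes the two policy options above, option (a) company-issued computers only and option (b) personal computers admitted only with approved, up-to-date firewall, anti-virus and disk-encryption products. This is an added example, not code from the original comment or thread; the approved-product names, the 14-day update threshold, and the `Device` record and `evaluate_vpn_access` function are assumptions constructed for the example, and a real deployment would feed the check from the VPN gateway's posture data and the organisation's own product catalogue.

```python
"""Device-posture check for the two VPN policy options described above.

Option (a): only company-issued computers may connect.
Option (b): a personal computer may connect only if it runs a firewall,
anti-virus and disk-encryption product from the approved list and has
received security updates recently.
All product names and thresholds below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed approved-product lists; a real deployment would load the
# organisation's own catalogue rather than hard-code names.
APPROVED_PRODUCTS = {
    "firewall": {"ExampleFW", "HostShield"},
    "antivirus": {"ExampleAV", "GuardScan"},
    "disk_encryption": {"BitLocker", "FileVault", "LUKS"},
}
# Assumed threshold: security products must have updated within 14 days.
MAX_UPDATE_AGE = timedelta(days=14)


@dataclass
class Device:
    """Posture record as a VPN gateway or inventory agent might report it.
    Dates are ISO strings (YYYY-MM-DD) as they would arrive in a record."""
    hostname: str
    company_issued: bool
    firewall: Optional[str] = None
    antivirus: Optional[str] = None
    disk_encryption: Optional[str] = None
    last_security_update: Optional[str] = None


def evaluate_vpn_access(device: Device, today: str,
                        allow_personal: bool) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons).

    allow_personal=False is option (a): personal computers are refused.
    allow_personal=True is option (b): personal computers must pass the
    approved-product and update-age checks.
    """
    if device.company_issued:
        # Company-owned hardware is managed through the standard
        # support/licensing/update process, so it is admitted here.
        return True, []
    if not allow_personal:
        return False, ["personal computer; VPN limited to company-issued computers"]

    reasons: List[str] = []
    for control, approved in APPROVED_PRODUCTS.items():
        product = getattr(device, control)
        if product is None:
            reasons.append(f"no {control} product installed")
        elif product not in approved:
            reasons.append(f"{control} product '{product}' is not on the approved list")

    if device.last_security_update is None:
        reasons.append("security products not updated within the last 14 days")
    else:
        age = date.fromisoformat(today) - date.fromisoformat(device.last_security_update)
        if age > MAX_UPDATE_AGE:
            reasons.append("security products not updated within the last 14 days")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample: a personal machine with an unapproved AV product,
    # no disk encryption, and stale updates.
    personal = Device("home-pc", False, "HostShield", "OtherAV", None, "2024-01-10")
    allowed, why = evaluate_vpn_access(personal, "2024-03-01", allow_personal=True)
    print(allowed, why)
```

The reasons list is what the ongoing monitoring process in the comment needs: it tells the infrastructure team which control on which personal machine lapsed, rather than just refusing the connection.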
Eventually I'll get around to hating Google for doing an "embrace/extend/destroy" number on OpenId, but right now I'm just savoring the schadenfreude of seeing Microsoft fall into Google's trap.
Of course if Microsoft decides to do their own fork, then everyone's forked.
True. And I think everyone in the country should be thankful they're discovering all these problems during the computer simulation phase. In the past, they would've had to do live tests to uncover a lot of these issues. We'd have a lot of new videos like the old Werner von Braun videos from the 1950s and '60s.
Make sure you use your boss's name and email for all contact information on the user accounts you setup for the scraping.
I think you mean 100 F. Most components are only rated up to 100 C. Plus 110 C is about 225 F, which is more than enough. 150 F would be my setting.
I would recommend an alcohol solution rather than bleach. Bleach can leave a conductive, salty residue while alcohol evaporates more cleanly.
Rather than waiting a few years, once they look "dry", take a blow-dryer to them (at medium to low heat) for about 15 minutes (guesstimate) per square foot of area. One advantage you have this time of year is that the dry winter air will get rid of the moisture by January at the latest, so the key thing is to make sure you don't leave any conductive residue behind as the water evaporates.
Do you have a USB 8" floppy drive (or even 5 1/4") on hand? Not to mention things like 9-track tape, or punch cards.
tsb_sf isn't clear enough about how far back he wants to go with this. I'd say his best bet is a combination of SCSI, firewire and USB connections, but there's a good chance he won't be able to interface any of the truly ancient stuff. With SCSI and USB (and a MB that still has a floppy connector), he can cover:
-Most QIC-xx tape formats
-5.25 and 3.5" floppies, all formats.
-CD/DVD/Blu-ray and their relatives.
-Hard drives from just about any small to mid-range server, assuming he has the file-system drivers.
-Memory cards of all types.
-Old iOmega and Syquest cartridge drives (and others of that ilk).
-DAT tape backups.
If he's lucky, he might be able to find SCSI 9-track tape drives and perhaps 8" floppy, too. But AFAIK the supply of these things gave out sometime during Web 1.0.
Once you have the device channels, the rest of the job is accumulating the hardware and device drivers. Finding 32-bit Windows device drivers for a lot of these will be challenging, to say the least. You'll probably need a multi-boot system with BSD/Linux, Win 95, and Win XP. OS/2 might help too.
Start with the oldest stuff first, since that is what will disappear first. Say anything from before 1990.
You'll also need data recovery software, since a lot of the old magnetic media will have decayed into unusability.
It sounds like it would be interesting to check the amino acids and genome of the life that exists surrounding the undersea vents. Since our oceans are no longer "prebiotic soup", there probably won't be anything truly remarkable (previously unknown amino acids in the DNA for example), but if there is anything, that would be an incredible breakthrough.
Considering the number of firewalls that block internet traffic and silently drop ICMP requests into internal corporate networks, how the heck can he conclude that addresses are unused when he performs a scan from the internet?
WAFI
And before you go blaming those dam' foreigners, EDS is in this business in the UK because they bought the large UK contractor Scicon back in the 1990's. So regardless of the ownership, the people responsible for the operational f-ups that caused loss of the drive are probably home-grown.
At which point No Such Agency will record your transmissions and decrypt them at their leisure. Nice try, though.
unless you have the original disks on you. Having "contraband pirated media files" on your drive is pretty likely to give them probable cause for a seizure. Without the original disks, there's no way to back up your story while in the airport, and even with the disks you could get unlucky. Customs has forms and things you can do so that you don't have to pay import duty on the "Made in China" camcorder you bought before you left. They may have similar forms and procedures for media you've already bought and paid for.
Not to mention OS/2 Warp, and products from Stardock Systems at the time. The claims on this patent better be very narrow, or there is an awful lot of prior art that they can run afoul of.
Not to mention that changing the date of the (presidential) election would require a constitutional amendment.
The only benign explanation I can think of is that the study describes ways to exploit the voting machines for election fraud, and in the view of the court there is no way to remedy the vulnerabilities before the election. Frankly, I'd prefer that wikileaks leave this one alone for a few weeks. As a short-term solution, sometimes security through obscurity is your only option.
Change management.
Unless your team's change control processes are highly automated and difficult to circumvent, almost all bad code that makes it into production is caused by either:
a) a very simple, last minute change that "doesn't need to be version controlled (or tested or code reviewed), I know it's right."
b) compiling/packaging the wrong version of a file, either one that is missing a required change or one that contains incomplete changes.
Actual mistakes in coding usually trail these two issues, since most coding errors are usually caught during testing or during the design and code review process. Most organizations do better at testing and code/design reviews than they do at version control and SCM.
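A release gate that catches both failure modes listed in the comment, (a) a last-minute edit that never went through version control and (b) packaging a stale version of a file, by comparing what actually landed in the package against the reviewed revision. This is an added example and not code from the original comment or any project it mentions; the `verify_package` function, the manifest/history layout and the sample file contents are assumptions constructed for the example, and files are modelled as in-memory path-to-bytes dicts so it runs offline (a real gate would read the artifact and take the hashes from the SCM log).

```python
"""Release gate for the two failure modes listed above: (a) a last-minute
edit that bypassed version control and (b) packaging the wrong (stale)
version of a file. Rather than trusting the build, the packaged file
contents are compared against the reviewed revision's hash manifest.
Files are modelled as in-memory dicts (path -> bytes) so the example runs
offline; all sample contents are constructed for the example.
"""
import hashlib
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(reviewed_files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path in the reviewed revision to the hash of its content."""
    return {path: sha256_hex(content) for path, content in reviewed_files.items()}


def verify_package(manifest: Dict[str, str],
                   history: Dict[str, Set[str]],
                   package: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare packaged files with the reviewed manifest.

    manifest: path -> hash in the reviewed revision
    history:  path -> hashes of every version ever committed (from SCM log)
    package:  path -> bytes actually placed in the release artifact
    Returns (path, finding) pairs; an empty list means the package matches.
    """
    findings: List[Tuple[str, str]] = []
    for path, expected in manifest.items():
        if path not in package:
            findings.append((path, "missing: reviewed file not packaged"))
            continue
        actual = sha256_hex(package[path])
        if actual == expected:
            continue
        if actual in history.get(path, set()):
            # Case (b): an older committed version was packaged, so the
            # required change is absent from the release.
            findings.append((path, "stale: earlier committed version packaged"))
        else:
            # Case (a): content matching no committed version, i.e. an edit
            # that skipped version control, review and testing.
            findings.append((path, "untracked: content matches no committed version"))
    for path in package:
        if path not in manifest:
            findings.append((path, "unreviewed: file not in reviewed revision"))
    return sorted(findings)


# --- constructed sample data ---------------------------------------------
REVIEWED = {
    "app/handler.py": b"def handle(req):\n    return validate(req)\n",
    "app/config.yml": b"timeout: 30\nretries: 3\n",
    "app/routes.py": b"ROUTES = ['/health', '/orders']\n",
}
PREVIOUS_CONFIG = b"timeout: 30\n"  # older committed version, lacks 'retries'
HISTORY = {path: {sha256_hex(content)} for path, content in REVIEWED.items()}
HISTORY["app/config.yml"].add(sha256_hex(PREVIOUS_CONFIG))

GOOD_PACKAGE = dict(REVIEWED)
BAD_PACKAGE = {
    "app/handler.py": b"def handle(req):\n    return req  # quick fix, I know it's right\n",
    "app/config.yml": PREVIOUS_CONFIG,
    "app/hotfix.py": b"# added on the build box\n",
}

if __name__ == "__main__":
    manifest = build_manifest(REVIEWED)
    for path, finding in verify_package(manifest, HISTORY, BAD_PACKAGE):
        print(f"{path}: {finding}")
```

Run as a gate before promotion, any non-empty result blocks the release; the "untracked" and "stale" labels map directly to causes (a) and (b) in the comment, so the team can see which process failed rather than discovering it in production.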
Nah, I prefer going after them with the Computer Fraud and Abuse act or consumer laws in several states that prohibit installing software without explicit authorization (and burying it in a 20 screen EULA doesn't count) from the user. Lawyer fees add up a lot faster than lost sales.
This correlates well with my own observations of the tendencies of open source developers in the two regions: US Open Source projects tend more towards Apache and BSD-type licenses where redistribution doesn't necessarily require you to provide the source code. European Open Source projects trend heavily towards the GPL, which requires anyone who redistributes the code to also distribute the source. I would expect that open source developers tend to be a large segment of open source users, as well, so this trend would stand up with European vs. US users.
For myself, I reside in the US. My interest in having access to the source depends on how I'm making use of the tool. If it's a fairly generic tool like an FTP or SSH client, I may not be particularly concerned about having access to the source. This is because if there is a bug in a generic tool that impacts my daily work, I'm more likely to switch tools than to attempt to fix the code myself. If I'm using an open source project/product/tool without changes in a production environment, I would probably want access to the source code as a risk mitigation in case a really obscure problem occurs, but I'd be equally interested in access to support consultants and patch updates. If an open source tool was a compelling product that did not have good outside support, then I would be seriously interested in having the source code for the tool. The same would also apply for any open source product for which I or my team was making modifications.
The bottom line for me is not reinventing the wheel. Free as in beer is not going to keep my production system up and running. We'd still need to pay for some kind of support if we didn't have access to the code. And the project managers and bean counters here still need the security blanket of having paid support, vs. having access to the code. Support is a service they can understand, while to them having the code just means additional IT expenses for self maintenance.
Some of this lack of concern about access to the source also may be due to the American knee-jerk reaction against socialism, combined with our overly litigious society. An open source "community" sounds like a way to lose your trade secrets, even though a business could get the benefit of the labors of say 12 developers for the price of two, not to mention the recruiting and technical contacts that they would get if they elected to contribute back to an open project.
One sure defense that hasn't been mentioned yet against libel charges is that the "defamatory" statements are true.
But in that case any competent lawyer would have brought testimony that the actionable accusations (pedo-, hits on students) were true and that the rest was just name-calling by a victim or friend of a victim. So I have to think it's libel, especially since she was represented by the ACLU.
Yeah, that'll work. Put them under SEC or NASD regulation...
Talk with them about the services that they can't provide to their users because they don't have the budget. Or ask them what services your group could take over to free up their people for other things.
The risk is that if you're seen as taking people's jobs away in the IT department, they'll just clam up.
Another example: taking hardware courses in Digital Circuits, Logic and Microprocessors does wonders for you as a software developer. You probably will never have to program down to the bare metal, but it lets you analyze and/or develop software at any level from the bare metal up to highly abstracted design patterns.
Sounds like orgo should be a pre-law requisite, then too.
Speaking as an EE who never came near orgo, it sounds like maybe they need an "Orgo for pre-meds" similar to "Physics for poets". What premeds really need is a good bullshit detector when the pharmacologists and other researchers make claims about their brand-new miracle drugs.
Not to mention the federalization of the militias (National Guard), which basically precludes any sort of armed uprising in the name of states rights. Not that this was ever likely to occur again, but the other big negative impact is that it puts a large pool of soldiers available to the Federal government for adventurism in Iraq and similar situations, without having to declare a war and raise real federal troops.
So for all you computer security/programming geeks out there, it's a recursive data execution exploit. RIAA makes claims that Beckerman denounces publicly as lacking merit or evidence. RIAA files complaint that Beckerman's public pronouncements lack merit, but (pending investigation and judgement), the complaint itself lacks merit.
Well, that's one reason they say that even a lawyer who acts as their own lawyer is a fool. Apart from the distraction, it also cuts down on your income.