Yes, all of these vulnerabilities are well known, but the reason that they are common mistakes is because it is so much easier to make them than to avoid them. Making people aware of them isn't the same as instructing people in how to avoid them.
While the list is (appropriately) in OS-neutral and scripting language-neutral terms, the way to correct these problems is specific to the OS, webserver and scripting language you are using. So the next question is: what are the resources for addressing these issues, specifically, for particular OSes, webservers and languages?
For those taking the MS approach (and flame it if you want, but IIS isn't about to stop being the #2 web server overnight, so it might as well be done as securely as possible), I can recommend the following two guides from SANS:
These are listed as "course books" on their site, but they stand alone as guides for those who already have some background and knowledge. And if you don't have much background and knowledge, SANS courses are very good. (In fact, just about everything at the SANS website is valuable for the IT professional who wants to know more about security -- which ought to be all of us.)
So, stop just posting that these 10 problems are old news, and post the resources you use (or learned from) to avoid these problems yourself on your platform of choice, so the many (majority?) still making these mistakes can learn to avoid them too.
A hacker shouldn't be responsible for costs incurred in getting a new security system. I mean, it's something they needed before they were broken into, but just weren't aware of it.
Like, if someone broke into a car and stole a CD, they shouldn't need to pay for a new Car Alarm (or something)
I disagree, to a point. And, to a point, you're right and I was unclear.
In most cases, the security enhancement after an incident is a patch, not a "security system". But it isn't applying the patch that is expensive. It is analyzing the hack, identifying the right patch, rebuilding the system, and testing it to prove it is secure from the previous hack. Plus at the same time restoring the site onto a backup server, putting that machine in place, monitoring it constantly because it is presumably vulnerable to the same hack, then restoring the site onto the newly secured server. Plus (even before this), imaging the drive that was attacked, so you can later perform forensic analysis to collect evidence against the attacker. These expenses all follow directly from the hack, and can reasonably be considered the cost of the hack, for purposes of measuring the seriousness of the crime.
But even beyond that, let's be clear. It is the hackers who create the need for security, and it is the persistence of hackers in defeating existing security measures that creates the need for constant vigilance and expensive and well-trained security professionals. If some organization without the best possible security gets hacked, and then decides to spend more money on security, that expense isn't directly related to the hack, but it isn't exactly a coincidence either.
Hey, cleaning up a mall is expensive, cleaning up a web site should not take more than the time to restore a daily backup...
Get real. If your response to a security incident on my network is going to be to restore from a daily backup and leave the compromised system exactly as it was before, then there's no way I'm letting you have any role in securing my network.
Companies that take security seriously have an incident response policy in place that presumes (unless proved convincingly otherwise) that a system which has been compromised has been totally compromised, i.e. backdoored, owned. In which case, the only appropriate response is rebuilding the system from scratch, and demonstrating that the new system is more secure in some relevant way from the old one. That's not also taking into account the forensics necessary to collect and/or preserve evidence to prosecute the cracker, if the victim wants to bother. (Many don't.)
Probably a mission critical website would be restored from a backup onto a backup server while this goes on, but that's an interim measure, and during that interim you're almost certain that the machine is vulnerable, so you're going to be monitoring it continuously, which takes time and effort and tools.
I'm absolutely not a "throw away the key" guy regarding these teen crackers, but let's be realistic about the fact that security is expensive, and that they make it more expensive, when determining the cost of fixing their damage.
"You will have devices in the home of different screen sizes: wall-sized for a lot of people to watch, desk-sized for doing homework or taxes, and pocket-sized for information you have with you at all times, and watch-sized," he said. "We will make all those work together."
The point of this move by MS (and this isn't to defend MS, or claim it is original) is to make a move toward distributing computing throughout your home and over your body as nodes of a network. Or (as somebody other than MS likes to say), the network is the computer, so it's one big computer, in your home office, on your wall, in your kitchen, in your TV, on your wrist.
So is the watch pretty dumb, taken alone? Yes, absolutely. Is this a breakthrough? No. Do I really want Microsoft to control the move toward distributing computing around my whole life in this way? No, no, no.
But do I think that this vision in general is right? Yes. I live in a house with programmable devices that include a VCR, DVD Player, thermostat and even the coffee maker now. I do want these things all integrated, and I don't want the computer on my desk to be the only way into this network. In the long run, some sort of wearable option as part of this scheme is absolutely necessary. If this is part of that, and Bill says it is, I get it.
OK, probably too late for anybody to notice, but I'm still posting in this thread . . . .
I disagree, or at least I'm making a different point than what you are turning my point into. I'm disagreeing with the "do what makes you happy" position. I'm not just saying that doing for others is what makes me happy. I'm saying that doing what is good, and right, and beneficial to others is important, is morally (or at least ethically) imperative, even if it makes you less happy. I get less out of my new job than my old one in some ways. I make sacrifices for my daughter. Sometimes it makes me happy. Sometimes it is just frustrating, but I know it is right.
To put a point on it: the article completely lacked any ethical dimension. Chasing happiness is selfish. What if killing puppies makes you happy? What if doing nuclear weapons research makes you happy? Building power plants that pollute? Ruling despotically over a third-world nation? I'm not asking people to set aside happiness, but I'm saying that it is critical to look at something other than your own happiness when trying to decide how to spend your life. Even if you don't have kids, even if you have no family at all, you have an obligation to other people that needs to be a factor in deciding how you spend your life. We can argue about what kind of factor it needs to be, but this original article left it out, and encouraged selfishness. The only sacrifices his people made were short-term sacrifices for long term personal happiness.
OK, I guess I'll make this argument, even if I don't entirely believe it, because I've read almost every comment to this story to this point, and nobody else is.
Lots of people are saying "He broke the law, so fry him", but you don't really mean that, because the consensus around here is that some folks who break some laws (i.e. bad laws, laws we don't like) are heroes who don't deserve frying. But this law is a law preventing theft, and since we all agree that theft is bad, and we don't want our stuff stolen, we basically like this law.
But in this case, what he stole was a description of technology that is going to be used to stifle the flow of information. Somebody could argue that this property doesn't deserve to be protected from theft, and that anybody who steals from the information-rich to give to the information-poor doesn't deserve to be punished.
If this doesn't prove that the law is bad in general, it proves that this application of this law is protecting an unjust institutionalized system of information as property, when information isn't and shouldn't be treated as property.
If you treat this as an act of civil disobedience, in the style of MLK, then let the system arrest and punish the guy, so that the system reveals its own injustice to anybody who happens to be watching.
I'm not sure I buy it myself, but I think it is a serious argument to consider, and so I'll throw it out there, since nobody else seems to be.
I read the summary, then read the article. My first two reactions (roughly simultaneous) were:
This guy stole, and deserves to be punished, and
The slashdot crowd is going to try to make this guy into a martyr/hero
Then I look at the comments here at slashdot, and all of the top moderated comments says, more or less, "this guy stole, and deserves to be punished." Most also anticipate the same overreaction. And I'm sure it is out there, in some of the lower moderated comments, but on the whole, it looks like we're having the same sane reaction, even as each of us assumes he or she is the only sane one around here. Interesting, I thought.
Look, I get that the author here is trying to get to basic questions about happiness and all that. But he assumes that the highest value is making yourself happy, and he assumes that you do that through your career. And just about nobody in this discussion seems to have a problem with any of that.
Maybe I'm the only parent in all of Slashdot?
After my daughter was born, I realized that nothing that my career could provide me was going to be more satisfying or more important than what I could do for her, specifically, and for others, generally. I found a city 1000 miles away that was a better place to raise her and found a new job there, one that has a 40 hour work week 80-90% of the time. I have the time to spend with my daughter that I wanted, and my wife, and that makes me happier.
And . . . I'm just getting settled into the new city, new job, new home here (it's been under six months), but now I'm asking the question in a serious way -- What should I do with my life? And the answers I keep getting back involve how I spend all those hours other than the 40 in the office, not just with my family, but with my community, with people who have less than me, with a system of politics in the U.S. that I think is fundamentally broken in all the obvious ways and others not so obvious, with the world. I could try to find a job in that, but I really don't think there is one that pays me to do the things I want to do to make a difference, and I won't accept the logic of this article, which it seems would make those possibilities outside of a career invisible.
My new job is fine. I get to use my IT skills, it pays enough, I like the people I work with well enough. Sometimes I like it more, and sometimes I like it less. It isn't a wild rollercoaster with 80 hour weeks and crazy deadlines (which I loved and hated), like my last job. But I never dread coming to the office, not even on my worst day of work. It's good enough for me, and it gives me the chance to not let my career define me, and not let my career shape the possibilities for what will make me happy and satisfied. And this article missed that, completely.
> People who run antivirus software and keep it up to date
> are almost completely immune to this nonsense.
NO!
People who confuse anti-virus software (which is essential) with a complete security solution (even for a home computer) are setting themselves up for a fall. Maybe by "this nonsense" you mean something other than the subject of this discussion, i.e. all forms of virii, hacks, cracks, malicious software, trojans, whatever. Or else maybe you've got a false sense of security. For the time being.
Generally, the "rights of the press" aren't enumerated in any single piece of writing or law (unless you count the first amendment, which is where it all starts, in the U.S. at least), so much as they are built up by years and years of case law. There's plenty on the web that talks about freedom of the press and various interpretations of it. One good source I found with a quick google is actually A U.S. State Department website on press freedom.
But the thing to keep in mind is that there are hundreds of cases, Supreme Court and many lower federal courts and state courts as well, that spell out and interpret various rights and responsibilities of the press. Some decisions contradict others, or only apply in certain circuits or states. It isn't easy to summarize with a single enumeration, beyond "Congress shall make no law abridging the freedom of the press."
. . . and this year, they become a charity organization, meaning that contributions for US citizens will be tax deductions. Yay, tax deductions!
Last I checked, nobody checked your citizenship before they collected your tax dollars. All U.S. taxpayers, whether citizens or not, are entitled to tax deductions when they contribute to a registered 501(c)3 organization.
OK, this thread is getting a little old, probably nobody is still reading this, but since the poster above is an AC, I can't respond directly, so I'll respond here, to get it off of my chest.
You said:
For one thing, all of human love, compassion, empathy, and what have you is based upon the ability to share in your perception of your mutual condition as conscious beings.
Almost all (if not all) of ethics is based on the ability of humans to recognize the fact that those around us share in our ability to *be*.
If everyone around you was a non-conscious robot, are you really saying you would treat them exactly the same as you do now (assuming you think they are conscious now)?
Your first assumption, apparently, is that however "apparently" intelligent a machine can be, it still won't be "conscious". Why is that? Again, Turing's point was that apparent intelligence is intelligence, because there's no other way of measuring or observing intelligence except by observing it as phenomena. I don't see why "consciousness" is any different -- I only believe you have it because you say so, and because you seem to me as if you probably do.
Your second assumption then is that we have no ethical obligation to machines, which will always be qualitatively different from people. Again, why is that? Your argument begs the question of whether or not machines can have that sameness with humans that creates an ethical bond, by just asserting that this sameness can't exist. But where is that line? If you have a stroke and I start replacing parts of your brain with electronic chips, do you become less conscious, to the point that I'm no longer ethically obliged to not kill you just because I feel like it, because you are now an object? Where is the line? (This is exactly the question that motivated Asimov's The Bicentennial Man -- read it -- don't see the movie.)
I'll make the strong case; why not? If machines become indistinguishable from people, then we have the same ethical obligation to those machines. If a machine can write a novel or a symphony, fall in love, experience sadness and joy, are you really going to tell me that pulling the plug is just turning it off, rather than killing it? I don't buy that. But it will take a long time before we come to that point, fortunately, and so there's at least a chance we'll do so deliberately and thoughtfully.
No computer will have hormones, or millions of years of evolution, or bad hair days, or dendrites, or lots of things we have. But that's all beneath the surface, as it were. Turing's point is that whatever intelligence is beneath the surface, ultimately all we see is the phenomena of intelligence, its outward manifestations. If I decide whether or not you are an intelligent human (as opposed to a computer or a coffee table or a CD playing your voice), I don't see the gears turning inside your head, or really care if you've got actual gears or not. I just interact with you, and get an impression.
The idea here is that to pass Turing's test, you create a machine with the outward appearance of all of those things, by abstracting the phenomena from the underlying causes.
What your argument gets closer to is a slightly different point. Why would we want to create a computer that is indistinguishable from people? People make mistakes in their addition. People lie. People get depression and schizophrenia. People can be bastards. People don't want you to turn them off, and will fight like hell to stop you from doing it. If we really create an accurate simulation of human intelligence, one that acts like a person with neurons and hormones and everything else, you get all this baggage with it.
I'd really like intelligent agents to search the web for me, to remind me about things I didn't tell them to remind me about, whatever. But I don't see the practical need to create a Turing testable machine, unless it is really an interim step by the AI gurus to get to the programs I want. Now, there may be a theoretical need, a human drive to create Turing's definition of AI because the gauntlet has been thrown down, but that's a different animal, ironically enough.
I failed too. It looks like we slashdotted the gimpy-server into utter nonsense. It is not only crawling, but it is definitely getting confused when it grades the results.
Update: now, suddenly, it is moving quickly and grading accurately again. Load balancing kicked in? Who knows.
I actually doubted for a bit that anybody would include LeGuin here -- she doesn't really seem very /. if you know what I mean.
But I've always absolutely loved her, in part because she really uses SF as a means to an end of speaking to grand human themes. In part (and unlike 90+% of SF writers), she has that option because she writes SF, Fantasy, mainstream fiction, non-fiction essays, literary criticism and poetry. If she's got something to say, she finds the right medium and says it in the way that works. She doesn't have to shoehorn a message into an SF story just because that's what she writes.
And she seems to always remember that SF is a way to tell us about ourselves, by creating a situation just sufficiently foreign that we can see it clearly. How many of her stories and novels couldn't just as easily be told without SF, but not nearly as well? (Not Left Hand, of course, but many could.)
And finally, I have to agree with the comment above about world building. The Universe of Hain is remarkable for the history and the complex interweaving of worlds and characters and events and stories that built it into as rich and complex an SF universe as any author has ever created (and I will stand by that in a debate), without hitting anybody over the head with the didactic writing and history lessons to flesh out the universe.
This article just says "Fortunately, the Supreme Court has agreed to rule on a case challenging the Bono Act", leaving out the fact that it was pretty clear from the oral arguments before the Supreme Court that they are very unlikely to overturn this law. For details, see:
The point is that bad policy isn't always unconstitutional, and the court may take that as reason to disagree without acting.
In general, this article is very light on the legal specifics behind this case and this law, but there are good resources out there, including specifically:
Yes, this will slow down the spread of viruses -- but the article makes a big deal of the fact that a throttled system can detect the attempts to rapidly make many network connections, setting off an alert. Of course, as soon as people come to count on this as their primary form of virus detection, a virus will be written that only attempts one connection a second, and then, very slowly it will spread undetected on those systems that rely on the throttle for detection. And we know there will be people who rely on it exclusively . . . .
Look, I love Salon, and I'll really hate to see them go if it comes to that. But I don't see how they accumulated a debt of $80,000,000. They aren't in retail, so it isn't inventory. They didn't have to do years of unprofitable R&D to develop some sort of magical intellectual property that would pay off later. They are a web site. What am I missing?
Now they have a solid base of advertisers and 45,000 paying subscribers, which is really good for an online magazine. The WSJ article says they are looking at a strategy of reducing costs. Sounds like a plan to me. Is it really conceivable that they can't find a way to keep costs within expected revenues?
The issue in this case isn't the DMCA at all -- that's just an enforcement mechanism here for the redistribution of something to which somebody is claiming a copyright. The issue is whether or not the claim of a copyright is valid. Even if the DMCA didn't exist, another mechanism could probably be found for enforcing this particular copyright claim.
Probably the copyright claim is bogus itself, but it is common practice for the big corporations to use the threat of legal action to make small fries do what they want, even if they know they would lose. And that isn't a DMCA issue either -- that's a problem with the way capitalism leverages the legal system.
I'm not sticking up for the DMCA, but this case is really, ultimately, about something else.
On the whole, this is a good essay that makes a lot of valid points. Some are just common sense, others show some real insight. But he says something that strikes me as just wrong:
The market for add-on security (firewalls, intrusion detection, antivirus, monitoring, probing, etc.) will continue to grow, although we'll see considerable consolidation in the marketplace as the similarity of many tools becomes apparent. Sales of these items will be strong for years to come, despite the fact that the only real solutions require rearchitecting the underlying systems.
It sounds like he is saying that intrusion detection, antivirus, firewalls, etc. are combinable, which is pretty questionable, and even more questionable, that they can be integrated into the "underlying systems". If I understand this correctly, he's talking about rolling all of this functionality into operating systems.
The last thing I want is all my security tools prepackaged in my OS. Not all intrusion detection is the same. Not all firewalls are the same. I want to be able to pick the tools that make sense for the needs of my network. I want to be able to run some of my critical security services on separate dedicated boxes from critical network services. (Obviously the firewall, but other stuff too.) I want to create multiple layers of security distributed around my network. I don't want the OS of my production box to give away all the details of my security posture.
We all know that admins out there fail to keep up patch levels at an enormous rate, let alone creating a well designed multi-layered security posture. Maybe rolling it all into one box would simplify the job of getting to a minimally secure configuration. But seriously, who doesn't believe that the black-hats wouldn't have a field day with this? He talks about real solutions, but the only real solution, now or 10 years from now, is hiring IT security experts to create and maintain a real comprehensive security solution.
I don't disagree that "underlying systems" need to be "rearchitected" to meet basic security needs, if that means, for example, that MS needs a radically different approach to integrating security concerns into the OS development process. But that isn't a solution to the problems addressed by what he calls "add-on" security tools. That's a different problem, and an important one. But no matter how well designed my underlying OS, I'm still going to put it behind a firewall, I'm still going to run some sort of IDS, I'm still going to monitor the logs, and I want control over how I do those things.
Or maybe I'm reading his relatively sketchy argument wrong, but I can't figure out a different way to take it.
If the problem with this proposal is sifting through all the trash, how about somebody combine this idea with SlashCode, so we can get moderated indie music. Moderators grade the songs and bands, individual users give personalized preferences, and the stuff you want to hear rises to the top. The technology is all out there -- it's just waiting for somebody with a lot of time on their hands . . . . and who doesn't care that there's no obvious business model . . . oh, well
This made me think of the discussion here a few days ago about when the cable guy sits at your computer accepting all the EULAs of the software he installs on your PC as a condition of getting your broadband set up. Then about 50 slashdotters posted back with "When he came to my house, I told him he couldn't touch my computer, and I did it myself." I almost posted a useless "me too", until I saw somebody say that we all missed the bigger point. And we did.
The bigger point was that maybe we see what's at stake here, but most folks can't and don't. Most folks aren't able to understand and make intelligent decisions about privacy, security, EULAs, file-sharing, and everything else we argue here. The world of computing, and especially the industry of computing, controls them because they lack the understanding and skills and proficiency to control it themselves. We can argue about the abuses by Microsoft and the federal government and the spammers (and on and on), but 90+% of computer users don't have the ability to take basic steps that allow them to take control of their own computing, whether it means using a firewall, identifying and removing spyware on their computer, applying simple patches that reduce vulnerabilities, choosing an operating system, or even participating in the discussion.
Or, to put it another way, informed use of technology is now a major issue for citizenship, in the broadest sense of the word. And when I went to college, I was taught that one goal of a liberal arts education was specifically an education for citizenship in this sense, to understand your own rights and those of others, to be active and engaged with the broader community and with the government.
This article was a little light on what, exactly, is taught in this Princeton course, but it sounded like CompSci-lite to me. But, if we're going to teach technology to non-technology majors, in the context of a broad liberal arts education, wouldn't we be better off to be teaching courses in technology and citizenship? And wouldn't that go a long way toward enabling people to assert their rights and take more effective steps toward moderating the excesses of the business and government interests in technology that tick all of us at slashdot off so much, without requiring these folks to become hard core IT geeks, which just isn't going to happen anyway?
Sorry if I rant, I guess I just believe that higher education can make a difference, when it is done right.
Sorry, I was unclear. I only meant that you don't need a "multiple universe theory" to have a coherent theory that is consistent with inflation and other observable phenomena.
And, in any event, I'm not judging which theories are superior. But it seems to me that a theory that posits fewer universes is simpler. And I acknowledge that can be debated too, since a new thread on this topic now asserts that the theory that all possible universes exist is the simplest theory.
Parsimony is in the eye of the beholder, I guess. Go figure.
Re:Load of bs... by One of Many (Score: 2, Insightful)
Lots of people in this thread are getting caught up in semantics, which really isn't interesting, and which really isn't physics. If the only thing you don't like about this theory is the choice of words, then you really aren't objecting to a serious part of the science.
But kevlar's point above is a much more important one, namely, at what point does science become philosophy or religion or whatever, but no longer science.
The standard philosophy of science answer is that a theory is scientific not when there is evidence supporting it, but (and the difference is slight, but not inconsequential) when it is falsifiable. Basically this means when you can describe an experiment that would create evidence that could (depending on the results of the experiment) contradict and invalidate the theory. (Philosopher Karl Popper came up with this definition of a scientific theory, and it is still widely used.)
In other words, if something can't ever possibly be proven wrong, it isn't science. If it could be, it is, even if you haven't yet done the experiment, or even lack the technology (as opposed to pure science) to do it. (Yes, this does create a grey area, since some experiments may not ever be realistic, or not in the next several centuries . . . .)
Many theories in physics and astrophysics have been put forward without empirical evidence to back them up at the time of their creation, and then later, improved technology has made it possible to do the experiments that either falsify them or else support them. Particle accelerators are the prototypical example. Others are observations of the effects of gravity on light (by viewing stars during an eclipse), or careful examination of small variations in planetary orbits, both of which were understood as providing potential falsifying evidence of general relativity well before they were able to be carried out. (Of course, both have since been conducted, and neither did provide falsifying evidence.)
Note that this understanding of science means that nothing is ever really definitively proven true. More and more empirical evidence can support a theory, but you never know when some other observation will provide falsification. Here, the obvious example is Newtonian physics, which sure looked good for an awful long time, but now we can observe exceptions at extreme speeds and energies that demonstrate the need for relativity.
So (to get back on topic), does this mean that this theory is absolutely unscientific? Well, let's do something radical, and look at the article.
For Dr. Rees, the Astronomer Royal, it is not necessary to observe other universes to gain some confidence that they may exist. One thing that will help, he explained, is a more precise theory of how the cosmological constant may vary and how it will affect life in the universe. We should live in a statistically typical example of the range of universes compatible with life, he explained. For example, if the cosmological constant was, say, 10 percent of the maximum value consistent with life, that would be acceptable, he said.
"If it was a millionth, that would raise eyebrows."
Another confidence builder would be more support for the theory of inflation, either in the form of evidence from particle physics theory or measurements of the cosmic Big Bang radiation that gave a more detailed model of what theoretically happened during that first trillionth of a trillionth of a second.
Here are a couple of specific examples which the author calls confidence builders, but which are in fact potential falsifiers. So, at least in principle, it is scientific.
The problem is that there are other theories which work with the same sets of observable scientific results which are, potentially, much simpler and less messy. So now you get into an Ockham's razor issue, which lets you argue that this is a lousy scientific theory, but not that it is unscientific.
Re:Load of bs... by One of Many (Score: 2, Informative)
OK, the article does a lousy job with this point, but it actually goes to what is different about this theory. We can think of the Universe as
- Everything (basically the definition in the parent post), OR
- All the stuff created in the big bang, from here to the edge of what we can see, up to the background radiation "echoing" from the big bang, where a single set of rules of physics apply to everything.
We use these two definitions interchangeably, because the common understanding of the big bang says we can. This theory says we can't, and it says that there are multiple "universes" in the second sense of the word.
The Times article does say that these universes are "theoretically" reachable from one another, in the sense that there's no wall between them, no freaky "separate dimension" problem or anything like that. But inflation basically causes so much space to come into being between them so quickly that they are further apart than light (or any force or interaction) could have travelled in the time since their creation.
What this implies is that they are not physically separated from one another, but their physics are separated from one another. They are so far apart, and so completely incapable of any interaction bridging the sheer gap of inflation between them, that they could have radically different rules of physics, different speeds of light, and so on.
That isn't equivalent to saying that different galaxies are different universes (as the parent post says). It is saying that two radically different portions of the one big massive *everything* are different "universes" in some sense, and maybe that is a silly and stupid thing to say given the pure meaning of the word. But the point is that, given a common colloquial understanding of what a/the "universe" is, this theory says there are more than one.
While the list is (appropriately) in OS-neutral and scripting language-neutral terms, the way to correct these problems is specific to the OS, webserver and scripting language you are using. So the next question is: what are the resources for addressing these issues, specifically, for particular OSes, webservers and languages?
For those taking the MS approach (and flame it if you want, but IIS isn't about to stop being the #2 web server overnight, so it might as well be done as securely as possible), I can recommend the following two guides from SANS:
- Securing Internet Information Server
- Windows 2000/XP Scripting For Security
These are listed as "course books" on their site, but they stand alone as guides for those who already have some background and knowledge. And if you don't have much background and knowledge, SANS courses are very good. (In fact, just about everything at the SANS website is valuable for the IT professional who wants to know more about security -- which ought to be all of us.)
So, stop just posting that these 10 problems are old news, and post the resources you use (or learned from) to avoid these problems yourself on your platform of choice, so the many (majority?) still making these mistakes can learn to avoid them too.
In most cases, the security enhancement after an incident is a patch, not a "security system". But it isn't applying the patch that is expensive. It is analyzing the hack, identifying the right patch, rebuilding the system, and testing it to prove it is secure from the previous hack. Plus at the same time restoring the site onto a backup server, putting that machine in place, monitoring it constantly because it is presumably vulnerable to the same hack, then restoring the site onto the newly secured server. Plus (even before this), imaging the drive that was attacked, so you can later perform forensic analysis to collect evidence against the attacker. These expenses all follow directly from the hack, and can reasonably be considered the cost of the hack, for purposes of measuring the seriousness of the crime.
But even beyond that, let's be clear. It is the hackers who create the need for security, and it is the persistence of hackers in defeating existing security measures that creates the need for constant vigilance and expensive and well-trained security professionals. If some organization without the best possible security gets hacked, and then decides to spend more money on security, that expense isn't directly related to the hack, but it isn't exactly a coincidence either.
Companies that take security seriously have an incident response policy in place that presumes (unless proved convincingly otherwise) that a system which has been compromised has been totally compromised, i.e. backdoored, owned. In which case, the only appropriate response is rebuilding the system from scratch, and demonstrating that the new system is more secure in some relevant way from the old one. That's not also taking into account the forensics necessary to collect and/or preserve evidence to prosecute the cracker, if the victim wants to bother. (Many don't.)
Probably a mission critical website would be restored from a backup onto a backup server while this goes on, but that's an interim measure, and during that interim you're almost certain that the machine is vulnerable, so you're going to be monitoring it continuously, which takes time and effort and tools.
I'm absolutely not a "throw away the key" guy regarding these teen crackers, but let's be realistic about the fact that security is expensive, and that they make it more expensive, when determining the cost of fixing their damage.
So is the watch pretty dumb, taken alone? Yes, absolutely. Is this a breakthrough? No. Do I really want Microsoft to control the move toward distributing computing around my whole life in this way? No, no, no.
But do I think that this vision in general is right? Yes. I live in a house with programmable devices that include a VCR, DVD Player, thermostat and even the coffee maker now. I do want these things all integrated, and I don't want the computer on my desk to be the only way into this network. In the long run, some sort of wearable option as part of this scheme is absolutely necessary. If this is part of that, and Bill says it is, I get it.
I disagree, or at least I'm making a different point than what you are turning my point into. I'm disagreeing with the "do what makes you happy" position. I'm not just saying that doing for others is what makes me happy. I'm saying that doing what is good, and right, and beneficial to others is important, is morally (or at least ethically) imperative, even if it makes you less happy. I get less out of my new job than my old one in some ways. I make sacrifices for my daughter. Sometimes it makes me happy. Sometimes it is just frustrating, but I know it is right.
To put a point on it: the article completely lacked any ethical dimension. Chasing happiness is selfish. What if killing puppies makes you happy? What if doing nuclear weapons research makes you happy? Building power plants that pollute? Ruling despotically over a third-world nation? I'm not asking people to set aside happiness, but I'm saying that it is critical to look at something other than your own happiness when trying to decide how to spend your life. Even if you don't have kids, even if you have no family at all, you have an obligation to other people that needs to be a factor in deciding how you spend your life. We can argue about what kind of factor it needs to be, but this original article left it out, and encouraged selfishness. The only sacrifices his people made were short-term sacrifices for long term personal happiness.
Lots of people are saying "He broke the law, so fry him", but you don't really mean that, because the consensus around here is that some folks who break some laws (i.e. bad laws, laws we don't like) are heroes who don't deserve frying. But this law is a law preventing theft, and since we all agree that theft is bad, and we don't want our stuff stolen, we basically like this law.
But in this case, what he stole was a description of technology that is going to be used to stifle the flow of information. Somebody could argue that this property doesn't deserve to be protected from theft, and that anybody who steals from the information-rich to give to the information-poor doesn't deserve to be punished.
If this doesn't prove that the law is bad in general, it proves that this application of this law is protecting an unjust institutionalized system of information as property, when information isn't and shouldn't be treated as property.
If you treat this as an act of civil disobedience, in the style of MLK, then let the system arrest and punish the guy, so that the system reveals its own injustice to anybody who happens to be watching.
I'm not sure I buy it myself, but I think it is a serious argument to consider, and so I'll throw it out there, since nobody else seems to be.
- This guy stole, and deserves to be punished, and
- The slashdot crowd is going to try to make this guy into a martyr/hero
Then I look at the comments here at slashdot, and all of the top moderated comments say, more or less, "this guy stole, and deserves to be punished." Most also anticipate the same overreaction. And I'm sure it is out there, in some of the lower moderated comments, but on the whole, it looks like we're having the same sane reaction, even as each of us assumes he or she is the only sane one around here. Interesting, I thought.
Maybe I'm the only parent in all of Slashdot?
After my daughter was born, I realized that nothing that my career could provide me was going to be more satisfying or more important than what I could do for her, specifically, and for others, generally. I found a city 1000 miles away that was a better place to raise her and found a new job there, one that has a 40 hour work week 80-90% of the time. I have the time to spend with my daughter that I wanted, and my wife, and that makes me happier.
And . . . I'm just getting settled into the new city, new job, new home here (it's been under six months), but now I'm asking the question in a serious way -- What should I do with my life? And the answers I keep getting back involve how I spend all those hours other than the 40 in the office, not just with my family, but with my community, with people who have less than me, with a system of politics in the U.S. that I think is fundamentally broken in all the obvious ways and others not so obvious, with the world. I could try to find a job in that, but I really don't think there is one that pays me to do the things I want to do to make a difference, and I won't accept the logic of this article, which it seems would make those possibilities outside of a career invisible.
My new job is fine. I get to use my IT skills, it pays enough, I like the people I work with well enough. Sometimes I like it more, and sometimes I like it less. It isn't a wild rollercoaster with 80 hour weeks and crazy deadlines (which I loved and hated), like my last job. But I never dread coming to the office, not even on my worst day of work. It's good enough for me, and it gives me the chance to not let my career define me, and not let my career shape the possibilities for what will make me happy and satisfied. And this article missed that, completely.
People who confuse anti-virus software (which is essential) with a complete security solution (even for a home computer) are setting themselves up for a fall. Maybe by "this nonsense" you mean something other than the subject of this discussion, i.e. all forms of virii, hacks, cracks, malicious software, trojans, whatever. Or else maybe you've got a false sense of security. For the time being.
But the thing to keep in mind is that there are hundreds of cases, Supreme Court and many lower federal courts and state courts as well, that spell out and interpret various rights and responsibilities of the press. Some decisions contradict others, or only apply in certain circuits or states. It isn't easy to summarize with a single enumeration, beyond "Congress shall make no law abridging the freedom of the press."
Last I checked, nobody checked your citizenship before they collected your tax dollars. All U.S. taxpayers, whether citizens or not, are entitled to tax deductions when they contribute to a registered 501(c)3 organization.
You said:
Your first assumption, apparently, is that however "apparently" intelligent a machine can be, it still won't be "conscious". Why is that? Again, Turing's point was that apparent intelligence is intelligence, because there's no other way of measuring or observing intelligence except by observing it as phenomena. I don't see why "consciousness" is any different -- I only believe you have it because you say so, and because you seem to me as if you probably do.
Your second assumption then is that we have no ethical obligation to machines, which will always be qualitatively different from people. Again, why is that? Your argument begs the question of whether or not machines can have that sameness with humans that creates an ethical bond, by just asserting that this sameness can't exist. But where is that line? If you have a stroke and I start replacing parts of your brain with electronic chips, do you become less conscious, to the point that I'm no longer ethically obliged to not kill you just because I feel like it, because you are now an object? Where is the line? (This is exactly the question that motivated Asimov's The Bicentennial Man -- read it -- don't see the movie.)
I'll make the strong case; why not? If machines become indistinguishable from people, then we have the same ethical obligation to those machines. If a machine can write a novel or a symphony, fall in love, experience sadness and joy, are you really going to tell me that pulling the plug is just turning it off, rather than killing it? I don't buy that. But it will take a long time before we come to that point, fortunately, and so there's at least a chance we'll do so deliberately and thoughtfully.
No computer will have hormones, or millions of years of evolution, or bad hair days, or dendrites, or lots of things we have. But that's all beneath the surface, as it were. Turing's point is that whatever intelligence is beneath the surface, ultimately all we see is the phenomena of intelligence, its outward manifestations. If I decide whether or not you are an intelligent human (as opposed to a computer or a coffee table or a CD playing your voice), I don't see the gears turning inside your head, or really care if you've got actual gears or not. I just interact with you, and get an impression.
The idea here is that to pass Turing's test, you create a machine with the outward appearance of all of those things, by abstracting the phenomena from the underlying causes.
What your argument gets closer to is a slightly different point. Why would we want to create a computer that is indistinguishable from people? People make mistakes in their addition. People lie. People get depression and schizophrenia. People can be bastards. People don't want you to turn them off, and will fight like hell to stop you from doing it. If we really create an accurate simulation of human intelligence, one that acts like a person with neurons and hormones and everything else, you get all this baggage with it.
I'd really like intelligent agents to search the web for me, to remind me about things I didn't tell them to remind me about, whatever. But I don't see the practical need to create a Turing testable machine, unless it is really an interim step by the AI gurus to get to the programs I want. Now, there may be a theoretical need, a human drive to create Turing's definition of AI because the gauntlet has been thrown down, but that's a different animal, ironically enough.
Update: now, suddenly, it is moving quickly and grading accurately again. Load balancing kicked in? Who knows.
But I've always absolutely loved her, in part because she really uses SF as a means to an end of speaking to grand human themes. In part (and unlike 90+% of SF writers), she has that option because she writes SF, Fantasy, mainstream fiction, non-fiction essays, literary criticism and poetry. If she's got something to say, she finds the right medium and says it in the way that works. She doesn't have to shoehorn a message into an SF story just because that's what she writes.
And she seems to always remember that SF is a way to tell us about ourselves, by creating a situation just sufficiently foreign that we can see it clearly. How many of her stories and novels couldn't just as easily be told without SF, but not nearly as well? (Not Left Hand, of course, but many could.)
And finally, I have to agree with the comment above about world building. The Universe of Hain is remarkable for the history and the complex interweaving of worlds and characters and events and stories that built it into as rich and complex a SF universe as any author has ever created (and I will stand by that in a debate), without hitting anybody over the head with the didactic writing and history lessons to flesh out the universe.
High court weighs copyright law
The point is that bad policy isn't always unconstitutional, and the court may take that as reason to disagree without acting.
In general, this article is very light on the legal specifics behind this case and this law, but there are good resources out there, including specifically:
Opposing Copyright Protection
Yes, this will slow down the spread of viruses -- but the article makes a big deal of the fact that a throttled system can detect the attempts to rapidly make many network connections, setting off an alert. Of course, as soon as people come to count on this as their primary form of virus detection, a virus will be written that only attempts one connection a second, and then, very slowly it will spread undetected on those systems that rely on the throttle for detection. And we know there will be people who rely on it exclusively . . . .
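As an added illustration of the point above (this is example code, not anything from the article or the thread), the simulation below feeds two constructed traffic patterns through a per-host connection throttle of the kind the comment describes: a fast scanner trips the delay-queue alert, while a one-connection-per-second spreader never does. The throttle parameters, host names and the longer-window distinct-destination counter that does catch the slow spreader are all assumptions of this example.

```python
# Added example: a simulated connection throttle and why it cannot be the only
# detection signal. All parameters and traffic below are constructed.
from collections import Counter, deque


class ConnectionThrottle:
    """Rate-limit connections from one host to *new* destinations.

    Connections to hosts in the recent working set pass at once; a connection
    to a new destination waits in a delay queue that releases one entry per
    `release_interval` seconds. A long delay queue is the alert signal: only a
    process opening many new connections quickly can make it grow.
    """

    def __init__(self, working_set_size=5, release_interval=1.0, alert_threshold=10):
        self.working_set = deque(maxlen=working_set_size)   # recent destinations
        self.delay_queue = deque()                           # new ones awaiting release
        self.release_interval = release_interval
        self.alert_threshold = alert_threshold
        self.next_release = 0.0
        self.max_queue_len = 0

    def _release_due(self, now):
        # Release at most one queued destination per interval into the working set.
        while self.delay_queue and now >= self.next_release:
            self.working_set.append(self.delay_queue.popleft())
            self.next_release += self.release_interval

    def observe(self, now, dst):
        """Return 'pass', 'delay' or 'alert' for a connection attempt at time `now`."""
        self._release_due(now)
        if dst in self.working_set:
            return "pass"
        if dst not in self.delay_queue:
            if not self.delay_queue:
                # Queue was idle: the first queued entry is released one interval from now.
                self.next_release = now + self.release_interval
            self.delay_queue.append(dst)
        self.max_queue_len = max(self.max_queue_len, len(self.delay_queue))
        return "alert" if len(self.delay_queue) > self.alert_threshold else "delay"


def run_traffic(events, **throttle_args):
    """Feed (timestamp, destination) events through a fresh throttle.

    Returns the per-event verdicts and the longest delay queue seen."""
    throttle = ConnectionThrottle(**throttle_args)
    verdicts = [throttle.observe(ts, dst) for ts, dst in events]
    return verdicts, throttle.max_queue_len


def max_distinct_in_window(events, window=300.0):
    """Complementary check (an assumption of this example): the largest number
    of distinct destinations contacted within any `window`-second span. A slow
    spreader keeps the delay queue short but still accumulates destinations."""
    counts = Counter()
    recent = deque()
    best = 0
    for ts, dst in events:
        recent.append((ts, dst))
        counts[dst] += 1
        while recent and recent[0][0] < ts - window:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        best = max(best, len(counts))
    return best


# Constructed traffic: a scanner hits 200 new hosts in two seconds ...
FAST_SCAN = [(i * 0.01, f"ws-{i:03d}.corp.example") for i in range(200)]
# ... while a slow spreader opens exactly one new connection per second.
SLOW_SPREAD = [(float(i), f"ws-{i:03d}.corp.example") for i in range(200)]

if __name__ == "__main__":
    for name, events in (("fast scan", FAST_SCAN), ("slow spread", SLOW_SPREAD)):
        verdicts, longest = run_traffic(events)
        print(f"{name}: throttle alert={'alert' in verdicts}, "
              f"longest delay queue={longest}, "
              f"distinct destinations in 5 min={max_distinct_in_window(events)}")
```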
Now they have a solid base of advertisers and 45,000 paying subscribers, which is really good for an online magazine. The WSJ article says they are looking at a strategy of reducing costs. Sounds like a plan to me. Is it really conceivable that they can't find a way to keep costs within expected revenues?
Probably the copyright claim is bogus itself, but it is common practice for the big corporations to use the threat of legal action to make small fries do what they want, even if they know they would lose. And that isn't a DMCA issue either -- that's a problem with the way capitalism leverages the legal system.
I'm not sticking up for the DMCA, but this case is really, ultimately, about something else.
The last thing I want is all my security tools prepackaged in my OS. Not all intrusion detection is the same. Not all firewalls are the same. I want to be able to pick the tools that make sense for the needs of my network. I want to be able to run some of my critical security services on separate dedicated boxes from critical network services. (Obviously the firewall, but other stuff too.) I want to create multiple layers of security distributed around my network. I don't want the OS of my production box to give away all the details of my security posture.
We all know that admins out there fail to keep up patch levels at an enormous rate, let alone creating a well designed multi-layered security posture. Maybe rolling it all into one box would simplify the job of getting to a minimally secure configuration. But seriously, who doesn't believe that the black-hats wouldn't have a field day with this? He talks about real solutions, but the only real solution, now or 10 years from now, is hiring IT security experts to create and maintain a real comprehensive security solution.
I don't disagree that "underlying systems" need to be "rearchitected" to meet basic security needs, if that means, for example, that MS needs a radically different approach to integrating security concerns into the OS development process. But that isn't a solution to the problems addressed by what he calls "add-on" security tools. That's a different problem, and an important one. But no matter how well designed my underlying OS, I'm still going to put it behind a firewall, I'm still going to run some sort of IDS, I'm still going to monitor the logs, and I want control over how I do those things.
Or maybe I'm reading his relatively sketchy argument wrong, but I can't figure out a different way to take it.
If the problem with this proposal is sifting through all the trash, how about somebody combine this idea with SlashCode, so we can get moderated indie music. Moderators grade the songs and bands, individual users give personalized preferences, and the stuff you want to hear rises to the top. The technology is all out there -- it's just waiting for somebody with a lot of time on their hands . . . . and who doesn't care that there's no obvious business model . . . oh, well
The bigger point was that maybe we see what's at stake here, but most folks can't and don't. Most folks aren't able to understand and make intelligent decisions about privacy, security, EULAs, file-sharing, and everything else we argue here. The world of computing, and especially the industry of computing, controls them because they lack the understanding and skills and proficiency to control it themselves. We can argue about the abuses by Microsoft and the federal government and the spammers (and on and on), but 90+% of computer users don't have the ability to take basic steps that allow them to take control of their own computing, whether it means using a firewall, identifying and removing spyware on their computer, applying simple patches that reduce vulnerabilities, choosing an operating system, or even participating in the discussion.
Or, to put it another way, informed use of technology is now a major issue for citizenship, in the broadest sense of the word. And when I went to college, I was taught that one goal of a liberal arts education was specifically an education for citizenship in this sense, to understand your own rights and those of others, to be active and engaged with the broader community and with the government.
This article was a little light on what, exactly, is taught in this Princeton course, but it sounded like CompSci-lite to me. But, if we're going to teach technology to non-technology majors, in the context of a broad liberal arts education, wouldn't we be better off to be teaching courses in technology and citizenship? And wouldn't that go a long way toward enabling people to assert their rights and take more effective steps toward moderating the excesses of the business and government interests in technology that tick all of us at slashdot off so much, without requiring these folks to become hard core IT geeks, which just isn't going to happen anyway?
Sorry if I rant, I guess I just believe that higher education can make a difference, when it is done right.
Sorry, I was unclear. I only meant that you don't need a "multiple universe theory" to have a coherent theory that is consistent with inflation and other observable phenomena. And, in any event, I'm not judging which theories are superior. But it seems to me that a theory that posits fewer universes is simpler. And I acknowledge that can be debated too, since a new thread on this topic now asserts that the theory that all possible universes exist is the simplest theory. Parsimony is in the eye of the beholder, I guess. Go figure.
But kevlar's point above is a much more important one, namely, at what point does science become philosophy or religion or whatever, but no longer science.
The standard philosophy of science answer is that a theory is scientific not when there is evidence supporting it, but (and the difference is slight, but not inconsequential) when it is falsifiable. Basically this means when you can describe an experiment that would create evidence that could (depending on the results of the experiment) contradict and invalidate the theory. (Philosopher Karl Popper came up with this definition of a scientific theory, and it is still widely used.)
In other words, if something can't ever possibly be proven wrong, it isn't science. If it could be, it is, even if you haven't yet done the experiment, or even lack the technology (as opposed to pure science) to do it. (Yes, this does create a grey area, since some experiments may not ever be realistic, or not in the next several centuries . . . .)
Many theories in physics and astrophysics have been put forward without empirical evidence to back them up at the time of their creation, and then later, improved technology has made it possible to do the experiments that either falsify them or else support them. Particle accelerators are the prototypical example. Others are observations of the effects of gravity on light (by viewing stars during an eclipse), or careful examination of small variations in planetary orbits, both of which were understood as providing potential falsifying evidence of general relativity well before they were able to be carried out. (Of course, both have since been conducted, and neither did provide falsifying evidence.)