Are you comfortable that your platform has been largely co-opted by and identified as a safe-haven for alt-right and other racist xenophobes and cryptocurrency scam artists looking to make a quick buck?
Every medium & above-sized Corporation has at least two departments, possibly three.
1 - Vendor Management
2 - Supply Chain
3 - Accounts Payable
Find out who the Vendor Relations Manager is. Ask your customer at the Company.
Engage them. They should be able to guide you through the abyss that is Supply Chain and Accounting.
Most large Companies have specific guidelines for Emailing or Faxing invoices. Purchase Order numbers typically have to be referenced on all invoices.
Do you have a Master Agreement? Refer to that for remittance instructions.
You don't have a Master Agreement? Don't do any more work until you obtain one.
If this Company doesn't have a Vendor Relations department, ask your contact for a contact in Supply Chain.
Supply Chain would be the ones to work up any Master Agreements between you and them anyway. They'll also be able to provide remittance guidelines and instructions.
Last, ask your Contact at the Company for a name and telephone number of somebody in Accounts Payable. Reach out to them.
It's not that difficult.
But your first stop is with your contact inside the Company, not here on Slashdot.
Oh agreed. Definitely. In fact I already knew the answer before writing the guy originally. Any telecom provider located in the US *must* be CALEA compliant. However the entire service will give folks a false sense of security and that's the larger point I was trying to make.
Most speech isn't prohibited today, but political winds change all too often and what may be legal today may become illegal tomorrow.
Just hope and wish folks realize that their calls can and WILL be intercepted no matter what Silent Circle may say on the matter, that's all.
I wrote to Silent Circle over a week ago when news of the impending launch first started making circles.
SC's COO was kind enough to respond in an attempt to allay my fears. Sadly though his answer was more "non" than one.
A week ago I replied back with a follow-up question, and have yet to receive a response.
While my political activism is pretty much limited to change.org petitions, SC is directly marketing their services TO activists. As the Occupy movement has shown, political activism, and the free speech that goes along with it, are being put in jeopardy. My concern, and I feel it's a valid one, is that CALEA will give subscribers a false sense of security. After all when Microsoft purchased Skype, one of the first things they did (they had no choice) was to install CALEA intercepts.
Hopefully somebody at Silent Circle will be able to answer this. Until then, I wouldn't recommend it. Check out The Guardian Project and Jitsi instead.
(Note - I'm only posting this because as Silent Circle's COO, Vic Hyder is authorized to speak on behalf of the Company.)
-----BEGIN EMAIL-----
Mr. Hyder,
Thank you very much for the reply and information you've provided below, but I'm afraid I'm still unclear on one particular point: does Silent Circle fall under CALEA jurisdiction or not?
Kind regards,
George Ellenburg
On 10/11/12 7:43 PM, Vic Hyder wrote:
> *George*,
> Thanks for the note. Quick response - Silent Circle provides peer to
> peer encryption from subscriber to subscriber. The Secure Calling Plan
> offers members a little flexibility to use their Silent Phone number
> to send and receive calls outside the Circle (encrypted to our servers
> but decrypted from servers to non-subscriber). We'll let our members
> determine what their threat model is and how they need to protect
> their transmissions.
>
> Circle up.
> *______________*
>
> Vic Hyder
> Chief Operations Officer
>
> Silent Circle
> Private Encrypted Communications
> Silicon Valley | Washington DC
>
> w: SilentCircle.com
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you received this e-mail in error, please notify the
> sender immediately and destroy and/or delete all copies. Circle up.
>
>
>
> On Oct 11, 2012, at 6:01 AM, George Ellenburg wrote:
>
>> Hello-
>>
>> I read with interest news reports yesterday that Silent Circle was
>> getting ready to launch. As an activist and privacy advocate, I was
>> troubled though to read that Silent Circle was planning on offering a
>> Secure Calling Plan amongst other communication services.
>>
>> I understand the obvious revenue stream such an offering will generate,
>> but I'm intrigued as to how you plan to not comply with CALEA, or
>> curious as to how CALEA wouldn't do an end-run around your service
>> altogether? CALEA, as you probably know, is the Communications
>> Assistance for Law Enforcement Act, which requires mandatory technical
>> intercept points for Law Enforcement and Intelligence purposes.
>>
>> Being a United States Company, offering Communication services, located
>> in the United States, your Company is certainly subjected to mandatory
>> CALEA implementations.
>>
>> Thanks for your time. I earnestly look forward to your response.
>>
>> -George Ellenburg
>>
>
-----END EMAIL-----
You mean like:
- Dropbox
- Google Drive
- Amazon S3
- Evernote
- PogoPlug
- YouSendIt
And the countless other file lockers and document/ file distribution services that are out there?
Thank you for this. This is precisely what I'm planning on doing myself in a few years when hopefully the housing market can recover even just a little.
Sell everything (house, car, most furnishings, etc.) and buy a used 40' 5th wheel & truck and basically live and work out of it full-time.
Only thing I'm debating is whether to get one with 2 bedrooms (1 for office) or "work" out of the living room.
(And I'm a pretty hardcore geek so power & network access is a must.) :-)
My 24" Core 2 Duo iMac has EFI Boot. It didn't stop me from installing Linux Mint on it last month (full format & repartition of the hard drive, not as a "guest"). Can someone help me understand what's the difference?
You might think that telephones carry an inherent expectation of privacy. But they don't. At least not your communication while you're sitting at your desk.
If we didn't install our root certificate on every machine then every internal website that is protected by SSL would not be trusted.
Also, 802.1x authentication would break.
We also couldn't do smart card authentication.
LOL. We're not injecting anything.
We've got a Microsoft Enterprise PKI.
Our own Root CA, Policy CA, and Issuing CA.
All of the machines that are joined to our domain are company-owned workstations and servers.
The Local & Personal Certificate Stores are controlled through Group Policy.
All of our workstations have our internal root certificate already on the machines, and all of our workstations and servers explicitly trust our root certificate.
Again: Our stuff. Our network. Our data. You have no privacy.
If employees stopped conducting themselves like they thought they had privacy while they were surfing the net while they were at work they wouldn't be so shocked and amazed when they find out they have none.
We don't hide anything. Not sure where or why you think we are (have?).
All of our employees know that:
(1) The company owns the computers, the network, and the information stored on them.
(2) Employees have no expectation of privacy while using and interacting with any of the items from #1.
Not saying I disagree with anything you've written, but the courts have stated an employee has an implicit expectation of privacy while reading their BlackBerry sitting on the toilet.
However, they have none while they're surfing the net.
There is a distinct difference between an employer installing a video camera in the bathrooms and installing technical controls to fulfill their fiduciary and regulatory responsibilities to protect their trade secrets and other company data.
Very true, and a point that a lot of people seem to forget.
SSH public/private key authentication is fantastic. Wish more people would use it.
There is NO privacy.
There. Fixed that for you.
There. Fixed that for you.
Somebody mod the parent up. ;-)
Anything is possible, and no amount of security technology or policy is going to stop the most determined individual.
It would depend on the policy.
Most companies contract with a third-party to do the classification for them. There are just too many domains out there to try to manage something like that manually.
Well for starters, most of that work is done by our compliance folks. The group that I'm in just manages the infrastructure.
I'm fairly confident though that spreadsheets would easily be detectable provided the information wasn't encrypted within the spreadsheets.
Most of the alerts are generated by folks themselves doing personal business while at work.
As for the stuff we might not be able to detect - again - encryption is key (pun intended).
But in all honesty a lot depends on the data classification, which is set by the data owner.
Confidential data is supposed to be encrypted while the data is at rest and while it's in motion.
In that regard the data leakage products aren't going to see it.
(Yes I know a malicious actor could just as easily encrypt our own precious data and send it to themselves undetected.)
Look, security is a balancing act. A company could make their network more secure than it is but no work could get done if they did. No company can be expected to plug all the holes that might exist, but you look for the highest risks with the largest impacts and you mitigate those risks accordingly.
I just checked. Turns out ours can do it too but I don't remember ever seeing it on a roadmap of something to turn on.
Not sure what benefit it would provide us anyway tbh.
Actually it's important for any publicly traded companies.
It's not just HIPAA, but also Sarbanes-Oxley, GLBA, the SEC, and a myriad of other pesky CFRs.
LOL. Because it's not wiretapping when you're sniffing the communication going on your own private network.
For my Company, we're looking for patterns indicative of SSNs, credit card numbers, and certain keywords such as "confidential", "proprietary", or other keywords that refer to sensitive internal projects or other sensitive company information.
And Googling for information isn't "data leakage", because your activity is bringing information INTO the company (from the results of your Google search) so we don't care a lot about that.
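The kind of pattern matching the comment describes (SSNs, credit card numbers, classification keywords) as an added, runnable illustration; this is example code written here, not the commenter's DLP product. The keyword list and sample lines are constructed, the card check adds a Luhn test so a random 16-digit run does not fire, and the last sample line shows the caveat from the same thread: content that is already encrypted passes the scanner untouched.

```python
"""Toy DLP content scanner (constructed example, not a vendor product).

Flags lines that carry an SSN-shaped number, a Luhn-valid card number,
or one of a small set of classification keywords.
"""
import re

# SSN: three groups, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed keyword list; a real policy would be set by the data owner.
KEYWORDS = ("confidential", "proprietary", "internal only")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return the findings for one line, in the order ssn, card, keyword."""
    findings = []
    if SSN_RE.search(line):
        findings.append("ssn")
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            break
    lower = line.lower()
    for kw in KEYWORDS:
        if kw in lower:
            findings.append("keyword:" + kw)
    return findings


def scan(lines) -> dict:
    """Map line index -> findings for every line that triggered something."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample traffic; 4111 1111 1111 1111 is the well-known test PAN.
SAMPLE_LINES = [
    "Lunch at noon?",
    "Please process SSN 123-45-6789 for onboarding",
    "Card on file: 4111 1111 1111 1111 exp 12/25",
    "Ticket 4111 1111 1111 1112 is just a bad typo",     # fails Luhn, not flagged
    "Attached: CONFIDENTIAL Q4 roadmap",
    "ZW5jcnlwdGVkLWJsb2I=",                               # ciphertext-looking blob: invisible to the scanner
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LINES).items():
        print(idx, hits, "<-", SAMPLE_LINES[idx])
```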
SSH can't be proxied like SSL traffic. The reason SSL traffic works is precisely because of the existence of a wildcard certificate issued from a Trusted Root CA. (I also manage our PKI too).
But SSH — as a matter of good practice — should be heavily restricted. In other words, good security policy dictates you don't let anyone on your network blithely open up an outgoing SSH connection to any host on the Internet.
Agreed. But the OP's Ask Slashdot isn't about Data Leakage, it's about SSL proxying.
Now, if you WANT to have a discussion about Data Leakage, well then grab a cup of coffee and pull up a chair.
I do this shit for a living.