Slashdot Mirror


User: DarkOx

DarkOx's activity in the archive.

Stories: 0
Comments: 6,020

Comments · 6,020

  1. Re:Dont do anyone any favors on Court Says Craigslist Sperm Donor Must Pay Child Support · · Score: -1, Troll

    Right what we have here is an example of the moral hazard public assistance creates.

  2. 2014 on Chrome Bugs Lets Sites Listen To Your Private Conversations · · Score: 4, Insightful

    Why in 2014 does any self-respecting browser allow pop-ups or pop-unders without explicit permission?

    Security issues aside there is almost nothing quite so irritating as a website opening additional windows except in the rare list of exceptions most of us are quite used to manually keeping.

  3. Re:Then Why No Hack Job? on Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes · · Score: 1

    why hasn't it been cracked by a Black Hat yet?

    Why do you assume it has not been? What makes you think adequate detective controls are in place to even determine if it has or has not? Why do you think the Obama administration would tell you if they knew it had, especially if there was no fix in place yet?

  4. Re:The basics... on Ask Slashdot: How Do You Convince an ISP To Bury Cable In Your Neighborhood? · · Score: 2

    Learn the laws of your state too. In many states you have rights to "enjoy your property"; lots of those HOA agreements don't exactly get a solid legal review before they are enacted. I know people that have successfully challenged various provisions in court and had them found to be unenforceable. Be careful with that though, there are hefty attorney fees to be encountered there, and if you do prevail against the HOA you might not get invited to the next block party.

  5. Re:If this story is true.. on AMC Theaters Allegedly Calls FBI to Interrogate a Google Glass Wearer · · Score: 5, Insightful

    One core aspect of the problem here is the Hollywood lobby has managed to turn a civil matter, copyright infringement, into a criminal one and also got the public footing the bill for most of the investigative work.

    These people are vipers.

  6. Metering it is the wrong approach on An Iowa ISP's Metered Pricing: What Will the Market Bear? · · Score: 3, Insightful

    What they should do is throttle it at peak times, lock everyone down to 2mbt during peak hours, charge extra for everyone who does not want to be snapped

  7. Re:It doesn't cost any more to serve more data on An Iowa ISP's Metered Pricing: What Will the Market Bear? · · Score: 1

    Except none of that really matters; because all the 5gb per month users all use the service at the same time. The folks doing north of 100gb are all torrenting or running netflix at all hours of the day.

    Realistically if they want to be able to offer actually decent service they have to have the capacity to handle 6pm when everyone starts getting home from work; it costs them nothing for the high volume folks to be torrenting away at 3am, and nothing for the soccer moms to put Dora the Explorer in at 11am while they fix lunch for the runts.

  8. Re:Proof the religion is the true evil. on In Greece, 10 Months In Prison For "Blasphemous" Facebook Page · · Score: 1

    Right, the state should be barred from running schools entirely not providing them.

  9. "I don't want to do anything; I don't plan to much; I don't know how what little I am offering will get done or when" -- Pretty much sums it up.

    The interesting thing is, some of the statements Obama made directly contradict the congressional testimony. Is anyone getting charged with perjury this time? Or is CONgress just going to let being lied to go?

  10. Re:Murica Fuck yea! on U.S. Teenagers Are Driving Much Less: 4 Theories About Why · · Score: 4, Interesting

    No, actually we Americans probably pay the most for gasoline, we just do it indirectly. A huge portion of our income taxes and inflationary debts go to fund the world's largest military apparatus, which disproportionately expends its efforts in or near oil producing regions, theoretically at least ensuring a constant supply.

    Lefties don't understand why we can't have all the social programs of Europe, and Righties don't understand why we have to have personal income taxes that are so high, and corporate taxes that are even higher; in both cases it's because we are paying to make cheap gasoline available.

  11. Re:"trivially by passed by end users" on VPN Encryption Vulnerability On Android · · Score: 1

    if the company is doing both things then it falls to company policy, and you have to pray that this policy is both a good one and well enforced. In general companies tend not to give more than a slap on the wrist to individuals who are important enough to receive said company devices.

    ^^^This

    Every company I have ever worked at or contracted with has an IT AUP that spells out some rules and says violation can be grounds for immediate termination. I have never seen it used that way except once, when two employees, one male and one female, were caught watching porn together in his office. I am pretty sure even in that case, while the AUP violation was cited as the official reason for the firings (provided the legal out), HR was probably more worried about the future sexual harassment lawsuits the behavior of these two likely would put the company in jeopardy of in the future.

    Otherwise what usually happens is some middle level IT manager as a "response" to the incident report drafts off a carefully worded e-mail to the effect of "you know that isn't allowed and please stop." It never goes further than that unless the offender is really unimportant, in which case it's possible his or her manager might be CC'ed on such e-mail and that person will do something if and only if they are looking to create fear among their other reports or they have some other personal problem with the offender. This is the case even if the offending behavior does not actually stop.

    There is frankly no way anyone at the pay scale (which isn't even very high) to be issued an iPhone on the company's dime is going to face retribution for installing un-approved apps. It's far more likely they will convince their manager to make up some garbage for IT about how he has to have Angry Birds to do his job entertaining clients or something.

  12. I just hope the GOP does not quit now on Accenture Faces Mid-March Healthcare.gov Deadline Or 'Disaster' · · Score: 0

    Between not enough young people signing up, the initial problems and now these problems victory over Obamacare is still entirely possible.

  13. Re:Not a vulnerability on VPN Encryption Vulnerability On Android · · Score: 2

    I was going to say this too. I have done a bit of sockets programming on Windows, Linux and AIX and I don't know of any way to change the next hop for route for any traffic, especially traffic not from my application, that does not require elevated privileges.

    More broadly speaking though, all these platforms have gotten so large and complex that any security at all is at this point, I think, largely an illusion. As long as security is based around people deploying quick prophylactics like "I'll use VPN and just encrypt all the traffic" we are going to continue to get burned every time someone discovers a little used API that turns on source routing or similar. The same is largely true for "run it in a vm" or "add a sandbox".

    Probably until someone develops an entirely new platform with the realities of modern networks in mind every step of the way we will continue to get pwnd.

  14. Re:black listing all androids in 5..4..3..2..1 on VPN Encryption Vulnerability On Android · · Score: 4, Informative

    If you are competent enough to use MDM on your mobile devices then your end users wouldn't be installing non-approved apps anyway

    Bullshit. Apple at least has gone out of their way to make this nearly impossible. Anything you can do to remove access to the App store with any of the MDMs while the device is on the carrier network is either trivially bypassed by end users, or also makes doing things like installing updates for approved apps completely broken.

    At best you can deny micro VPN connections and sandboxed services when unapproved apps are detected; while possibly acceptable from a security standpoint, it's kind of closing the barn door after the horses are out from a user perspective. They just paid $5 for their app because they "forgot company policy about not installing other apps," and now you're telling them they can't use it? Does not fly well.

    Then there is the little matter of the fact you can't micro VPN just anything on iOS; unless it's an in-house app or the app vendor is willing to make ipks available, you are SOL. Which leaves you going back to things like AnyConnect or the builtin IPSec VPN, followed shortly by the users crying about how hard it is to type their password when they need to connect, so you say well okay, we can use certificate only authentication but now we need a strong password on the device, and reasonable lock screen timeout, so we know it's you and not the guy who grabbed it after you left it on the seat of the bus. When you do that they really pitch a fit.

    iOS devices are a disaster in terms of DLP and asset management.

    Things are a tad bit better on the Android side of the house with regard to MDM, yes. I am not so sure it's much better on the overall security. There seems to be lots more malware in the wild.

    As far as I know from a little testing with MDM demos provided by vendors and my contacts, most of them fail utterly to actually detect rooted devices. They typically look for pirate (as in radio, not warez) app stores and root tools. They often can't tell the kernel has been modified, boot loader is unlocked, etc. if minor efforts to conceal the usual tools are undertaken. As Corporate MDM becomes more common the rooting community is going to start making kits that are evasive and is almost sure to succeed given the current state of MDM. To say nothing of what the true malware authors out there are probably already doing.

  15. Re:If that wasn't crueal and unreasonable... on Controversial Execution In Ohio Uses New Lethal Drug Combination · · Score: 2

    That was advice, because what he also said was as you keep on earth so shall he keep in heaven, as well as judge not lest you be judged.

    Notice a pattern, he is basically saying God is going to hold you to your own standard and very likely treat you accordingly as well. So avoid hypocrisy and treat others well and be quick and open to forgive, because that will ultimately serve you best.

    OTOH - Christians don't have to just roll over and accept monstrous actions by others. There are things that most people would never do because it's incredibly immoral where some amount of judgement and response is okay.

    That said this is an example of why the death penalty is something that needs to be put on the shelf and if not retired completely reserved for the most monstrous of acts (mass murders like 911), where society might need the finality to move forward at least when the evidence is clear about who done it. Beyond that it kills too many wrongfully convicted, isn't an effective deterrent, and causes too many tragedies of its own like this one.

  16. Re:Private enterprise to the rescue on Thousands of Gas Leaks Discovered Under Streets of Washington DC · · Score: 1

    The government can and should create money (or borrow it at no cost from the Fed) to do things in the public interest.

    That does nothing but create inflation. It's exactly the same as taxation, except worse. It specifically targets the middle class and the poor. The very wealthy have their wealth in assets that move with inflation, commodities contracts, corporate ownership, real-estate, etc. Everyone else sees their savings, mostly cash and money markets which tend to hold debt instruments like bonds, effectively devalued, and the buying power of their wages lowered.

    And don't try repeating that claptrap about how federal deficits don't hurt. I can't dispute the overall standard of living continues to rise, but it's fundamentally altering our society in ways most of us don't like. It absolutely IS the cause of the growing wealth gap. It is destroying social mobility. It puts things like home ownership perpetually out of reach for some, it puts college out of reach for many, etc.

  17. Re:Private enterprise to the rescue on Thousands of Gas Leaks Discovered Under Streets of Washington DC · · Score: 1

    Calling at least the distribution component of utilities a private enterprise is a fucking joke, or a lie told by statists to make the argument for ever expanded state power. Speaking as a libertarian the only thing I find worse than a government operated entity is these unholy public/private mixed entities we create like public utilities.

    A company that operates an effective regional monopoly because it alone has been given right of way across public lands and been the benefactor of eminent domain in order to get easements on otherwise private property is not private. A company that does not get to set its own rates, but has rates decided for it by a government utilities commission is effectively not private. A company that enjoys special legal limits on its liability for accidents, etc. is not private.

    In summary the notion that your gas company is "private" is a fiction. Now there may be logistical problems with gas and electric distribution being private, I don't have answers for all them. Perhaps they are an example of something that should be public, I'll concede that might be the case.

    I will say that if they were fully private though, these other issues aside, we would not have problems like this. The bad actors would be out of the market in a hurry. Why? Both their employees and their customers would sue them into oblivion inside of a week, were they unable to escape responsibility for the injuries and property damage they cause. If they had to negotiate access to the land they needed, someone would know where all the pipes were, because they'd want to charge the utility rent and or get a discount on their rates in exchange for the land use; being economically involved the property owners would probably watch those pipes for problems pretty closely as well.

  18. Re:Reinforcing the term on Google Glass User Fights Speeding Ticket, Saying She's Defending the Future · · Score: 1

    Apparently the judge did not think so when he very correctly dismissed the charge for lack of evidence.

  19. Re:Really? on Target Hackers Have More Data Than They Can Sell · · Score: 1

    Moreover the data has to be sold in chunks anyway. The card info pretty much has to be used in the region in which it was purloined. They don't have the CCV codes, so mostly they will need to make counterfeit cards and use them at physical locations; online will be difficult. There is already evidence the cards are being used in the region they were stolen from, and that makes sense; to do otherwise would trip everyone's fraud monitoring.

    So they are not trying to sell the whole grab to anyone to begin with.

  20. Re:Inside job? on Target Confirms Point-of-Sale Malware Was Used In Attack · · Score: 1

    Do you want to rely on the good graces of your bank to take care of you or do you want the law on your side for certain? The best advice is don't use a debit card; use credit and pay it off.

  21. Re:Cheap architecture + short cuts = DOOM on Target Confirms Point-of-Sale Malware Was Used In Attack · · Score: 1

    I know right, I wish we could get a success rate that high on our legitimate patching efforts!

  22. Re:The Internet of Things on Hackers Gain "Full Control" of Critical SCADA Systems · · Score: 1

    Tell me, do you split tunnel? If not, do you always check the routing table before and after you connect to those VPNs? Because despite what you think those machines might very well be visible on the internet. Just takes the right malware running on your laptop.

    Fundamentally you are mixing a high security domain (the SCADA network) with your machine which has been in a low security domain and is in a questionable security state. Even if we want to believe the VPN isolation itself is always perfect and nothing ever uses your machine as a live pivot point there is still the possibility you introduce a STUXNET like worm, that has established a beachhead on your machine and will hop onto any network you connect to from there. STUXNET needed no command and control to do its work.

    That said I understand the need to do what you do is a very real one. I also know all the vendors of this stuff, who really ought to be condemned to death, like to depend on things like Teamviewer for support. The only really good enough solution to your use case I can see goes like this:

    you vpnlayer internet vpnlayer -> (note the directionality here no connections outbound allowed) firewall allowing only desktop sharing app, -> application layer firewall that makes sure only desktop sharing features are used, shuts down the connection if file transfer features show up DMZ with access server you use remotely -> firewall with minimum required ports open -> NAT translation from the DMZ to an IP on the SCADA subnet -> IPS/IDS -> SCADA network hosts, all configured with no gateway.

  23. Re: i hope people with SCADA systems learned. on Hackers Gain "Full Control" of Critical SCADA Systems · · Score: 1

    Security is about "don't let it through unless you're sure", which obviously conflicts with the more important goals.

    No, security is about availability, integrity, and authorization. If the system needs low latency communications that is an availability concern; it's absolutely part of the security practitioner's job to make sure those availability and integrity goals are met. They are not competing goals, they are complementary goals.

    Security experts who don't understand that are not in fact experts. People who think security just gets in the way also need to shut up and listen.

  24. Re:Good thing Visa takes the risk... on Neiman Marcus and Other Retailers Breached, Credit Card Details Stolen · · Score: 2

    I have seen the numbers actually for a major nationwide retail chain, from an activity based costing perspective.

    I know for a fact the average ticket total is always larger when the tender type is credit. I never said cash handling cost more than credit processing fees and the associated IT infrastructure to support it, just that cash handling was by no means without cost.

    Retailers participate in these contracts because they represent a net win. At least the big ones understand perfectly well both the costs involved and the revenue enhancements accepting CCs generates. They do it because it's profitable, for the guys operating 1000+ box stores.

    I know a lot of small business owners that give reports more similar to yours and I can imagine that. If you don't do retail transactions averaging several per minute you are open, I am sure the math changes. As I am sure it does if you are operating a business like a restaurant or gas station where people tend to buy things in fixed predestine quantity independent of tender type.

    But don't try to tell me CCs are not a good thing for the box store type business I was talking about, I know better.

  25. Re:Good thing Visa takes the risk... on Neiman Marcus and Other Retailers Breached, Credit Card Details Stolen · · Score: 3, Interesting

    A couple things. Handling cash costs retailers money too. Might not impact smaller ones as much but for box stores and the like it makes a difference. Cash transactions take longer, so they need more checkers; it takes longer to get cash to the bank so they lose interest. Assistant managers, often still hourly, have to count it, and they usually need an armored car service to come pick it up, and it increases theft risks.

    For bigger retailers the swipe fees can be a bargain. It's been proven over and over again customers spend more when they don't have to think about how much cash they have on them too. As an individual I like the fees too, I can track what I spend on my card so I never pay any interest, yet I still get the cash back awards and points which part of the swipe fee pays for.

    As the merchant agreements usually force places not to discount cash, it's like a tax I get to charge. As others have pointed out the cards provide useful consumer protections as well.

    Everybody wins except the folks who can't keep and track receipts and get surprised with a bill they can't afford at month's end or the folks who have messed up so bad they can't get a card.