Slashdot Mirror


User: DarkOx

DarkOx's activity in the archive.

Stories: 0 · Comments: 6,020

Comments · 6,020

  1. Re:I have to get better sources apparently... on Target Admits Data Breach May Have Up To 110 Million Victims · · Score: 1

    That "encrypted with 3DES" thing has bothered me too; it does not make much sense unless they mean the filesystem the database is on or something. Otherwise how do you effectively cipher a 4-digit PIN with 3DES?

    Yes some databases can cipher tables, but that isn't really helpful against an online attack where the table is already unlocked.

    Ideally you would store the ciphered values and the application layer would have the key, which leaves you needing to make sure you select unique IVs for every PIN; otherwise you will have lots of repeated ciphertexts with some known plaintexts, and lots of PINs will be exposed quickly and easily.

    All in all, without more detail, and given this appears to have been an online attack, I don't have much confidence that those PINs are secure against even the most amateur cryptanalysis (if they did not actually get them in the clear to start with, again possible, even likely, given the access vectors) for longer than hours.
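To illustrate the point about unique IVs, an added example (not from the comment or its author) in Go, whose standard library includes 3DES: the same 4-digit PINs are encrypted once under a single fixed IV and once under a fresh random IV per record, and the number of distinct ciphertexts is counted. The key, IV and PIN list are constructed placeholders.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed placeholder key (24 bytes for 3DES) and an all-zero "fixed" IV.
var demoKey = []byte("0123456789abcdefghijklmn")
var fixedIV = make([]byte, des.BlockSize)

// encryptPIN zero-pads a 4-digit PIN to one 8-byte block and encrypts it with 3DES-CBC under iv.
func encryptPIN(key, iv []byte, pin string) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, des.BlockSize)
	copy(plain, pin)
	out := make([]byte, des.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

// distinctCiphertexts encrypts each PIN and counts distinct ciphertexts. With one fixed IV,
// equal PINs give equal ciphertexts, so repeats across the 10,000-value PIN space are
// visible without the key; with a fresh random IV per record every ciphertext differs.
func distinctCiphertexts(pins []string, perRecordIV bool) (int, error) {
	seen := map[string]bool{}
	for _, p := range pins {
		iv := fixedIV
		if perRecordIV {
			iv = make([]byte, des.BlockSize)
			if _, err := rand.Read(iv); err != nil {
				return 0, err
			}
		}
		ct, err := encryptPIN(demoKey, iv, p)
		if err != nil {
			return 0, err
		}
		seen[hex.EncodeToString(ct)] = true
	}
	return len(seen), nil
}

func main() {
	pins := []string{"1234", "0000", "1234", "5555", "1234", "0000"} // constructed sample with repeats
	fixed, _ := distinctCiphertexts(pins, false)
	random, _ := distinctCiphertexts(pins, true)
	fmt.Printf("fixed IV: %d distinct, random IV: %d distinct, for %d records\n", fixed, random, len(pins))
}
```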

  2. Re:Lots of class actions on Target Admits Data Breach May Have Up To 110 Million Victims · · Score: 1

    There is absolutely no reason to take CC data out of the transaction system and put it in the data mart. None. I helped build an activity-based costing system for a major retailer; you create a surrogate customer ID and you store the tender type. IDS/IPS sensors should spot PII and CC info leaving the PCI world in bulk going anywhere unexpected, even if it's not much data in terms of network traffic.

    If the environment is properly secured and instrumented, exfiltration should be detected.

  3. Re:You would be a fool on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    Security is layers. For all our firewalls, IDS sensors, SIEM correlation, and other efforts, it was the lowly endpoint security package and its alerts in its console that got our attention the last time we had an unannounced pen test.

    A/V might not be the sexiest thing in computer security today, it might not even be very effective overall, but it's one more shot at detecting and stopping the bad guys and it can be a shot worth taking.

  4. Re:Why not just multiple monitors. on 4K Is For Programmers · · Score: 1

    http://xmonad.org/ -- nuff said

  5. Re:What? (a gyp) on Blackhole Exploit Kit Successor Years Away · · Score: 1

    And you both need to get over it. English has only descriptive dictionaries, not prescriptive ones; anyone can assign any meaning to a word they like. I think from context it's pretty unlikely the GGP post was implying anything racial. Irrespective of the etymology, "gyp" is used commonly today to simply mean a cheat of some kind, long separated from any disparaging racial stereotype. Quite honestly the best way to get these racial stereotypes to go away is to stop finding reasons, or rather excuses, to get all butt hurt (is that offensive to homosexuals?) all the time; if you don't come by later and make it about a certain group, for most listeners and readers it won't be.

  6. Re:I really have a hard time on The Quiet Fury of Former Secretary of Defense Robert Gates · · Score: 1

    This was what I was getting at with my comment. Either you win it or you end it. War is fundamentally horrific. Your fellow countrymen die fighting and the enemy is killed or maimed as well. Either the cause is worth that and the war is believed winnable or you should cease fighting immediately (well beyond covering a retreat anyway).

    What you don't do is half fight it; it's wrong. People's lives are more important than that, or they should be.

  7. Re:I really have a hard time on The Quiet Fury of Former Secretary of Defense Robert Gates · · Score: 1

    Is it really so damning that Obama didn't consider Afghanistan "his war", and "wanted to get out"?

    Yes, yes, it's damning. Obama ran on getting us out of Iraq but he never really ran against the Afghanistan effort. If he really wanted out and thought that continuing the war was a bad idea he should have had the courage to end it. He should have ordered the general to begin an orderly retreat with the single objective of getting as many of ours home as quickly and safely as possible. No more training native forces, no more pacifying Helmont (sp?), nothing.

    I can't think of much worse in the way of moral depravity than to have your soldiers fighting and dying for a war, not to mention those of the enemy, for an objective you don't think possible or a cause you don't believe in.

    Seriously, if he really felt that way he should have run on "if elected, I will withdraw our forces from Afghanistan" and let the people decide.

  8. So what? on David Pogue and Yahoo's "Normals" Problem · · Score: 1, Interesting

    I find Pogue's theories about the demography of normals a bit suspect, but conceptually it's not crazy. Every business should know who their customers are and beyond that know who their good customers are (i.e. the ones that make them rather than cost them money).

    In the case of Yahoo though a couple of things come to mind:
    Gear heads are your customers' customers in many cases. There seem to be two types of product pushed in online ads: scammy stuff sold to idiots and high-end (or at least high margin) stuff sold to various types of gearhead/*-ophile, foodie, junkie types. If you as Yahoo don't bring these eyeballs, I'm not sure why your actual customers (advertisers) would bother with you. I don't see P&G pushing toiletries online a whole lot, and it's things like toothpaste, frozen pizzas, and lawn fertilizer the "normals" spend their money on.

    Lots of people like to think they are "gearheads"; they think they want to feel like they are experts at their hobbies and such, feel like they are dealing with fancy things. I am not sure deliberately not projecting an image of "elite" is really going to put people in a buying mood, again something advertisers won't love.

  9. Re:KODAK is actually a good example. on The Internet's Network Efficiencies Are Destroying the Middle Class · · Score: 1

    If you really want fair you don't tax income at all! You do all your taxation on the consumptive side; buyer pays.

    You then tax exempt a few key things that represent a disproportional amount of spending/income for the lower earners (note this is not unfair because if you are a high earner you are still getting the exemption):
    * Unprepared foods.
    * Public utilities delivered to a residence: water/gas/electric/etc.
    * Transportation fuels: gasoline/automotive grade diesel/avgas.
    * Residential buildings (sales taxes, not real estate taxes).

    You can take it a bit farther if you like and exempt education and some others.

  10. Re:A piece of paper in a drawer on Ask Slashdot: How To Protect Your Passwords From Amnesia? · · Score: 3, Insightful

    For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security of my passwords then relies on the security guards at the gate.

    Disagree.

    Your boss has every right to possess credentials himself capable of resetting or changing your password to something he knows, should a need arise. He should not, however, have your password. This is an audit and separation of powers issue. Being able to reset your password is fine; that should result in a log of what account was reset and what account did the resetting. If it was root, who sudo'ed to root, etc. Can someone with administrative access still tamper with logs? Yes; but it raises the bar and makes it harder to cover their tracks from forensic examination if something happens.

    Account credentials should not be shared for accountability reasons, even with the boss.

  11. Re:What about all the new jobs in the "digital" ag on The Internet's Network Efficiencies Are Destroying the Middle Class · · Score: 2, Informative

    Most of those jobs are white collar though and often require substantial investments in education, which statistically pays off, but "statistically works out" and "works out for an individual" are not always the same.

    There are still jobs like welder that people can still go get hired and trained to do right out of high school, but these are rapidly disappearing.

    Labor saving technology created opportunities for just about everyone; automation is creating opportunities for capital owners, and certain groups of white collar middle class workers that fall into some prerequisite conditions; but it's not helping everyone.

    It's largely leaving the jobs that are so low skill and low wage they are not worth anyone's trouble to automate (cleaning, final assembly, landscaping) and jobs that require (or at least appear to require) intelligence and decision making we can't replicate with a machine.

  12. Re:Also, on Are New Technologies Undermining the Laws of War? · · Score: 5, Insightful

    Yes, history repeats itself. I come back to the only justifiable war being one where you are willing to do what is required to win. If the issue is important enough to engage in massive property destruction and to kill or maim people, then it should never be done in vain; an obligation exists to see it through and secure the intended outcome. "What is required" may vary: if you possess an outsized military advantage you have the luxury of not using certain forms of brutality and less discriminating targeting practices, and you should, so long as it does not jeopardise victory. If you are disadvantaged then asymmetric and "terror" tactics are probably a must.

    Societies, not just soldiers, go to war. It does not matter if you have a gun in hand or a garden hoe; you are supporting the war fighting capability and so can be considered a target if need be.

  13. Re:say what? on Polar Vortex Sends Life-Threatening Freeze To US · · Score: 1

    No, I think it's just a recognition of the fact that most people's eyes are not really open until they are 30 or so.

  14. Re:Mere flesh? on Why a Cure For Cancer Is So Elusive · · Score: 2

    Rust

  15. Re:Clemency?! on Counterpoint: Why Edward Snowden May Not Deserve Clemency · · Score: 1

    That is just it: some of them might join some fundamentalist sect, but they won't attack us; they will be too preoccupied trying to get the young women there to put the hijab back on and the other young men to stop watching the free porn to do anything about us. The culture war is a losing one; freedom and self fulfillment always win once the possibilities are really understood.

  16. Re:International Cooperation and a Happy New Year. on US Coast Guard Ship To Attempt Rescue of 2 Icebreakers In Antarctica · · Score: 5, Funny

    Or at least get collectively owned by mother nature.

  17. Re:Clemency?! on Counterpoint: Why Edward Snowden May Not Deserve Clemency · · Score: 0

    It is a leftist myth that if the US withdraws the islamists will calm down

    Maybe, but I would offer two things:

    One: it's not really our problem; simple geography means it's the western societies in Europe and Africa's problem.

    Two: If you really think fundamentalist Islam is a serious threat to the United States then we ought to drop DVDs, magazines, clothing, and packaged snack food on them instead of bombs. We should crank up the wattage on FM transmitters pushing VOA and other western networks just outside their borders so high that no state sponsored media in their own nation can be heard. It would cost so much less in both dollars and lives. I am with you, the 12th century brand of Islamic culture is absolutely something we ought to seek to eradicate. If you really want to do that though you expose them to our culture constantly and repressively. Yes, it will cause a tiny fraction of radicals to start frothing at the mouth, but I seriously doubt the majority are going to continue to tolerate oppressive radical fundamentalist Islamic regimes when they actually know what modern western society is really like.

  18. Credibility on Counterpoint: Why Edward Snowden May Not Deserve Clemency · · Score: 4, Interesting

    As far as the intent argument goes: we have known all kinds of abuses have been happening for a long time. Courts have issued rulings on insane standing rules that say things like "you can't know your rights were violated" so you can't sue, which means you can't find out through discovery.

    So someone like Snowden who is on the outside would have had little choice but to intentionally infiltrate the NSA or just keep bending over and taking it like everyone else. It might be more fair to describe him as an activist than a whistle-blower, but morally I think there is plenty of equivalence there.

    The issue about disclosing the stuff that isn't likely to be illegal or outside charter is that it was probably necessary for credibility. If the only stuff he handed over was heavily filtered and redacted the only questions that would have been raised would be "why should we believe any of this is authentic, the courts will never let us verify any of it?" and "What aren't you telling us?" It isn't as if he posted the whole trove on 4chan or something he leaked to (mostly) responsible press agencies who have always played the role of filter for this kind of thing in western democracy. I think the wider leaks though perhaps unfortunate with respect to some national interests were quite necessary and done as responsibly as possible.

    All in all, the arguments against clemency pretty much boil down to "he threatened order, and we can't have that", which when it comes to military and intelligence personnel and civilian employees of a similar nature is not an argument entirely without merit; but the NSA is so out of hand a wrench any smaller would have done nothing to even slow the gears. At some point the system gets too broken to work within.

  19. Re:Biases on Headhunters Can't Tell Anything From Facebook Profiles · · Score: 3, Insightful

    I don't think anyone is suggesting HR is not necessary, but to continue your analogy:
    If the HR / recruiting firm pairing at some places I have worked was a firewall/IPS pair it would:

    Have an insanely high false negative rate, frequently forwarding malicious traffic with well known signatures.

    Drop large amounts of legitimate traffic to important assets like the web farm, with log events of "just because" or "I don't remember why".

    Forward traffic originally destined for other unused addresses to live hosts without any filtering to meet some minimum number of resumes^H^H^H^H connection setups.

    Interpret its policy rules on a per connection basis, frequently with different and non-deterministic results, and log nothing.

  20. Re:Wrong! on Headhunters Can't Tell Anything From Facebook Profiles · · Score: 1

    I think you are on to something more than you think. Social media provides a plausible, somewhat reasonable sounding explanation for their actions, when/if they need to explain themselves to either their boss, the client firm, or maybe some legal process. Even if they have to craft said explanation after the fact.

  21. So I'll ask the one question that really matters on U.S. Waived Laws To Keep F-35 On Track With China-made Parts · · Score: -1, Troll

    Does the law as written actually permit the granting of waivers or is this just more of the Obama administration making it up as it goes along?

  22. Re: Big lesson on Snapchat Update Addresses Security Hole · · Score: 3, Insightful

    You mean the business people who usually buy these "tech firms" for billions and sell them a few years later for millions, as is the usual pattern, those business people?

  23. Re:So much for competition on Backdoor Discovered In Netgear and Linkys Routers · · Score: 1

    the non tech enduser will (once again) see personal or financial information compromised, or will participate in yet another botnet. It's public now, but nobody knows how much this has been exploited as zero day. Replace router/firmware with 'car' and we would see class action lawsuits as never before.

    If it were a car there would be a manufacturer recall. If the problem was discovered in the first decade, after that people would be expected to take care of it on their own.

    Device makers should be better behaved to do recalls for stuff like this, maybe they should be forced to, I don't know.

    These non tech end users need to stop getting a free pass too though. "herp derp, gee I didn't know I needed to check for patches and updates, set a non-default password, and have some kind of port filtering" just can't fly these days. Honestly end users like that need to be held responsible for the harm their machines cause.

    If I didn't maintain my car and its brakes failed, causing it to roll into a busy street, I'd be liable for the damage it causes. Yes, the people creating the botnets and worms are the real criminals and need to be punished, but regular users have at least some civil responsibility for negligent and reckless operation.

  24. Re:OpenBSD on Backdoor Discovered In Netgear and Linkys Routers · · Score: 1

    Any of the plug computers. http://www.globalscaletechnologies.com/

  25. Re:Glass have water on Windows 8 and Windows 8.1 Pass 10% Market Share, Windows XP Falls Below 30% · · Score: 1

    Exactly correct. What this shows is it's really been hardware improvements that have driven OS upgrades on Windows PCs. With Windows 3.0 and Windows 3.95 (Windows 95) being exceptions that people really did rush out to buy in a shrink wrapped box, no client Windows release has offered an improvement compelling enough for home PC users to bother upgrading.

    It's almost the same story for business users, but lots of desktops did get upgraded to XP, from Win 2k Workstation or Windows 9x, with relative haste.

    On the server side OS upgrades have usually offered enough value to make it worthwhile, at least for core infrastructure machines; although I don't see what is terribly compelling about migrating Server 2008 to Server 2012.