Slashdot Mirror


User: idontgno

idontgno's activity in the archive.

Stories: 0
Comments: 4,819

Comments · 4,819

  1. Re:Perhaps Not All Remote Management Worth The Ris on Feds Investigating Water Utility Pump Failure As Possible Cyberattack · · Score: 3, Informative

    What's really necessary is for some kind of device that will communicate the data to remote places, but refuse to pass any messages from the outside onto the control system. I don't know how difficult this is, but it's certainly harder than "air gap it". On the other hand, this solution actually addresses the problem.

    So, what you're saying is, if a utility is too cheap to lay in dedicated network assets and buy their own blacknet (which is not hard to do if you want to), it's ok to just connect to the Internet?

    That said, the thing you're looking for is called a unidirectional network. Back in my military network operations days, the colloquial name was "data diode". Data goes one way but nothing (no data, no handshakes, no signaling at all) goes the other way. In that environment, they were used to promote data from a lower-level security environment (say, Secret-only) to a higher-level one with no risk of leak-back.

    Yeah. They exist. They're considerably lower-bandwidth than your average gigabit Ethernet switch, but if you're just talking SCADA telemetry, they should suffice.

  2. Re:Perhaps Not All Remote Management Worth The Ris on Feds Investigating Water Utility Pump Failure As Possible Cyberattack · · Score: 1

    Perhaps it's time to realize both statements are true and completely orthogonal to each other.

    Leaping to the conclusion that pump failure in a SCADA-controlled utility is cyberwar is foolish.

    Believing that anything remotely important should be connected to a publicly-accessible network is also foolish.

    Both skepticism, and air-gapped networks, are very good ideas.

  3. Re:Annoying boss? on Microsoft Patent Aims To Curb Obnoxious Employee Behavior · · Score: 2

    I think you're missing a critical point.

    Managers will be monitored, but they'll be measured against different criteria than peons, just like in every other aspect of corporate life.

    The net effect of the different evaluation rules is that PHBs will become more pointy-haired and sociopathic, not less.

    "We've been reviewing your Interaction Monitoring System logs, Bob. We're noticing some unfortunate tendencies in your communications with your subordinates. For instance, here last week, we detected some very clear indicators of human compassion and what appeared to be sincere interest in your team's well-being. We simply can't have that kind of interference with business goals; in particular, we're really worried you might be tempted to put your people ahead of this quarter's numbers. You need to reassure us by using more appropriately goal-based socialization and less touchy-feely 'caring' stuff."

  4. Re:What do you mean? It already has. on CarrierIQ: Most Phones Ship With "Rootkit" · · Score: 2

    Ad hominem: the sophisticated way to say "I lose".

  5. Re:ALL THESE WORLDS ARE YOURS on Life-Bearing Lake Possible On Icy Jupiter Moon · · Score: 3, Funny

    CmdrTaco took his monolith with him. That's why slashfilter had context recognition fail.

    "My God, it's full of trolls!"

  6. Re:Why isn't this certificate revoked? on New Malware Signed With Stolen Government Certificate · · Score: 3, Interesting

    I imagine it wasn't reported for revocation because (A) some bureaucrat would have to publicly 'fess up to a nasty boo-boo, and (B) that might inconvenience legitimate users of that certificate chain and (C) make lots of extra work for the fellow bureaucrats to replace the poisonous certificate and publicize its replacement in the using public.

    So, yeah. Allowing the certificate to glimmering is obviously the better solution. There's no downside as long as no one uses the stolen certificate for evil purposes. And if they do, there's probably enough plausible deniability to buy time to do the revocation only when it's absolutely necessary, like buying fire insurance while the roof is burning.

  7. Re:quite some time ago? on New Malware Signed With Stolen Government Certificate · · Score: 5, Informative

    Also, who the hell actually installs software just because the Malaysian government signs it?

    It's not "who", it's "what". As in "What operating system trusts signed <foo> more than unsigned equivalent?" As in "All of them."

    A signed cert opens doors that most users aren't even aware of. Add to that (in this case) an existing remote arbitrary code execution exploit in unpatched vulnerable versions of Acrobat Reader 8, and you've got a lovely recipe for malware drive-by installation.

  8. In Related News, on Skilled Readers Recognize Words By Shape · · Score: 1

    Recent press release from Georgetown University Medical Center's Laboratory for Computational Cognitive Neurosciences announces breakthrough scientific discovery: a statistically significant majority of neuroscientists have no familiarity with Hanzi, Kanji, and other ideographic written languages used by over a third of Earth's current population.

  9. Re:Yes on Skilled Readers Recognize Words By Shape · · Score: 4, Interesting

    that was "Ford Prefect" from HHGTTG.

    Well, to be fair, if you knew what a Ford Prefect actually was, you'd never confuse it with "perfect." XD

    As to the use (misuse?) of "stock phrases" like "beg the question", I assume that some people use those phrases idiomatically (i.e., no literal meaning intended) because they heard someone else they thought worthy of emulating doing so. Because of this, they don't consider if the literal phrase makes sense ("How do I do... what?").

    In the specific (and hilariously controversial*) case of "beg the question", it's possible to torture a nearly-sensible literal meaning out of the phrase ("This begs the question" == "This begs someone to ask the question"), so the correct use derived from the original Latin phrase (and only sensible in light of Latin's vocabulary and grammar) will die out within a couple of generations, except in philosophical specialist material.

    *Case in point

  10. Re:If I remember my Cold War optimism correctly... on Fukushima Soil Contamination Probed · · Score: 1

    No need. They'll prey on the marketing and advertising people. Well, they'll try to prey on everyone, but because M&A has been weakened by low-level chronic radiation sickness, they're the ones naturally selected.

    Or, to not coin a phrase, "I don't have to outrun the lawyer; I just have to outrun you."

  11. Re:The military is good for a few things... on With Troop Drawdown, IT Looks To Hire More Vets · · Score: 1

    I work in IT (sys admin), having spent a bit of time in the military. Military experience is certainly no stone-cold guarantee that you've got a quality person on your hands, but it does increase the probability significantly. Technical skills aside, the military tends to instill a fairly healthy amount of discipline, teamwork, and the ability to think/act under pressure. As my Dad puts it (formerly in the military for 12 years) - the ability to think and chew bubble gum at the same time.

    As a former military system administrator myself, I'd like to point out that armed-services-veteran BOFHs have superior LART skills. They may complain about having to use improvised LARTs rather than appropriate purpose-made ones, but they adjust rapidly.

  12. Re:Really?! on Adobe Ends Development of Flash On Mobile Browsers · · Score: 1

    I suspect there are many anti-Flash bigots who feel that 750 unemployed is a small price to pay. As long as they're not the ones getting the pink slip.

  13. Re:Consider the percentage on US Military Trying To Weed Out Counterfeit Parts · · Score: 1

    OTOH, setting up a US based fab, even if expensive by COTS standards, would be a rounding error in the DOD's budget.

    Whose fab? In case you hadn't noticed, the DoD manufactures NONE of its own equipment, let alone components.

    So... pay IBM or TI to build and maintain dedicated fab capacity? Any company which won that particular prize would be swarmed by lawsuits and other contract protest actions by every competitor in that space, domestic or not.

    We're in an acquisition environment which requires fairness in soliciting; a "domestic content" rule, explicit or implicit, would probably be the basis of the fastest and most effective contract award protest in history because it would disqualify so many otherwise valid bidders, and the mission-needs argument wouldn't ultimately matter as much as all of the companies getting their fair shot; after all, that's why they contribute to election campaigns and pay lobbyists, as well as why they make strategic partnerships with domestic companies (to put a local face on the bid, and to snare more locality-based political support).

  14. Re:Yes! even number on Firefox 8.0 Released · · Score: 1

    WRONG!

    The even numbered firefoxes are good.

    The irrationally numbered firefoxes are the best.

  15. Re:Best comment in article: on The F-35 Story · · Score: 1

    "And who says the Marines need a fast jet in combat?" said McPeak, now chairman of Ethicspoint Inc., a consulting firm in Lake Oswego, Oregon.

    This would be retired Air Force General Merrill McPeak. A life-long Tactical Air Command officer and rated fighter pilot. The most heavily indoctrinated and most influential officer in air doctrine circles in the early '90s. And, in keeping with that background, having absolutely no use for "fast jets" for any service but the Air Force. And by Air Force, I mean exclusively the Tactical Air Command or its post-1992-replacement, Air Combat Command.

    The Air Force Chief of Staff which oversaw the ultimate triumph of the TAC Mafia in gunning down Strategic Air Command.

    Yaaaah. Yeah, he's an unbiased commentator.

  16. Re:Dual license on Ask Slashdot: When and How To Deal With GPL Violations? · · Score: 1

    Unless the project had copyright assignment in place, in which the contributors wouldn't have a leg to stand on; the entire codebase would belong to the primary developers.

    In which case, "Mmmm fork fork fork" would be the Swedish I mean only way forward.

  17. Re:Not that random on Mathematically Pattern-Free Music · · Score: 3, Interesting

    Apophenia.

    Pareidolia.

    We're wired to see patterns; if there aren't any we'll make them up with no conscious effort or intent at all.

  18. Re:Why produce such software? on Iranian Police Tracking Dissidents Using Tech From Western Companies · · Score: 1

    Hellfire, never mind that.

    How the hell do you make the switch work from thousands of miles away, in a non-remotely-reachable location? (For instance, behind the Great Islamic Firewall.)

    And after the first time, how do you make it work again? It would only take a modicum of debugging skill to uncover and block any remotely-triggerable killswitch technique once it's been revealed by first use, unless your killswitch is also engaging hidden incendiary charges and slagging the hardware. And then you'll have to convince me that destroying other equipment and threatening the lives of people is worth it, at which point I'll just refer you to the US's current killswitch technologies.

  19. Re:SaaS killing any native app development on Is SaaS Killing Native Linux App Development? · · Score: 1

    I see that didn't make you puke. Did I mention... CORBA?

  20. Re:Pro-tip: Read the retraction before posting... on Spanish Firm Wins Tablet Case Against Apple · · Score: 1

    Couldn't be. Florian Mueller said it wasn't Apple, and legions of fanbois rose up in agreement.

    And we know they're both always right.

    It had to be Apple's evil twin. I mean, more evil.

    (is that possible?)

  21. Re:Code ownership on Spanish Firm Wins Tablet Case Against Apple · · Score: 1

    I guess "patent on rectangle with rounded corners" is vastly more reasonable than "patent on mathematical algorithm implemented in software".

    </sarcasm>

  22. Re:All I can say is on Spanish Firm Wins Tablet Case Against Apple · · Score: 2

    Well, Florian Mueller's not a lawyer, and I'm not, and I'm pretty sure you're not... but that phrase "initial complainant as opposed to that of a party litigating a case" makes no sense. Does Spanish court procedure allow a party to launch a lawsuit against another and then disengage and let it fly unattended? I'm skeptical. If there's a distinction, it's an irrelevant technical one, and doesn't change anything.

    Sorry. Regardless of the legal trickeration, if Apple initiates the lawsuit, and doesn't petition for dismissal, they're the plaintiff. You don't get to say "lol, just trolling" if it doesn't go your way.

    The fact that the defendant is countersuing to recover legal expenses tells me that SOMEONE credibly thinks Apple was the active plaintiff in the suit, and the prime actor behind the injunction attempt.

  23. Re:Frivolous patents and lawsuits on Spanish Firm Wins Tablet Case Against Apple · · Score: 3, Interesting

    But it's so costly and difficult to run that particular legal marathon, hardly anybody has ever completed the course. (Really, has anybody _ever_ actually completed it?)

    Novell, in SCO v. Novell

    But that instance is legendary for how the respondent stuck to its defense, and the basic bad faith and scummy practices of the plaintiff.

    And it only took 6 1/2 years, from initial complaint to Supreme Court refusing appeal.

    So... yeah, at least ONE someone has actually completed the course. It may be the exception, though.

  24. Re:A helicopter? on OLPC Project To Air-Drop Laptops · · Score: 3, Funny

    "With God as my witness, I thought that laptops could fly!"

  25. Re:Someone should explain to them... on Amazon Launching eBook Lending Program, Publishers Unenthusiastic · · Score: 1

    If you just visit the library, then it's usually free. But if you check out something, the privilege is still paid for somehow.

    Well, if we actually follow your logic to a reasonable conclusion, you're paying to just visit the library as well. Unless your library squats on someone else's property, pays no utilities, and steals all of its book and media holdings. At least in my community, my taxes pay for that as well.