Agreed - and quantum effects are discrete if someone is looking at them, which sounds a lot like a computing optimization... "Hey, I can save a lot of cycles if I just flip a coin if someone happens to look at an electron that closely and return a random spin for that electron rather than keeping track of a whole universe's worth of electrons. Cool!"
I see a number of good ideas already for home-brew solutions, so here's one for an enterprise out-of-the-box solution. (Usual crypto caveats apply: if you don't build it yourself, how do you know there are no backdoors... OTOH, if you do build it yourself, assuming you're not Bruce Schneier, how do you know you got it right? Take as directed, evaluate your risks before using.)
I've had good success with Gemalto's protectfile product in this space. The NAE device handles the master key storage, temporal keys are stored in the device driver, encrypted by the master key. Accesses can be controlled by user through any of the usual authentication mechanisms, including saying "This is my backups user, it can read only encrypted data" which is a nice feature I don't see often enough on enterprise level encryption. Saves me from having to trust the sketchy encryption on the backup solution which is almost always backed by the "trust us" guarantee.
That's a sociopolitical issue to be resolved not by minimum wage hikes or make-work programs, but by legislating shorter standard work weeks and nationalizing health benefits. Make it affordable for employers to hire more people to do the work, make it less life-affecting for people to work less.
We can start by rolling back OT exemption rules. "Hey, you know what would be cool? If employers couldn't work you 100 hrs/wk without repercussions?"
That's simply fixing the free market. If your business model is so broken that you're not investing in proper automation and instead are working your IT staff 60hr/wk to compensate, congratulations, we just fixed your decision making process. Go invest in some IT automation instead, (or pay the OT to your IT staff, but I'll bet you the automation is cheaper, and will create jobs in the company that produces that automation software).
We've created a false supply, and are shocked that our job numbers aren't rising at the rate we'd like.
OT exemption is just a corporate handout paid on the backs of the people doing the work, and I'm speaking as a manager. Fix it.
I'd like a duress pin instead. It lets the phone function totally as normal, except it fires an email with my location, and an email that I'm being forced to unlock my phone to my lawyer or (for my work phone) my corporate legal dept. If I'm being forced to unlock my phone, I want to make it tough to disappear me, no matter what the circumstances are.
If you want, have it fire a user-defined script too, that way if you want to fry your crypto memory, have at it, or wipe your lastpass storage, or whatever.
If you're interested, most people would agree that when you connect to a Defcon wifi network you should probably be... cautious. Let's face it, Defcon is to RSA from an info-risk POV as walking in downtown NY at 1am is to walking around the North/South Korean DMZ at 1am. Both are hazardous, but one of them is just plain insane.
Now watch this: https://www.youtube.com/watch?...
That's the 'so what'.
And keep in mind that most ppl are still using the same passwords on multiple sites.
Oops.
The issue is, that's not my call. I'm a professional, I travel to the US on business. In doing so, I bring data that is not mine with me. Corporate emails, credentials that could cause a CNN moment if mishandled, etc.
Those data are stored under cryptographic control, using two factor authentication. It is not mine to decide if it's acceptable to hand it over to anyone.
So now I need to take further steps to ensure I have access to the data required when I travel internationally to my corporate HQ, which increases the cost of doing business.
My company will never move their HQ out of the US, but others may decide at some point that it'll cost them less in the long run.
Also, the caps on penalties are more reasonable here, making the "Pay us 5,000, or we'll sue you for 1,000,000" threat ineffective. The max for non-commercial infringement up here is 5k. Since that's the max, in most circumstances the judge would prove a much lower cost, say $100-200.
Quoting directly: "(b) in a sum of not less than $100 and not more than $5,000 that the court considers just, with respect to all infringements involved in the proceedings for all works or other subject-matter, if the infringements are for non-commercial purposes."
The copyright trolls haven't been too interested since then.
background if you're interested:
http://www.michaelgeist.ca/201...
Honest question - how does he (and you, I suppose, by extension) feel about libraries? They effectively cause the same issue for authors at a smaller scale (although maybe larger in aggregate, not having firm numbers on ebook piracy rates vs. traditional library use), especially since some libraries (my local one included) offer ebook borrowing services.
Time to rename Facebook RickRollBook!
debug G=C800:5 to low level format a harddrive!
After I got nailed making a left shortly after getting my license, I started thinking about left turns and how much more dangerous they are than right turns. There are so many more things to account for, and more chances for other people to make errors that force me to take hazardous countermeasures. A NYC study showed they are 3 times more dangerous than right-hand turns. So now, unless doing the right would take me way out of my way, I do that instead.
Remember, two wrongs don't make a right, but three rights make a left :)
The one that always got me was the RSA booth at Blackhat - I mean, Blackhat is in VEGAS. If you want that sort of thing, you can get it with fewer lines any number of places. But one year they had people lining up to pose with women dressed in biker costumes at the RSA booth.
Seemed a little bit like bringing ice cubes to Alaska.
Yes, let's get rid of the AMA - after all who doesn't want goat testicles? :)
https://en.wikipedia.org/wiki/...
"Make Mud - Not War" - It's been done: https://en.wikipedia.org/wiki/...
I'd read a book, but people get SO upset when they see me with a paperback in my hand going down the freeway... Turns out they're OK with me listening to an audiobook instead.
I don't know. There's precedent.
In every subway station in my town there's a big red button that kills all power to the rails. Hitting that button would be a major PITA for everyone, but yet, it sits there, red and inviting, and somehow humans manage NOT to press the red button, years of D&D evidence to the contrary notwithstanding.
Humans can be trusted with (limited) power.
I vote we don't terminate all of them. We should keep at least 7 as historical landmarks.
ai@google.com
My replacement is changing the screen rotation. As much fun, and more visual. Also it has a handy hotkey. Ctl-Alt-Left arrow. Quick and easy to do on a walk-by.
I have seen the chief of security frig around with unsecured workstations.
Hey - I resemble that remark, although my current goto is ctl-alt-left arrow. I assume no responsibility for neck injuries resulting from use of the aforementioned keyboard combo. :)
I wear an Android watch so that I have a "Hey, look at your phone" or "Hey, get to your next meeting" reminder that's not disruptive. The fact that my time is on my wrist is a nice side effect, but mostly it saves me from having to take my phone out of my pocket in social and business situations where it would be disruptive or frowned upon.
Looking at your watch is a LOT more socially acceptable in certain circumstances than pulling your phone out.
I'll second this. Weaknesses I've observed in the current crop of SEs in the marketplace are:
1) Lack of security understanding and related defensive programming skills - If I have to tell you I found an XSS vulnerability in your code, you should be embarrassed, because you should have caught it way before I found it in QA.
2) A lack of understanding of the world outside your box. I don't expect that you'll be able to configure a Cisco router, but I DO expect you to be able to tell me what ports you're using, and details on your communication protocols (are you encrypting? If so, what protocol?).
3) A lack of understanding of BASIC security principles, e.g. Authentication, Authorization, Auditing, & Availability. You should be able to rattle off what your code is doing with respect to those core needs.
Easier solution: Unplug them, remove any batteries. Security. When do I get my cheque?
One would presume the same way the US can gain jobs that had yet to be lost?
I know talking to myself is a bad habit, but I'll also point out that arguably the largest nation-state attack on record - the RSA SecurID breach - was caused by someone in HR opening an email that said "2011 recruitment plan" and clicking on the attachment. Some lateral movement later, and they made it into RSA's holiest of holies. LOTS of orgs are hard and crunchy on the outside and chewy on the inside. Once you get a toehold in the network, it's often a matter of time before you can move to what you're looking for.
At the end of the day, you don't get style points in the spy game. If script kiddie level efforts give you the results you want and you don't really care about not being caught, script kiddie level stuff it is.
Governments have engaged in similar script-kiddie-level attacks in the past, both before and after the digital age ("You've won a contest, come collect your prize here!", criminal shows up to collect prize, gets a pair of handcuffs).
This stuff is low-risk, high-reward. Attackers only need to get lucky once; defense has to be good every time.
This is true so long as the big telcos care.
Had this experience about a month ago:
Big Telecom (Rogers) comes to the door
"Hi! I'd like to lower your internet bill. If I can't give you better service for less, I won't waste any more of your time. Are you using Bell?"
"No, Teksavvy"
"OK, I won't waste any more of your time then. Have a nice evening" :)