The real reason that this doesn't happen is because it's pointless. The first thing that a data forensic team does is mirror the original drive and store the original away as evidence. They then work on the mirrored image.
So, you go and give the self-destruct key, and it renders the data on the copy useless. Big deal. They just go and mirror the original again, and you are back at square one.
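The image-first workflow this comment describes, as an added example written for this page (not code from the commenter): a bit-for-bit copy of the seized volume is taken and hashed, the examiner works only on the copy, and when the "self-destruct" fires on that copy the original still hashes to the recorded value and is simply re-imaged. The file names, the sample "drive" contents and the zero-overwrite standing in for the self-destruct key are all constructed for the example; a real acquisition runs dd or ewfacquire behind a hardware write blocker, which this simulation does not model.

```python
import hashlib
import os
import tempfile

BLOCK = 4096


def sha256_file(path):
    """Hash a file in fixed-size blocks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest):
    """Bit-for-bit copy of `source` into `dest`, hashing the bytes as they are read.
    Stands in for dd/ewfacquire behind a write blocker; the returned hash is the
    value recorded in the chain-of-custody paperwork."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(source, dest):
    """Acquisition check: the image must hash identically to the source."""
    return sha256_file(source) == sha256_file(dest)


def self_destruct(path):
    """Simulates the 'self-destruct key' from the thread firing on whatever volume
    the examiner is working on: the data is overwritten with zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)


def run_workflow(workdir=None):
    """Acquire, verify, work on the copy, lose the copy, re-acquire from the original."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return run_workflow(d)
    original = os.path.join(workdir, "seized.img")   # the drive bagged as evidence
    copy = os.path.join(workdir, "working.img")      # what the examiner actually touches

    # Constructed sample content standing in for the seized drive (not real data).
    with open(original, "wb") as f:
        f.write(b"ACCT=1234 NAME=Example Customer SSN=000-00-0000\n" * 256)

    evidence_hash = acquire_image(original, copy)
    if not verify_image(original, copy):
        raise RuntimeError("acquisition hash mismatch; re-image before doing anything else")

    self_destruct(copy)                               # the key fires on the working copy
    copy_destroyed = not verify_image(original, copy)
    original_intact = sha256_file(original) == evidence_hash

    acquire_image(original, copy)                     # back to square one: re-image
    recovered = verify_image(original, copy)
    return {
        "copy_destroyed": copy_destroyed,
        "original_intact": original_intact,
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(run_workflow())
```

The hash taken during acquisition is the check a practitioner wants: if the working copy ever stops matching it, whether through a booby trap or an examiner's mistake, the copy is discarded and re-imaged from the evidence drive, which is never mounted read-write.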
I just put together a rig based on your suggestion on newegg. Looks like a decent setup, but I'm wondering which CPU cooler you run with?
1) Switch from visual spectrum to infra-red cameras on HOV lanes :)
2) Invent dummy that can be plugged into the lighter socket in the car that heats up in a realistic way to fool infra-red cameras
3) Profit!!
Dibs on onehotdummy.com
It's not useless if it gets the auditors off your back and keeps the regulators from shutting down your company.
I know that the real-world security gained by these actions is almost (though not quite) nil. That's not really the point, is it? I thought I made that clear in my original reply.
You misunderstood my entire post. I stated quite clearly that I know for a fact that these measures most likely do not offer 'real world' security.
What I am saying is that none of that matters in the face of vague sets of regulatory requirements.
I see also that you chose to ignore the fact that I also listed GLBA as a requirement, as did a few others who responded.
I go through four to five audits per year. I have had to beg for specific guidelines, and have yet to receive any. And so, the safe thing to do is to appear to be trying as hard as possible.
The other thing that I *do* get is that, as a self-proclaimed geek (you are here arguing on the internets with me), you might be naturally averse to a situation like the one we have here. That's OK. And if you have the ability to pull up and leave for more open pastures, by all means, go. Go take a job where you aren't under this kind of insane scrutiny. Really. I envy you that mobility.
However, the fact remains that this hardware belongs to the company. And if my boss says that after the latest audit we're going to lock you down as tight as is possible, even if in real-world terms it means nothing, then that's what I'm going to do. That's what they PAY me for.
And what's more, actions like that do, in fact, please regulators. And at the end of the day, if the regulators are happy, we get to continue to make money, rather than being fined or possibly even shut down. And when the business makes money, I make money. And that makes me happy.
I think it's one of those things where people are book smart but haven't really operated in the real world. I know it's stupid, I know it sucks, and I know it's not ideal, but the fact of the matter is, it's gotta be done because someone said so.
People just don't seem to get that. And like I said, if you don't like it, and you can afford to leave, then more power to you bro, leave. But some of us have a job to do, and it's just gotta get done, even if it hurts our nerd-feelings. :)
Actually we have PGP whole disk encryption on all laptops. Look, as a geek and a security professional, I know that nothing is 100%. I can't say it enough. I get it. But that doesn't matter. The regulators don't... So we do what we can, to the maximum extent that we can, in order to please the regulators (they can shut you down, you know). And we do the max because we have no specific guidance. So, when it comes to the business... better safe than sorry.
I listed both SOX and GLBA. And you are correct, section 404 says nothing of the sort. It's the fact that it is so vague that our regulators and auditors have expanded on its requirements just to 'be safe'. Go ahead and look up some of the recent commentary by Mr. Oxley himself. They realize they've created a monster by being so damn vague. GLBA is the same way. I'm paraphrasing, but the language says basically 'put into place a system of controls, and document those controls'.

Then my conversations with my regulators go like this: Great, wtf does that mean? How about I just document what we currently do and call that the controls... no? That's not good enough? Ok, fine, tell me what's good enough... you can't? Well, how about some guidance... no, you can't do that either? Ok, fine. We'll just go whole hog to protect ourselves. And then they are happy.
You know, it's not always as sarcastically simple as you want to make it out to be. The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not. They REQUIRE that you inventory 'customer sensitive data' and control the flow of that data. The CEO literally signs on the bottom line that the reports you give to the auditors are true. Not to the best of his knowledge or any cop-outs like that. So, when the big guns come down from their gilded offices and demand to know for a 'fact' that you have control over data, it doesn't matter that the steps you have to take might have little to no real-world effect. You just have to take them.

Yes, as a security professional, *I* understand that if I wanted to get customer sensitive data out of the network, I could write it on my own ass and press it up against a window for the guy in the next building over to read. But my board of directors doesn't find that amusing. They know they are legally responsible now, and they must be seen to be doing *everything* possible to secure the data. This does include doing our best to block things like mail apps, IM apps, USB drives and the like.

Personally, I can see MANY ways in which each of those things would streamline the business process and provide actual performance and productivity increases for the business, but that doesn't matter, because GLBA demands that if we were to use those things, we keep logs of ALL of the ways they were used for 3 years, indexed, searchable and online, and another 4 after that in archive format.

So when you go to the accounting dept with your new budget with all these new equipment costs and software costs, and you have to GUARANTEE legally that they can't be used in ways other than intended... guess what the simpler solution is? That's right, they go away.
And let's be honest, for every valid business purpose, there's an equal number of time-wasting BS purposes for that stuff that expose the company to legal liability. And the fact of the matter is, if we have policies against it, procedures in place to prevent it, and you still manage to get it done, then we have a pretty damn good case in court to hang YOU out to dry and not the company. CYA for the big wigs, and frankly, for myself.

I know as geeks and nerds we think we know best, but if you play hard enough, stuff does break. I know I've had my own little personal web host 'pwned' before, and that's being decently careful to lock things down. I can't imagine my 'lusers' having more access than they already do, and what they might 'accomplish' with that access.

For my own sanity, our regulatory requirements, the CEO's CYAs, and to be able to support the secured environment that we do, things like you refer to so sarcastically would get you fired. We own that machine, we own the network it's on, we own the bandwidth you use to connect to the outside world, and therefore we get to say exactly what you get to do with it. If you don't like that, that's fine, I totally understand, leave. But sometimes, even though I personally don't like it, I 'get it'.
His emphasis is on 'war', not 'major'. He's talking about a declared war in the legal sense. All of the things you listed are 'police actions' in the technical, legal description. Not War(tm), which is the GP's point.
I know you are taking a swipe at the Disney flicks, and rightly so, but in all seriousness, there's a poster on the corner bus stop here in DC advertising a straight-to-DVD Cinderella III (yes, three; there was a two?). Augh.
I might be mistaken, but the masks aren't designed to pump enough oxygen to let you breathe completely without outside air. I think they are just supplemental O2 until you can get down below 10k feet, where you can breathe the air outside again.
Also, it's not just the chlorine gas. The other reactions are extremely caustic. They'll blind you and eat your skin away. Your mask isn't going to help you there.
Hell, you don't even need liquids. Pool chemicals are powders or tablets. Crush up, put in sink, turn on water.
You know, I've read several articles now talking about the potential difficulties in mixing a binary explosive on a plane. And you know, I'll buy that. But, for my dollar, and ease of use, why not just carry on some bleach and ammonia? When mixed they do some pretty nasty stuff. And there's no concern about explosion beforehand, and no strange requirements for mixing them properly. Plus, once you mix them, you can't stop the reaction. The end result is the same. Everyone on the plane dies, and it falls out of the sky. That was the whole point, right?
Site was slowing down, so here's the text:
Even after using precautions like dummy email addresses in public forums, I have been plagued by spam mails for a long time now. Two years back it used to be a few per day, and since then there has been a steady increase in the volume. As a result, till last weekend I used to get around 200 spam mails a day on my Institute's life-time email account. Then, one fine day (well, actually we were given notice 3 weeks in advance), our Institute decided to upgrade the Exchange mail server to the latest version. Hence the mail server was shut down for approximately 2 days/48 hours (4th Dec evening to 5th Dec noon). During that time, all the mails sent to my mail account were of course bouncing. Between the time when the system was shut down and the time when the system came back online on the 5th at noon, something miraculous had happened: my spam traffic had reduced considerably. Now I am receiving 'only' (!) 5-6 spam mails every day! That is a 97.5 % drop in spam traffic! Interesting, eh? So what's happening is that the spammer dudes are dropping the bounced mail IDs like a mad-cow-disease-affected, well, cow. There doesn't seem to be a second try from spammers: apparently they don't use the bounced email IDs again. I would assume that after the two-day shut-down/start-up of the mail server, my spam traffic would have become zero. My current 'very low' spam traffic is probably only because of my email being available in the public domain on webpages from which I cannot remove it (damn my early Internet days' naivete).
Essentially, for this De-Spamming methodology we can draw an analogy with the routine detoxing of the body. Example: on the basis of specific religious beliefs, people fast once in a while. More than the religious custom, fasting has a scientific reason behind it: it detoxifies the whole internal system by a) giving the body some much-needed rest and b) cleansing the traces of toxins (as there's no fresh inflow, the bodily processes work on the left-over inventory and make sure that it is digested properly and taken care of, to give a fresh start the day after the fast).
So, is De-Toxing (De-Spamming) the Inbox by fasting/starving (shutting down the Mail Server) a good idea? Well, it's effective for sure, but it has its costs. You lose the genuine mail traffic for the duration of the shut-down. Hence, if you are in desperate need of De-Spamming your Inbox, here's what you should do. Let's say you plan to shut your mail server down on date T and you plan to bring it back to life after Y days. The question is, for how long do you shut down the mail server? Well, I think most mail programs try to re-send the mail for a maximum of 48 hours. If the message doesn't go through even in 48 hours, the mail program gives up and finally returns an error to the sender. Hence, to be on the safer side, I would say shut the mail server down for at least 48 hours (2 days). So once you have decided on a shut-down date and duration, here's the how-to guide to shutdown survival and resurrection thereafter!
1) T-30 (days): Include in your mail signature, at the top, the "Please Note" clause stating that during days X to Y your email won't be available and hence on those days they should communicate with you on an alternative email ID. This should be highlighted in bold and in a different color if possible.
2) T-15 (days): Remove all possible traces of your email ID from the Internet, public egroups, discussion boards or any other public forum.
3) T-15 (days): If you have to keep your email ID on a particular webpage in the public domain, encrypt your email ID by using simple HTML Codes for characters.
4) T-2 (days): Send all the people in your contact/address list a "Please Note" notification that during days X to Y, your email won't be available and hence on those days, they should communicate to you on an alternative email ID.
5) T-0: Well, shut the damn thing down!
6) T to Y: a) If you have a girlfriend, take a vacation with her.
b) If you dont have a girlfri
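Step 3 of the quoted how-to, as an added example written for this page (not code from the quoted author): every character of the address, and of the `mailto:` scheme in the link, is written as an HTML numeric character reference, alternating decimal and hexadecimal forms, so the page renders the address normally while the raw HTML contains no literal `@`. The post calls this "encrypting" the address; it is only obfuscation, and the second harvester pass below shows what defeats it. The `EMAIL_RE` pattern is an assumption about how a naive address scraper works, and the sample address is constructed.

```python
import html
import re

# Assumption: a naive harvester is a plain regex run over the raw HTML with no
# entity decoding. This pattern is constructed for the example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text):
    """Encode every character as an HTML numeric character reference, alternating
    decimal (&#NN;) and hexadecimal (&#xNN;) forms. Browsers render the plain text."""
    out = []
    for i, ch in enumerate(text):
        out.append(f"&#x{ord(ch):x};" if i % 2 else f"&#{ord(ch)};")
    return "".join(out)


def entity_decode(text):
    """What a browser, or a harvester that bothers to decode, sees."""
    return html.unescape(text)


def obfuscated_mailto(address):
    """A working mailto: link whose href and visible text are both encoded."""
    encoded = entity_encode(address)
    return f'<a href="{entity_encode("mailto:")}{encoded}">{encoded}</a>'


def harvest(page_html, decode_entities=False):
    """Simulated address harvester. With decode_entities=False it is the naive
    scraper the obfuscation is aimed at; with True it decodes entities first."""
    if decode_entities:
        page_html = entity_decode(page_html)
    return EMAIL_RE.findall(page_html)


if __name__ == "__main__":
    address = "someone@example.edu"                   # constructed sample address
    page = "<p>Contact: " + obfuscated_mailto(address) + "</p>"
    print(page)
    print("naive harvester:   ", harvest(page))
    print("decoding harvester:", harvest(page, decode_entities=True))
```

The naive pass finds nothing because no literal `@` exists in the markup; one call to `html.unescape` before the regex recovers the address twice (href and link text). Entity encoding therefore only filters out the laziest scrapers, which is consistent with the quoted author still receiving a trickle of spam from pages the address could not be removed from.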