Slashdot Mirror


User: endus

endus's activity in the archive.

Stories: 0
Comments: 191

Comments · 191

  1. Re:A strong push for open source in government on Decade-Old Espionage Malware Found Targeting Government Computers · · Score: 1

    Most companies don't have the resources to do really good code review on their own software, much less on every piece of software that comes in the door. The government has (unfortunately) many more resources, and they also have the clout to get source code or request independent code reviews on software which they buy. Actually, independent code reviews and penetration testing are becoming a part of most customer contracts now anyway, even between two regular businesses.

    Support. That's why companies and government agencies choose closed source. Open source products which you can get support for can usually get a decent foothold. Open source products for which there is no support or "community" support won't be able to become as widely adopted. It's really not this complex ideological war.

    I have no idea why the comments in this article are so focused on open source. Well, yes I do, it's Slashdot....but this breach could have been prevented or detected any number of ways. I've seen suspicious TeamViewer traffic in IDS consoles before. Why were these agencies not implementing basic security controls?

    Using open source software isn't the magic bullet to prevent compromises. Even in closed source environments phishing and spearphishing are widely used to gain a foothold on a network. This technique is suddenly impossible because of a financially impractical code review procedure for every piece of software that comes in the door? C'mon.

    The answer to these compromises is the same as it's always been. Layered security, standardized procedures, visibility into network traffic and systems, preventing employees from installing non-supported non-auditable remote access software, monitoring and auditing, etc. If these agencies somehow have the resources to do code review on every piece of software in their environment then, sure, that's an awesome layer to add to the process...but it's an expensive layer and one that addresses a problem that isn't a big risk in the grand scheme of things.
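The comment above points at two controls that catch this class of compromise without any code review: visibility into network traffic and a rule against unsanctioned remote access tools. The following is an added example, not code from the commenter or from Slashdot, of what the "suspicious TeamViewer traffic in an IDS console" check looks like when run over firewall logs. The log format is a constructed key=value layout, the log lines are made up, and the indicators (TeamViewer's default TCP port 5938 and the teamviewer.com domain in TLS SNI) are the example's own assumptions; a real deployment would source its indicator list from the products it has actually banned.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one log line that matched a remote-access indicator.
type Finding struct {
	Src, Dst, Reason string
}

// Indicators assumed for this example: TeamViewer's default TCP port and
// vendor domain. Add entries for any other product policy forbids.
const (
	teamViewerPort   = "5938"
	teamViewerDomain = "teamviewer.com"
)

// SampleLog is constructed firewall output in a simple key=value format;
// it is not a real capture. 10.20.5.2 plays the sanctioned helpdesk host.
var SampleLog = []string{
	"ts=2013-03-15T10:02:11Z src=10.20.31.4 dst=203.0.113.10 dport=5938 proto=tcp",
	"ts=2013-03-15T10:02:14Z src=10.20.31.9 dst=203.0.113.20 dport=443 proto=tcp sni=www.teamviewer.com",
	"ts=2013-03-15T10:02:15Z src=10.20.31.9 dst=198.51.100.5 dport=443 proto=tcp sni=www.example.com",
	"ts=2013-03-15T10:03:01Z src=10.20.5.2 dst=203.0.113.10 dport=5938 proto=tcp",
}

// parseKV splits "k=v k=v ..." into a map; fields without '=' are ignored.
func parseKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, field := range strings.Fields(line) {
		if i := strings.IndexByte(field, '='); i > 0 {
			kv[field[:i]] = field[i+1:]
		}
	}
	return kv
}

// underDomain is true for the domain itself or any subdomain of it, and
// deliberately not for look-alikes such as "notteamviewer.com".
func underDomain(host, domain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// FlagRemoteAccess returns one Finding per line that looks like remote-access
// traffic from a source host that is not on the approved list.
func FlagRemoteAccess(lines []string, approvedSrc map[string]bool) []Finding {
	var out []Finding
	for _, line := range lines {
		kv := parseKV(line)
		src := kv["src"]
		if approvedSrc[src] {
			continue // sanctioned host (helpdesk jump box, vendor support, ...)
		}
		var reason string
		switch {
		case kv["dport"] == teamViewerPort:
			reason = "tcp/" + teamViewerPort + " (TeamViewer default port)"
		case underDomain(kv["sni"], teamViewerDomain):
			reason = "TLS SNI " + kv["sni"]
		default:
			continue
		}
		out = append(out, Finding{Src: src, Dst: kv["dst"], Reason: reason})
	}
	return out
}

func main() {
	approved := map[string]bool{"10.20.5.2": true}
	for _, f := range FlagRemoteAccess(SampleLog, approved) {
		fmt.Printf("%s -> %s: %s\n", f.Src, f.Dst, f.Reason)
	}
}
```

Running it prints the two unapproved workstations and stays quiet about the helpdesk host and the ordinary HTTPS session. The port match alone is weak, since the client falls back to 443 when 5938 is blocked, which is why the SNI match sits beside it; on a network that decrypts or at least logs SNI, the second rule is the one that keeps firing.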

  2. Re:decade long op!? on Decade-Old Espionage Malware Found Targeting Government Computers · · Score: 1

    Because there's not really a great financial incentive to make the changes. The OS works well enough for what it is. The OS works well enough to garner pretty good market share. It could be better, but it's pretty stable...stable enough to do its job.

    It all comes down to money in the end.

  3. Re:A focus on high-intensity, low-time, workouts on Ask Slashdot: How Do You Stay Fit At Work? · · Score: 1

    High intensity low-time workouts, eh?

    Well, that certainly flies in the face of every piece of research about weight loss.

    You're much much much better off doing low intensity workouts (your heart rate in a specific zone) for longer periods of time.

  4. I lost 70lbs on Ask Slashdot: How Do You Stay Fit At Work? · · Score: 1

    I lost 70lbs after being heavy all my life. Here's the secret...

    Eat fewer calories than you burn. ...that's it. There's no magic solution, there's no way around it, there's no pill or device or routine which will allow you to keep eating shitty food and not exercising and lose weight. You can eat nothing but chocolate bars and lose weight if you really want to.

    Change the way you eat to something you can live with on a long term basis. Dieting doesn't work.

    Putting a treadmill under your standing desk is an asinine solution. I can only imagine how much your boss was cringing when you asked them such a ridiculous question with a straight face. If I was your cube neighbor and you did that I would stab you. Like legit....I would take a knife and stab you.

    One trick is that you don't have to kill yourself exercising to lose weight. You want your heart rate to be in a target zone, which is surprisingly not that hard to maintain. You won't lose weight faster by killing yourself going balls-to-the-wall. Find out what your target heart rate for weight loss should be and arrange to be in that target zone for an hour at least three times a week, or more if you insist on cramming that sludge into your body. I recommend swimming, it is unbelievable exercise and easy to stay in the weight loss zone.

    The other thing is to weigh yourself all the time. Weigh yourself in the morning and at night. You will start to understand what you can and cannot do. You will start to understand how much exercise you need and how much you can eat.

    It's not as hard as you think, but there are no shortcuts. Sack up and do it. You'll be glad you did. Life is better when you're thin.

  5. Perfect Solution on Ask Slashdot: Best Way To Block Noise In a Dorm? · · Score: 1

    You're in college. Go have fun. Get out of your room.

  6. Please. on US Government May Not Be Able To Fix Cell Phone Unlocking Problem · · Score: 1

    Does anyone actually think the administration had any intent of following through on what it said? This was a PR stunt to try and look like good guys. They knew very well that there were hiccups because of the treaty but, more importantly, that the change would never get past congress in the first place.

    Why are people still so naive about how the government in this country works? Maybe I'm overly cynical, but I have a preeeeeeeeetty solid track record of predicting how these things will work out. The majority of people seem to think that these things are still decided by law and principle and opinion. They're not. They're decided by money and political wrangling.

    Who would benefit from the ability to unlock phones? Consumers/voters. Who would lose? Cell Companies. Which is more important, looking cool to voters, or continuing to get the truckloads of money that an American politician must have to have even a ghost of a chance of winning an election? The answer is obviously the money, because without the money you can't get in the game in the first place. This form of corruption is so widespread that there really isn't a significant body of lawmakers who are really making an issue out of things like this, so why take a stand on something that you will never have to answer for in an election and will absolutely 100% lose you money that you need to win the election in the first place?

  7. Re:I do not agree! on Cryptography 'Becoming Less Important,' Adi Shamir Says · · Score: 1

    You must be a manager to have such a negative and limited point of view. If you look at the regs from the point of view of a manager, it's a checkbox to check. If you look at it from the perspective of a security engineer it's a driver to implement legitimate controls. All the regs have fluff and vagaries, but they all also have very useful requirements and provide a stick to make the business pay for reasonable controls.

    It's also about liability. Sure, you can lie to your customers, but in addition to being unethical it means that if you have a breach you are in for a tremendous shitstorm. Comply with or, better yet, get ahead of the regs and you will be in a much stronger position to a.) not have a breach in the first place, b.) fare well in court if you do have a breach.

  8. Re:I do not agree! on Cryptography 'Becoming Less Important,' Adi Shamir Says · · Score: 1

    I totally agree that it doesn't solve all your problems. If your security people are telling you it does you need new security people. The problem is that keeping software up to date, auditing user permissions and doing other basic things doesn't have as big an impact as you might think.

    Well...ok...keeping software up to date does...and I can certainly write a huge diatribe about that too that will be no less universal and impassioned.

    But it's all about layers and it's all about getting ahead of regs and requirements. Turn security into a feature of the product, not something you bolt on at the last minute. The more we implement encryption universally the easier it will be for developers and the more mature key management solutions will be.

  9. Re:I do not agree! on Cryptography 'Becoming Less Important,' Adi Shamir Says · · Score: 2

    I get the point about the I/O heavy servers.

    I don't agree with the always on server argument, though. Yes, it's not going to protect against many types of attacks, but it will protect against some and that is what's important. It's another layer. More importantly, it's a layer that is being increasingly asked for by customers whether or not any of us think it makes sense for a particular application. Building encryption in after the fact is an absolute nightmare and usually the costs and impact to production are going to be higher if you wait until you have to get it done in a month or you will lose a big deal. Better to implement it in the first place and put it in your marketing material so the question never even gets asked.

  10. Re:I do not agree! on Cryptography 'Becoming Less Important,' Adi Shamir Says · · Score: 1

    You're right about key management. Good point.

  11. Re:I do not agree! on Cryptography 'Becoming Less Important,' Adi Shamir Says · · Score: 2

    "Getting it wrong" in the implementation stage is a function of developers not viewing security as part of their job. I'm not saying that we can eliminate mistakes and develop perfect code every time, but you have to try. The more experience developers get with implementing it and the more universal it becomes, the fewer mistakes they're going to make when implementing it. Right now, it seems to be regarded as a novelty by most developers.

    I don't buy the "false sense of security" argument at all, sorry. If it's not encrypted I can absolutely guarantee it's not secure. If it's encrypted then at least that's one layer of protection to help mitigate issues at the many other layers they can occur.

    I also don't buy that implementing encryption is going to double your time to market. That's another excuse used because the initial impact is large, but as developers gain experience with it the impact will be reduced.

    Here's the thing with your other questions. When the product gets built, maybe the information isn't sensitive or regulated. It will be, though. This will happen either by the regs changing, because of new customer requirements, or because the scope of what the product is handling will increase. I see it every day. Developers don't seem to get eyes on the questionnaires that security gets from customers too often, but they should. Customers are asking VERY detailed security questions now and some have very very stringent requirements. So your choice is, a.) build security into the product and make it part of the value proposition or b.) wait until you get hammered by a customer and either have to reinvent the wheel in three months (or two weeks!) or, worse, lose the business. This happens over and over and over again but no one seems to understand that getting AHEAD of these requirements is going to save money in the long term.

    Export restrictions are a valid point, that one I accept.

    "If your server is rooted" is specious. If someone spearphishes an employee and gains remote access to their machine they will be able to bypass the firewall...so we shouldn't have firewalls? No, that's obviously not true. Integrity, audit, access control are critical almost no matter what data you are hosting. Even if it's not regulated data, your customers will eventually be asking.

  12. I do not agree! on Cryptography 'Becoming Less Important,' Adi Shamir Says · · Score: 4, Insightful

    I was just having a discussion about this at work today. Encryption should be ubiquitous now. There is no excuse. It's not "free" in terms of the resources it takes up, but it's pretty close. Everything should be encrypted in transit. Everything should be encrypted at rest. "Well you mean the table with the PII and not...." NO! I mean EVERYTHING. The server's drive should be encrypted. The entire database should be encrypted. Every network connection should be encrypted.

    This doesn't mean encryption is a panacea solution to APTs or to any other security threat, but it's an absolutely critical layer which is still not widely implemented enough. To prevent tampering, to prevent certain types of attacks, to prevent breaches through physical theft, etc. Saying encryption isn't as important anymore is like saying that keyboards aren't that important anymore. Sure, management shouldn't spend a lot of time worrying about them, and should be focusing on other problems instead....but that doesn't mean everything will be cool if everyone's keyboard is stolen overnight.

    It needs to be there, and by there I mean everywhere. And it's not. Every day developers are looking at security guys like, "huh??" because they are looking for encryption to be incorporated into the product. Or, they want to "just get the system built out" without encryption, but they'll totally enable it once everything is working perfectly and all the testing is done (FYI developers, security guys aren't falling for that, we realize that you really mean, 'we'll think about enabling it until we realize how many things it will break, and then we'll ship the product without it, ignoring the enormous liability it creates'). You would think things would be different now that it's 2013...they are different, but not that much different. Security still isn't regarded as a core piece, or even an important feature, of most products.
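Comments 10 through 12 above argue for encrypting everything at rest, concede that key management is the hard part, and insist that integrity protection matters even when the data isn't regulated. The following is an added example, not code from the commenter or from Slashdot, of the envelope-encryption pattern that addresses all three at once: each record gets its own data key (DEK), the DEK is wrapped under a key-encryption key (KEK), AES-GCM provides the integrity check, and rotating the KEK means re-wrapping a 32-byte DEK rather than re-encrypting the bulk data. The record layout, the KEK identifiers and the demo keys are this example's own assumptions; in production the KEKs would live in an HSM or a KMS and never be loaded as plain byte slices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is the stored form: bulk ciphertext plus the wrapped per-record key.
type Record struct {
	KEKID      string // which KEK wrapped the DEK (drives rotation)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=KEKID)
	Nonce      []byte
	Ciphertext []byte // AES-GCM(DEK, plaintext, aad=recordID), tag included
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns a fresh random nonce and the GCM ciphertext (with tag).
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad) // fails on any bit flip in ct, nonce or aad
}

// EncryptRecord generates a one-off DEK for this record and wraps it under kek.
// recordID is bound in as AAD so a ciphertext cannot be swapped between rows.
func EncryptRecord(kek []byte, kekID, recordID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wn, wct, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: kekID, WrappedDEK: append(wn, wct...), Nonce: nonce, Ciphertext: ct}, nil
}

func unwrapDEK(keks map[string][]byte, r Record) ([]byte, error) {
	kek, ok := keks[r.KEKID]
	if !ok {
		return nil, errors.New("no KEK available with id " + r.KEKID)
	}
	const n = 12 // cipher.NewGCM's standard nonce size
	if len(r.WrappedDEK) < n {
		return nil, errors.New("wrapped DEK too short")
	}
	return open(kek, r.WrappedDEK[:n], r.WrappedDEK[n:], []byte(r.KEKID))
}

func DecryptRecord(keks map[string][]byte, recordID string, r Record) ([]byte, error) {
	dek, err := unwrapDEK(keks, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Nonce, r.Ciphertext, []byte(recordID))
}

// RotateKEK re-wraps the DEK under newKEK; the bulk ciphertext is untouched,
// which is what makes periodic rotation affordable on a large store.
func RotateKEK(keks map[string][]byte, r Record, newKEK []byte, newID string) (Record, error) {
	dek, err := unwrapDEK(keks, r)
	if err != nil {
		return Record{}, err
	}
	wn, wct, err := seal(newKEK, dek, []byte(newID))
	if err != nil {
		return Record{}, err
	}
	r.KEKID, r.WrappedDEK = newID, append(wn, wct...)
	return r, nil
}

func main() {
	kek1 := bytes.Repeat([]byte{0x01}, 32) // demo keys only, constructed for this example
	kek2 := bytes.Repeat([]byte{0x02}, 32)
	rec, _ := EncryptRecord(kek1, "kek-2013-01", "customer/42", []byte("balance=1500"))
	rec2, _ := RotateKEK(map[string][]byte{"kek-2013-01": kek1}, rec, kek2, "kek-2013-02")
	pt, err := DecryptRecord(map[string][]byte{"kek-2013-02": kek2}, "customer/42", rec2)
	fmt.Printf("%s %v\n", pt, err)
}
```

Binding the record identifier as AAD is the cheap answer to the "if your server is rooted" objection in comment 11: an attacker who can only read and shuffle ciphertext still can't make row 42 decrypt as row 7, and a single flipped bit anywhere in the blob is a hard failure rather than silently corrupted plaintext.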

  13. Re:Their Fear is the problem on Lawmakers Say CFAA Is Too Hard On Hackers · · Score: 3, Insightful

    I completely agree with you. The legislation isn't even set up in a paranoid or ignorant fashion...it's set up to impose insane penalties on anyone who dares to violate IP laws.

    I'm not opposed to the idea of IP or profiting off the information-based products you build (though the current system is obviously broken) but the laws impose penalties which are clearly out of line with the scope of the crime. Most often, people liberating information and sharing it gets it into the hands of people who probably would never have paid for it anyway. I don't doubt that there is some impact to a company from a breach like that, but it's not as damaging as the penalties suggest it is.

    Taking someone's trade secrets and giving them to a competitor? Yea, that's corporate espionage and it's a Big Deal. Even stealing the source code of a closed source product and putting that online is a relatively Big Deal because competitors will tend to get a hold of it and use it to their advantage. However, what Swartz did is not going to have the same impact to the organization that was breached.

    The laws should exist, but they should be written to impose reasonable penalties based on the scope of the crime. Maybe there's some ignorance on the part of lawmakers there, but it's willful ignorance which comes directly from the fact that companies are paying them for the legislation to be passed.

  14. Re:Like houses??? WTF?? on Is 'Brogramming' Killing Requirements Engineering? · · Score: 1

    I agree about some of the smaller projects, but the problem is that as a security engineer I consistently see the exact type of coding you allude to with your house analogy in bread-and-butter production systems. At one place I worked the developers couldn't even tell us what port range their application used to communicate...and this was in probably the most sensitive environment where faults were unacceptable that you can imagine...on an 80K node network. They were literally unable to provide us with that information. That type of incompetence isn't going to fly for much longer, and yet I see it everywhere.

    If it were just a problem with small internal utilities or meaningless social media stuff I would agree, but it's not.

  15. I envy your InfoSec team on Ask Slashdot: Should Employers Ban Smartphones? · · Score: 1

    While completely banning smart phones altogether does seem a bit extreme, yes, the concerns are real and, yes, they are right to ban them.

    A more reasonable approach would be to have company issued smart phones which the company enables strict security policies on, but banning them works too if there is no business need for them. I do hope, however, that the rest of your security posture is ramped up to match this somewhat stringent measure, and it's not some one-off policy that some manager got a bug up his ass about...I suspect that's probably exactly what it is, though.

    BYOD and smart phones are rapidly becoming the bane of Infosec's existence. Companies are spending very significant amounts of money on MDM solutions to enable their employees to use whatever devices they like. If this is consistent with the company's culture and is affordable for them, that's fine. However, people push this privilege way too far. They insist on being able to use the latest and greatest tablet that just came out for their job. They want to use their iPad rather than a company issued laptop for work and will whine to upper management when they can't. Companies are not in business to give you an excuse to use your new toy, they're in business to make money and you need to comply with whatever policies they set.

    The first post where the guy talks about how the "burden of proof" is on the employer (!!) is the most asinine thing I have ever read. It's typical of the entitlement mentality that I see every day. If you don't like the company's policy on smart phones, go work somewhere else. The company can set whatever policies it likes for interaction with its systems, and you can take your labor anywhere you like if you're not on board with those policies. The company is under no obligation to "prove" anything.

    At the end of the day, it's all about risk mitigation. Do smart phones pose a significant risk to the company? How big a risk? Are the benefits they provide worth spinning up an MDM solution? What policies need to be enabled to mitigate the risk? Are there other ways of mitigating the risk such as DLP? Do employees need remote access to their email? Do they need to be able to access the company wifi from their phone? Does every employee need this, or just some? These are the questions you have to ask.

  16. Quit Now! on Ask Slashdot: Interviewing Your Boss? · · Score: 1

    Start looking for another job. In my experience having another manager come in to the group is always a disaster. I've never had it go well, and that's WITH new managers who seemed to think I was doing a great job.

  17. Re:Super! on More Drones Set To Use US Air Space · · Score: 1

    But what about illegal aliens? Or maybe Socialists? Liberal University Intellectuals? Bible Thumping Hicks? Lawful Gun Owners?

    The potential applications are limitless! The only thing they won't protect us from is ourselves.

  18. Super! on More Drones Set To Use US Air Space · · Score: 2

    Because we TOTALLY need drones in domestic airspace to protect us against ______________.

  19. Surprise factor: 0 on Malware Is 'Rampant' On Medical Devices In Hospitals · · Score: 1

    Used to work in a medical environment and this does not surprise me at all. The whole "FDA regulated device" argument is just another sham by device manufacturers, software vendors, and lazy admins to avoid patching their systems. The medical community is completely out of touch with the current state of IT. They talk about needing continuity and up-time and all this, but have no idea what that means. You get a department file server trying to infect the entire network (including pcc devices) and they freak out when you knock their box offline. Yea, sorry, I know you can't get to your spreadsheet but I'm trying to prevent your server from KILLING SOMEONE.

    It's a pathetic state of affairs and it won't change without better leadership. Hospitals need to start beating up their vendors to stop coding for Windows 3.11.

  20. Finally! on Giving Your Computer Interface the Finger · · Score: 1

    Finally we can play Strategema without those annoying finger cups. Kolrami is going DOWN this time!

  21. Wonderful! on Web Giants Form US Internet Lobby Group · · Score: 1

    There is absolutely no possibility that this is going to benefit us peons in any way.

  22. Hmmmmmmm.... on Researchers Beat Google's Bouncer · · Score: 2

    It's almost as though they're trying to achieve security by making information about their service very obscure. Has anyone ever tried this before?

  23. Re:One hand, 12 o'clock ... on You're Driving All Wrong, Says NHTSA · · Score: 1

    You say "compulsory to wear" like it's a good thing.

    Let me ask you something, are you seriously so concerned about people who are stupid enough not to wear seat belts that you need to go around pretending that making a law is going to force them to wear them?

    It's called "thinning the herd" dude.

  24. Not surprising on U.S. Gov't To Keep Data On Non-Terrorist Citizens For 5 Years · · Score: 1

    They need legislation to somehow make this legal.

    http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1 ...and the other posters are right...in 5 years they'll make it 10. In 10 years, 15. In 15 years they'll just stop pretending and enslave us all.

  25. Re:But now... on Facebook: Legal Action Against Employers Asking For Your Password · · Score: 1, Informative

    Another alternative is "don't have a facebook account".