If you can excuse the small amount of self-promotion, I think that ethics plays a large part as well.
With my company (http://www.beskerming.com), we run no ads on our site, and our free mailing list is just that, free. There are no subscription fees, no advertising, no vendor pitches (besides our own occasional announcement), no spam, and no vendor sponsorship. It keeps our readers happy, and we have seen our influence stretch to over 400 million people via those responsible for their information and financial security, without really pimping the service to all and sundry. So long as we keep our overheads low, it doesn't matter how many people receive our message from that service.
Faith in humanity keeps the list free, and it breeds some responses in kind. After the list started getting spammed with pump'n'dump scams (at least the moderator was spammed - no messages made it on the list), we sent out a simple request for recipients to review their system security and to ask anybody they had forwarded a copy of our messages to to do the same. Within 18 hours, the spam stopped. No subscriber has ever unsubscribed, and even after polling them for what they wanted to have done with the list, most responded that they enjoyed having access to a truly free list and wanted it kept that way.
Yeah, it would be easy to spam the list silly with ads, sell the subscriber list, and otherwise bleed the readership dry, but that is not ethically or morally justifiable and so long as I control the ethical path of the company, it will never happen.
We originally started the list to build credibility and reputation in the eyes of the market, and to show some of our capabilities, and even though we only recently started spreading word about it, we have attracted some quality readership who are firm supporters (at least of our free work).
I am sure that you are aware by now that MS06-019 specifically addressed a set of issues that Exchange had with iCal and vCal MIME types. Perhaps your attachments were somehow partially exploiting the vulnerabilities in Exchange and were thus being mangled on the way through.
Your post touched a tender spot. When my eldest daughter (now 5) was born prem at 25 and a bit weeks, she was doing great for a couple of weeks (despite the hole in the heart, and brain haemorrhage common to prems), moving about and making noise in the humidicrib. Then it all changed. Two weeks into her 3.5 month stay in NICU (Neonatal Intensive Care Unit), MRSA swept the ward (14 infants). At least 3-4 infants died and half of the rest got significant infections, including our daughter.
This wasn't some backwater hospital, but one of the leading Children's hospitals in the country, and her primary consultant was the head of the department, so there wasn't a whole lot more that could be done. Overnight she went from being active to effectively immobile and mute. For the next 3+ months for her hospital stay, and her first several months at home, she rarely moved, didn't cry, and made no sound.
She was on Vancomycin, which risked her kidneys, but compared to what she faced it was the least of her problems. She was scheduled for an operation to close the hole in her heart, but she was too sick. It got to the point where she was drowning in her own fluid (you can't do any more than 100% Oxygen, with sats dropping rapidly) and they had to operate.
While they were conducting routine X-Rays and scans a couple of weeks later they found that the MRSA had attacked her skeleton, leaving her without a hip or half of her right femur, and missing half of her left hip, and had somehow caused a cyst in her brain (the haemorrhage was long gone). While the bug was beaten, she and the other infected infants were isolated from the rest of the NICU and had their own equipment and caring material. It was more than 90 days from birth before she moved out of Intensive Care, into High Dependency, and almost 120 before she came home.
Partly due to her prematurity (though mainly due to the MRSA) she has a number of issues. The high Oxygen dependency (she was drowning in her own fluid) led to deafness (only partial hearing when aided on one side only, no hearing other side) and chronic lung disease. The long term intubation and drugs meant that she had vocal cord palsy (only one half of the cords work, and barely at that). The Osteomyelitis (skeletal infection from the MRSA) means that she has a distinct shortness of one leg, a floating hip on that side (it actually feels like it is floating, resting on some scar tissue) and moderate mobility problems (needs to be aided to stand / lean, wheelchair bound), and took almost 2 years to learn to crawl and roll due to other mobility restrictions. Every time she gets a chest infection, she has to go to hospital for 2+ weeks, and when they find out she was MRSA, she goes into isolation.
While she is a happy child, going into isolation in a strange place for 2+ weeks (on Oxygen) takes its toll, especially when she gets no audio cues from her surroundings and can not walk to the window or door to look out and at least look at something different. Having been in isolation in hospital as an adult for only a few days, I can only imagine how frustrating it is for a child.
Going back to the GGP comment, the price for a catch-all address is that, to a remote system, ANY address is a valid address at your mail domain. Because a bounce is considered more 'important' than a randomly occurring normal message, most systems will let them through unmolested. The issue is the brain-dead systems that spit back bounces no matter what.
The stock spam is part of a stock manipulation effort by people who have significant / some stock held prior to the spamming. They quickly dump the stock a set period after the spam, and cash in on the difference. There is a small, but significant, effect that the spam will actually have on the stock price, and it forms a simplistic pump and dump scheme for those people behind it. Why try and extort money / sell worthless sugar pills when you can launder money / make a killing on the stock market and make it appear completely legal?
These issues have been going on for a long time, and I have seen my company accounts used almost continuously in various Joe Jobs (and the resultant bounces), but accept that it is part of the price for going online. It shouldn't be, but it is. It is like advertising - it is an accepted annoyance that now forms part of the background noise for the Internet. There will also always be people at the other end of the connection who don't care, no matter how much you argue the point. There is not going to be a quick and easy solution, and most of those that get brought up have more potential to harm than benefit the end user (AOL's pay us and we'll guarantee your spam gets through sort of thing).
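The catch-all and backscatter problem described in this comment, as an added example that is not part of the original post: a small Python triage script that separates bounces for mail the site actually sent from Joe Job backscatter by checking the Message-ID quoted inside each bounce against a log of the Message-IDs the site's own MTA emitted. The sample bounces, domain names and the sent-ID set are constructed for illustration; the only assumption is that the bounce quotes at least the original headers, which a standard DSN does.

```python
"""Classify inbound bounces as genuine DSNs or backscatter from a Joe Job.

Added example; not code from the original comments. It assumes the site
keeps a record of the Message-IDs its own MTA emitted (here a constructed
set) and that each bounce quotes the original message headers.
"""
import email
import re
from email import policy

# Matches Message-ID header lines anywhere in the raw bounce text,
# including the quoted headers of the bounced original.
MESSAGE_ID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)

# Constructed sample: Message-IDs our own MTA actually sent.
SENT_MESSAGE_IDS = {"<20060101120000.A1B2C3@example.com>"}

# Constructed sample: a bounce for mail we really sent.
GENUINE_BOUNCE = """\
From: MAILER-DAEMON@remote.example.net
To: alerts@example.com
Subject: Undelivered Mail Returned to Sender
Message-ID: <dsn-0001@remote.example.net>
Content-Type: text/plain

This is the mail system at host remote.example.net.
<reader@remote.example.net>: user unknown

--- Original message headers ---
From: alerts@example.com
To: reader@remote.example.net
Message-ID: <20060101120000.A1B2C3@example.com>
Subject: Weekly advisory
"""

# Constructed sample: backscatter. A spammer forged a random address at
# our domain as the sender; a catch-all accepts the bounce even though we
# never issued that address or that Message-ID.
BACKSCATTER_BOUNCE = """\
From: MAILER-DAEMON@mx.victim.example.org
To: qzv83kd@example.com
Subject: Delivery Status Notification (Failure)
Message-ID: <dsn-7781@mx.victim.example.org>
Content-Type: text/plain

The following message could not be delivered.

--- Original message headers ---
From: qzv83kd@example.com
To: someone@victim.example.org
Message-ID: <spamrun-99@zombie.invalid>
Subject: Hot stock pick
"""


def extract_original_message_ids(raw_bounce: str) -> set[str]:
    """Return the Message-IDs quoted from the bounced original.

    The bounce's own Message-ID header is excluded so that only the
    embedded (original) identifiers are compared against the sent log.
    """
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    own_id = (msg["Message-ID"] or "").strip()
    found = {m.group(1).strip() for m in MESSAGE_ID_RE.finditer(raw_bounce)}
    found.discard(own_id)
    return found


def classify_bounce(raw_bounce: str, sent_ids: set[str]) -> str:
    """'genuine' if the bounce quotes a Message-ID we sent, 'backscatter'
    if it quotes only IDs we never issued, 'unknown' if it quotes none.
    Unknown bounces deserve a human look rather than silent acceptance."""
    ids = extract_original_message_ids(raw_bounce)
    if not ids:
        return "unknown"
    if ids & sent_ids:
        return "genuine"
    return "backscatter"


def triage(bounces, sent_ids):
    """Count each class across a batch of bounces, e.g. a catch-all mailbox."""
    counts = {"genuine": 0, "backscatter": 0, "unknown": 0}
    for raw in bounces:
        counts[classify_bounce(raw, sent_ids)] += 1
    return counts


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE_BOUNCE), ("backscatter", BACKSCATTER_BOUNCE)):
        print(name, "->", classify_bounce(raw, SENT_MESSAGE_IDS))
    print(triage([GENUINE_BOUNCE, BACKSCATTER_BOUNCE], SENT_MESSAGE_IDS))
```

The sent-ID check is the part a catch-all cannot do for you: the catch-all makes every address at the domain deliverable, so the only evidence that distinguishes a real bounce from a forged one is whether the quoted original was ever sent by your MTA. Bounces that quote no headers at all are returned as "unknown" so they are not mistaken for genuine delivery failures.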
My company, Sûnnet Beskerming, has benefited from the OSS model in unexpected ways. In addition to providing a technological base which is infinitely customisable, many products and tools available under OSS-friendly licences allow us to quickly setup sandboxes and other testing environments where we can focus on researching and pursuing high risk (high return) ideas which would be cost prohibitive under commercial licencing.
The OSS approach to openness has also aided us in determining legitimate sources of Information Security threat data that is then distributed via our Free Security Mailing List. Having the source code at hand allows us to independently verify the reports that we uncover, and from there make an assessment of the relative technical merit of that particular source. This also means that we can more easily identify the gems amongst the sea of reports and risk announcements, allowing us to elevate the weight of what would otherwise be an unknown source.
The best way to write a business plan is to sit down and start writing. Work out what you want to do, how you want to do it, and why. Write that down. Then throw it out and start again. Even though I followed a basic template, it still took four goes before I had a business plan that was suitable to put in front of people with big buckets of money. You might find that there are no VC firms in Australia who will be interested in funding you, but if you want to try, look at the member list for AVCAL.
Other important factors include where you are setting up. If you are not on the East Coast, then forget about funding. The Australian VC market is extremely risk averse, as they are reinvesting superannuation funds more often than not.
Brush up on your interpersonal selling skills. If you don't have any, you won't get any money, and you won't get any interest. You will also find that the business administration and building efforts will tend to push any coding efforts out of the way from time to time (some analysts suggest 80% of your time might be on business tasks, not coding / developing).
Ensure that you have the appropriate legal and tax setups in place, and that you have a solid plan on how to protect any Intellectual Property that you have developed. No, Australia does not have software patents, but you can patent software if you follow very specific guidelines. Be aware of what the FTA means to you, as well.
Other people who have been through the process before tend to recommend against seeking VC funding for software companies, but I have also seen some fairly stupid VC funding decisions made, so be prepared to take and make risks.
If you haven't already, seek out your regional / state NUG (.Net Users Group), they should be able to put you in reach of people who can help you out.
Interesting comment. I wasn't aware of any other South Australian based business owners / entrepreneurs who lurked on /. Contact me via my company's site (in the comment or above) if you want to touch base, swap notes, see what we can do for each other.
Part of my company's Information Security work is monitoring reported defacements of websites under various domains (such as .au). Through this work, we have seen numerous cases where ISPs ignore complaints from their customers about their sites being hacked, ISPs having every single customer site hacked at the same time (and still ignoring customer complaints), ISPs where a commitment to action means some time in the next month or so, and ISPs where their lead technical people have trouble understanding their own technology.
By a strange coincidence, or maybe not, the troublesome ISPs are those that also accuse us of hacking their customers, threatening us and generally abusing us for providing a report of an identified defacement. The abuse from ISPs and technical contacts has gotten so bad that we no longer report every defacement that we otherwise would have. Now we only report significant cases (such as complete server compromises or sites which may have sensitive information accessible).
How many drivers are taught cadence braking these days?
I know I was taught cadence braking, although I have never seen that term used before now. My instruction in the technique was only 10 years ago, and it was a simple case of the instructor telling me what to do, and setting me loose on a dirt / loose gravel road and telling me I would fail if I locked the wheels. Putting the car into a skid on the dirt road, when compared to the cadence method really showed the difference for braking.
As to whether ABS does or doesn't save lives, that is a separate argument. I know that I have been in a number of life threatening situations where ABS would have been the difference between safety and death, but in the wrong direction, in both front and rear wheel drive vehicles both below and above 1,000kg weight class. There have even been times when ABS would have no benefit whatsoever (in fact it would be more dangerous as it is more likely that the driver would not have the experience to handle a suddenly skidding / sliding car at speed over undulating terrain). In all the situations, the only thing that probably would have been of any benefit would be a balanced four/all wheel drive system (such as Subaru make), giving the greatest opportunity to retain some traction/ability to retain control.
This issue is not US specific, I think that almost all Western nations are facing similar futures.
I think that whenever a country gets itself so bogged down in legislation and legal protectionism, its scientific and research and development future (naturally risky endeavours) is short lived. While laws such as SOX, OSHA, and others are ostensibly for the protection of the community (i.e. protecting against the greed of the business world), the restrictions tend to mean that more time is spent complying than actually researching.
Patent and trademark law also stifles innovation, especially when IP holders exert their authority. This is one of the reasons cited for the near death of the early powered flight industry in the US (the Wright brothers were asserting their IP rights), and the location of the major Hollywood studios on the West Coast (apart from the improved climate, it was an attempt to evade the protectionism on the East Coast).
The prevailing theology would be the third leg of the stool, with significant historical injustices being carried out in the name of religion (and historical revisionism). There is no problem with science and theology / philosophy co-existing. The problem arises whenever ethical decisions are required for future research tracks, or when one tries to undermine the other (such as there is no higher being because we can't see it/them/her/him). Sometimes faith is just that, faith. It doesn't need to be rational (although it helps), and a faith in the scientific process is as valid as a faith in the intangible.
Of course, declining academic results, low birth rates, the MTV generation, the offshoring of high tech industry, the turning of tomorrow's leaders into cannon fodder, protracted conflict, government corruption, mismanagement and the proliferation of the 'short term profit at all costs' ethos all play their part as well.
It would be great if a situation like this happened, but here in Australia, the Gamecube has pretty much been withdrawn from the market. The few stores that still have it (such as EB) have it at $99 AUD for a new console, when the XBox and PS2 are still above the $200 AUD mark. These remaining Gamecube consoles are not flying off the shelves, even though there are still over a hundred titles on the market for the Gamecube, and new titles are still coming out.
I've been holding off on getting a Gamecube, but the pricepoint means I will probably get one in time for Christmas. A loaner that I got my hands on saw the PS2 pushed out of the way while the GC was in the house, and saw the non-gamers in the house fighting over who got to play it next.
Hopefully the Revolution will make a bigger impact.
When establishing my companies, I made sure to separate the IP R&D from the commercialisation processes. Although a lot of the research that is coming out of the R&D company is patentable, the decision whether to patent has been a long and well thought out process.
Ultimately, a lot of the research will be protected under trade secret and standard copyright law. The process of patenting requires disclosure of methods and techniques (even with legalese), and places a small company in a bind when larger companies can infringe at will (when the cost of compliance is less than the profit they will make from infringement). By definition, the patent allows one skilled in the art to recreate the invention, so it puts on public record the specifics to allow a competitor to recreate the result that has come from our significant effort and expenditure.
While we hold nothing against software patents (when issued properly), we do have major concerns about the patent process, and the ability to patent processes instead of inventions. When the next global superpower, and some of the largest companies in the industry, have a history of subverting IP restrictions to suit their own ends, the presence of a patent only stops the honest from ripping off the work we have carried out (and they are getting fewer and fewer in number).
Even in discussion with the patent office, and the Government body established to promote and assist the patent process, they readily admit that the model is broken, but it is the best we have at the moment - so we need to keep supporting it (which is a cop out if I have ever heard one).
Without a warchest of millions to fight legal battles, or huge patent holdings, the little guys are running on hope that no one picks their patent for willful infringement.
Probably the best advice for people involved in IP development - get yourself good legal counsel (even at the start of the research process), and remember that there is more than one way to achieve the same outcome (so if you get sued for an implementation - change it to something else).
A couple of months ago, our local council sent letters to all the residents in our area, telling them that rats were breeding rapidly, and that they would soon start eradicating them if the trend continued. As we had two cats (normally inside cats), we decided to let the cats hunt outside for a few days.
We expected the large male cat to be the lead killer but, to our surprise, the small female cat was the one who took on the infestation. Within two days she started trotting up to the back door with rats half her size in her mouth, and very obviously still alive. Once she finished playing with them, a sharp bite to the neck and it was all over for the rat. In less than a week she had cleared out the infestation, including at least one nest of babies - leaving all the carcasses for me to clean up (at least she left them outside).
The whole time that we have had the cats, we have never had any mice or cockroaches or other pest infections inside the house, which more than pays for the upkeep of the cats.
While it does a good job in terms of listing vulnerabilities that exist in various software applications, it can lag other public disclosure by up to a week.
The argument of it providing information that has been vetted doesn't necessarily gel, given that sometimes it leads the disclosure with some fairly vague reports.
Having said that, it is one of the sources that we use for our Information Security Advisory mailing list, but it isn't really one of the primary sources (due to the delays in disclosure).
Even though the areas that you will go to will probably already have facilities and amenities being established, you should really plan on not using any resources that you haven't carried in. Also, remember that this is where people live (or lived), and you are essentially a guest in their county. Above all, listen, be patient, be humble, and be there for them. You might even find that the residents have a stronger need for spiritual help, than physical help.
Basically, as an extension to the above response - while the exact items can be left up to your imagination, so long as you are self-sufficient in the following needs (and in the following order), you will not burden locals, and can use your spare capacity to carry tools, and whatever you choose. This is basic survival (assuming you are going into a completely devastated area)
Shelter / Protection from the elements (including protective clothing - boots, denim / heavy cotton clothing, tents etc)
First Aid (insect repellent, sunscreen, dressings, first aid packs [also consider heat stress a part of this and chafing])
Warmth (the smoke from a fire will repel insects, the fire can be used for cooking, water purification, sterilisation, drying of wet clothing, morale, and you will still die from exposure if you don't retain heat through the night).
Water (self-evident, but it is only your fourth most important survival need - bring enough bottled water, and also purification tablets - at least twice as much as you think you will need).
The most important thing to remember is that you need to take everything with you, don't expect help from the locals. If you end up in an area that is truly devastated, the above guidelines will keep you alive - maybe not as comfortable as you like, but you are essentially voluntarily entering a survival situation.
Wow, I could never think that someone finds the local circuit flying to be less of a hassle than out in the open skies.
The reason why people are there riding your ass to do things is to keep you safe. If they didn't do this, and you stumbled into their airspace and had a significant emergency, then you could find yourself in a much worse world of hurt than if you had listened to them in the first place. You need to remember that they don't want to annoy you, and would like to see you reach your destination in an expeditious manner, but to do so, you need to play their game for a little bit.
Ignoring the rules of the air leads to situations where you become a posthumous case study for the latest aviation safety papers.
If you think that the obligations faced by a PPL or CPL are onerous, it might be worthwhile looking into what military aircrew have to deal with. There is a reason why they have multi-crew aircraft with personnel whose primary role is communications. Not only do they have to play by the civilian rules, but they need to adhere to the military rules attached. While sometimes they get right of way (either if they are pushy, or you have stumbled into their airspace), you can bet that a nasty letter will be headed their way if they abuse their status to sidestep the civilian rules.
In less than a month, my company has notified over 600 sites that they have been defaced by 'Internet Hackers', and the majority do leave a political message. The flavour of the month seems to be Turkish hackers badmouthing AUS, UK, US and the 'War on Terrorism'.
The remainder are just the equivalent of 'I was here', or 'Our group R0xx0rs'. I think that the reason it has changed is that Internet defacements do not really reach out and touch people like worms do.
I do know of the 5/10 year split for Microsoft products, but I also believe that there will still be a large number of organisations running Windows 2000, come 2010, and they won't be upgrading. It is like the current concern over Cisco's IOS. Yes, they have patched the vulnerability Mike Lynn used as his example (stealthily in the April update), but there will be a not-insignificant number of network devices that will never see this patch, or others that are needed to protect against the newly described attack vector.
I know of some large government bodies interested in various matters of security and privacy, who are still stuck with NT4 on their outward facing systems (and internal). Where is the ongoing support for them? Yes, they probably should have upgraded by now, and they probably have already started a rollout, but it hasn't finished, and they possibly remain vulnerable, given the root of Win 2000, XP, 2003, which were all affected by these latest vulnerabilities.
The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).
Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.
I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.
I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.
I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for number of sites with malware seems low).
Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary. I also recall a post on a mailing list that suggested that exploits were already circulating, but I can not track down a citation for that. I really would not call it a 0-day (which is probably semantics), but at least their project picked it up within two weeks of the POC being published.
To Microsoft's credit, they do publicly acknowledge SEC-Consult as being responsible for discovery of the initial flaws, on the patch information page.
Sticking with MS05-038, the image handling errors which were fixed are another example where Microsoft ignored public disclosure, especially when the disclosure sparked a level of interest on the Full-Disclosure mailing list.
With respect to pen-testing, my approach has always been to obtain a copy of the target software, and to test locally, before heading out for the client systems. Although not automated like the Honeymonkeys, it achieves a similar purpose. I also think that the monkey component of the honeymonkey might refer to the crazed monkey(?) testing tool in the original Macs, which performed random input (mouse movement, clicks, keys (I think)) as part of testing for unexpected application behaviour.
The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult, and first published on June 29, having discovered it, and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed to have not been able to reproduce the issue...).
While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.
It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.
Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.
Ignoring the decision to bomb Hiroshima and Nagasaki, some of your points are a little off centre.
Germany and Japan started the war. Hmm, for a six word summary, it works. The counter argument here is that it was the Treaty of Versailles that was the impetus for WWII. The German people were subjugated (yeah, they lost the first time), and it created the turmoil which allowed the rise of Nazism. They were pushed so far down, that they felt it was important to fight back to the top in order to regain their status as a nation.
The Japanese, on the other hand, had been fighting the Russians and Chinese for a while, and WWII gave them an opportunity to implement their expansionist plans on a wider scale (plus colonialism was an issue in Asia). I wouldn't say that Japan started WWII, but they were instrumental in bringing the US into the war with the Pearl Harbour Attack.
It has been suggested that the plans for the Holocaust were heavily influenced (or even created) by the Imam of Palestine, and Hitler found that it worked well with his Aryan ideals. For an interesting exercise, it is possible to trace direct links back to Hitler with the current Israeli / Palestinian issues (hint Arafat is the key). Remember that the Jews were not the only non-combatants placed in camps. My own grandfather (a Dutchman) was placed in a forced labour camp in Germany.
I will give you the Philippines for having been grateful to the US, especially as they were once a US colony themselves, but I disagree with your other points. Australia was never occupied by Japan. They were bombed a number of times, but no land war (although rumours suggest minor investigative probes on remote coastlines). It was Australian troops who first turned back the Japanese on land, in New Guinea, on the Kokoda Track, and who were instrumental in leading the clearance of Indonesia and Timor. West of Singapore, and on the mainland, it was mainly the British and the Commonwealth troops who fought the land and air war.
The Australians, as a general rule, resented the US military presence in Australia (read about the riots in Brisbane).
Where the US was instrumental was in the Island and Naval war that was needed to clear out the Japanese from the actual Pacific theatre.
My final year undergrad project at University was to write a two-dimensional flight simulator (really only one dimension of control - pitch, the second is throttle) in Macromedia Director (using the inbuilt scripting language Lingo).
It was the pet of the head of the Aeronautical and Mechanical Engineering School, and I took over from a PhD student who had managed to mangle it pretty badly, and it was still not workable after two years.
The intent was to provide a learning tool for first and second year Aeronautical Engineering students to provide practical display of the theory being studied.
When I started reading the code, I quickly decided that the easiest way to refactor it was to nuke most of it and start again. The logic was very poorly presented, and poorly documented, but there were some inspired elements which were worth keeping.
Inside of six months, I had managed to deliver above and beyond what the School Head was expecting, and had a fully functional simulator, with some interesting additions. Unlike MS FS, which uses approximations and predetermined limits for a flight model (which doesn't really exist), the simulator used the base theoretical models as applied to a true NACA aerofoil. The difficulty was determining the lift curve when the aerofoil was travelling in a reverse flow (i.e. backwards), allowing demonstration of tail slides and horizontal aircraft movement when the aircraft is pointed straight up or down.
One of the best moments came early in testing when the model demonstrated a pilot induced oscillation recovery perfectly, telling me that the model worked. At the end of the project, even I was amazed that such a piece of crap as Director could be hammered into submission for such a project, but just because it can be done, doesn't always mean that it should.
In response to your query about 'if... leadership can be effective once [groupthink] has become prevalent...', then the short answer is no.
Long answer, not exactly.
Once Groupthink has become entrenched, it requires a leader with a very high ability to mix the charisma, logic, and personality required in order to sway the mindset of the group.
If the leader is respected, then their dissenting opinion should carry more weight than a dissension from within the group. Once the respect is lost, then the group takes control, and the dissension from the leader is ignored.
Based on your comment, I think you are referring to Groupthink, the unique behavioural trait that sometimes expresses itself whenever otherwise rational people get together in a group, whereupon they make decisions that they wouldn't accept individually.
Some commentators suggest that it is due to a dissociation of responsibility and guilt, e.g. 'I wasn't the only one who backed it.'
Good leadership (even mediocre leadership) should be able to identify this pattern, and stop it. The problem, especially when dealing with Government agencies, or contracted Government work, is that the mediocre tend to rise to the top, as the talented leave at the lower levels, and the people in the positions of responsibility are not adequately equipped to carry out those duties, or accept that responsibility. It's easy when you are only in a position for five years, and the negative effects won't be seen for fifteen.
Your post touched a tender spot. When my eldest daughter (now 5) was born prem at 25 and a bit weeks, she was doing great for a couple of weeks (despite the hole in the heart, and brain haemorrhage common to prems), moving about and making noise in the humidicrib. Then it all changed. Two weeks into her 3.5 month stay in NICU (Neonatal Intensive Care Unit), MRSA swept the ward (14 infants). At least 3-4 infants died and half of the rest got significant infections, including our daughter.
This wasn't some backwater hospital, but one of the leading Children's hospitals in the country, and her primary consultant was the head of the department, so there wasn't a whole lot more that could be done. Overnight she went from being active to effectively immobile and mute. For the next 3+ months for her hospital stay, and her first several months at home, she rarely moved, didn't cry, and made no sound.
She was on Vancomycin, which risked her kidneys, but compared to what she faced it was the least of her problems. She was scheduled for an operation to close the hole in her heart, but she was too sick. It got to the point where she was drowning in her own fluid (you can't do any more than 100% Oxygen, with sats dropping rapidly) and they had to operate.
While they were conducting routine X-Rays and scans a couple of weeks later they found that the MRSA had attacked her skeleton, leaving her without a hip or half of her right femur, and missing half of her left hip, and had somehow caused a cyst in her brain (the haemorrhage was long gone). While the bug was beaten, she and the other infected infants were isolated from the rest of the NICU and had their own equipment and caring material. It was more than 90 days from birth before she moved out of Intensive Care, into High Dependency, and almost 120 before she came home.
Partly due to her prematurity (though mainly due to the MRSA) she has a number of issues. The high Oxygen dependency (she was drowning in her own fluid) led to deafness (only partial hearing when aided on one side only, no hearing other side) and chronic lung disease. The long term intubation and drugs meant that she had vocal cord palsy (only one half of the cords work, and barely at that). The Osteomyelitis (skeletal infection from the MRSA) means that she has a distinct shortness of one leg, a floating hip on that side (it actually feels like it is floating, resting on some scar tissue) and moderate mobility problems (needs to be aided to stand / lean, wheelchair bound), and took almost 2 years to learn to crawl and roll due to other mobility restrictions. Every time she gets a chest infection, she has to go to hospital for 2+ weeks, and when they find out she was MRSA, she goes into isolation.
While she is a happy child, going into isolation in a strange place for 2+ weeks (on Oxygen) takes its toll, especially when she gets no audio cues from her surroundings and can not walk to the window or door to look out and at least look at something different. Having been in isolation in hospital as an adult for only a few days, I can only imagine how frustrating it is for a child.
Going back to the GGP comment, the price for a catch-all address is that, to a remote system, ANY address is a valid address at your mail domain. Because a bounce is considered more 'important' than a randomly occurring normal message, most systems will let them through unmolested. The issue is the brain dead systems that spit back bounces no matter what.
The stock spam is part of a stock manipulation effort by people who have significant / some stock held prior to the spamming. They quickly dump the stock a set period after the spam, and cash in on the difference. There is a small, but significant, effect that the spam will actually have on the stock price, and it forms a simplistic pump and dump scheme for those people behind it. Why try and extort money / sell worthless sugar pills when you can launder money / make a killing on the stock market and make it appear completely legal?
These issues have been going on for a long time, and I have seen my company accounts used almost continuously in various Joe Jobs (and the resultant bounces), but accept that it is part of the price for going online. It shouldn't be, but it is. It is like advertising - it is an accepted annoyance that now forms part of the background noise for the Internet. There will also always be people at the other end of the connection who don't care, no matter how much you argue the point. There is not going to be a quick and easy solution, and most of those that get brought up have more potential to harm than benefit the end user (AOL's 'pay us and we'll guarantee your spam gets through' sort of thing).
My company, Sûnnet Beskerming, has benefited from the OSS model in unexpected ways. In addition to providing a technological base which is infinitely customisable, many products and tools available under OSS-friendly licences allow us to quickly set up sandboxes and other testing environments where we can focus on researching and pursuing high risk (high return) ideas which would be cost prohibitive under commercial licencing.
The OSS approach to openness has also aided us in determining legitimate sources of Information Security threat data that is then distributed via our Free Security Mailing List. Having the source code at hand allows us to independently verify the reports that we uncover, and from there make an assessment of the relative technical merit of that particular source. This also means that we can more easily identify the gems amongst the sea of reports and risk announcements, allowing us to elevate the weight of what would otherwise be an unknown source.
The best way to write a business plan is to sit down and start writing. Work out what you want to do, how you want to do it, and why. Write that down. Then throw it out and start again. Even though I followed a basic template, it still took four goes before I had a business plan that was suitable to put in front of people with big buckets of money. You might find that there are no VC firms in Australia who will be interested in funding you, but if you want to try, look at the member list for AVCAL.
Other important factors include where you are setting up. If you are not on the East Coast, then forget about funding. The Australian VC market is extremely risk averse, as they are reinvesting superannuation funds more often than not.
Brush up on your interpersonal selling skills. If you don't have any, you won't get any money, and you won't get any interest. You will also find that the business administration and building efforts will tend to push any coding efforts out of the way from time to time (some analysts suggest 80% of your time might be on business tasks, not coding / developing).
Ensure that you have the appropriate legal and tax setups in place, and that you have a solid plan on how to protect any Intellectual Property that you have developed. No, Australia does not have software patents, but you can patent software if you follow very specific guidelines. Be aware of what the FTA means to you, as well.
Other people who have been through the process before tend to recommend against seeking VC funding for software companies, but I have also seen some fairly stupid VC funding decisions made, so be prepared to take and make risks.
If you haven't already, seek out your regional / state NUG (.Net Users Group), they should be able to put you in reach of people who can help you out.
Finally, good luck!
Interesting comment. I wasn't aware of any other South Australian based business owners / entrepreneurs who lurked on /.. Contact me via my company's site (in the comment or above) if you want to touch base, swap notes, see what we can do for each other.
Part of my company's Information Security work is monitoring reported defacements of websites under various domains (such as .au). Through this work, we have seen numerous cases where ISPs ignore complaints from their customers about their sites being hacked, ISPs having every single customer site hacked at the same time (and still ignoring customer complaints), ISPs where a commitment to action means some time in the next month or so, and ISPs where their lead technical people have trouble understanding their own technology.
By a strange coincidence, or maybe not, the troublesome ISPs are those that also accuse us of hacking their customers, threatening us and generally abusing us for providing a report of an identified defacement. The abuse from ISPs and technical contacts has gotten so bad that we no longer report every defacement that we otherwise would have. Now we only report significant cases (such as complete server compromises or sites which may have sensitive information accessible).
How many drivers are taught cadence braking these days?
I know I was taught cadence braking, although I have never seen that term used before now. My instruction in the technique was only 10 years ago, and it was a simple case of the instructor telling me what to do, and setting me loose on a dirt / loose gravel road and telling me I would fail if I locked the wheels. Putting the car into a skid on the dirt road, when compared to the cadence method, really showed the difference for braking.
As to whether ABS does or doesn't save lives, that is a separate argument. I know that I have been in a number of life threatening situations where ABS would have been the difference between safety and death, but in the wrong direction, in both front and rear wheel drive vehicles both below and above 1,000kg weight class. There have even been times when ABS would have no benefit whatsoever (in fact it would be more dangerous as it is more likely that the driver would not have the experience to handle a suddenly skidding / sliding car at speed over undulating terrain). In all the situations, the only thing that probably would have been of any benefit would be a balanced four/all wheel drive system (such as Subaru make), giving the greatest opportunity to retain some traction/ability to retain control.
This issue is not US specific, I think that almost all Western nations are facing similar futures.
I think that whenever a country gets itself so bogged down in legislation and legal protectionism, its scientific and research and development future (naturally risky endeavours) is short lived. While laws such as SOX, OSHA, and others are ostensibly for the protection of the community (i.e. protecting against the greed of the business world), the restrictions tend to mean that more time is spent complying than actually researching.
Patent and trademark law also stifles innovation, especially when IP holders exert their authority. This is one of the reasons cited for the near death of the early powered flight industry in the US (the Wright brothers were asserting their IP rights), and the location of the major Hollywood studios on the West Coast (apart from the improved climate, it was an attempt to evade the protectionism on the East Coast).
The prevailing theology would be the third leg of the stool, with significant historical injustices being carried out in the name of religion (and historical revisionism). There is no problem with science and theology / philosophy co-existing. The problem arises whenever ethical decisions are required for future research tracks, or when one tries to undermine the other (such as 'there is no higher being because we can't see it/them/her/him'). Sometimes faith is just that, faith. It doesn't need to be rational (although it helps), and a faith in the scientific process is as valid as a faith in the intangible.
Of course, declining academic results, low birth rates, the MTV generation, the offshoring of high tech industry, the turning of tomorrow's leaders into cannon fodder, protracted conflict, government corruption, mismanagement and the proliferation of the 'short term profit at all costs' ethos all play their part as well.
It would be great if a situation like this happened, but here in Australia, the Gamecube has pretty much been withdrawn from the market. The few stores that still have it (such as EB) have it at $99 AUD for a new console, when the XBox and PS2 are still above the $200 AUD mark. These remaining Gamecube consoles are not flying off the shelves, even though there are still over a hundred titles on the market for the Gamecube, and new titles are still coming out.
I've been holding off on getting a Gamecube, but the pricepoint means I will probably get one in time for Christmas. A loaner that I got my hands on saw the PS2 pushed out of the way while the GC was in the house, and saw the non-gamers in the house fighting over who got to play it next.
Hopefully the Revolution will make a bigger impact.
When establishing my companies, I made sure to separate the IP R&D from the commercialisation processes. Although a lot of the research that is coming out of the R&D company is patentable, the decision whether to patent has been a long and well thought out process.
Ultimately, a lot of the research will be protected under trade secret and standard copyright law. The process of patenting requires disclosure of methods and techniques (even with legalese), and places a small company in a bind when larger companies can infringe at will (when the cost of compliance is less than the profit they will make from infringement). By definition, the patent allows one skilled in the art to recreate the invention, so it puts on public record the specifics to allow a competitor to recreate the result that has come from our significant effort and expenditure.
While we hold nothing against software patents (when issued properly), we do have major concerns about the patent process, and the ability to patent processes instead of inventions. When the next global superpower, and some of the largest companies in the industry, have a history of subverting IP restrictions to suit their own ends, the presence of a patent only stops the honest from ripping off the work we have carried out (and they are getting fewer and fewer in number).
Even in discussion with the patent office, and the Government body established to promote and assist the patent process, they readily admit that the model is broken, but it is the best we have at the moment - so we need to keep supporting it (which is a cop out if I have ever heard one).
Without a warchest of millions to fight legal battles, or huge patent holdings, the little guys are running on hope that no one picks their patent for willful infringement.
Probably the best advice for people involved in IP development - get yourself good legal counsel (even at the start of the research process), and remember that there is more than one way to achieve the same outcome (so if you get sued for an implementation - change it to something else).
A couple of months ago, our local council sent letters to all the residents in our area, telling them that rats were breeding rapidly, and that they would soon start eradicating them if the trend continued. As we had two cats (normally inside cats), we decided to let the cats hunt outside for a few days.
We expected the large male cat to be the lead killer but, to our surprise, the small female cat was the one who took on the infestation. Within two days she started trotting up to the back door with rats half her size in her mouth, and very obviously still alive. Once she finished playing with them, a sharp bite to the neck and it was all over for the rat. In less than a week she had cleared out the infestation, including at least one nest of babies - leaving all the carcasses for me to clean up (at least she left them outside).
The whole time that we have had the cats, we have never had any mice or cockroaches or other pest infections inside the house, which more than pays for the upkeep of the cats.
The NVD isn't all that crash hot, actually.
While it does a good job in terms of listing vulnerabilities that exist in various software applications, it can lag other public disclosure by up to a week.
The argument of it providing information that has been vetted doesn't necessarily gel, given that sometimes it leads the disclosure with some fairly vague reports.
Having said that, it is one of the sources that we use for our Information Security Advisory mailing list, but it isn't really one of the primary sources (due to the delays in disclosure).
Even though the areas that you will go to will probably already have facilities and amenities being established, you should really plan on not using any resources that you haven't carried in. Also, remember that this is where people live (or lived), and you are essentially a guest in their county. Above all, listen, be patient, be humble, and be there for them. You might even find that the residents have a stronger need for spiritual help, than physical help.
Basically, as an extension to the above response - while the exact items can be left up to your imagination, so long as you are self-sufficient in the following needs (and in the following order), you will not burden locals, and can use your spare capacity to carry tools, and whatever you choose. This is basic survival (assuming you are going into a completely devastated area).
The most important thing to remember is that you need to take everything with you, don't expect help from the locals. If you end up in an area that is truly devastated, the above guidelines will keep you alive - maybe not as comfortable as you like, but you are essentially voluntarily entering a survival situation.
Wow, I could never think that someone finds the local circuit flying to be less of a hassle than out in the open skies.
The reason why people are there riding your ass to do things is to keep you safe. If they didn't do this, and you stumbled into their airspace and had a significant emergency, then you could find yourself in a much worse world of hurt than if you had listened to them in the first place. You need to remember that they don't want to annoy you, and would like to see you reach your destination in an expeditious manner, but to do so, you need to play their game for a little bit.
Ignoring the rules of the air leads to situations where you become a posthumous case study for the latest aviation safety papers.
If you think that the obligations faced by a PPL or CPL are onerous, it might be worthwhile looking into what military aircrew have to deal with. There is a reason why they have multi-crew aircraft with personnel whose primary role is communications. Not only do they have to play by the civilian rules, but they need to adhere to the military rules attached. While sometimes they get right of way (either if they are pushy, or you have stumbled into their airspace), you can bet that a nasty letter will be headed their way if they abuse their status to sidestep the civilian rules.
In less than a month, my company has notified over 600 sites that they have been defaced by 'Internet Hackers', and the majority do leave a political message. The flavour of the month seems to be Turkish hackers badmouthing AUS, UK, US and the 'War on Terrorism'.
The remainder are just the equivalent of 'I was here', or 'Our group R0xx0rs'. I think that the reason it has changed is that Internet defacements do not really reach out and touch people like worms do.
I do know of the 5/10 year split for Microsoft products, but I also believe that there will still be a large number of organisations running Windows 2000, come 2010, and they won't be upgrading. It is like the current concern over Cisco's IOS. Yes, they have patched the vulnerability Mike Lynn used as his example (stealthily in the April update), but there will be a not-insignificant number of network devices that will never see this patch, or others that are needed to protect against the newly described attack vector.
I know of some large government bodies interested in various matters of security and privacy, who are still stuck with NT4 on their outward facing systems (and internal). Where is the ongoing support for them? Yes, they probably should have upgraded by now, and they probably have already started a rollout, but it hasn't finished, and they possibly remain vulnerable, given the root of Win 2000, XP, 2003, which were all affected by these latest vulnerabilities.
The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).
Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.
I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.
I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.
I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for number of sites with malware seems low).
Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary. I also recall a post on a mailing list that suggested that exploits were already circulating, but I cannot track down a citation for that. I really would not call it a 0-day (which is probably semantics), but at least their project picked it up within two weeks of the POC being published.
To Microsoft's credit, they do publicly acknowledge SEC-Consult as being responsible for discovery of the initial flaws, on the patch information page.
Sticking with MS05-038, the image handling errors which were fixed are another example where Microsoft ignored public disclosure, especially when the disclosure sparked a level of interest on the Full-Disclosure mailing list.
With respect to pen-testing, my approach has always been to obtain a copy of the target software, and to test locally, before heading out for the client systems. Although not automated like the Honeymonkeys, it achieves a similar purpose. I also think that the monkey component of the honeymonkey might refer to the crazed monkey(?) testing tool in the original Macs, which performed random input (mouse movement, clicks, keys (I think)) as part of testing for unexpected application behaviour.
I can't believe that people are lapping this up.
The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult, and first published on June 29, having discovered it, and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed to have not been able to reproduce the issue...).
While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.
It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.
Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.
Ignoring the decision to bomb Hiroshima and Nagasaki, some of your points are a little off centre.
Germany and Japan started the war. Hmm, for a six word summary, it works. The counter argument here is that it was the Treaty of Versailles that was the impetus for WWII. The German people were subjugated (yeah, they lost the first time), and it created the turmoil which allowed the rise of Nazism. They were pushed so far down, that they felt it was important to fight back to the top in order to regain their status as a nation.
The Japanese, on the other hand, had been fighting the Russians and Chinese for a while, and WWII gave them an opportunity to implement their expansionist plans on a wider scale (plus colonialism was an issue in Asia). I wouldn't say that Japan started WWII, but they were instrumental in bringing the US into the war with the Pearl Harbour Attack.
It has been suggested that the plans for the Holocaust were heavily influenced (or even created) by the Imam of Palestine, and Hitler found that it worked well with his Aryan ideals. For an interesting exercise, it is possible to trace direct links back to Hitler with the current Israeli / Palestinian issues (hint Arafat is the key). Remember that the Jews were not the only non-combatants placed in camps. My own grandfather (a Dutchman) was placed in a forced labour camp in Germany.
I will give you the Philippines for having been grateful to the US, especially as they were once a US colony themselves, but I disagree with your other points. Australia was never occupied by Japan. They were bombed a number of times, but no land war (although rumours suggest minor investigative probes on remote coastlines). It was Australian troops who first turned back the Japanese on land, in New Guinea, on the Kokoda Track, and who were instrumental in leading the clearance of Indonesia and Timor. West of Singapore, and on the mainland, it was mainly the British and the Commonwealth troops who fought the land and air war.
The Australians, as a general rule, resented the US military presence in Australia (read about the riots in Brisbane).
Where the US was instrumental was in the Island and Naval war that was needed to clear out the Japanese from the actual Pacific theatre.
My final year undergrad project at University was to write a two-dimensional flight simulator (really only one dimension of control - pitch, the second is throttle) in Macromedia Director (using the inbuilt scripting language Lingo).
It was the pet of the head of the Aeronautical and Mechanical Engineering School, and I took over from a PhD student who had managed to mangle it pretty badly, and it was still not workable after two years.
The intent was to provide a learning tool for first and second year Aeronautical Engineering students to provide practical display of the theory being studied.
When I started reading the code, I quickly decided that the easiest way to refactor it was to nuke most of it and start again. The logic was very poorly presented, and poorly documented, but there were some inspired elements which were worth keeping.
Inside of six months, I had managed to deliver above and beyond what the School Head was expecting, and had a fully functional simulator, with some interesting additions. Unlike MS FS, which uses approximations and predetermined limits for a flight model (which doesn't really exist), the simulator used the base theoretical models as applied to a true NACA aerofoil. The difficulty was determining the lift curve when the aerofoil was travelling in a reverse flow (i.e. backwards), allowing demonstration of tail slides and horizontal aircraft movement when the aircraft is pointed straight up or down.
One of the best moments came early in testing when the model demonstrated a pilot induced oscillation recovery perfectly, telling me that the model worked. At the end of the project, even I was amazed that such a piece of crap as Director could be hammered into submission for such a project, but just because it can be done, doesn't always mean that it should.
In response to your query about 'if ... leadership can be effective once [groupthink] has become prevalent ...', then the short answer is no.
Long answer, not exactly.
Once Groupthink has become entrenched, it requires a leader with a very high ability to mix the charisma, logic, and personality required in order to sway the mindset of the group.
If the leader is respected, then their dissenting opinion should carry more weight than a dissension from within the group. Once the respect is lost, then the group takes control, and the dissension from the leader is ignored.
Based on your comment, I think you are referring to Groupthink, the unique behavioural trait that sometimes expresses itself whenever otherwise rational people get together in a group, whereupon they make decisions that they wouldn't accept individually.
Some commentators suggest that it is due to a dissociation of responsibility and guilt, e.g. 'I wasn't the only one who backed it.'
Good leadership (even mediocre leadership) should be able to identify this pattern, and stop it. The problem, especially when dealing with Government agencies, or contracted Government work, is that the mediocre tend to rise to the top, as the talented leave at the lower levels, and the people in the positions of responsibility are not adequately equipped to carry out those duties, or accept that responsibility. It's easy when you are only in a position for five years, and the negative effects won't be seen for fifteen.