Like many other posters from the "other side of the desk" who've had crappy experiences / perception of corporate infosec, you've got some pretty profound misapprehensions about what real infosec is all about. Security that gets in the way of people doing their jobs IS bad security, as a general rule, because as you observe they will route around it - and then you have a false sense of security, because now you don't know what insecure practices are going on, because the users are actively trying to conceal them from you. This is a Bad Thing. Seriously, I spend a lot of my time giving masses of positive reinforcement to people who do the right thing (like dropping me a mail saying "uh, it's probably nothing, but we're coding up this system which includes a secret admin backdoor, is that OK with you guys?"), and likewise making sure that users know to flag it up and complain, LOUDLY, if security does get in their way. When I get to hear about such issues I put a lot of effort into addressing concerns in a fair way, explaining the risks that e.g. rotating strong passwords is designed to protect against, providing tips and hints about how to generate memorable passwords (first letters of a line of a favourite song is one of my favourites), why it's actually OK to write them down on a slip of paper kept in your wallet and so on. I also try to make sure these efforts are highly visible - not because it's a security contest, but precisely because I want to reduce the inevitable "look out, here come those goose-stepping bastards from security again" attitude to the absolute minimum possible. That's also why I try to take the time to chat to real end-users rather than just listening to what managers tell me their people are doing.
one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling,
That's what 802.1X is for, and why you spent all that time arguing about the wording of your AUP, and making sure that no-one can claim that they didn't know that installing a network backdoor was grounds for instant dismissal (e.g. with regular mandatory refresher training, all@... emails and the like).
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need
Actually, the "right" level of security is as long as a piece of string. What are your assets? What are the risks to them? What (to some arm-waving approximation) is the chance of something bad actually happening? Now compare the costs and benefits. Lo, there is no "one size fits all" solution. For instance my home WLAN is configured with a really crappy WEP encryption doobry, broadcasts its SSID, etc. However only my Dad uses that connection, and the only plaintext stuff going over it is low-value general mail and web usage; on top of that we're miles out in the countryside, we know the families within wifi range personally and none of 'em have computers anyway... and I couldn't make his cheapo wifi dongle work with WPA2. Given that Cat 5's impractical without cutting holes in doors (or drilling thru' 18" thick masonry walls and fitting proper conduit). Oh and I don't run any a/v or firewall on my work machine; I use a hardened BSD and have no network services running apart from ssh on a high port. See what I mean?
There's not enough energy for sufficiently complex chemistry; the sun's too far away, it's too cold, and Titan doesn't get significantly Io or Europa-style tidal heating. It's 100 degrees Kelvin on Titan... Not gonna happen.
I'd be happy to be proved wrong, but as anyone following the wrangling over the next outer-planets flagship mission knows, we could easily not get a dedicated Titan mission until the end of the decade after next.
The problem is with the users who are doing the wrong thing, and the solution is NOT to adapt their software to hide the consequences from them. The generic reply that many users aren't capable of understanding SSL (or can't be bothered to do so) is moot. Yes, if you don't know what you're doing, you won't be able to do it any more. This is a bad thing?
The only real fix available now for the fundamental vulnerability is DNSSEC. There's an excellent doc up on ISC's site called DNSSEC in Six Minutes for those who bothered to read Kaminsky's actual presentation (especially the last 40 or so slides on subtle ways security systems like SSL break when you can't trust DNS), put that together with the ten hour exploit for patched servers, and realised we're not out of the woods yet by a long chalk...
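The comment above leans on two facts that are easy to state and hard to feel: a resolver that only randomises the 16-bit transaction ID is poisoned in seconds once the attacker can trigger queries for fresh random subdomains, and adding source-port randomisation (the "patch") only multiplies the expected work rather than removing it. The following simulation is an added example written for this page; it is not code from the original comment, from Kaminsky's presentation, or from ISC. It models the forgery race at the level of "how many guesses must match before a forged answer is accepted" and ignores bailiwick checks, the 0x20 case trick and NAT devices that collapse port entropy. The guesses-per-query, RTT and TTL figures are assumptions chosen for illustration, not measurements of any real resolver.

```python
"""Kaminsky-style DNS cache-poisoning race, simulated.

Added example; not code from the original post or from Kaminsky's talk.
Packet-rate, RTT and TTL figures below are assumptions for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverModel:
    """Entropy a forged answer must match before the resolver accepts it."""
    txid_bits: int = 16   # DNS transaction ID is always 16 bits
    port_bits: int = 0    # 0: fixed source port (pre-patch); 16: randomised port

    @property
    def space(self) -> int:
        """Number of (txid, port) combinations the attacker must guess among."""
        return 1 << (self.txid_bits + self.port_bits)

    def fresh_query(self, rng: random.Random) -> int:
        """Resolver picks a random (txid, port) pair for one outbound query."""
        return rng.randrange(self.space)


def expected_queries(model: ResolverModel, guesses_per_query: int) -> float:
    """Mean number of outbound queries before one of them is poisoned.

    Per query the attacker lands `guesses_per_query` distinct forged answers
    before the genuine one arrives, so the per-query success probability is
    g / space and the number of queries is geometric with that parameter.
    """
    p = min(1.0, guesses_per_query / model.space)
    return 1.0 / p


def simulate_poisoning(model: ResolverModel, guesses_per_query: int,
                       seed: int = 0, max_queries: int = 10_000_000):
    """Play the race with seeded RNGs.

    Returns the index of the query that got poisoned, or None if the cap
    was reached first.
    """
    resolver_rng = random.Random(seed)
    attacker_rng = random.Random(seed + 1)
    for n in range(1, max_queries + 1):
        target = model.fresh_query(resolver_rng)
        # Kaminsky's trick: every attempt asks for a fresh random subdomain,
        # so no cached answer has to expire first; the forged reply carries
        # the poisoned record for the real target in its authority section.
        guesses = attacker_rng.sample(range(model.space), guesses_per_query)
        if target in guesses:
            return n
    return None


def attack_time_seconds(model: ResolverModel, guesses_per_query: int,
                        rtt_s: float, ttl_s: float, kaminsky: bool = True) -> float:
    """Wall-clock estimate for the race.

    Classic poisoning gets one attempt per TTL, because the resolver will not
    re-query a name it already has cached.  With the random-subdomain trick an
    attempt costs only one round trip.
    """
    per_attempt = rtt_s if kaminsky else ttl_s
    return expected_queries(model, guesses_per_query) * per_attempt


def compare(guesses_per_query: int = 100, rtt_s: float = 0.05,
            ttl_s: float = 3600.0) -> dict:
    """Expected attack time in seconds for unpatched vs. port-randomised resolvers.

    Assumed figures: 100 forged packets land per query, 50 ms RTT, 1 h TTL.
    """
    unpatched = ResolverModel(port_bits=0)
    patched = ResolverModel(port_bits=16)
    return {
        "classic_unpatched": attack_time_seconds(unpatched, guesses_per_query,
                                                 rtt_s, ttl_s, kaminsky=False),
        "kaminsky_unpatched": attack_time_seconds(unpatched, guesses_per_query,
                                                  rtt_s, ttl_s),
        "kaminsky_patched": attack_time_seconds(patched, guesses_per_query,
                                                rtt_s, ttl_s),
    }


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:>20}: {secs / 3600:.2f} hours")
    print("simulated queries to poison the unpatched model:",
          simulate_poisoning(ResolverModel(), 100, seed=1))
```

The point the numbers make is that port randomisation changes `space`, and therefore only rescales the expectation by 2^16; raise the forged-packet rate, or sit behind a NAT that reuses a handful of source ports, and the "patched" figure shrinks back towards the unpatched one. DNSSEC is the only knob in this model that is not a multiplier: a forged answer without a valid signature is rejected however many guesses land, which is why the comment calls it the only real fix.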
Me too, I was reading a story on El Reg the other day that asserted 29m (25m being the child benefit agency CD) - can't find it now, of course, but stumbled over this instead. No wait! Here it is.
Non-Brits may not be aware that this morning's lead story on the Beeb (radio and web) was the loss of an unencrypted flash stick with details of all current guests of Her Majesty's pleasure by PA Consulting. Not quite sure how the tabloids will whip up a "think of the children" angle on it, but I'm sure they will. It's great they've been picking up on these stories, but typical that they've not worked out that the answer isn't "hire more clueful contractors", but "don't have the data in the first place" (at all if possible, but if really needed - obviously child benefit records and lists of prisoners are in the "essential" category - never allow records to be pulled onto client systems). And really drill it into people that they should flag up naughty behaviour they come across - i.e., inculcate a security culture. That's the trickiest bit.
Talking of distro-specific reports: Flash works for me in Firefox 3 on Mandriva, but it did lock the browser up if you closed a tab when a Flash applet was playing. However the solution was to install NoScript, my definition of a win-win situation.
Yeah, but dammit I'm going to get Mark Williams' finest hour floated as a net-wide meme if it takes me a lifetime... *adopts steely expression*... an eventuality for which I am well prepared.
As you say, the camera platform (actually, the entire s/c) can't slew that fast. Cassini was turned so that the ISS imager was pointing backwards at closest approach. Check out sims (further up that thread) that were done showing a big black square of sky that suddenly fills with Enceladus at extreme close-up. This was the only way they were able to get images of this quality.
The other thing you're missing is that no-one's claiming this thing is ready for any market beyond the highly technically skilled early adopter phone development geeks.
My Linux-using colleagues at work looked at me like I was mad when I expressed stubborn antipathy towards the iPhone, iPods and other vileness vomited forth by Apple, the new evil empire (I make that three, after the Soviet Union and Microsoft) but you've summed it up in a single line. Nice, thanks.
Hey, personally I just stopped watching telly about a decade back (hmmm, about the time Slashdot arrived, come to think of it...) I'm only just getting round to buying collected editions of some favourite shows, and some stuff that's come out in the meantime which I missed when it was broadcast, but heard about second hand - Black Books, f'rinstance.
Except that RIP, passed in 2000 (yes dear, pre-9/11) means you go to jail if you refuse to divulge your keys when asked (and if you let anyone else know that you've done so, even passively, e.g. by no longer replying to emails). Some of us protested about this at the time, and oh! how the tin-foil hat jokes flowed, yea verily even here on Slashdot if I remember right. And in real life - it was more a case of backing away carefully whilst smiling cheerfully and maintaining eye contact.
FWIW I donate to No2ID and Liberty, amongst other organisations active in this area. And I may even be holding my nose and voting Tory next time, if they make authoritative statements that they'll roll this crap back... something I swore I would never, ever do. (Leftie UK readers of a certain age will know what I mean.)
We've used several firms. Execs would never read the reports, no matter how much teh shiny and drool-proof the paper is. (Well OK, the IT management get it, all the way up to the level of "our" exec VP, who's tried many times to get the Board to give a fuck, without success.) But it's the Board, who sign off on budget, who we need to get through to.
ISO (or any other cert) is not orthogonal to really good security practices. It's rather like industry certs - be it MCSE, CCIE or CISSP. It's possible for drooling halfwits to get the letters after their name (OK, less so with CCIE, I grant you.) The cert tells you that the person in front of you at the interview has the basic minimum level of competence required to get them. I'm sure we all know people with letters who were clueless fuckwits, just as there are people with no letters with more knowledge, experience and skill in their little finger than I'll ever have. Thus, a cert is "better than nothing", but certainly doesn't mean I rely on it. (I've been thru the 27001 process and know how far bullshit and bluster and having the right paperwork carries you -- a hell of a long way, especially if your sales droids don't mention (and the customers don't ask) what the scope of the cert actually is...)
Management has no need to care about IT security -- that is the CIO's job
We don't have a CIO, any more than we have an IT Director or other exec post where you'd expect security to naturally sit.
If I'm the CEO of a commodity organization, I probably wouldn't care either.
We're not a "commodity organisation", we're an IT services / outsourcing firm with turnover in the $100m range. We handle lots of sensitive data from our large number of well-known business customers. We even tout security in our marketing. Yes, it makes me alternately angry and sick and incredibly anxious. Yes, I'm wondering whether it'll soon be time to bail out.
They flew over the south pole at a range of 30km at 50,000 relative speeds. The relative movement was so fast that they had to turn the entire s/c to point backwards before closest approach. There are some superb ("amateur") animations on the UMSF thread. (large, though, 60Mb or so each.) The realtime simulation is really mind-blowing. Just watch Enceladus scudding through the FoV of the ISS camera just after c/a. Superb, superb work by the Cassini team (as always!) This is certainly one of the biggest set-piece events of the entire mission after orbit insertion, others being Huygens, the first Titan flyby (that data took a lot of time to interpret, indeed the radar data is still being puzzled over as each narrow swath appears after another flyby - it's hard to do imaging through that pesky yet oh-so-interesting methane atmosphere) and the Iapetus encounter.
Either way, itsh time for a top-up. Cheersh!
If you have fifty routers to manage - real routers - and you're using a web UI to do it, you don't really know what you're doing.
that'd be a Sequoia, right? Hence California.
....mine's the one with the little windmill on the lapel.
The buzz I've heard is that they're setting up a sting operation. Using a honey-pot.
Thanks, mine's the white boilersuit with the veil and hat on the next peg.
My phone, like my computers, is for getting things done. Call me when this thing is useful and usable.
...and you're posting on Slashdot why, exactly? DroolingAppleFaboyboi.com is thataway --->
This explains why Fields of the Nephilim had a lot more fans in, say, Leeds than London. Oh yes.
Are US Voters Informed Enough About Science?
Why yes, of course they are. Damn silly question. Next!
See Emily Lakdawalla's pre-encounter blog piece for the Planetary Society, and follow-ups as the data's arriving.
Nah, we do them all the time. It doesn't help.
True, technology books ARE always out of date, but whilst it's a truism that things are always changing, it's also true that there's a linear relationship with the degree to which they stay the same. (I believe the French have a neat saying that encapsulates this notion.)
The MULTICS pentest paper and its review 30 years later are cases in point. See also Thompson, K., "Reflections on Trusting Trust", a matter which Kaminsky, D., has recently demonstrated is as true today as it was then (in a context which is completely different, yet exactly the same.)