Slashdot Mirror


User: jotok

jotok's activity in the archive.

Stories: 0
Comments: 718

Comments · 718

  1. Re:Up Up Down Down Left Right Left Right B A Start on Programmer Built Vote-Rigging Demo for Florida Politician · · Score: 1

    You mean, IDDQD.

    Or was it "-goobers" plus TAB-G?

  2. Re:Wide range of topics ... on U.S. Cybersecurity Report Available · · Score: 1

    how the hell are they going to regulate wireless systems? Anyone can make an antenna and broadcast from it for miles around.

    Replace "antenna" with "jammer" and you have answered your own question :)

  3. Re:How is this modded up... on U.S. Govt. Stipulates Free Annual Credit Reports · · Score: 1

    Ummm, I hope you pretend to an ignorance you do not possess. I can think of any number of reasons why such information could be of use in such a situation, and why making it available on a website (security?) might have its issues.

    Granted! No argument here. However, that has nothing to do with the post to which you responded, which had to do with whether or not evil neocons intend to exploit people's credit information for some kind of dubious security benefit.

    I guess this is one of those cases where yer right, but yer also dead wrong.

  4. Re:Please don't call it the "Patriot" Act on How has the USA PATRIOT Act Affected You? · · Score: 2, Insightful

    Er...fair enough, but the point of the thread is to detail exactly how it has affected you personally, rather than bitch about its being "misused" in generic terms. Innit?

  5. Re:Second hand smoke DOES NOT kill non-smokers on Battery-powered Cigarettes? · · Score: 1

    Funny. I thought confidence intervals were a pretty weak method of testing a hypothesis.

  6. hah on Would You Drink This Water? · · Score: 1

    it gushes from the toilets of Singapore instead of a bubbling spring

    Did anyone else think this was about Coke trying to market "Dasani II?"

  7. Re:From the article... on Hannu H. Kari Gives The Internet 2 More Years · · Score: 1

    "...Now leave me alone--I need to go practice with my DNF clan."

  8. Re:Guess What on Whopping-Big Data Theft At U.C. Berkeley · · Score: 1

    I'm all in favor of extremely draconian measures requiring people who have custody of sensitive information to maintain strict access controls on it.

    This kind of mindset has previously been the domain of government (and paranoid corporations). Organizations with access to classified material, for instance, must undergo certification processes that clear them to maintain the material on hand.

    Lately I see it being pushed onto the public sector more and more (HIPAA is a good example, as are other initiatives DHS is trying to sell to the corporate world), and honestly, it's hard to see this as a bad thing. So far as I understand, it would involve government strongarming historically insecure entities in a position of responsibility into securing themselves.

    The only situation with a potential for abuse that I can foresee would be if, instead of securing themselves, these entities ended up in the position of the government doing it for them. Then we could have issues. In any case, I'm sure someone here on /. will think of other ways.

  9. Re:keep supporting non-gov security efforts on CNET's in-depth Coverage of IT security · · Score: 2, Interesting

    Don't get me wrong, ISC is a great effort and the incident handlers are some of the best in the business. What is essentially a labor of love on their part is one of the best tools for security professionals to use.

    But, from your statement, I wonder if you have ever dealt with anything having to do with US-CERT other than their "public" product (e.g. what's on their website).

    More goes on behind the scenes than you may be aware of.

  10. Re:Sickness on Indymedia Server Raided by FBI · · Score: 1

    So. . . Stopping the selfish kid from taking all the other kid's toys is imposing one's will, is it?

    Stopping the bullies of the world from raping and pillaging howsoever and however much they choose is, "imposing one's will"?

    Er...yes, actually, it is.

    Honestly, I don't think that "imposition of will" is a great criticism of liberalism. But "The Road to Serfdom" is a quite accurate portrayal of what many conservatives fear about the Left.

    If that seems strange to you, understand that neoconservatives are not conservative. Neocons hate actual conservatives. They are "liberals" in a sense far removed from Jefferson or Lincoln (yes, I know Lincoln was a Republican) or even Marx. They are so in a progressive, highly corrosive sense usually attached to the worst kind of social engineers. Seriously, you can trace the evolution of their thought right back to Trotsky.

    Both the Left and the Right in America are playing directly into their hands. I can't believe nobody sees it :\

  11. Re:If true, the stakes are now higher. on S. Korea Claims N. Korea Has Trained 600 Crackers · · Score: 1

    So you are saying that there is a difference between a highly trained hacker and a highly trained security professional?

    What? No! Are you guys even reading past the first line?

    Look, the bottom line is that if you want to survive a gunshot, you wear a bulletproof vest. Carrying a gun yourself does nothing.

    Yeah, using guns to learn about ballistics and penetration is good, but in the end, an offensive weapon does not help your defense.

  12. Re:If true, the stakes are now higher. on S. Korea Claims N. Korea Has Trained 600 Crackers · · Score: 1

    Wow, congratulations on not making it past the first line of my reply!

    What I was saying wasn't that NSA doesn't have hackers (which nobody can confirm nor deny, so you may actually have a good shot at losing "all your money" on that bet). Rather, the original post pointed out that we have hackers of our own, so North Korea having them is not a big deal. This is incorrect. We could have zero hackers of our own and this would not be a big deal if we were hard at work securing our own networks. Unfortunately, security professionals have to deal with IT professionals who, like yourself, are poorly informed (I won't go so far as to say clueless) as to what's really going on...so the work is not getting done.

    That is why this is a big deal.

  13. Re:Watch that first step, it's a doozy! on S. Korea Claims N. Korea Has Trained 600 Crackers · · Score: 1

    None of which have any business being connected to the internet at large. Any jackass that does put mission-critical services on the internet gets what they deserve.

    This is your answer? Please tell me you're joking. In America, ~300 million people who had nothing to do with the decision would get what that jackass deserved.

    Him, and the IT staff who convinced management that everything-over-IP is a good idea.

  14. Re:If true, the stakes are now higher. on S. Korea Claims N. Korea Has Trained 600 Crackers · · Score: 2, Insightful

    Er, no.

    To defend against information warfare is not to conduct an offensive of your own. Rather, you need to secure your own infrastructure, which is not happening.

  15. Re:Here's what I don't understand... on Telecom Outages Now a State Secret · · Score: 1

    Obviously it depends how common the attacks are already

    Right, because if you remember, when 9/11 occurred, increased security would not have been needed because nobody had flown jets into buildings yet.

    No offense but many of the people are responding to this along the lines of "We haven't had an attack on the SCADA networks yet, so defending them is unnecessary," or "We should give out as much information about our infrastructure as possible, and terrorism is just a lame excuse not to." This shows a distinct lack of understanding of security and related disciplines (like risk management). There were some corporate entities which spent millions of dollars planning disaster response procedures for far-fetched scenarios, and they were thought to be paranoid at best, stupid at worst. But now nobody is laughing at Visa (for instance) for having a response plan for an airliner landing on one of their data centers.

    What's happening to the US is this: the government, corporate America, etc. are waking up to the really absurd vulnerabilities that we have and do not fix. So, everyone is starting to get conscious of these issues, and as is typical with management, they are going to overreact and try to find a panacea (US PATRIOT ACT, etc.) or just throw lots of money and people at the solution (actually, it was probably their failure to do the latter that frustrated Amit Yoran).

    The problem for citizens is to allow the government and corporate America and everyone else who maintains our critical infrastructure to close off the serious security holes without turning this place into Fortress America and without infringing our Constitutional rights. So, it is good in principle that people are arguing this point, but then again, this is a rather obvious vulnerability with a quick fix that doesn't really affect previous usage (companies can still get those data)...there are more worthy issues to take on, everyone.

  16. Re:bulldust on Telecom Outages Now a State Secret · · Score: 2, Interesting

    I'm genuinely surprised that so few people posting here think sneaky enough to see why publicly disseminating this info is a Bad Idea.

    The above example was not reaching at all. In Israel, terrorists have for some time studied the actions of first responders to determine how to disrupt them and exacerbate the damage of an attack.

    In the US, you could disrupt random networks to see what effect it had. Keep in mind that the providers themselves don't typically know what effect a disruption would have--you don't know until it happens, and they don't simulate it, because, like you, they scoff at "security" measures.

  17. Re:Wait a minute on Supreme Court Backs Do-Not-Call List · · Score: 1

    But controversy over judicial activism has been around since Brown v. Board of Ed. Should I assume then that you have been ignoring this "buzzword" since the 1950s, or that (more likely) you perhaps have a little reading to catch up on? :)

  18. Re:Wait a minute on Supreme Court Backs Do-Not-Call List · · Score: 0, Troll

    Therefore they can make "unpopular" decisions, and strike down legislation without fear of being voted out of office.

    This also means that the Judiciary can trump the actions of both the Executive and Legislative branches of government. One recent example is the Terri Schiavo case in Florida. If you believe USSC, then "precedent" (which the courts set, themselves) says that they can invalidate any law and place restrictions on the activity of the Executive. For democracy in general, this is a Bad Thing.

  19. Re:WE ARE CITIZENS! on FCC Asks For Comments On Internet Wiretapping · · Score: 1

    CALEA only forces communications providers to structure themselves to allow the (e.g.) FBI easy access.

    So at issue here is not even whether or not the government should wiretap. It's whether or not corporate America should be made to bend over on demand. Whether they comply with CALEA or not, they will be forced to comply with the judiciary-approved demands of any law-enforcement agency.

    Let me just make that point clear: Whether this is made into policy or not, law enforcement WILL be able to do wiretaps and so forth.

    All of you bitching about whether or not wiretaps are wrong are in the wrong fucking thread.

    The question is, should corporate America force the FBI to invent new and elaborate ways of wiretapping, reading your e-mail, and so forth--all of which will cost time and money and will detract from their mission, which you may remember, is tracking down criminals--or not?

    The answer is, quite obviously, no.

  20. Re:Clarification on 2004 Global Information Security Survey Results · · Score: 1

    No, it makes perfect sense. Management rarely sees the connection between security and job completion (and thus, satisfying the demands of the shareholders, which is technically the reason why the corporation exists). You have to put it in terms they understand. This is why I'm in favor of separate security departments, for one, and also, why an integrated approach is the only one that will work (e.g. start everything with security in mind).

  21. Re:should the gov decide who has the right to marr on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    Couple of things.

    First of all, you really have no choice as to whether you live in this "civilised society" or not. This is forced upon you as surely as is your own life.

    Second, rather than state a moral absolute, it seems like you're qualifying it: "So long as everyone consents, it is ALWAYS OK--unless it is bad (e.g. murder), in which case, to prevent it from happening again, we can do something else bad." "Bad" in this case meaning that something is not consensual. So you have, essentially, that something is good unless it is bad, at which time you can do more bad to prevent it. No offense, but I think that thinking such as this is partially why America is as jacked-up as it is :)

    Furthermore, what do you think of Lincoln's proposition that you have no right to do a wrong? E.g. simply because you agree to it by contract, a free person could not sell himself into bondage because liberty is a fundamental human right.

  22. Re:should the gov decide who has the right to marr on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    Actually, I don't think that's a straw man. The original argument basically stated "Nothing that feels good can be wrong" which is clearly not true.

    Your definition is (correct me if I'm wrong) that something is wrong if it does not occur consensually. What about putting murderers in jail? I'm sure they don't want to go to jail.

    It seems to me that your definitions may be incomplete.

  23. Re:Mod parent up on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    Just something to think about:

    At one point it was not necessary for the government to try and define what marriage or friendship was because people did not try to exploit the looseness of the "rules." The more people try to do that, the more restrictions we get.

    It seems obvious that either people must place restrictions upon themselves, or that someone else will do it for them.

  24. Re:should the gov decide who has the right to marr on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    But, as demonstrated by American Law and numerous historical incidents, the definition of "person" is quite malleable.

    Back to square one.

  25. Re:MS Windows Updates... on 2004 Global Information Security Survey Results · · Score: 2, Interesting

    "2. Separate information security from IT" - idiots! It's IT that understands this stuff.

    Out of the past thousand or so incidents I have handled or observed, maybe 900 of them involved some bungle by IT regarding: failure to patch systems (often while reporting that they had), failure to remove unnecessary services, failure to properly implement network and host security features (e.g. firewalls and IDSs installed improperly, logging not turned on, etc.), failure to conduct account audits, failure to implement standing security policy.

    The takeaway from this is that IT may be brilliant when it comes to setting up your network, and absolutely clueless when it comes to securing it. IT may understand the issues. However, their willingness to actually take care of the issues is in question (the common excuse is some variant on "I didn't think anyone would come after us!" (e.g. "Why would anyone want to steal our data?")).

    Second, I do not believe that the issue is all about PHBs demanding that IT leave the systems open for their own convenience. I think this is little more than a myth invented by IT. Yes, management is as a rule dimwitted, but even PHBs understand terms like "accountability to shareholders" and "losing your job," or, my personal favorite, "If you do not take steps to secure your infrastructure you could be held personally responsible for hundreds of thousands of dollars."

    In short, as the article noted, litigation is a great motivating factor for PHBs.

    Anyway, as I noted before: some IT personnel are on the ball with this, but most of them are in a wholly different world.