Was it online? SANS used to track the time-to-infection for an unprotected system connected to the internet (it was between 10 and 15 minutes a few years ago) and noted that this was less than the time it took to download and install a firewall, updates, patches, etc.
Yes, you pay high taxes when you are working, but there's no fretting here "ohmygod, how is my family going to get by?"
I'm also former Navy. How did you wind up in Finland?
I came from a middle-class background, had no money for college, and between the experience and college money the service was great. I'm now working as a consultant and the salary and benefits are excellent; I'm thrifty, I save more than I spend, I keep minimal debt. Yet even in the states I basically financed my co-workers who have kids and a house (because I'm single and I rent) and I kind of resent it; it's like "You don't get to enjoy the fruits of your labor because Joe Schmoe forgot to use a rubber one night."
I have been fretting and scrambling to meet my goals for a couple of decades now...apparently if I lived in Finland I would be fretting and scrambling to meet your goals as well. I have nothing against you, but I have some issues with this.
What if I submit several statements as a string and the "command" is to concatenate and run them? I understand PHP won't do it (unless you fail to validate the input) but what about the server itself?
First off, why would you expect DHS to be secure? They get low scores on cybersecurity along with the rest of the government. Also, I know from experience what a soup sandwich their C4 systems are.
Second, imagine for a second how many websites are out there that present content using ASP and a SQL backend. Understand that the vast majority of their designers took the time to set permissions correctly and sanitize inputs, like good developers. That 500,000 of them failed to do so does not make it Microsoft's problem.
Um...are you sure? Not doubting you, but I'm pretty sure if I run something like
show tables;describe foo;drop table bar;
Then it will execute with no problems. Maybe I'm just not savvy enough with MySQL to understand what you're saying.
I do know that, for instance, this specific injection attack uses cursoring...sure, in MySQL cursoring is handled differently, that doesn't make Microsoft responsible for this "vulnerability." It's still the fault of the ASP developer for not sanitizing his inputs.
SQL injection is not a "Microsoft vulnerability." You find the same issues with Oracle, MySQL, postgresql, etc., they are simply executed differently.
Nah. Any language is supposed to let you do EXACTLY what you want to do. It's just that people don't know how exact they have to be, or don't care. All of the mistakes in this case are the fault of the people who coded the ASP script running on the server, or who managed the server permissions.
Ahem. Schneier's change of focus is not a "trend." However, there is a "trend" of people in our industry abusing terms like "trend" and horribly mangling the underlying concepts and mathematics. This is why this book sounds so good to me: No more FUD. Just the facts.
I agree and disagree.
1. Sometimes the need for secrecy outweighs the need for "innovation and efficiency."
2. People have plenty of data and are empowered to make decisions. But they don't know what to do; there is a fundamental education gap. These are the people who run random attachments they get from someone named "xplurg bffrgis" offering them "v14g r a." You think they're really equipped to make decisions on security?
The thing is, security is a risk management discipline. Most applications thereof don't have much of an ROI--why does the average user need to encrypt his drive when he really doesn't keep anything sensitive on it?--so you have to assess your risk and mitigate it using solutions that actually address your needs. So I would say we do need more diversity in offerings and solutions, but not really for the reasons you stated :)
Sure, if you were using this system for profiling then you would need to establish some level of significance (let's ignore for the moment that "significance" is arbitrary). But all this system does is make it more difficult to predict what the cops are doing.
Also, there is actually a pretty large data set of terrorist attacks when you remember that there are parts of the world that are not America, plus everything DHS has generated simulating attacks (what they used to call "red teaming").
Actually I don't think you could separate a bot from a real person using statistical inference--plenty of people have to try more than 4 times to get it right, so 4 times is not going to be a significant difference. I've been looking into this and you'd have to require such a high confidence level that the applicant was a person that you would lose a ton of real applicants, which is bad for business.
It's like with that cable cut conspiracy nonsense from a month ago...the odds were pretty good that you could have 5 breaks in a 12-day period, therefore, number of cuts per unit time was a poor indicator if you were looking for conspiracies.
I really think multifactor authentication might be the way to go, but what a pain in the ass that'll be to implement...
Windows should only be bundled with non-competing, non-commercial apps.
That is, it's cool if Dell bundles MS Office, but it's not cool if Microsoft forces them to do this so OpenOffice can't compete. Most customers will want an office suite so something should be bundled, but it should be the decision of the manufacturer, not the OS provider.
You are really hitting on all the "misinterpret the argument" cylinders today, you know that?
IIRC Amazon has sold non-DRM'd music for ~6 months now. You simply buy them and import them into iTunes.
Oh, the iPod works wonderfully with other online stores. But iTunes is worthless for other music players.
iTunes itself is not the store. It's just a manager (and not a very good one). If it were a commercial offering, then I would have an issue with it conflicting with other music managers or even WMP. But it's not, you can get free ones anywhere.
It seems like your objection is based on the fact that iPod has been successful. The weird thing to me is that iPod is inferior in many respects to other players in terms of UI and battery life--but people love the wheel thingy so they keep buying them.
You don't get it.
If you buy A DELL COMPUTER and it comes bundled with stuff, that's ok. Those vendors all compete for Dell's attention and to get the contract for the bundle; this is called "capitalism."
If you buy WINDOWS and it comes bundled with stuff--even if it's just that Microsoft demanded it as part of its agreement with the hardware vendor, that's not good. That's the opposite of capitalism.
Capisce?
I'd give it more than 50 years. We still have South America and Africa to exploit (this time, with feeling!), and after another couple decades of the economy tanking, the US will itself be colonized, don't you think? Just because the bourgeoisie are no longer Westerners doesn't mean the system is going to change radically.
Also, "name" branding does have value. As with the appearance of the clothing itself and estimation of its "quality," it has a rather arbitrary value. With some goods the brand maps rather well to actual utility, as in, Mustang survival jackets are really warm. But this is not really necessary to sell.
The problem is mostly farm policy, which--like Social Security--seems to be too complicated a problem for our legislators to do anything about.
Yah, I guess this has always been true but not always so obvious to me...our leaders are not exactly our best and brightest, are they?
Why is that?
Seriously...you might say, well, smart people are too smart to get into shitty jobs like that. Why are the jobs shitty? We seem to enjoy bullshitting about them on /. all the time, there must be something interesting about solving farm policy or sussing out new business models for distributing music. So how come those jobs only attract dimwitted people who are only in it for money? Why do we have think tanks that make recommendations based on careful study, only to have politicians side with whatever lobbying group pays them the most?
Two things:
First, a disagreement. People can subsist without music but they should not have to do without culture--art and music are among things that make life worth living. This is a little like saying, yeah, you don't NEED tasty food to survive, so we're going to put really draconian restrictions on "flavor."
Second, an agreement...the thing to do is definitely to harness the power of greed to serve everyone. I *WANT* to pay the copyright holders for the music and TV shows I like, but why don't they have any way for me to get at them? I circumvent their controls because their controls are unreasonable. Likewise with Monsanto corn...their controls are unreasonable and unenforceable. They need to find another business model instead of screwing people over.
Here's some questions for you since you seem to know what you're talking about...
One, I have a friend, an aero engineer, who believes wholeheartedly that any kind of free will can be boiled down to the deterministic movement of particles. However, there are two problems with this--first, it seems like he is making the philosophical mistake you pointed out: if you assume that free will does not exist, you will not find it (I think we're talking way beyond simple "null hypothesis" caution here). Second, while chemistry might be reducible to atomic interactions, is it useful or meaningful to discuss chemistry in this manner? Is it useful to reduce biology to Newtonian motion? Useful meaning, "Does it help us understand what's going on?" What's your take?
Second, I have noticed more and more lately people attacking the concept of "free will." Noted feminist and "Battlestar Galactica" fan Amanda Marcotte has been pushing this idea that free will is a meaningless concept, or at least not useful, and probably doesn't exist. Where is this coming from? Has there been an ongoing debate about this, or is this something new--something riding along with the scientific backlash against the religious conservatives, perhaps? If you can suggest any reading on the history of the debate, I would like to read it.
Finally...why so often do we see people dedicated to science who are completely unfamiliar with its philosophical underpinnings? I don't know how many researchers I know who don't really know what "empiricism" is, but who will deride religion as "magical thinking" when they themselves maintain question-begging tautologies all the time. It bothers me when I meet people who have their PhD, and so have supposedly been taught experimental design and have contributed to the body of knowledge, but who turn out to be glorified technicians:\
No, not really.
I'm not disputing that your purchase will run Vista fine, just the idea that people who buy "disposable" computers are idiots.
Your 2.8GHz machine would go for chump change on craigslist today...and RAM upgrades would cost next to nothing (thanks, China!).
Those of us who buy "disposable" machines don't make any investment in technology. We buy cheapass machines that run the technology of the day very, very well. In the long run, since we are not invested, we can afford frequent upgrades. In that timeframe, we were spending $1000 for computers that could handle XP (released in 2001). Today we might drop $1000 for a computer that can handle Vista...but are more likely to spend $300 on a box that can run XP. Exactly how much did your computer cost you in 2000?
Sadly, Sam Vimes' "Boots Theory" of economics does not hold true for computers.
The fact that Monty knows where the car is and communicates this (right?) makes all the difference in the world.
I think if he was picking randomly, which is how the problem is usually presented, then either switching or not switching would not alter your probability of success.
Yes, the majority of people who see Symantec products do see bloated crap. However, the majority of people who MAKE DECISIONS ABOUT SOFTWARE do not see bloated crap. Since they are generally better educated and more experienced than the helpdesk jockeys who complain about how their new Dell laptop came with Norton, their opinions weigh a bit more.
If you had Symantec come to secure your enterprise network, and you wound up with Internet Security, either you are incredibly cheap or you got handed the worst sales engineers ever.
Sophos is being really aggressive of late but they're not making a whole lot of headway over here. Because Symantec and McAfee generally can coexist (with some notable exceptions), large corporate customers get more options, which they like...whereas Sophos insists you remove EVERYTHING from a competitor, including areas where they don't have a product. This is why they will continue to have a hard time breaking into the American market.
Ok...how do you determine what your "threshold" value is? Most people I see use confidence intervals for this but whenever I see them do this, they invalidate the assumptions of the technique or accepted method of inference.
Ok, hotshot...define "typical," or better yet, explain how you arrive at the conclusion that this or that feature is "typical" or "atypical" and what you think a traffic "pattern" consists of.
No, seriously, go write a white paper...the security field is STARVING for this sort of thing. If you have a good method for doing this then you could be a serious asset!