Anyone using Word in any kind of sensitive capacity needs to know how to make sure the changes are all really gone. Training should address this specifically. Other word processors also store deleted text within a document and users of those need to also know how to make sure deleted text is really deleted.
There's a school of thought in software design which says "When lots of users keep on making the same mistake, the problem lies with the software, not the user".
Myself, I'm thinking it makes some sense to be able to nail Word to never keep changes and roll this setting out across an entire network - perhaps through Group Policy or similar. If you need to track changes that badly, store the document in a proper document management system.
Yeah, but it costs money to set up and the only real benefit to MS is to sit there laughing at the cheaters all playing each other. Given the proportion of people running modded XBoxes, I doubt they'd see the money back out of "number of people with modded XBoxes who haven't cancelled their Live subscription because they can still log on".
I remember when I was 9 or 10 and the family computer could hold 20 megs. That was nearly unfillable at the time.
I also remember when I was 5 or 6 and the family computer didn't have a hard disk - it had a 5.25" single density floppy drive.
I even remember my late father bringing home a Jupiter Ace, which had (IIRC) 4KB of RAM, loaded programs from an analogue audio cassette and was programmed in FORTH.
Would anyone be surprised if the exchange captured most of those cost savings for themselves?
I would be. They're almost certainly migrating from IBM mainframes, and they're migrating most of the really important bits to AIX on pSeries.
IBM have been managing transitions like this for years. It's some of their bread and butter work with large financial organisations, and the cost of the consultancy to do it will probably pay for itself in a couple of years' with the support contract becoming cheaper.
Nah, the convicts would probably be too good at it. I suspect the main difference between a politician and a convict is the politician is better at covering their tracks.
TBH, I've never paid for Gold support on a laptop because I keep one or two spare for such an occasion. There may well be a separate number for Gold support for desktops/laptops which gets you through to someone who speaks English.
As tegards software tests - if a software fitness test told me the sky was blue I'd look outside. I'm not 100% certain, but I'm pretty sure that it's mathematically impossible for any Turing-complete machine to self-diagnose with perfect reliability.
Re:ISO to the rescue (somewhere in the future) ?
on
Security Metrics
·
· Score: 1
We didn't even get a report on compliance or otherwise. The contractor was hired to write a security policy which complied with the British Standard - AFAICT, he did so by the simple expedient of copying the standard word for word except for the bit about "there's no such thing as a generic standard".
I'd argue that option 1 is even more impossible than it sounds initially.
A "terrorist" is, most of the time, a normal person with a family, a job, friends..Sometimes they communicate with others in a cell, sometimes those "others" are no more than a small handful of people. If a large number of ostensibly normal Afghan (or Iraqi, or Pakistani, or Syrian) people suddenly disappear off the face of the earth, people will start talking. Congratulations, you've just produced a most efficient terrorist recruiting tool. (Incidentally, despite what others on/. seem to think, we in the UK did trample over quite a few rights in our attempts to solve the Irish problem. See here. Apparently it was the best recruiting tool the IRA had ever had).
This leaves option 2. Now, we all talk about "ignoring them" - has any government anywhere ever tried this? I certainly can't think of one. At the very least, anyone who can be tracked down for carrying out bombings is certainly going to find themselves on the wrong end of the law. However, the strong political desire to capture and bring someone to justice has led to grevious miscarriages of justice in an attempt to punish the perpetrators. See the cases of the Birmingham Six and Guildford Four in the UK.
Does the USA have no equivalent of the UK Rehabilitation of Offenders Act?
I'm a bit hazy on the details, but I think it's something along the lines of "after a certain amount of time post-punishment, you're not obliged to reveal a criminal past to an employer, even if they ask". There are other details - it doesn't apply for some types of job, such as national security, and the length of time may vary depending on the crime/punishment. Some crimes you have to reveal for life.
Do not confuse Dell's server support with their desktop support. Servers make Dell money. Desktops make them well-known.
I don't know how it works in other parts of the world, but here in the UK the routine is:
1. Call Dell Technical Support. 2. Give the service tag to the call handler (always sounds like an Indian accent, but ICBW). 3. If the service tag refers to a desktop/laptop, regardless of the level of support, it goes to India and deal with the communication issues that so often seems to entail. Server calls go to Ireland and communication issues are non-existent. 4. The level of support you've paid for now comes into play. Depending on what you've chosen, parts may be drop-shipped within 4 hours and an engineer should arrive to fit them also within that time, or an engineer will arrive next day - or, if you're a cheapskate, you'll have to ship the item back to Dell at your own expense and it'll come back to you when it comes back. Customers with a Gold (24x7) contract can also ask their account manager for the telephone number of the appropriate team which is manned 24 hours a day, rather than the number on the website which cuts over to a recorded message after working hours to say "please call back tomorrow".
And yes, I have made support calls under such contracts with Dell and also with other companies. In my experience, as soon as you're talking about real hardware rather than desktop PCs and you're paying real money for the support, the level of service you get is not bad.
Re:ISO to the rescue (somewhere in the future) ?
on
Security Metrics
·
· Score: 4, Interesting
If it's anything like the British Standard (BS7799, IIRC) which is supposed to do the same thing, it will do nothing of the sort, mainly because these standards are all too often used as a box-ticking exercise.
A little example for you:
A few years ago, I used to work for a large UK company. My manager, conscious that information security is something which you have to take seriously these days, commissioned a consultant to come in and write up a security policy which would comply with the British Standard.
The consultant came in for a while, and in due course produced a document which was generally criticised for being extremely vague, but my manager brushed this off. As far as he was concerned, we needed a piece of paper which complied with the British Standard. This was such a piece of paper, so he was happy.
However, seeing as I was tasked with looking over the paper, I asked my manager a question. "This British Standard it complies with. Have you read the standard itself?"
No, he hadn't. He hadn't even looked into the cost of buying a copy of it, thinking it would be "too expensive" (yet he was prepared to pay a consultant to come in and write the policy - go figure). So I went to a library and had a look at a copy of the British Standard.
I'm paraphrasing here because this was a few years ago. But, broadly speaking, it said:
Every company has different needs and different systems. Therefore, it's not possible to write a generic standard. However, this standard lists the sort of things that a company writing a security policy should consider (emphasis mine).
This was followed by several pages of very vague descriptions of the sorts of things which should be included - things like segregated access, password expiration and re-use policies and all sorts of other stuff besides - which, by an amazing and spooky coincidence, were practically identical to the policy which we'd paid the consultant for. If I didn't know any better, I'd say the consultant retyped the British Standard almost verbatim, leaving out the bit about how "it's not possible to write a generic standard".
The point is, Sarah didn't know him from Adam yet with no evidence or sign off or anything, reset his password.
He could just as easily have called up, claimed to have "just got back from holiday and forgotten my login details" and given Sarah his boss' name. 30 seconds later, he's got his boss' user ID and the password reset on the boss' account.
I'd like at least a clue of how such a gigantic "oops" could have happened. Is there a similarity with their e-mail address and someone else's? Perhaps a disgruntled GOP member didn't so much misaddress the e-mails?
Agreed. A handful of emails may occasionally get sent to the wrong person, perhaps because you've got two people with similar names in your address book.
500, however, getting "misaddressed" and winding up at an attorney's office - an attorney who was involved in the case because one of those emails basically said "sack him" is far too much of a coincidence for my liking.
A songbook publisher doesn't like the idea of guitar tabs made available free.
No kidding.
In related news, Turkeys are said to be very concerned about the celebration of Christmas and US-based turkeys have expressed concern over thanksgiving.
Furthermore, the Pope shits in the woods and bears are generally catholic.
Don't know if a corporate can sue for defamation, which is broadly what you're describing.
What I am sure of (though IANAL) is even if they can, they'd have to prove that they'd somehow suffered as a direct result of this defamation.
The only way I can see this happening is if IBM can dig out a few PHBs who said "We were just about to pay IBM for a lot of Linux consultation when we heard about this, and we decided to use Windows instead". I imagine by the time you're in a position to hire IBM, you're not likely to be too concerned that you or they might be sued for patent infringement as a direct result of the work IBM does for you.
Bank servers are likely to be reasonably secure, audited and should anything untoward be detected, the authorites will be alerted so quickly that you wouldn't even get time to hit Ctrl-C. Furthermore, it's pretty unusual to read your email or browse the web from the host running the Internet banking application.
Ditto military. You'd have to be either pretty sure of yourself or pretty stupid to attack them.
Not so a typical Windows PC. Now granted, your software may only get onto one PC in ten thousand, and out of all of those there may only be juicy information on one in a thousand. But if there's one thing that the internet is absolutely great at, it's getting a piece of information - or indeed code - to a lot of systems very quickly - so scalability problems like that soon vanish. One PC in ten million worldwide is easily enough to ensure a regular influx of tidbits worth investigating.
All of what you say is correct. However, IMO you've missed the most important thing:
Attack Vectors
The great majority of malware on Windows today has one of two attack vectors:
1. Exploit vulnerabilities in the userspace client software (eg. browser or email client) to run arbitary code. 2. Exploit vulnerabilities in human nature to run arbitary code, eg. "Your Computer is Running Slowly! Click Here" or "please open the attached love letter from me".
Note that neither of these attack vectors are OS-specific. Indeed, I can think of quite a few things which a piece of malware could happily do in Linux which would be damaging, including:
1. Sit on an IRC channel awaiting further instructions. 2. Grep through a users home directory for any files which look like they contain bank account information and email them to a particular address. 3. Intercept an HTTPS browser session and send information silently home - that wouldn't take more than a few holes in the wrong place in Mozilla Firefox. If those holes are in the plugin interface, then you could have truly cross-platform malware. 4. Silently twiddle numbers in any spreadsheet it finds in the user's home directory. Tell me, how did you fare in the investigation from the tax office? 5. Delete all a users' data.
It was the 30/10/2006 release I was wrestling with. To be perfectly honest with you, after a week of wrestling I was prepared to give up my IT career and grow begonias.
It's nice to know there's been some work on the quality of the product. Do you know if anything's been done to make upgrading from earlier releases more reliable?
Their products are free to the consumer. Subject to one or two provisos.
Disney buys advertising ("Own The Little Hans Christian Andersen Rip-Off on DVD Today!") but they also sell advertising on their own channels. Same goes for Time-Warner, NBC, Fox and more or less any television station the world over.
And when another TV network, either in the US or elsewhere, shows a Disney cartoon or a Fox show, Disney/Fox/Insert Company Here gets paid.
You can be reasonably certain they'll also be selling ads. What, you thought that free 2 hour movie you just downloaded was 2 hours of movie? No way. 100 minutes of movie, 20 of ads. You want the high-resolution version with no ads? (Or, for that matter, the last 10 minutes of that TV show where you find out that the chauffer killed the prince)? Well, that can be yours for just $9.99.
Anyone using Word in any kind of sensitive capacity needs to know how to make sure the changes are all really gone. Training should address this specifically. Other word processors also store deleted text within a document and users of those need to also know how to make sure deleted text is really deleted.
There's a school of thought in software design which says "When lots of users keep on making the same mistake, the problem lies with the software, not the user".
Myself, I'm thinking it makes some sense to be able to nail Word to never keep changes and roll this setting out across an entire network - perhaps through Group Policy or similar. If you need to track changes that badly, store the document in a proper document management system.
No idea how easy this is, though.
Yeah, but it costs money to set up and the only real benefit to MS is to sit there laughing at the cheaters all playing each other. Given the proportion of people running modded XBoxes, I doubt they'd see the money back out of "number of people with modded XBoxes who haven't cancelled their Live subscription because they can still log on".
Ah, bless.
I remember when I was 9 or 10 and the family computer could hold 20 megs. That was nearly unfillable at the time.
I also remember when I was 5 or 6 and the family computer didn't have a hard disk - it had a 5.25" single density floppy drive.
I even remember my late father bringing home a Jupiter Ace, which had (IIRC) 4KB of RAM, loaded programs from an analogue audio cassette and was programmed in FORTH.
Would anyone be surprised if the exchange captured most of those cost savings for themselves?
I would be. They're almost certainly migrating from IBM mainframes, and they're migrating most of the really important bits to AIX on pSeries.
IBM have been managing transitions like this for years. It's some of their bread and butter work with large financial organisations, and the cost of the consultancy to do it will probably pay for itself in a couple of years' with the support contract becoming cheaper.
Maybe they'll do some arithmetic in 128 bits of precision but I doubt the address space will be 128 bits.
2^64 is a big number. In bytes, it's 16 exabytes. Even 2^40 (the useable address space in a current 64-bit CPU), works out at a terabyte.
Nah, the convicts would probably be too good at it. I suspect the main difference between a politician and a convict is the politician is better at covering their tracks.
TBH, I've never paid for Gold support on a laptop because I keep one or two spare for such an occasion. There may well be a separate number for Gold support for desktops/laptops which gets you through to someone who speaks English.
As tegards software tests - if a software fitness test told me the sky was blue I'd look outside. I'm not 100% certain, but I'm pretty sure that it's mathematically impossible for any Turing-complete machine to self-diagnose with perfect reliability.
We didn't even get a report on compliance or otherwise. The contractor was hired to write a security policy which complied with the British Standard - AFAICT, he did so by the simple expedient of copying the standard word for word except for the bit about "there's no such thing as a generic standard".
If you're not going to rely on the remote-controllable aspect you get from cellphones, why bother using a phone at all?
The Provisional IRA proved on a number of occasions that a simple timing device is perfectly adequate.
I'd argue that option 1 is even more impossible than it sounds initially.
.Sometimes they communicate with others in a cell, sometimes those "others" are no more than a small handful of people. If a large number of ostensibly normal Afghan (or Iraqi, or Pakistani, or Syrian) people suddenly disappear off the face of the earth, people will start talking. Congratulations, you've just produced a most efficient terrorist recruiting tool. (Incidentally, despite what others on /. seem to think, we in the UK did trample over quite a few rights in our attempts to solve the Irish problem. See here. Apparently it was the best recruiting tool the IRA had ever had).
A "terrorist" is, most of the time, a normal person with a family, a job, friends.
This leaves option 2. Now, we all talk about "ignoring them" - has any government anywhere ever tried this? I certainly can't think of one. At the very least, anyone who can be tracked down for carrying out bombings is certainly going to find themselves on the wrong end of the law. However, the strong political desire to capture and bring someone to justice has led to grevious miscarriages of justice in an attempt to punish the perpetrators. See the cases of the Birmingham Six and Guildford Four in the UK.
Does the USA have no equivalent of the UK Rehabilitation of Offenders Act?
I'm a bit hazy on the details, but I think it's something along the lines of "after a certain amount of time post-punishment, you're not obliged to reveal a criminal past to an employer, even if they ask". There are other details - it doesn't apply for some types of job, such as national security, and the length of time may vary depending on the crime/punishment. Some crimes you have to reveal for life.
The scientists inferred free will from observing the fruit fly apply for a job in Dell desktop support.
(It was turned down due to being overqualified).
Do not confuse Dell's server support with their desktop support. Servers make Dell money. Desktops make them well-known.
I don't know how it works in other parts of the world, but here in the UK the routine is:
1. Call Dell Technical Support.
2. Give the service tag to the call handler (always sounds like an Indian accent, but ICBW).
3. If the service tag refers to a desktop/laptop, regardless of the level of support, it goes to India and deal with the communication issues that so often seems to entail. Server calls go to Ireland and communication issues are non-existent.
4. The level of support you've paid for now comes into play. Depending on what you've chosen, parts may be drop-shipped within 4 hours and an engineer should arrive to fit them also within that time, or an engineer will arrive next day - or, if you're a cheapskate, you'll have to ship the item back to Dell at your own expense and it'll come back to you when it comes back. Customers with a Gold (24x7) contract can also ask their account manager for the telephone number of the appropriate team which is manned 24 hours a day, rather than the number on the website which cuts over to a recorded message after working hours to say "please call back tomorrow".
And yes, I have made support calls under such contracts with Dell and also with other companies. In my experience, as soon as you're talking about real hardware rather than desktop PCs and you're paying real money for the support, the level of service you get is not bad.
A little example for you:
A few years ago, I used to work for a large UK company. My manager, conscious that information security is something which you have to take seriously these days, commissioned a consultant to come in and write up a security policy which would comply with the British Standard.
The consultant came in for a while, and in due course produced a document which was generally criticised for being extremely vague, but my manager brushed this off. As far as he was concerned, we needed a piece of paper which complied with the British Standard. This was such a piece of paper, so he was happy.
However, seeing as I was tasked with looking over the paper, I asked my manager a question. "This British Standard it complies with. Have you read the standard itself?"
No, he hadn't. He hadn't even looked into the cost of buying a copy of it, thinking it would be "too expensive" (yet he was prepared to pay a consultant to come in and write the policy - go figure). So I went to a library and had a look at a copy of the British Standard.
I'm paraphrasing here because this was a few years ago. But, broadly speaking, it said: Every company has different needs and different systems. Therefore, it's not possible to write a generic standard. However, this standard lists the sort of things that a company writing a security policy should consider (emphasis mine).
This was followed by several pages of very vague descriptions of the sorts of things which should be included - things like segregated access, password expiration and re-use policies and all sorts of other stuff besides - which, by an amazing and spooky coincidence, were practically identical to the policy which we'd paid the consultant for. If I didn't know any better, I'd say the consultant retyped the British Standard almost verbatim, leaving out the bit about how "it's not possible to write a generic standard".
TBH I didn't read it that closely. But the AC I was replying to clearly has even poorer comprehension skills.
The point is, Sarah didn't know him from Adam yet with no evidence or sign off or anything, reset his password.
He could just as easily have called up, claimed to have "just got back from holiday and forgotten my login details" and given Sarah his boss' name. 30 seconds later, he's got his boss' user ID and the password reset on the boss' account.
I'd like at least a clue of how such a gigantic "oops" could have happened. Is there a similarity with their e-mail address and someone else's? Perhaps a disgruntled GOP member didn't so much misaddress the e-mails?
Agreed. A handful of emails may occasionally get sent to the wrong person, perhaps because you've got two people with similar names in your address book.
500, however, getting "misaddressed" and winding up at an attorney's office - an attorney who was involved in the case because one of those emails basically said "sack him" is far too much of a coincidence for my liking.
A songbook publisher doesn't like the idea of guitar tabs made available free.
No kidding.
In related news, Turkeys are said to be very concerned about the celebration of Christmas and US-based turkeys have expressed concern over thanksgiving.
Furthermore, the Pope shits in the woods and bears are generally catholic.
Don't know if a corporate can sue for defamation, which is broadly what you're describing.
What I am sure of (though IANAL) is even if they can, they'd have to prove that they'd somehow suffered as a direct result of this defamation.
The only way I can see this happening is if IBM can dig out a few PHBs who said "We were just about to pay IBM for a lot of Linux consultation when we heard about this, and we decided to use Windows instead". I imagine by the time you're in a position to hire IBM, you're not likely to be too concerned that you or they might be sued for patent infringement as a direct result of the work IBM does for you.
Bank servers are likely to be reasonably secure, audited and should anything untoward be detected, the authorites will be alerted so quickly that you wouldn't even get time to hit Ctrl-C. Furthermore, it's pretty unusual to read your email or browse the web from the host running the Internet banking application.
Ditto military. You'd have to be either pretty sure of yourself or pretty stupid to attack them.
Not so a typical Windows PC. Now granted, your software may only get onto one PC in ten thousand, and out of all of those there may only be juicy information on one in a thousand. But if there's one thing that the internet is absolutely great at, it's getting a piece of information - or indeed code - to a lot of systems very quickly - so scalability problems like that soon vanish. One PC in ten million worldwide is easily enough to ensure a regular influx of tidbits worth investigating.
All of what you say is correct. However, IMO you've missed the most important thing:
Attack Vectors
The great majority of malware on Windows today has one of two attack vectors:
1. Exploit vulnerabilities in the userspace client software (eg. browser or email client) to run arbitary code.
2. Exploit vulnerabilities in human nature to run arbitary code, eg. "Your Computer is Running Slowly! Click Here" or "please open the attached love letter from me".
Note that neither of these attack vectors are OS-specific. Indeed, I can think of quite a few things which a piece of malware could happily do in Linux which would be damaging, including:
1. Sit on an IRC channel awaiting further instructions.
2. Grep through a users home directory for any files which look like they contain bank account information and email them to a particular address.
3. Intercept an HTTPS browser session and send information silently home - that wouldn't take more than a few holes in the wrong place in Mozilla Firefox. If those holes are in the plugin interface, then you could have truly cross-platform malware.
4. Silently twiddle numbers in any spreadsheet it finds in the user's home directory. Tell me, how did you fare in the investigation from the tax office?
5. Delete all a users' data.
it's that he *sells* more due to volume than you, on a factor of around 10,000 to 1 in operating systems alone.
Really? Bill Gates sells 10,000 copies of an OS for every one I sell?
Can I have 1/10000th of the revenues made by Windows please?
Hello Richie,
It was the 30/10/2006 release I was wrestling with. To be perfectly honest with you, after a week of wrestling I was prepared to give up my IT career and grow begonias.
It's nice to know there's been some work on the quality of the product. Do you know if anything's been done to make upgrading from earlier releases more reliable?
Their products are free to the consumer. Subject to one or two provisos.
Disney buys advertising ("Own The Little Hans Christian Andersen Rip-Off on DVD Today!") but they also sell advertising on their own channels. Same goes for Time-Warner, NBC, Fox and more or less any television station the world over.
And when another TV network, either in the US or elsewhere, shows a Disney cartoon or a Fox show, Disney/Fox/Insert Company Here gets paid.
You can be reasonably certain they'll also be selling ads. What, you thought that free 2 hour movie you just downloaded was 2 hours of movie? No way. 100 minutes of movie, 20 of ads. You want the high-resolution version with no ads? (Or, for that matter, the last 10 minutes of that TV show where you find out that the chauffer killed the prince)? Well, that can be yours for just $9.99.
Tech company sue it's own customers?
= 8452800
Well, it wouldn't be the first time:
http://yro.slashdot.org/comments.pl?sid=99137&cid