Slashdot Mirror


User: jimicus

jimicus's activity in the archive.

Stories: 0
Comments: 7,388

Comments · 7,388

  1. What sort of company is everyone working for on Why IT Needs To Change for Gen Z · Score: 1

    I swear 30% of the responses I see talk about CEOs as borderline-psychopathic bullies who won't ever take no for an answer - and anyone who even tries to refuse a demand is escorted out the door before they've even finished saying the word "no".

    Thing is, I don't believe I've ever known such a person to run a company. I've worked under at least one such little Hitler (who was a middle manager), but IME those at the top know full well that they don't know everything, that delegation means you have to trust your staff to make sensible decisions and sometimes stop you from doing something silly.

  2. Re:Why Gen Z Needs To Change for Work on Why IT Needs To Change for Gen Z · Score: 1

    Sounds like the GP works in healthcare - IIRC it's a legal requirement in US healthcare that you operate end-to-end security. Which means not only can he say "no" to a director, his employer's in more trouble than he is if the issue is pushed.

  3. Re:Not where I work... on Why IT Needs To Change for Gen Z · Score: 1

    You're wasting your time, even on /.

    I would argue that the old adage "there are two types of people in this world - those who take backup seriously and those who've never lost data" could be extended to say "there are two types of people in this world - those who take IT security seriously and those who have never had to deal with the aftermath of a security breach".

  4. Re:Not where I work... on Why IT Needs To Change for Gen Z · Score: 1

    Right. Okay. Because malware only ever affects people over the age of 25, everyone under that age has perfectly updated systems, malware protection that works a treat and more sense than to click a Facebook link saying "See Osama Being Shot Here!!11oneone".

  5. Re:Not where I work... on Why IT Needs To Change for Gen Z · Score: 1

    At least there's a good chance a rooted box WILL be reimaged.

  6. Re:Going out on a limb here... on Ask Slashdot: What To Do When the Rapture Comes? · Score: 1

    Given the societal upheaval going around at the time, you did not need to be the son of God to predict the destruction of the temple.

  7. Re:England on Twitter Sued By British Soccer Player · Score: 3, Informative

    It's vanishingly unlikely a monarch would refuse to give royal assent. The last time it happened was 1707.

  8. Re:The Game of Catchup on New Malware Simulates Hard Drive Failure · Score: 3, Insightful

    The problem you describe isn't exclusive to the Linux kernel by any means. I have seen more-or-less the same sequence appear in all sorts of places - OpenLDAP's done it with multimaster replication (and still is doing it with server-side sorts), FreeBSD has done it with journalled filesystems, The Gimp is doing it with CMYK support and I don't doubt there are other pieces of software doing the same thing.

    The sequence of events generally goes something like this:

    1. A specific F/OSS product is missing a particular feature. It may or may not be particularly important, but it's missing for whatever reason.
    2. That feature starts to appear in other software. Maybe commercial software, maybe other free software. In any case, it starts to appear. The person(s) behind the product being discussed don't think it's particularly important and make the conscious decision to ignore it.
    3. It becomes apparent that the feature in question is actually quite useful. But it still doesn't get implemented because that would mean the person who made the original decision not to would have to admit they were wrong - something that many people find very difficult. Anyone questioning this is told "submit a patch" - but it's far more likely they'll just use something else, something that does meet their needs.
    4. It becomes apparent that the feature in question is not useful, it's essential. Still it doesn't get implemented - if anything, the person who decided not to implement it will become ever more vocal in their criticism of the feature. I have actually seen people put together stonking great essays on how the feature is unnecessary - maybe even harmful - to back up this view. It's far too late, of course - by this time it's crystal clear to any impartial observer that the original decision was poor, and anyone still defending it is deluded.
    5. A patch to implement the feature is accepted and the feature is announced with much fanfare at the next major release. No mention of the previous view is made.

    (WTF slashdot? No ordered lists?)

  9. Re:The Game of Catchup on New Malware Simulates Hard Drive Failure · Score: 1

    Solution to 1 and 2: Statically-linked binaries.

    In fact, I'm pretty sure it's a solution to 3 as well. Does the ELF format even include a specification for signed binaries?

    You've touched on something that will help with 4. Mounting /home with noexec is the final piece of the puzzle.

  10. Re:The Game of Catchup on New Malware Simulates Hard Drive Failure · Score: 2

    Windows actually has most of the features necessary to make it a lot more secure. The problem is that very few people use them (hell, many people don't even know they exist) because of the inconvenience such features would incur. To make life easier, Microsoft even released a tool for XP and Vista called SteadyState.

    Windows 7 has most of the same features baked in but I reckon it's a step back because SteadyState provided a nice, unified, idiot-proof GUI for setting the system up in this fashion that didn't require you to step through several hundred irrelevant options. That aspect of SteadyState hasn't been baked into Windows 7.

    I don't think Linux is the solution it's sometimes painted as for a number of reasons:

    1. Many pieces of malware don't depend on OS behaviour to spread, they depend on human behaviour. Which you can't patch by upgrading the OS their PC runs.
    2. As Linux distributions mature, they're appealing to people who don't understand (and don't wish to understand) any of the underlying technology. Case in point: the number of people in any Linux discussion who say "I don't like SuSE because it didn't set up (whatever), but Ubuntu did". Even though the (whatever) in question invariably has more to do with underlying tools common to any Linux distribution, and it's just that Ubuntu ships with a configuration that suits the user better. It would have been considerably less upheaval to learn how to configure the underlying tool than to wipe and rebuild, but that would require learning beyond what the GUI provides.

    It's only a matter of time before someone puts together a Linux distribution that uses something like an SQLite database to store configuration and includes an application that automagically generates appropriate config files at boot - and therefore such config files must be treated as read-only because they'll be wiped at boot. I already know of one embedded product that does almost exactly this.

  11. Re:Heavy users? on Verizon Customers: Say So Long To Unlimited Data · Score: 1

    No problem, they'll block IPSec unless you're on a more expensive business contract.

  12. Re:OSX on AppleCare Reps Told To Skirt Malware Questions · Score: 1

    The post you're replying to is using 8 year old experiences as a reference.

    Back then, many ISPs didn't give you a router, they gave you a USB modem. Your PC connected, got a public IP address, and your ISP's own support desk told you not to use a firewall of any description because they wouldn't support it. Windows XP didn't get its own built-in firewall until Service Pack 2, released in 2004 - by then it was sorely needed. There were so many portscanners and Microsoft took such a laissez-faire approach to security that the average time between plugging a Windows PC into the public Internet without a firewall and finding it utterly pwned was about 15-20 minutes - and you didn't even need to bring up a web browser.

  13. Re:OSX on AppleCare Reps Told To Skirt Malware Questions · Score: 1

    More to the point - the Apple malware right now is still social-engineering based. It requires you to actively give it your admin password so it can install.

    Linux on the server isn't particularly vulnerable to this because nobody in their right mind is surfing the web from their webserver.

  14. Re:Heavy users? on Verizon Customers: Say So Long To Unlimited Data · Score: 1

    Hate to break it to you, but worldwide a LOT of mobile operators - who have historically operated a simple billing system of "customer uses more, we charge them more" - have spotted that bandwidth has a habit of getting cheaper, noted that 4G essentially eliminates dedicated voice traffic altogether (it's all VoIP) and are more than a little concerned.

    There are two obvious solutions to this:

    1. Keep the bandwidth cheap and make up the difference in numbers by encouraging more people to use the network more.

    Paradoxically, this is quite expensive. Many operators already find that their network is bursting at the seams, and a significant capacity upgrade is financially out of the question.

    2. Find some way of fiddling with the traffic so you can advertise cheap bandwidth but at the same time massage its usage so as to keep the money coming in.

    I'm talking about things like blocking any sort of voice traffic except that which goes through their own network that they can charge you separately for - and using DPI to ensure Skype can't get around this. You'd be amazed how poor things like SSL are at defeating this. If push comes to shove, the carrier will simply block any traffic that consists of a constant two-way stream of small packets going over a single connection - typical for voice, unusual for, say, HTTPS.

  15. Re:If my clients are any indication few will notic on Google Is Serious, Chrome 13 Hides URL Bar · Score: 1

    You're probably underestimating the number ;)

    Looking at Google Insights, the top 10 searches in the UK for the last 30 days are:

    1. facebook
    2. youtube
    3. bbc
    4. hotmail
    5. you
    6. google (WTF?!)
    7. ebay
    8. mail
    9. yahoo
    10. weather

  16. Re:Thinner devices? on Apple Proposes Smaller SIM Card Design · Score: 1

    There is also an element of security in the design. If someone steals my handset, they can't switch to another SIM without going through my PIN to start the phone.

    The PIN's associated with the SIM card, not the phone. Most phones do allow you to set a phone-specific PIN but AFAIK most people don't bother.

  17. Re:Really? on Windows 8 ARM Will Not Support Legacy Software · Score: 1

    Acorn had a PC Emulator in - ooh, 1987? 1988? which ran DOS quite happily (albeit rather slowly ;) on an 8MHz ARM2.

    Probably not terribly relevant these days as I would be astonished if any modern version of Windows even runs on something without some sort of FPU, but there you go.

  18. Re:Inflammatory summary, anyone? on Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M · Score: 1

    Exactly. IIRC his counter-argument was "Nobody I could hand passwords over to is competent to manage the systems, and because it's public sector there are actual laws complete with prison sentences associated with giving access to someone incompetent".

    I don't buy that for a minute. Those laws are there to stop staff doing something stupid, not to allow rogue staff to hold the government to ransom. If it's that big a deal, I can think of a few simple ways around that issue straight off the top of my head - hand over details in a sealed envelope to be passed to someone competent in exchange for a letter confirming that no further action will be taken? - which would probably have made the whole lot go away in the space of a few hours. Instead, he refused to hand over the information to anyone under any circumstances.

    That is not the behaviour of a competent IT professional. It's the behaviour of a five year old in the body of an adult.

  19. Inflammatory summary, anyone? on Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M · Score: 2, Insightful

    From TFS:

    "it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"

    Come on, we shouldn't be defending this guy otherwise we're no better than the corrupt politicians that occasionally crop up on /. stories.

    We all know he was in charge of much of the city's network infrastructure and that ultimately the city dealt with him and his role rather badly - that's not particularly unusual in the public sector anywhere in the world. What's important is how he reacted to it. From what I've heard, his reaction was to say "Fine, if that's going to be your attitude I'll take the passwords to my network and go home!" like a petulant child. But it wasn't his network to take - and I don't believe the arguments that to hand over access to someone unqualified would have put him in greater trouble than refusal to. Faced with an enemy with so much more resources, the sensible thing to do would be to negotiate a way out of any possible repercussions instead of throwing a tantrum.

  20. Re:Federal hypocrisy on Google Expected to Settle Over Drug Ads, to the Tune of $500M · Score: 1

    I don't see it'd make much difference. The reason is that tax law tends to be quite complicated, and there is no law against moving your assets and debts around in such a way as to minimise your tax liability. As such, these tax dodges tend to be perfectly legal. The only grey areas are where it depends on a specific interpretation of the law where there isn't existing case law, and in such cases it's not at all unknown for the company to go to court to claim that their interpretation is correct and get clarification.

    I'm given to understand that a European country (may have been Denmark but ICBW) completely overhauled their entire tax system, and just put a flat tax rate on everything - a rate that was more in line with their lower rates than their higher.

    Tax coming in actually went up - with fewer nuances, there were fewer places to hide money from the tax authorities.

  21. Re:Federal hypocrisy on Google Expected to Settle Over Drug Ads, to the Tune of $500M · Score: 1

    A spot of creative accounting can easily deal with that. I wonder how many companies - on paper at least - already make practically zero profit for tax reasons?

  22. Re:Meanwhile in line... on Baby's First TSA Patdown · Score: 2

    I've already commented so I can't mod you. Which is a shame because I think you're absolutely right. Put simply, terrorism is not that big a threat - and even when it is, the single worst thing you can do is declare "war" on the terrorists. It doesn't work because as a rule, armies aren't really trained to deal with guerilla warfare. Police are better because they're generally locals who know the area and know who's likely to be a troublemaker - but you don't often find effective police forces in countries where you've just gone and destroyed the entire government machinery.

  23. Re:2 questions for the TSA on Baby's First TSA Patdown · Score: 1

    That's one measurement, but the other one that the OP refers to is: How many of the following incidents have occurred?

    1. Passenger stopped, arrested, charged and convicted of terrorism-related acts.
    2. Bombs prevented from being allowed on board.

    It'd be absolute political gold to be able to say "I supported the acts that led to the TSA, since then it's been directly responsible for all of these things!".

    But that hasn't happened. Instead, the best they can do is point to an impossible to quantify deterrent effect and claim everything else is classified.

    Lest we forget, hijackings are (and always have been, even prior to 9/11) extremely rare and almost invariably unsuccessful. The usual result has always been for the hijackers to wind up face down on the tarmac with a couple of bullets in the back of their head. It's really not a long-term career plan.

  24. Re:Federal hypocrisy on Google Expected to Settle Over Drug Ads, to the Tune of $500M · Score: 1

    There is actually some logic to this. A company is more than just the big guns at the top, and bankrupting it would put a lot of people out of work - including people who had nothing to do with the fraud.

    It'd make far more sense to levy a stonking great fine against the company and allow prosecutors to lift the corporate veil in sufficiently large cases to hold directors personally liable.

  25. Re:reducing the BSA would generate the most jobs on BSA 2010 Piracy Report: $58.8 Billion · Score: 1

    Many businesses have a fairly similar view - there's a damn good reason that businesses don't go around suing their business customers all the time. By the time you get to that point, any relationship that might have existed between two businesses is more-or-less dead.

    The reason the BSA is strong is that a number of pieces of software have become effective monopolies in their niche. Office and Photoshop are the obvious examples, but I'm sure there are many others. They can get away with suing customers quite easily because the customer feels they're stuck - much as they'd love to say "Fine. Here's your settlement, but we're never using any of your products again", they can't. Even today, it's a rare business owner that will follow Ernie Ball's example (which has been trotted out on /. more times than I care to remember) and refuse to run anything which Microsoft have touched, regardless of how much work that will involve.

    The easiest way to gut the BSA would be for there to be some real competition in the market. They'd be a lot more hesitant about threatening legal proceedings against companies that have paid for some but not all of their software if the general feeling amongst businesses were "If (Microsoft|Adobe|Software Vendor) want to take that attitude, fine, but they won't keep us as customers".