Slashdot Mirror


User: riffer

riffer's activity in the archive.

Stories: 0 · Comments: 77

Comments · 77

  1. Re:Duh on The Hidden Treasures of Sysinternals · · Score: 1

    It's a big deal because it's fundamentally insane to write 200KB of code to do an EULA. Especially for the COMMAND-LINE ONLY tools. It defies all sense of rationality and common sense. A cavalier attitude of "oh it's no big deal to make programs bigger nowadays" is the reason why Windows 7 is a fucking resource pig compared to Linux. And frankly, Linux is a pig when you look at heavily optimized, lightweight OSes like QNX. Er... sorry... rant mode off.

  2. Re:Duh on The Hidden Treasures of Sysinternals · · Score: 1

    I wouldn't be surprised if there's hundreds more.... Only reason I don't post the mirror is because a) I don't want to be sued by MS and b) I respect Mark's choice. He certainly deserves big compensation for the amazing work he's done with SysInternals.

  3. Re:Duh on The Hidden Treasures of Sysinternals · · Score: 2

    Yeah, me too. I was horrified. In fact, as soon as I read that Mark was going to the dark side, I did a full rip of the entire SysInternals website, just to make sure I'd have an untainted copy of all his wonderful, useful Windows tools. I was very glad I did that when I saw Microsoft freaking triple the size of some of the binaries...

  4. Re:Summary not quite right... on US Postal Service Moves To GNU/Linux · · Score: 1
    HP has an exclusive hardware contract with USPS for Intel-based servers, workstations and such. And for monitors. So all the Wintel servers are HP.
    Still outnumbered by huge farms of Solaris servers.
    As for IFL, here's IBM's description of it.

    And yeah, the GCN article sucks ass, but then journalists are pretty much computer illiterate and it doesn't help that they talk to managers and not the actual engineers.

  5. Article is inaccurate on US Postal Service Moves To GNU/Linux · · Score: 1

    The GCN article this is based on has many significant factual errors. HP is not really involved. The migration is to IBM's zLinux, which is SuSE Linux running on the z/OS platform, as virtual servers. Hewlett-Packard has nothing to do with it other than managing hardware. It certainly isn't "HP Linux". The number of servers quoted is not how many are used for tracking. More like the total number being migrated. Sadly, the part about the COBOL stuff is true, though only chunks of the app were written in COBOL (i.e. those that ran on the mainframes). Mostly it's the stuff that relates to finances, not surprisingly.

  6. Re:Things haveto be done different... on FBI Raids Security Researcher's Home · · Score: 1
    How completely trite and naive. People who intend to break the law should absolutely be afraid of their government.

    Strictly speaking, governments do not enforce the law. That's the job of law enforcement agencies.

    I feel you are being far more naive than I. You are giving carte blanche to a government to pass any laws it wants, because people should be too afraid to break them. There are real world examples of such governments. Iraq under Saddam Hussein was just one of them.[1]

    Even you neolibertarians believe that the gov't should have police, and enforce some laws.

    "some" being the critical word in your statement. The mere fact that a law exists does not make it just or good. Recent American history is rife with such examples.

    What the hell is the point of punishing law breakers if not to deter other potential law breakers?

    Sometimes punishing law breakers is about generating revenue. Sometimes the punishment (incarceration, execution) is more about removing a dangerous threat from society than about deterrence. Some even still feel that it's about rehabilitating the criminals.

    And what is deterrence if not the fear of being the object of government power?

    You suggest a world where the population lives in abject terror of the government and the law.

    In reality, most people do not break the law for reasons beyond that of fear of government action. Morals. Ethics. A sense of self-worth. Empathy for others.

    Ever since 9/11/01, the US Federal government has been passing laws and breaking laws in the name of increased security. Yet many of these actions have not increased security. Some of them have made it worse. Mr. Soghoian did something mildly irresponsible, perhaps criminal but hardly worthy of an FBI raid on his house and confiscation of his equipment.

    Please, rather than being a smug pigeon-holer of people's political orientation, consider the possibility that our government has gone too far.

    [1] And that's all I'll say about the Iraq war in this thread.

  7. Re:Things haveto be done different... on FBI Raids Security Researcher's Home · · Score: 1
    Go look up the meaning of the word "Martyr". Go on. We'll all sit here and wait for you.

    Remember, people should not be afraid of their governments.

  8. My response to Rep. Markey on FBI Raids Security Researcher's Home · · Score: 2, Interesting
    My letter to Congressman Markey can be seen here: http://www.gather.com/viewArticle.jsp?articleId=281474976826167

    I encourage all other security professionals to do the same.

  9. Very much a subjective view on Consumer Electronics Causing 'Death of Childhood'? · · Score: 1
    First off, the article is about a letter written by "children's experts". There's no research quoted or any specific, scientific basis given for the opinions expressed in the letter. This doesn't mean there's no truth to what they said, but it's more likely to be hysteria than fact.

    I'm a father of a 3.5 year old girl who does occasionally get to watch TV or even play video games. But the majority of play time for her is to be used playing with toys, indoors or outdoors. Almost all her toys are traditional sort with no batteries or electronics (about 4 battery-powered toys that I can think of). She gets read to regularly and is now "reading" on her own (more like making up stories as she looks at the books). We encourage that sort of play heartily.

    I feel many parents take the easy way out and do allow their kids to spend a lot of time watching TV or playing video games. Often my daughter wants me to play with her and will not always be in the mood to play on her own. She's not old enough to play outside without a ward, and the neighbor children aren't always available for playing. So sometimes she does get to watch some TV while I work on our bills or do some other mundane task requiring my full attention. However, even then she's restricted to specific shows (Tivo KidZone) such as Sesame Street or The Wiggles. For parents who don't have the time or patience to spend a lot of time with their kids and seek out alternative play options, the TV is a guaranteed way to distract a child.

    Frankly, I don't think it's so much that kids can be developmentally damaged by spending too much time watching TV and playing video games. It's that their parents don't pay them enough attention, or simply don't interact with them enough.

  10. RoadRunner in Raleigh seems to block it on Cameroon Typo-Squats all of .com · · Score: 1
    Hmmm, if I do queries against bogus hosts under .cm against the TWC RoadRunner servers for NC, I get no record responses.

    Which is good. Implies that they have implemented appropriate delegation filters for the .cm zone.

    or they've got a really broken DNS server set...

  11. There's never a guarantee, but you can try on Nine Ways to Stop Industrial Espionage · · Score: 3, Interesting
    After reading the article and the comments here, I have to say I'm surprised at how many folks here are quick to dismiss the idea of technological solutions and procedures to protect against internal threats. Lots of you seem to feel the best (or even only) option is to just:
    • Hire people you trust
    • Compensate them well
    • Don't do anything to hurt morale

    Honestly, while those are good pieces of advice, the naivety of so many Slashdotters surprises and depresses me. In very small companies, that may be all you need. And for businesses that don't have big revenue numbers or deal with innovation, espionage isn't much of an issue. I don't think a plumbing company needs to worry about espionage.

    But banks, credit card companies, investment firms and brokerages, they do. As do many of the companies doing R&D in drugs, electronics, software, etc. When millions of dollars are at stake on pieces of information that can be copied to a USB flashdrive the size of a quarter, a smart businessman will not assume everyone can be trusted.

    As IT professionals as well as hobbyists, we are used to having lots of access and power. It's what makes our jobs easier, more enjoyable and exciting. By nature we tend to be lazy and impatient, not wanting to do something in 4 steps when it can be done in 2 or 3 steps. We like to find ways to automate processes of all sorts. And we often are overworked and underappreciated.

    Which means the IT profession is a good breeding ground for corruption. Roger Duronio felt like he wasn't being fairly compensated. Even when he got a year-end bonus of THIRTY-EIGHT THOUSAND dollars on top of his $100,000+ per year salary, he felt cheated. He wanted the full $50,000 bonus he could have received. So he gutted the company's servers, costing the entire business millions of dollars. He also tried to profit on this action, betting stocks would fall quickly enough for him to short sell at a profit (he failed there). Eventually he was caught, tried and found guilty. He really screwed up good, because he ended up not getting anything that he wanted, destroyed his career forever, betrayed both his family and co-workers, and hurt the image of Systems Administrators everywhere.

    Roger Duronio is not the first IT professional to have done something like this. His actions were amazingly successful compared to many others, and the company was very much willing to publicly bring the case to trial. But you can do searches on FBI cases for all sorts of similar situations.

    Trust is really just saying you have faith in someone. No technology, procedures or policies can precisely mirror the ephemeral nature of that faith. Which is why you don't rely on one or two or three methods to protect yourself and your business. You rely on hundreds of different methods and protections. It's called security in layers, and is such an essential concept of security that people always forget about it.

    The article focuses a great deal on encryption, which is most definitely a good idea for all sensitive data in an organization. But that won't help you if you can't trust the keyholder. So what do you do? Well first off, you don't encrypt everything with one key. You use lots of different keys for different data, and lots of different keyholders. You break keys apart so a person only holds part of a key and two people need to work together in order to decrypt data. Or you use an external, third-party entity to escrow the keys. Better yet, you do all of those things, and more.

    • Make sure you do background checks on your employees
    • Make sure employees are fairly compensated. Everyone feels like they are entitled to more, and its a dangerous line from "I'm not fairly compensated, I deserve more" to "If you don't give me what I want, bad things can happen".
    • Cross-train employees so no one person is the only one who can do a particular task.
    • Along with cross-training, rotate employee duties
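
    The "break keys apart" idea above, taken one step further than the two-person case the comment describes: a k-of-n threshold split (Shamir's secret sharing), where any k custodians can rebuild a data-encryption key and fewer than k learn nothing about it. This is an added example, not code from the comment or from the article it discusses; the field prime, the share layout and the three-custodian scenario in demo() are my own choices.

```python
import secrets

# 2**521 - 1 is a Mersenne prime, so arithmetic modulo it forms a field and
# any key up to 65 bytes fits in a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, threshold, share_count):
    """Split key bytes into share_count (x, y) points; any threshold of them rebuild it.

    coeffs[0] is the secret, the remaining threshold-1 coefficients are random,
    so the degree threshold-1 polynomial is pinned down only once threshold
    distinct points are known.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_key(shares, key_len):
    """Lagrange-interpolate the polynomial at x=0 from the supplied shares.

    With fewer than threshold shares this still returns *a* value, but it is a
    random field element unrelated to the key; that is the point of the scheme.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # A correct recovery fits in key_len bytes; a bogus one usually does not,
    # so size the output to whichever is larger rather than truncating.
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


def demo():
    """Constructed scenario: a 32-byte data-encryption key held by three
    custodians as a 2-of-3 split.  Returns (key, two_of_three, one_alone)."""
    key = secrets.token_bytes(32)
    shares = split_key(key, threshold=2, share_count=3)
    two_of_three = recover_key([shares[0], shares[2]], 32)
    one_alone = recover_key([shares[1]], 32)
    return key, two_of_three, one_alone


if __name__ == "__main__":
    key, two, one = demo()
    print("two custodians recover key:", two == key)
    print("one custodian recovers key:", one == key)
```

    The shares themselves still have to be protected (each custodian's share is a secret), and the reconstruction should happen inside an HSM or a sealed process rather than on a workstation, otherwise the reassembled key is exactly the single point of trust the split was meant to remove.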
  12. Re:Narrowminded author on Nine Ways to Stop Industrial Espionage · · Score: 2, Informative
    My wife worked for Nationwide for many years, doing some word processing initially and then application processing.
    She, along with all the other employees in her teams, had no Internet access. In fact, all messaging was done internally with some sort of horrid AS/400-based application.
    After a few years, employees were granted the ability to send and receive Internet e-mail. But only because it became impossible for them to do their jobs. However, they still did not have access to browse the net in any way.

    Of course managers did have such access as did agents and others who'd need to use it. But for the low-level paper-pushers, it really wasn't necessary, and it's a smart move on Nationwide's part to prevent it.

    Of course their employee morale sucks and my wife left because of the general mis-treatment of employees, so it can backfire on you. Like any policy.

    I don't think the author was narrowminded because they were focusing on espionage, so the primary concern was protecting the data from abuse by IT professionals, not just general security practices. I'll agree he should have mentioned something about role-based access controls, though.

  13. Re:Your staff are the jewels... and slag as well on Nine Ways to Stop Industrial Espionage · · Score: 1
    I have to disagree with whoever modded this as "Insightful", as it's a fairly one-sided view and doesn't provide any sort of remarkable insight.

    A company is worthless without good employees. Employees who know how to do their job, show up to work regularly, don't cause stupid office political brouhahas and basically get the job done. There's lots of people like that. But there's also lots of shiftless, lazy folks who'd rather spend all day surfing Slashdot (er... present company excepted, of course! :) ), downloading pr0n or otherwise not doing their job.

    And of course there are those who feel they are entitled to more (whether they are or not), and resort to extreme measures to get what they want. Sometimes they get caught.

    So this is a very real, true concern and hardly the result of paranoid executives. If anything, executives in most companies are way too complacent about the trustworthiness of their employees.

    P.S.
    I'm speaking here as both an IT professional and a CISSP.

  14. Holy shit on Children Arrested, DNA Tested for Playing in a Tree? · · Score: 1
    I used to think UK police were pussies, but not anymore!

    Now I know they are deadly serious and won't tolerate the slightest infraction of the law, on pain of being made to cry for my mommy.

    No wait. They are pussies. This just proves it. Comes from not being allowed to use guns, I guess...

    (And yeah, I'm pretty sure someone from the UK will mod this down as flamebait or troll. Wah wah, like I care).

  15. Who couldn't see that freight train coming? on AOL Planning Move to Ad-Supported Model · · Score: 1
    Apparently not Time-Warner... When AOL and Time-Warner merged I was appalled that Time-Warner considered it a good long-term move. Even then, AOL was pretty much peaking in terms of membership. In just a few years it started to decline and the decline has accelerated. More folks moving to high-speed Internet, more "last mile" connects coming on-line, increased advertising and spamming from AOL itself, and of course the significant decline in original/useful content on AOL.

    Unfortunately, I think this is going to be a long, slow-motion train wreck. Over the next four years or more we'll see the subscribership decline, revenue go down and cutbacks in staff. At some point, Time-Warner will attempt to shed itself of the dried husk of AOL, but who knows if they will succeed.

    I pretty much guarantee that at some point, AOL will do something really strange and/or stupid in an attempt to re-invent itself. Options include, but are not limited to:

    1. Try and convert to an Information Security company
    2. Transform into some sort of home-shopping network
    3. Move into the business of manufacturing cheap home electronics
    4. Sell insurance
    All I can say really is... HAH HAH!
  16. Additional pics, and this was done in 2004 on Writing on Standing Water · · Score: 2, Interesting
    Here's a link to a PDF document from Akiken's website that gives some more details about the project. Unfortunately I can't read Japanese, so maybe some kind soul can provide a translation? However, the PDF does have some additional pics, taken in sequence. I'm not sure but it seems like the oscillation effect takes a few moments to build (the 15 to 30 seconds I'm guessing) and then momentarily generates the character.

    The nature of water being fluid means it would be unlikely the character would remain for long, unless the agitation level was very high. Which may well be the case... Water can seem pretty solid if it's under enough pressure and/or moving fast enough. Also, based on the PDF and the Akiken website, looks like this was something they developed in 2004. But presumably it wasn't published at the time...

  17. Could work, certainly has been predicted before... on Illumio to Launch Social Network Advice Software · · Score: 1
    Sounds sort of like the process described in Kevin O'Donnell Jr.'s novel "Ora:Cle". Written twenty years ago, yet features a global internet as a prominent part of the storyline. Here's a review.

    I think this sort of idea has been around a long time in one form or another. Theodore Sturgeon was fond of writing about gestalt humanity ("The Cosmic Rape" aka "To Marry Medusa", "More Than Human", various other short stories). In his books the mechanism for gestalt was generally psychic or otherwise ethereal. But the drive is the same-- the ability for an individual to tap into the knowledge of a larger group, quickly and easily.

    As for tainting of the knowledge, that's also been around a long time. Go to any library and you'll find the bookshelves lined with highly slanted material on any topic you choose. Even dictionaries and encyclopedias are not immune to such. My favorite dictionary was an old 1950's edition that gave the following definition for the word space: "Man will never venture into space". Kinda wish I'd held onto that book for amusement value...

  18. Re:SSH on Critical Flaw Found in VNC 4.1 · · Score: 2, Informative
    You are confusing interactive SSH logins with VNC logins. Your message is, sadly, not informative and in fact misleading.

    Tunneling a protocol over SSH does not eliminate the need to authenticate on that protocol! The very nature of tunneling means whatever protocol is carried down the tunnel is unmodified.

    Tunneling VNC over SSH simply means you establish a secure shell connection and do port forwarding between your target host and your client. Your client forwards connections to the localhost on a specified port (say, 5900) through the SSH connection to the remote host. So the traffic is encrypted the entire way, but unencrypted once it hits the remote host.

    So here's a simple outline of the steps to do:

    • Let's say you are using a host named "Guido" and you want to securely VNC into a host named "Barbarella"
    • Establish an SSH connection to Barbarella from Guido, enabling port forwarding.
      Let's say you decide to forward connections to 3145 on localhost (Guido, in this case since he's the system you are connecting from) to port 5900 on Barbarella (our target).
    • Bring up your favorite VNC client software on Guido and connect it to "127.0.0.1:3145"
    • The local SSH client is listening on port 3145 on the localhost (Guido) and detects the connection attempt.
    • Local SSH client on Guido forwards all the data it's getting from the 127.0.0.1:3145 connection down the encrypted connection on port 22 to the SSH server on Barbarella. This data is identified differently than standard SSH traffic (i.e. interactive keyboard traffic)
    • SSH server on Barbarella takes the forwarded traffic from Guido and sends it to port 5900 on 127.0.0.1 (in this case, Barbarella)
    • The VNC server on Barbarella detects an incoming connection and responds accordingly
    • The SSH server on Barbarella takes the response(s) from the VNC server and forwards them back down the encrypted pipe to the client (Guido)
    • The SSH client on Guido takes the forwarded VNC traffic from Barbarella and sends it to the local VNC client
    • Lather, rinse, repeat.
    • Profit!

    This same procedure is used for any kind of protocol you want to forward over SSH. Note that this is NOT the same thing as the secure versions of some protocols that have been released (i.e. IMAPS, POPS and so-on). Those are modified versions of established protocols where encryption is written both into the protocol standard and the actual software. Most VNC servers do not have built-in encryption.

    Note also that some VNC server solutions (such as UltraVNC) do support encryption from the client to server. UltraVNC does it with a plugin architecture, though it's not exactly perfect.

    Other important things to note, and to clear-up the rampant confusion in this thread:

    • VNC authentication is not plain text. However, the encryption used is fairly weak. It can be decrypted with little effort if the authentication between a VNC server and client is sniffed. Thus, tunneling the VNC connection over SSH defeats that method. However, the password is stored locally on the server in equally weak form. If a person gets ahold of the encrypted form of the server password, they can decrypt it instantly using one of several different vnc password cracking tools (and no, it's not brute force)
    • I would not blindly trust the IntelliAdmin website's "proof of concept" webpage. They are not publishing this supposed exploit, nor the source to their testing page. So there's no way of knowing what they are doing. Additionally, you are assuming that they (or someone in their organization) will not abuse this access.
    • UltraVNC has support for doing Microsoft NTLM authentication, which despite what some may think is more secure than the default VNC authentication scheme.
    • Security is about layers. SSH tunnels are great. But you should still use a password on your VNC server and no, you should not tell everyone on Slashdot your password is "password". Even better, keep the VNC server turned off when you are not going to need it (hint: cron can be useful to down the server during the hours you are usually at home sleeping)

    Oh, and my CISSP number is 81554.
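
    The forwarding chain in the comment above, reduced to its mechanics: a local listener on "Guido" that relays every byte, unmodified, to the VNC port on "Barbarella", with a stand-in VNC server that sends the RFB version banner. This is an added example, not code from the comment, from OpenSSH or from any VNC project: a plain TCP relay takes the place of the ssh client and server pair (so there is no encryption here, only the relay logic), the RFB banner and the echo behaviour of the fake server are constructed for the demo, and all ports are ephemeral loopback ports chosen by the OS. What it shows is the point the comment makes: the VNC protocol, including its own authentication, goes through untouched, which is why you still need a VNC password behind the tunnel.

```python
import socket
import threading

# Constructed stand-in for the first thing a real VNC server sends: the RFB
# protocol version string (12 bytes).
RFB_BANNER = b"RFB 003.008\n"


def _recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def _pump(src, dst):
    """Relay bytes one way, unmodified, until src hits EOF; then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_fake_vnc_server():
    """Stand-in for the VNC server on Barbarella: sends the banner, then echoes
    the client's 12-byte version reply so the round trip can be checked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # loopback only, as a VNC server behind a tunnel should be
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(RFB_BANNER)
                    conn.sendall(_recv_exact(conn, 12))
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(target_port):
    """Stand-in for the ssh client listening on Guido plus the ssh server on
    Barbarella connecting to 127.0.0.1:5900.  Each accepted connection gets a
    pair of one-way pumps; nothing inside the stream is parsed or changed."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            upstream = socket.create_connection(("127.0.0.1", target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]


def vnc_handshake_via(local_port):
    """What a VNC client on Guido sees when pointed at 127.0.0.1:<local_port>:
    the server banner, then its own version reply echoed back through the relay."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        banner = _recv_exact(s, 12)
        s.sendall(RFB_BANNER)
        echoed = _recv_exact(s, 12)
    return banner, echoed


def demo():
    """Wire up fake server and relay; returns (banner, echoed) seen by the client."""
    vnc_port = start_fake_vnc_server()
    local_port = start_forwarder(vnc_port)
    return vnc_handshake_via(local_port)


if __name__ == "__main__":
    print(demo())
```

    With real hosts the relay is OpenSSH itself: on Guido, `ssh -L 3145:127.0.0.1:5900 user@barbarella` (add `-N` if you only want the forward and no shell), then point the VNC client at 127.0.0.1:3145. Two checks worth doing on Barbarella: confirm the VNC server is bound to 127.0.0.1 rather than 0.0.0.0 (most Xvnc variants accept a `-localhost` option for this), so that port 5900 is never reachable except through the tunnel, and confirm that the VNC password is still required when connecting through the forward, since, as the relay above shows, the tunnel does nothing to the authentication inside it.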

  19. Re:Nice Summary! on Linux Version of Democracy Player Released · · Score: 1
    The postal service has its own TV network, called USPS-TV. Obviously only accessible in USPS premises. Mostly just worker safety and other programs required by HR.

    Now, they did make a video at one mail processing plant of a package going through the system, from the point of view of the package. But all I've seen of that is a still shot, no actual video. :(

  20. Re:Don't be such a hardass on Siblings Guilty of Spam Felony, Partner Acquitted · · Score: 1

    "First off, there's no "MIGHT" about it. He's a spammer,"
    I didn't say he DIDN'T send SOMEONE a spam. I stated that he might have sent YOU a spam message. People around here were saying "Lock him up throw away the key" but they probably never got a spam from him.

    So you're saying folks shouldn't have an opinion because they may not have personally been victimized by Jeremy Jaynes? I disagree, but this is a trivial point.

    "Secondly, committing a crime and getting caught has consequences. "
    No shit. I just don't think 9 years is appropriate for the crime.

    I do. It's not just spamming, it's defrauding people of their money. Also known as theft. Which is a felony crime. The more you steal, the more serious the jail time. This is nothing new.

    "I'm stunned to see how soft-hearted many of the Slashdot folks here are. He's not going to be tortured, he's not going to be wallowing in the worst conditions"
    He's going to be in JAIL. He won't be able to leave. I don't care how fluffy you make this out to be, prison is crap no matter where it is.

    Well no shit, Sherlock. It's meant to be a punishment. What the fuck man, are you like incapable of understanding the idea of punishment??

    "After one or two years he'll be paroled to make room for someone else."
    So what is it then? Do you think he deserves a nine year sentence or a one year sentence? I don't think it matters how long it will be before a likely parole. His crime was non-violent, and it only theoretically hurt people in the pocketbook. Companies.

    First off, several others have pointed out that in Virginia there is no parole. So I was incorrect in stating that. However my comment was meant to be a disparaging remark about paroling criminals early, so no I don't think he should only get a 1 year sentence.

    Yes, his crime was non-violent. He's not a physical threat to society, he should only be in a minimum-security prison. After serving his time he should have every chance to rejoin society and try and make an honest living.

    You, however, have absolutely no clue about the real damage spammers are doing. I know first hand the damage Jeremy has done just in regards to the company I worked for when he was spamming. I've still got all the complaints we received archived. There is no "theory" of the cost. He cost me a lot of time (fielding complaints, documenting incidents, reporting to my boss), he cost my manager time (reviewing my reports, arranging conference calls, consulting with our legal department). Legal departments are not cheap to maintain, and this was bullshit they had to deal with when more pressing business needed to be attended to.

    And apparently you think it's ok for someone to commit a crime as long as it only affects "companies". If my company goes under I'm out of a job. And not all companies are large businesses, some are quite small with very delicate finances.

    (Not to mention the many thousands of individuals who were fooled by his lies into spending money on bogus products. That's fraud. Do I need to explain fraud to you?)

    "I'm stunned to see how soft-hearted many of the Slashdot folks here are."
    I'm stunned that someone believes that nine years for sending spam messages is fair. It's cruel and unusual punishment.

    Wow. I know pacifist, vegetarian left-wing liberal types who would think you were being soft on spammers. You're WAAAAAAY out there, dude.

    But let me make this clear:

    I do not think sending spam should carry a mandatory penalty of 9 years in prison without parole.
    I think spamming should carry penalties in proportion to the damage level of the spam (i.e. it's volume, it's cost to individuals and businesses, etc).

    For the specifics of this case, i.e. Jeremy Jaynes, I don't think 9 years is

  21. Re:Yes, 9-Year Prison Term on Siblings Guilty of Spam Felony, Partner Acquitted · · Score: 1
    Yow!

    I stand corrected.

    And good on Virginia!

  22. Re:Yes, 9-Year Prison Term on Siblings Guilty of Spam Felony, Partner Acquitted · · Score: 2, Insightful
    It's easy for someone to say "LOCK THEM UP!!! LOL!!' But that's NINE YEARS of someone's life, because what, they MIGHT have sent you a spam message, that was probably filtered by your spam filter anyways?

    First off, there's no "MIGHT" about it. He's a spammer, I've seen the spam equipment he used with my own eyes, there was ample evidence to convict him and apparently he's never claimed to not have sent e-mail.

    Secondly, committing a crime and getting caught has consequences. I'm stunned to see how soft-hearted many of the Slashdot folks here are. He's not going to be tortured, he's not going to be wallowing in the worst conditions and he sure as hell isn't going to end-up serving nine years. After one or two years he'll be paroled to make room for someone else.

    Oh, and don't for a second doubt he's not a criminal. I also fielded complaints about software piracy. He had a website setup distributing "bonus" packages to people who ordered whatever crap he was (pretending) to sell. These bonus items were illegal copies of software such as DVD copying programs, Pop-Up Blocker, etc. We ended up yanking his service due to that little escapade...

  23. Re:Yes, 9-Year Prison Term on Siblings Guilty of Spam Felony, Partner Acquitted · · Score: 2, Insightful

    Let's not forget that Jeremy will probably be out on parole in a rather short time. Since his was not a violent crime, he's not likely to spend anything near the whole time in prison. Nor will he be in a hardcore, maximum security facility. His crime was not much different than whitecollar crime. And frankly, spam is a social problem. It causes quite a bit of financial loss and emotional stress to all sorts of people (the recipients of spam, helpdesk employees at ISPs, overworked sysadmins, etc). Some people's reputations have been damaged by spammers. It's not comparable to rape as a violent act, but it is comparable as being a form of violation. People don't like being taken advantage of in any context. I don't think it's an extreme punishment at all. Oh, and I worked for one of the ISPs that Jeremy was getting his bandwidth from not too long before he got nabbed. I've dealt with the complaints from his spam, and I've been on a conference call with him and other folks. He lied through his teeth in an appallingly blatant fashion on a variety of issues (including trying to claim that the spam complaints we got from Spamcop were actually just his "competitors" trying to hurt his "multi-million dollar" business).

  24. Re:Another console user... on DOOM 3 Final Video Trailer Released · · Score: 1

    Doom ran fine on my punk-ass 486SX 20MHz box. Yeah, it was a 486. With no math co-processor and the LOWEST speed processor you could get. I think it maybe had 16 megs of RAM at best. I'm trying to remember if you could run doom on a 386, and I think you could, it just wasn't very fast... Remember kiddies, Doom was a VGA game. 320x200x256. Period.

  25. Re:Desolate? on AT&T to Leave Residential Business · · Score: 1

    Or you can signup with Grapevine and get a flat monthly service rate with all local and long distance included. They even throw in voicemail, three-way calling and Caller-ID. For those who make enough routine LD calls, it's a good deal.