I managed a very small ISP for a while in the 90s, and have my own mail and web servers to this day.
The definition of 'lowest-hanging fruit' for all the attackers out there is much broader than you implied. If you have a host accessible via the Internet, you ARE a target. You are being attacked now, this very minute. That you deflect those attacks ahead of the host at firewall, router, or application level doesn't change that. It just makes your logs bigger or smaller.
Your operating system choice makes no difference. They attack everything. You just use different tools and methods depending on what's available and what works.
I know what you mean. I run a very small-scale personal-use SFTP server (no shell access for any account) so I can access some of my files remotely. I use SSHGuard to hinder brute-force attacks and LogSentry to keep abreast of the activity. I constantly receive attacks at all hours of the day. They're quite dumb and have little or no sophistication; most are just trying to guess default passwords for system accounts and such.
I have told many people the same thing you just said. I have explained that if you run any sort of Internet-facing network service, you will get attacked and probably with high frequency. There is no such thing as "so obscure and small-scale that you're under the radar". Expect it and plan for it. The people who are surprised when this happens are the easy targets.
I disagree that my choice of OS makes no difference. I submit that my Gentoo Hardened system with very strict security policies is more difficult to compromise than a Windows installation on the same hardware offering the same SFTP service. When you build everything from source, you can implement protections against buffer overflows and other vulnerabilities that aren't available on a closed-source OS. With a *nix system, the tools I am using are not some black box. I can take them apart, examine them, and really understand how they work before integrating them into my system. The system itself is transparent. If something goes wrong, I can always find out why and can almost always do something about it. If something breaks, it broke for a good reason, it'll stay broken until I fix it, and when I fix it it'll stay fixed. My experience with Windows has been nothing like this.
I am not saying that one cannot run a very secure Windows system. I am saying it's easier to achieve the same level of security with a *nix system. More than that, it's easier to actually understand what you are guarding against and why your measures are effective. I think the importance of that last point is underappreciated. It cannot be properly appreciated in the realm of "run this anti-malware product and hope it takes care of things for you" and the mentality that goes along with it.
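The brute-force pattern described above (a stream of failed logins guessing default passwords for system accounts, which tools such as SSHGuard block by source address after a few failures in a short window) can be seen directly in sshd's syslog output. The following is an added example, not code from the commenter or from SSHGuard or LogSentry: it parses OpenSSH "Failed password" lines, counts failures per source address inside a sliding time window, and tallies which account names were tried. The log lines are constructed samples using RFC 5737 documentation addresses, the year is supplied because syslog timestamps omit it, and the threshold and window values are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the shape OpenSSH writes to auth.log via syslog.
# Source addresses are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Apr 21 03:12:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Apr 21 03:12:04 host sshd[2213]: Failed password for root from 203.0.113.5 port 40118 ssh2
Apr 21 03:12:07 host sshd[2215]: Failed password for invalid user oracle from 203.0.113.5 port 40121 ssh2
Apr 21 03:12:09 host sshd[2217]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Apr 21 03:12:12 host sshd[2219]: Failed password for root from 203.0.113.5 port 40133 ssh2
Apr 21 03:40:55 host sshd[2301]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Apr 21 03:41:02 host sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 51025 ssh2
Apr 21 05:02:44 host sshd[2410]: Failed password for invalid user pi from 203.0.113.9 port 33010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2010):
    """Return a list of (timestamp, username, source_ip) for each failed login.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def offending_sources(events, threshold=4, window_seconds=600):
    """Map source IP -> peak number of failures seen inside any sliding window.

    Only sources whose peak reaches `threshold` are returned; this mirrors the
    "N failures in T seconds" style of rule a blocker like SSHGuard applies
    (the specific numbers here are illustrative, not SSHGuard's defaults).
    """
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Advance the window start until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


def targeted_accounts(events):
    """Count how often each account name was guessed, most common first."""
    return Counter(user for _ts, user, _ip in events)


def analyze(text, year=2010):
    """Run the full pipeline over a log text and return a summary dict."""
    events = parse_failures(text, year)
    return {
        "failures": len(events),
        "offenders": offending_sources(events),
        "accounts": targeted_accounts(events),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"{summary['failures']} failed logins")
    for ip, n in summary["offenders"].items():
        print(f"block candidate: {ip} ({n} failures within the window)")
    for user, n in summary["accounts"].most_common():
        print(f"  guessed account {user!r}: {n}")
```

Running it on the sample flags only 203.0.113.5 (five failures in eleven seconds) while leaving the legitimate user who mistyped a password once, and the single stray guess from 203.0.113.9, alone; the account tally shows the "default system account" pattern the comment describes, with root guessed most often.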
That's a typical form of response when someone realizes that you made a solid point that they cannot easily dispute, yet they emotionally don't like the point you have made because it raises questions about their own behavior that they consider uncomfortable. It's basic rationalization of an urge to "shoot the messenger" or in this case, "discredit the messenger". People who do this don't seem to realize how transparent it really is.
I believe the Ubuntu screensaver issue was from the Gnome-Look.org site, not the official repositories. My apologies if you're referring to a different virus I have no knowledge of. That said, you are correct, Unix and Linux are not remotely immune.
The difference is that *nix systems in their various incarnations have had decades of exposure to all sorts of attacks and have evolved accordingly. I would not call them immune, I would call them resistant. There are many good tools available to secure them and, unlike Windows, these tend to be considered standard system utilities not third-party add-ons.
I believe the whole "anti-virus, anti-malware" mentality of removing an infection after a compromise has taken place is fundamentally broken as a security measure. That's because it is not security at all; it is damage control. After your security has failed it might be useful for containment but that's about it. The correct way to respond to a system compromise is to format the drives and reinstall the OS from known good media. Real security systems are designed to prevent compromises, not to remove malware after a compromise has happened and malware has been installed. This is what you find on *nix. It's not just systems and tools, it's a mentality that goes with them.
This is why there tend not to be successful viruses (I use the term loosely to also include worms and such) propagating in the wild on *nix systems. There do exist viruses for *nix systems; they're called proofs-of-concept. Like all self-replicating forms of malware, they have something in common: they must compromise the system (either a user account or root) before they can do anything else. That is what *nix systems are good at preventing. It also helps tremendously that *nix systems tend not to be the "write once, compromise millions of machines" monoculture that you find on Windows.
The last thing I'll say is that average *nix users tend to be more competent and more knowledgeable than average Windows users. They're more likely to know a risk when they take one. They're more likely to understand why Flash and other software with a terrible security track record is not trustworthy and should be treated as such. They tend to have habits that reduce their exposure. Overall, they are harder targets and don't represent the low-hanging fruit. None of this amounts to "perfect immunity" of course, but represents a hell of an improvement over the average.
Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?... Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.
You have a very narrow view of what is and isn't a vulnerability on the Internet.
We're not just talking phishing sites and Nigerian scammers. Man-in-the-middle attacks, fake certs, Pakistan accidentally nuking YouTube with faulty BGP routing info, etc. etc. etc. The status quo is almost entirely trust-based and in the long run, cannot stand.
The nice thing about trust-based situations is that you can choose to regard them as untrustworthy and proceed accordingly. It's a rare day indeed that I hear of a compromise where someone chose to do this.
Uh, no. With MITM attacks, spoofing raised to a fine art, SSL hijacks of any number of different methods, fake/spoofed/stolen certificates, it can be very, very hard to avoid making a mistake and trusting something you should not.
I agree that there are sophisticated methods by which a determined adversary concentrating his efforts against a particular target might effect a compromise. However, if all compromises were of this type only, then ID theft would be a nearly unknown crime and botnets unheard-of. That's because an attack this effective and sophisticated does not easily lend itself to automation. Criminals can't compromise tens of thousands of machines or build large lists of account numbers that way. If the level of sophistication you mention were the bare minimum requirement to break the security of the average user, we'd have a global Heaven on Earth in terms of network security.
The vast, vast majority of phishing attacks are quite crude by comparison. They are crude because crude works. People fall for it, all the time. These simpler, less sophisticated attacks are easy to automate and send to thousands of users. When a criminal can send a simpler attack to many thousands, only a small percentage need to get suckered for him to profit immensely. This is where most of the problems are coming from, not dedicated personal efforts against specific targets that require a lot of manpower and expertise to execute. I think the latter is within the realm of statistical noise by comparison.
Yup. It's a fine line between security and oppression.
Security of the "be responsible for your own host and your own network because it's in your interests to prevent their compromise" doesn't lend itself to oppression. Security of the "we will be the central authority who will do everything for you" variety certainly does, not to mention it probably won't work. I think when it comes to security, it's perfectly reasonable to say "if you don't care, neither should we." It really doesn't take much to be a much harder target than the lowest-hanging fruit.
Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?
Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware. Allow me to give you an example which most people here won't be able to detect instantaneously: zero-day exploit in Flash + rootkit + trojan. I run a tight ship like the next nerd, but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.
And yes, there are zealots who will undoubtedly say things like "Flash is for suckers" or "what do you expect with Windows?", but these people should consider the fact that (a) not everyone lives in caves, and (b) some people just have more important things to worry about, like losing their homes.
Flash is known insecure software with a terrible track record, and I treat it as such. I obviously can't make others do the same but they're crazy not to. It undoubtedly helps that I am not using Windows (just why that helps is a separate debate). That to me is basic common sense combined with a few minutes of Googling. If that's the standard now for "living in a cave" then the standards these days are quite low. For your item "b" there, it's a lot easier to keep your home when some criminal hasn't drained your bank accounts for you.
It's not about Flash, Windows, living in caves, or having other concerns in life. No, those are all distractions from the actual issue, and you can tell because they're always said in the same irritated emotional tone. It's about two different mentalities. They come up in lots of otherwise unrelated issues including those that are much more political in nature. One mentality wants to look after its own interests and equip itself in order to protect itself. The other believes that is too much of a bother, not their problem, or otherwise is someone else's job. I do not exaggerate in the least when I say that big government of the "we know what's good for you" variety derives most of its existence from the latter because these people want someone to take care of them, almost like children.
So I secure my systems after teaching myself how to do so, and I study good practices. Another person thinks this is too much of a bother and goes with whatever vendor defaults his system came with because to him, security is that vendor's problem only. Guess who gets compromised? Which do you suppose is an easier target? It's not about time or any of those other excuses because you always have time for something you consider important. "I don't have time" is a cute way of saying "this is not a priority". It's about personal responsibility and whether you realize that no one wants to protect your interests quite as much as you do, that all the tools and information you need are out there. Do I have time to be personally responsible and take only the amount of risk I want to take instead of being helplessly dependent on someone else to protect me? Yes, I do have time for that, no caves required.
Additional pragmatic ideas that Menn suggests are to legalize and regulate online gambling, more funding to teach safer computing in schools, and for a complete re-engineering of the Internet, in order to build in the necessary security functionality which should have been in there in the first place. As part of the process to re-engineer the Internet, Menn suggests designs that create accountability into the Internet fabric.
Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? No thanks. A fool and his money are soon parted and there's not much you're going to change about that. Also, I'm sure that "accountability" is a euphemism for "tracked everywhere you go even more than you are now". Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.
a settlement that legal experts said was significant because it implied that the rights of research subjects can be violated when they are not fully informed about how their DNA might be used
I'll say the same thing here that has occurred to me with several other decisions. It's amazing to me that there could be any controversy over this or otherwise a widespread view that there is any other way to handle it. I wouldn't even want to lend my car to someone without having an idea of what they plan to do with it and that's far less of a privacy/security issue than DNA and medical records. To put this another way, what's the good reason (that doesn't involve covering up abuses) why full disclosure and informed consent should not be standard policy?
I use Boxee in this case as there is some integration made for Hulu.
Problem I see with Hulu is the limited number of shows (incomplete full seasons).
I wish they'd delete every 4-minute "excerpt" clip and use the space to host more complete episodes, myself. I never knew that brief clips from the middle of a show with little or no context were so popular, yet they are a large amount of the offerings on Hulu and a *majority* of the available videos on Adultswim.com.
That, and anyway it is not often that such big-ass clouds happen. So what if air travel stops for a day or two every 20 years? Honestly it doesn't justify spending billions on R&D on how to improve the plane designs for it.
I was wondering if I was the only person who thought this whole incident is not the big deal it's portrayed as. I view this as an inconvenience at best, yet I keep hearing from various media about "dire economic impacts" and such. I don't recall the nautical shipping industry panicking like this over the fact that they can't reasonably send ships through a hurricane, and those happen much more frequently than volcanic eruptions of this magnitude. I get the impression that the rarity of this event that the airliners should be thankful for is also the very reason they are overreacting to it.
Maybe we can't do better because the design of a jet engine is to suck in as much air as possible with tiny blades, compress it, then spit it out at an extremely high temperature that happens to remelt ash?
Is it safe to assume that prop planes are not affected by aerial concentrations of volcanic ash? If so, how difficult would it be for the airliner to rent/lease a fleet of prop planes for the duration of this problem? I realize that no prop plane is going to have the passenger capacity of a jumbo jet and that this is a far less than ideal solution. Still, in the face of losing "millions a day" or in terms of "it's either this option or you're stranded here", does it become better than nothing?
By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.
Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...
Messenger was just a way to launch the system default web browser to load the URL. Loading the browser independently and then typing that same URL into the address bar would have done the same thing. The browser and its vulnerability to the malicious contents of that URL are at issue here. My bet is that the OS was Windows and the browser was IE, in which case it's perfectly reasonable to say that Microsoft and its products were involved here. Unfortunately the article does not specify the browser that was used, but Microsoft Messenger does strongly indicate a Windows system so IE was at least available.
This sounds very, very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe Google's "do no evil" policy, if they are pushed far enough they will become something we don't want.
So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.
As Bruce Schneier said, security through obscurity does not work...
That has been a mantra on Slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+ year old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.
If you want a more clear example, do some research on encryption algorithms and what it takes before they are considered secure enough for general use.
Cause we all know doctor's offices are impenetrable.
Two things about that:
One, someone who wants to break-and-enter into a doctor's office is going to leave behind physical evidence. It's the sort of crime likely to be solved through old-fashioned police work. It also can't be done from halfway around the world.
Two, that doesn't permit anyone to gain massive numbers of medical records. A thief who breaks into a doctor's office to obtain medical records is going to get the records for that doctor's patients only. With each break-in to each office, the chances of the thief getting caught increase substantially. Compare to a large centralized online database where potentially millions of records could be obtained in a single compromise by an attacker located anyplace there is an Internet connection.
In the sciences you put a huge effort into quantifying error. A result might be quoted as:
60
± 2 due to limited sampling in a Monte Carlo experiment (statistical error)
± 0.5 due to uncertainties in a previous result that this one relies on
± 0.2 due to using an approximation in our math
± 0.8 due to uncertainties in how we corrected for a bias (systematic error)
The presidential pollsters do this: they'd quote some number as "58% for Obama, with a 2 percent statistical margin of error, and an additional 1 percent error coming from the fact that we're not quite sure if we're over- or under-sampling cellphone-only voters."
If your estimates aren't *precise*, that's okay. You can still give an honest estimate with a large error bar. Do it, and honestly quantify your uncertainty.
Indeed, but since when was the average person educated enough about science and statistics to understand the importance of what you are saying, or to competently criticize the methods used and claims made by the copyright interests?
Actually that'd be natural selection unless a new, never-before-seen species is created. That's not how superbugs originate. Instead, antibiotics kill less than 100% of an existing species of bacteria. Let's say antibiotics can kill 99.5% of them. The 0.5% that survive the antibiotic continue to metabolize and reproduce until they replace the numbers that were lost to the antibiotic (and bacteria can often reproduce very quickly). Now you have a resistant population that originated with those individual bacteria that were able to survive that antibiotic. That is natural selection of the fittest in response to a change in the environment (the introduction of an antibiotic) but is not the evolution of a new species.
In fact, it reduces the genetic diversity of the original population by causing only members with certain traits to survive and reproduce. All members which had different genetic traits are now dead, killed by the antibiotic. As bacteria typically reproduce asexually through mitosis, restoring that original diversity would be challenging. None of this is the "amoeba to human" (to use a figure of speech) evolution that explains the appearance of highly complex organisms on Earth. In fact I've never seen a scientific, proven example of a mutation that added new genetic information that did not previously exist. It would be sort of like expecting entropy to lead to a more highly ordered state. None of this proves or disproves the concept of evolution, but it does make it a much more mysterious process than we are usually led to believe. It's the kind of thing I hope science one day has a better understanding of.
Last year the NYPD discovered over 6,000 victims of caller ID spoofing, who together lost a total of $15 million.
Isn't this already called fraud?
If the intended victim doesn't fall for it, or if the fraudster doesn't even try it (after getting some information from the intended victim and deciding to move on), it's not so clear if it's fraud. But under this bill, it'll still be a caller ID spoofing crime.
Since when does a crime have to be successful (i.e. obtain the criminal's intended result) in order to be a crime? For example, say you take a swing at someone but at the last moment they dodge your punch. You are telling me you could only possibly be charged with assault if the punch connected? I have a hard time believing that. Or let's say you forge a check (fraud) and the bank you give that check to immediately notices that it has been forged. Are you telling me they would not be able to charge you with fraud?
Bail bondsman, police, etc. attempting to locate a fugitive without spooking them. A call from Mom is more likely to be answered than one from Bounty Hunter Bill.
If you have a known valid telephone number then you have already located your fugitive. That's either because it's a landline assigned to a particular physical address or it's a mobile phone the signal of which can be triangulated. No phone call has to be made to use either approach.
You're not preventing the problem, you're adding to the list of offenses you can charge people with while you investigate the actual crime.
That's my problem with it. I don't share the vindictive urge to nail people with as many charges as possible. Instead, I'd rather see fewer criminals.
I think if you're going to have caller ID you should be able to trust it. At the same time, it would be better to educate people that someone can sneak into other people's houses or businesses and legitimately be calling from the phone without actually being the trusted person. Or pick up someone's cell phone that doesn't have password protection. It's not foolproof.
A law against spoofing CallerID does not make CallerID more trustworthy so long as it's still technically feasible to perform the spoofing. This is for the same reason that the laws against fraud have not made phishing sites go away, the laws against illegal drugs have not prevented people from doing drugs, and the laws concerning gun-control have not made it difficult for criminals to obtain firearms. We just don't want to learn this lesson, but that doesn't make it less true.
Meantime, Congress gave additional powers to law enforcement so they can hold someone longer for questioning. Is that good or bad? Depends.
That's universally bad. Law enforcement already has a way to hold someone for a good long time: collect enough evidence to charge them with a crime. If there is no such evidence, law enforcement should kindly fuck off. It's that simple. A few criminals who get away with it or are more difficult to catch means absolutely nothing in the face of the kind of threat that unmitigated police power poses to free society. Think of it this way: if criminal activity causes us to become a non-free society because of the ever-increasing expansion of state power, then the criminals have won because they've done the greatest possible damage to our way of life.
You, sir, have just uncovered the glaring flaw of gun control legislation. Guess what - only criminals use guns to commit murder. If you're willing to commit murder, then illegally purchasing a firearm is child's play by comparison.
The willful ignorance of this self-evident fact tells me that gun-control is more like a religious issue. Statism is definitely on the rise in the USA and has been for quite a long time. Statism is all about expanding governmental size and power for the sake of power alone. A citizenry that can readily defend themselves are less dependent on police protection, and police power is the major vehicle for the expansion of state power. In order to have a steady supply of excuses for expanding government, you must have a dependent, helpless citizenry that fears events which government can try to regulate. Personal physical safety is such a category that is unusually close to home, especially when compared to more abstract economic issues.
The legally-recognized ability to defend yourself from physical threat is also an extremely individualistic quality. There is something of a war against individualism because it is contrary to the homogeneous, conformist, docile, group-think society that readily lends itself to central control. Along with this comes the weakening of the importance of the nuclear family, since that's a unit of society that could have its own customs, traditions, and independent thought and therefore does not lead to the desired homogenization. That's why there is so much emphasis in the media placed on group identities such as membership in a protected minority. It's the exact opposite of regarding people as individuals who should be dealt with on the basis of the content of their character, like Dr. Martin Luther King Jr. advocated. It's also why any talk of "diversity" is about people who superficially look different and rarely has anything to do with a diversity of ideas and philosophies.
On a more practical note, as soon as they figure out how to keep drugs and weapons out of high-security prisons, then and only then will it be reasonable to discuss keeping such items out of the rest of society. Until then, the correct approach is to harden the targets of crimes. That's why every state which has enabled concealed-carry permits has seen significant reductions in violent crime. Even those who do not carry guns benefit from those who do, because the nature of concealment means that a criminal has no way to know if a given target is armed or not.
Swing and a miss. That's not the point at all.
That's a typical form of response when someone realizes that you made a solid point that they cannot easily dispute, yet they emotionally don't like the point you have made because it raises questions about their own behavior that they consider uncomfortable. It's basic rationalization of an urge to "shoot the messenger" or in this case, "discredit the messenger". People who do this don't seem to realize how transparent it really is.
I believe the Ubuntu screensaver issue was from the Gnome-Look.org site, not the official repositories. My apologies if you're referring to different virus I have no knowledge of. That said, you are correct, unix and linux are not remotely immune.
The difference is that *nix systems in their various incarnations have had decades of exposure to all sorts of attacks and have evolved accordingly. I would not call them immune, I would call them resistant. There are many good tools available to secure them and, unlike Windows, these tend to be considered standard system utilities not third-party add-ons.
I believe the whole "anti-virus, anti-malware" mentality of removing an infection after a compromise has taken place is fundamentally broken as a security measure. That's because it is not security at all; it is damage control. After your security has failed it might be useful for containment but that's about it. The correct way to respond to a system compromise is to format the drives and reinstall the OS from known good media. Real security systems are designed to prevent compromises, not to remove malware after a compromise has happened and malware has been installed. This is what you find on *nix. It's not just systems and tools, it's a mentality that goes with them.
This is why there tend not to be successful viruses (I use the term loosely to also include worms and such) propagating in the wild on *nix systems. There do exist viruses for *nix systems; they're called proofs-of-concept. Like all self-replicating forms of malware, they have something in common: they must compromise the system (either a user account or root) before they can do anything else. That is what *nix systems are good at preventing. It also helps tremendously that *nix systems tend not to be the "write once, compromise millions of machines" monoculture that you find on Windows.
The last thing I'll say is that average *nix users tend to be more competent and more knowledgeable than average Windows users. They're more likely to know a risk when they take one. They're more likely to understand why Flash and other software with a terrible security track record is not trustworthy and should be treated as such. They tend to have habits that reduce their exposure. Overall, they are harder targets and don't represent the low-hanging fruit. None of this amounts to "perfect immunity" of course, but it represents a hell of an improvement over the average.
Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? ... Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.
You have a very narrow view of what is and isn't a vulnerability on the internet.
We're not just talking phishing sites and Nigerian scammers. Man-in-the-middle attacks, fake certs, Pakistan accidentally nuking YouTube with faulty BGP routing info, etc etc etc. The status quo is almost entirely trust based and in the long run, cannot stand.
The nice thing about trust-based situations is that you can choose to regard them as untrustworthy and proceed accordingly. It's a rare day indeed that I hear of a compromise where someone chose to do this.
I agree that there are sophisticated methods by which a determined adversary concentrating his efforts against a particular target might effect a compromise. However, if all compromises were of this type only, then ID theft would be a nearly unknown crime and botnets unheard-of. That's because an attack this effective and sophisticated does not easily lend itself to automation. Criminals can't compromise tens of thousands of machines or build large lists of account numbers that way. If the level of sophistication you mention were the bare minimum requirement to break the security of the average user, we'd have a global Heaven on Earth in terms of network security.
The vast, vast majority of phishing attacks are quite crude by comparison. They are crude because crude works. People fall for it, all the time. These simpler, less sophisticated attacks are easy to automate and send to thousands of users. When a criminal can send a simpler attack to many thousands, only a small percentage need to get suckered for him to profit immensely. This is where most of the problems are coming from, not dedicated personal efforts against specific targets that require a lot of manpower and expertise to execute. I think the latter is within the realm of statistical noise by comparison.
Security of the "be responsible for your own host and your own network because it's in your interests to prevent their compromise" doesn't lend itself to oppression. Security of the "we will be the central authority who will do everything for you" variety certainly does, not to mention it probably won't work. I think when it comes to security, it's perfectly reasonable to say "if you don't care, neither should we." It really doesn't take much to be a much harder target than the lowest-hanging fruit.
Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?
Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware. Allow me to give you an example which most people here won't be able to detect instantaneously: zero-day exploit in Flash + rootkit + trojan. I run a tight ship like the next nerd, but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.
And yes, there are zealots who will undoubtedly say things like "Flash is for suckers" or "what do you expect with Windows?", but these people should consider the fact that (a) not everyone lives in caves, and (b) some people just have more important things to worry about, like losing their homes.
Flash is known insecure software with a terrible track record, and I treat it as such. I obviously can't make others do the same but they're crazy not to. It undoubtedly helps that I am not using Windows (just why that helps is a separate debate). That to me is basic common sense combined with a few minutes of Googling. If that's the standard now for "living in a cave" then the standards these days are quite low. For your item "b" there, it's a lot easier to keep your home when some criminal hasn't drained your bank accounts for you.
It's not about Flash, Windows, living in caves, or having other concerns in life. No, those are all distractions from the actual issue, and you can tell because they're always said in the same irritated emotional tone. It's about two different mentalities. They come up in lots of otherwise unrelated issues including those that are much more political in nature. One mentality wants to look after its own interests and equip itself in order to protect itself. The other believes that is too much of a bother, not their problem, or otherwise is someone else's job. I do not exaggerate in the least when I say that big government of the "we know what's good for you" variety derives most of its existence from the latter because these people want someone to take care of them, almost like children.
So I secure my systems after teaching myself how to do so, and I study good practices. Another person thinks this is too much of a bother and goes with whatever vendor defaults his system came with because to him, security is that vendor's problem only. Guess who gets compromised? Which do you suppose is an easier target? It's not about time or any of those other excuses because you always have time for something you consider important. "I don't have time" is a cute way of saying "this is not a priority". It's about personal responsibility and whether you realize that no one wants to protect your interests quite as much as you do, that all the tools and information you need are out there. Do I have time to be personally responsible and take only the amount of risk I want to take instead of being helplessly dependent on someone else to protect me? Yes, I do have time for that, no caves required.
Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? No thanks. A fool and his money are soon parted and there's not much you're going to change about that. Also, I'm sure that "accountability" is a euphemism for "tracked everywhere you go even more than you are now". Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.
I'll say the same thing here that has occurred to me with several other decisions. It's amazing to me that there could be any controversy over this or otherwise a widespread view that there is any other way to handle it. I wouldn't even want to lend my car to someone without having an idea of what they plan to do with it and that's far less of a privacy/security issue than DNA and medical records. To put this another way, what's the good reason (that doesn't involve covering up abuses) why full disclosure and informed consent should not be standard policy?
I use Boxee in this case as there is some integration made for Hulu. Problem I see with Hulu is the limited number of shows (incomplete full seasons).
I wish they'd delete every 4-minute "excerpt" clip and use the space to host more complete episodes, myself. I never knew that brief clips from the middle of a show with little or no context were so popular, yet they are a large amount of the offerings on Hulu and a *majority* of the available videos on Adultswim.com.
Global warming and volcanoes are related.
What's your source for this?
Google. Try it yourself, sometime. It would take about as much time as the post you wrote to get started.
Yes.
Then I wondered how they have so many letters for 3 syllables.
Maybe they were influenced by the French.
Not a completely bad analogy, but can Slashdot please give us a "Gross, -1" moderation for such cases?
First we need a "-1, Factually Incorrect" moderation.
That, and anyway it is not often that such big-ass clouds happen. So what if air travel stops for a day or two every 20 years? Honestly it doesn't justify spending billions on R&D on how to improve the plane designs for it.
I was wondering if I was the only person who thought this whole incident is not the big deal it's portrayed as. I view this as an inconvenience at best, yet I keep hearing from various media about "dire economic impacts" and such. I don't recall the nautical shipping industry panicking like this over the fact that they can't reasonably send ships through a hurricane, and those happen much more frequently than volcanic eruptions of this magnitude. I get the impression that the rarity of this event that the airliners should be thankful for is also the very reason they are overreacting to it.
Maybe we can't do better because the design of a jet engine is to suck in as much air as possible with tiny blades, compress it, then spit it out at an extremely high temperature that happens to remelt ash?
Is it safe to assume that prop planes are not affected by aerial concentrations of volcanic ash? If so, how difficult would it be for the airliner to rent/lease a fleet of prop planes for the duration of this problem? I realize that no prop plane is going to have the passenger capacity of a jumbo jet and that this is a far less than ideal solution. Still, in the face of losing "millions a day" or in terms of "it's either this option or you're stranded here", does it become better than nothing?
By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.
Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...
Messenger was just a way to launch the system default web browser to load the URL. Loading the browser independently and then typing that same URL into the address bar would have done the same thing. The browser and its vulnerability to the malicious contents of that URL are at issue here. My bet is that the OS was Windows and the browser was IE, in which case it's perfectly reasonable to say that Microsoft and its products were involved here. Unfortunately the article does not specify the browser that was used, but Microsoft Messenger does strongly indicate a Windows system so IE was at least available.
This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.
So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.
As Bruce Schneier said, security through obscurity does not work... That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+ years old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.
If you want a more clear example, do some research on encryption algorithms and what it takes before they are considered secure enough for general use.
Cause we all know doctor's offices are impenetrable.
Two things about that:
One, someone who wants to break and enter into a doctor's office is going to leave behind physical evidence. It's the sort of crime likely to be solved through old-fashioned police work. It also can't be done from halfway around the world.
Two, that doesn't permit anyone to gain massive numbers of medical records. A thief who breaks into a doctor's office to obtain medical records is going to get the records for that doctor's patients only. With each break-in to each office, the chances of the thief getting caught increase substantially. Compare to a large centralized online database where potentially millions of records could be obtained in a single compromise by an attacker located anyplace there is an Internet connection.
Last time I checked I was definitely not American. However you, sir, are most definitely a troll.
Does that mean you're knowingly feeding them?
In the sciences you put a huge effort into quantifying error. A result might be quoted as:
60 +- 2 due to limited sampling in a Monte Carlo experiment (statistical error)
+- 0.5 due to uncertainties in a previous result that this one relies on
+- 0.2 due to using an approximation in our math
+- 0.8 due to uncertainties in how we corrected for a bias (systematic error)
The presidential pollsters do this: they'd quote some number as "58% for Obama, with a 2 percent statistical margin of error, and an additional 1 percent error coming from the fact that we're not quite sure if we're over- or under-sampling cellphone-only voters."
If your estimates aren't *precise*, that's okay. You can still give an honest estimate with a large error bar. Do it, and honestly quantify your uncertainty.
Indeed, but since when was the average person educated enough about science and statistics to understand the importance of what you are saying, or to competently criticize the methods used and claims made by the copyright interests?
No. The hospital super-bugs - staph or strep. Because they show evolution in action.
http://en.wikipedia.org/wiki/Super_bug_(bacteria)
Actually that'd be natural selection unless a new, never-before-seen species is created. That's not how superbugs originate. Instead, antibiotics kill less than 100% of an existing species of bacteria. Let's say antibiotics can kill 99.5% of them. The 0.5% that survive the antibiotic continue to metabolize and reproduce until they replace the numbers that were lost to the antibiotic (and bacteria can often reproduce very quickly). Now you have a resistant population that originated with those individual bacteria that were able to survive that antibiotic. That is natural selection of the fittest in response to a change in the environment (the introduction of an antibiotic) but is not the evolution of a new species.
In fact, it reduces the genetic diversity of the original population by causing only members with certain traits to survive and reproduce. All members that had different genetic traits are now dead, killed by the antibiotic. As bacteria typically reproduce asexually through mitosis, restoring that original diversity would be challenging. None of this is the "amoeba to human" (to use a figure of speech) evolution that explains the appearance of highly complex organisms on Earth. In fact I've never seen a scientific, proven example of a mutation that added new genetic information that did not previously exist. It would be sort of like expecting entropy to lead to a more highly ordered state. None of this proves or disproves the concept of evolution, but it does make it a much more mysterious process than we are usually led to believe. It's the kind of thing I hope science one day has a better understanding of.
Last year the NYPD discovered over 6,000 victims of caller ID spoofing, who together lost a total of $15 million.
Isn't this already called fraud?
If the intended victim doesn't fall for it, or if the fraudster doesn't even try it (after getting some information from the intended victim and deciding to move on), it's not so clear if it's fraud. But under this bill, it'll still be a caller ID spoofing crime.
Since when does a crime have to be successful (i.e. obtain the criminal's intended result) in order to be a crime? For example, say you take a swing at someone but at the last moment they dodge your punch. You are telling me you could only possibly be charged with assault if the punch connected? I have a hard time believing that. Or let's say you forge a check (fraud) and the bank you give that check to immediately notices that it has been forged. Are you telling me they would not be able to charge you with fraud?
Bail bondsman, police, etc. attempting to locate a fugitive without spooking them. A call from Mom is more likely to be answered than one from Bounty Hunter Bill.
If you have a known valid telephone number then you have already located your fugitive. That's either because it's a landline assigned to a particular physical address or it's a mobile phone the signal of which can be triangulated. No phone call has to be made to use either approach.
That's my problem with it. I don't share the vindictive urge to nail people with as many charges as possible. Instead, I'd rather see fewer criminals.
A law against spoofing CallerID does not make CallerID more trustworthy so long as it's still technically feasible to perform the spoofing. This is for the same reason that the laws against fraud have not made phishing sites go away, the laws against illegal drugs have not prevented people from doing drugs, and the laws concerning gun-control have not made it difficult for criminals to obtain firearms. We just don't want to learn this lesson, but that doesn't make it less true.
That's universally bad. Law enforcement already has a way to hold someone for a good long time: collect enough evidence to charge them with a crime. If there is no such evidence, law enforcement should kindly fuck off. It's that simple. A few criminals who get away with it or are more difficult to catch means absolutely nothing in the face of the kind of threat that unmitigated police power poses to free society. Think of it this way: if criminal activity causes us to become a non-free society because of the ever-increasing expansion of state power, then the criminals have won because they've done the greatest possible damage to our way of life.
You, sir, have just uncovered the glaring flaw of gun control legislation. Guess what - only criminals use guns to commit murder. If you're willing to commit murder, then illegally purchasing a firearm is child's play by comparison.
The willful ignorance of this self-evident fact tells me that gun-control is more like a religious issue. Statism is definitely on the rise in the USA and has been for quite a long time. Statism is all about expanding governmental size and power for the sake of power alone. A citizenry that can readily defend itself is less dependent on police protection, and police power is the major vehicle for the expansion of state power. In order to have a steady supply of excuses for expanding government, you must have a dependent, helpless citizenry that fears events which government can try to regulate. Personal physical safety is such a category that is unusually close to home, especially when compared to more abstract economic issues.
The legally-recognized ability to defend yourself from physical threat is also an extremely individualistic quality. There is something of a war against individualism because it is contrary to the homogeneous, conformist, docile, group-think society that readily lends itself to central control. Along with this comes the weakening of the importance of the nuclear family, since that's a unit of society that could have its own customs, traditions, and independent thought and therefore does not lead to the desired homogenization. That's why there is so much emphasis in the media placed on group identities such as membership in a protected minority. It's the exact opposite of regarding people as individuals who should be dealt with on the basis of the content of their character, like Dr. Martin Luther King Jr. advocated. It's also why any talk of "diversity" is about people who superficially look different and rarely has anything to do with a diversity of ideas and philosophies.
On a more practical note, as soon as they figure out how to keep drugs and weapons out of high-security prisons, then and only then will it be reasonable to discuss keeping such items out of the rest of society. Until then, the correct approach is to harden the targets of crimes. That's why every state which has enabled concealed-carry permits has seen significant reductions in violent crime. Even those who do not carry guns benefit from those who do, because the nature of concealment means that a criminal has no way to know if a given target is armed or not.