If I didn't like a Web site and felt it had stagnated and was full of useless marketing and "ignorant hypocrisy" I wouldn't waste my time hanging around that site talking about how much I don't like it. Instead, I would go to a site more to my liking.
You're a fairly active poster. You went to the trouble of creating multiple accounts. You obviously invest a chunk of your time in this site. Now you complain about how much you don't like it. That is "ignorant hypocrisy" and it's yours.
I anticipate you'll do some more name-calling, talk about how badass you are because you use what you claim to be your real name, etc. The one thing you could do that would surprise anyone would be to answer me and explain why you're not the very hypocrite you're whining about. That is because the facts are clearly against you and you, sir, are too cowardly to admit when you're wrong. It's the one thing you don't have the guts to do.
Maybe you can fix that character flaw of yours before calling anyone else a coward or telling them how pathetic they are.
Guy gets a ticket, goes to court dressed respectfully, treats the judge with deference, geeks out to a clueless judge about his nifty new GPS toy, asks the cop something he heard a previous defendant's lawyer ask about lack of evidence that worked, and is found not guilty. The judge goes out of his way to note the GPS evidence played no part in the decision. How is this a story about a smart phone getting someone out of a ticket?
None really; this is just another "but with a computer!" type of story. The only notable aspect to it is that the judge was willing to consider both sides and didn't instantly assume that anyone who contradicts a cop must be a liar. That is, most traffic violations do ultimately boil down to your word against the cop's especially when it's something other than speeding.
I wonder if the guy had to pay any fees. In my state, they have a nice racket going. Here, you have to pay a "court fee" that's sometimes more than the cost of the ticket itself. You have to pay this even if you simply pay the ticket and never go to court to dispute it. You have to pay this even if you dispute the ticket and are found not guilty, so a cop can be completely wrong and still make you pay something (isn't that nice?). I wonder what my state tax dollars are being used for if they are not funding basic government functions such as the court system.
It's like objecting to the highway because then people speed. No, the highway is the perfect place to put up a speed trap.
Nevermind that many highways are built like drag strips, it's for your safety!
Besides, the summary mentions about 330 crimes associated with the site. How many millions of users does it have? I wish major metropolitan areas had crime rates like that.
I think this is another one of those "... but with a computer!" type of stories.
Hilariously, Paypal was actually started by a libertarian as some sort of "resist the man and his fiat currency's dead hand on trade." kind of thing. Now it voluntarily licks the boots of those who would suppress the entirely legal efforts of an advocacy group to secure a man a fair trial (rather than the present detention-without-trial-of-indefinite-length...)
All hail the private sector, defender of liberty!
Far as I can tell Paypal is just another pro-Establishment tool despite any intentions of its founder. Wikileaks has been accused of no crime in any jurisdiction, but they irritate a lot of powerful people. So Paypal interferes with the effort to support Wikileaks by using Paypal to make donations. Manning is currently facing some serious accusations; he is accused of leaking information that ended up in Wikileaks which again pisses off a lot of powerful people. So Paypal freezes the account that would have been used to fund his legal defense.
This is opinionated speculation only, but I really wonder what kind of favors or kickbacks Paypal is going to receive in the future. They have faithfully served their masters it would seem, and that's obviously not its users and customers. Fascism is the merging of corporate and government power. Corporations doing what is convenient for the government and acting against people government doesn't like, in the absence of any actual requirement to do so, is a step in that direction for certain.
Even those who are guilty as sin deserve a fair trial. So long as their fair trials are funded voluntarily there is nothing that needs to be stopped.
There really is no excuse for this at all. We're all entitled to a fair trial and the best legal defense available to us. This signifies that Paypal doesn't support the constitution or the rule of law. Shameful.
Paypal is a private entity. Unfortunately, it's not doing anything illegal or unconstitutional, as far as I can tell, by choosing not to do business with someone.
Too many arguments go like this. I believe it misses the real point being made. It was already well-established by the summary that Paypal has no legal obligation here.
If you truly support the Constitution and principles like rule of law and due process, then you adhere to them even if the government is not going to use force to make you adhere to them. Anywhere that there is a choice in the matter, you get to see what people really believe in. Paypal wouldn't even provide a copy of the relevant portions of their policy.
The funny thing is the implied hypocrisy. If any of the decision-makers at Paypal did find themselves in violation of the law, they'd never surrender their rights to due process. They'd want to know which law they are being accused of having broken. They'd want the prosecution to have to prove every claim it makes. But in their own little kingdom where they both make and enforce the rules, they want the ability to arbitrarily shut anyone down without ever having to demonstrate that they violated the rules or even citing which rules would apply.
In my opinion, they're assholes and if you do business with them, it is because you want assholes to prosper. Like you, I have never once used Paypal and because of behavior like this, I never will. This is not remotely the first example of pathological behavior from this company.
Managing an IT shop at a school, my biggest problem with the student workers was beating the "anyone who doesn't give a shit about computers is a stupid idiot" out of them.
I know it's a stage all geeks go through, but man is it irritating. The only thing that kept my rage in check was the knowledge that I was an even bigger douchebag at their age.
The thing to keep in mind is that for most of the planet computers are a means to an end. They are (and should be) practically invisible to the user when they work. The fact that we have to constantly harass users into sane behavior (e. g. "don't open that, it's a goddamn virus") isn't a reflection of their intelligence, it's a reflection of POOR DESIGN.
That's one "side" of it if you like. Certainly I have never advocated that we make things needlessly complex.
I am wondering how best to explain this because it's a mentality, a willingness to invest, a recognition of a certain mental laziness. I'll concentrate on some basic everyday things, for computers have become everyday tools.
I know more about driving today than back when I first obtained my driver's license. I have learned by doing, through experience. Specifically this has to do with defensive driving, with leaving margin for error for both myself and other drivers, with not surprising other drivers, not being surprised by them even when they screw up royally, etc. I pick up things from time to time after having observed them empirically.
I know more about how to manage money today than I did back when I got my very first bank account. Same deal for the driving; I pick things up over time and I make it a point to remember them. For the 401(k) I learned where the money was actually going, what the various funds represent, how much risk they each involve, etc. In other words, I did my homework even though at least some of the time I could leave it alone and trust someone else to take care of it.
Now in both cases I could balk at the effort. I could refuse to invest in the things I do daily. Especially for driving I could make a bunch of excuses about how "it's not FAIR" that it can be so dangerous sometimes, that this isn't my fault, that everybody else should always obey the law, that I shouldn't be expected to have split-seconds to deal with the situations created when they don't, etc etc... basically the equivalent of "I am not a computer expert!" when what you're asking for is basic competence.
Likewise, "it's not FAIR" that some bad people just love to break into computers and use them for evil purposes. Am I going to whine about that and resent anyone who points out that I can take steps to mitigate it? Or am I going to accept it as a fact of life and plan accordingly, which (here's the apparently painful part for mainstream America) might involve having to read up on the subject? I know which one I would choose.
Besides which you actually enjoy life a bit more when you are more involved in how it plays out. When you actually have some appreciation for the interconnected complexity of the things around you, some sense of awe that it works like it does. When everything you touch isn't some black box but instead, a system that has fundamental principles which people have learned to harness. Especially when you have some confidence that you can handle unexpected problems that come up, not because you are such an expert but because you understand fundamental problem-solving and it's okay to have to do it sometimes.
Like I said I am attempting to describe a mentality. I believe this mentality, like so many things, is being sacrificed at the altar of convenience. The funny thing about that, is that few things would seem as inconvenient to me as the predictable, preventable problems so many people are having. Yet the idea that one should grow in knowledge and experience with sufficient time is one they soundly reject, and for that there are consequences. Not because I say so, of course, but because that's the nature of the situation and no amount of denial will change that.
Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!
I would add that there are reasons why systems like Linux appeal so much to this kind of user.
The biggest single one is that it doesn't assume you're an idiot. The system is built for users who intend to gradually become more and more familiar with how their systems work and how to maintain them. Users who traverse the learning curve at their own pace are rewarded with more and more ability to assume control and enjoy a system that does what they want the way they want to do it. You can also peek under the hood and see for yourself how things really work, with your skill level being the only limit. Generally things are made as simple as possible but no simpler, unlike Windows.
I would not classify Windows as easy to use, myself. I would call it easy to learn. Linux is quite easy to use if you have learned it. Learning how to use it is a one-time investment that continues to pay off. You can learn all about Windows but that won't make it much more convenient to automate, won't stop it from getting in your way whenever you try to do something advanced, and it won't stop it from trying to make you do things the way Microsoft intended.
The culture around Windows tends to encourage treating it like a black box and memorizing a set of steps to take in order to accomplish a specific task. The culture around Linux and Unix tends to encourage actually understanding how and why the tools work.
Linux also tends to be logical and predictable, the way you'd expect a machine to function. If something breaks, it broke for a good reason. It will stay broken until you fix it. When you fix it, it will stay fixed. You can actually get a meaningful error message that really does help you identify and isolate the problem. Windows has come a long, long way on these two points but it has yet to match the elegance of Linux and Unix. It's also helpful that all of the important configuration ultimately resides in plain text files. There is no opaque single point of failure like the Windows registry, which is a binary database that tends to become a mess over time.
I'd also say that the package management systems that come with Linux distros are vastly superior to the way software is acquired and installed on Windows. Instead of each third-party program having to chase down its own updates, often popping up nag screens requiring the user to complete the final step, you can update every last piece of software on your system with a single command. It's neater, less error-prone, and frankly less annoying. That counts for a lot considering how important it is to keep your system updated, considering how many Windows machines are compromised by exploiting already-patched vulnerabilities. Unfortunately I do not believe central software repositories would be possible on Windows, as the proprietary licenses of most Windows software would not allow third parties to redistribute them.
The users contributing the most to the rampant security problems are what I call permanent newbies. They hate learning new things. Somehow, they can use a tool for ten years without ever knowing much more about it than when they started. They don't even pick up knowledge here and there over time, let alone would they actively study anything. It is like they are too proud to do that. Asking them to do a bit of light reading for their own good is like asking an aristocrat to "fraternize with the help". It is a mentality to which I cannot easily relate. I cannot name anything non-trivial I do on a daily basis that I never learn new things about as I acquire more experience.
I must not be up to current events, but from what I see, Ubuntu is still a very strong distribution being arguably the front-runner when it comes to the desktop Linux offerings.
Every distro has its growing pains. RedHat went through theirs, Slackware had its trials, and so on.
Regardless of the drama that might surround Ubuntu, it still will be one of the top distributions out there. Of course, there may be forks, but Ubuntu has a solid development effort behind it and is standing up to the test of time.
I don't see any "bad linux" distros in the mainstream. In my book, the only way a distro can be "bad" is if they stomp on GPL requirements and refuse to have source code available as per the license. Or if they are outrageously sloppy in how they build binaries, so the executables might not be what the source code compiles to.
For some reason this is discussed as though it were a Linux issue. It isn't; not to a philosopher anyway.
The pattern occurs in a very wide range of otherwise unrelated subjects. It can be summarized easily. Canonical is not forcing anyone to use its distros. If you don't like something, don't use it, don't listen to it, don't watch it, don't practice it, don't support it, etc. The problem is, that isn't good enough for many people. They won't be happy until everyone else feels the same, like it personally offends and affronts them that someone else would choose differently.
That's the real driving force behind this phony controversy. Yes this is a flamebait story and that driving force is what makes it successful flamebait. Even the most humble propagandists and marketers know how to exploit these things to get more page views. Some of you would be horrified to see what the truly skilled manipulators can do.
I've used UNIX for ~20 years and have NEVER used a GNOME desktop.
Linux != UNIX
What do those two sentences have to do with each other?
GNOME is available for many Unix and Unix-like systems. It is not exclusive to Linux. You may have never used or even seen a Linux PC but could still have used GNOME.
There was a GQ article interviewing Billy Ray Cyrus recently (I read it out of the perverse curiosity you have when you come from the same hometown) and he mentioned there's a sign in LA. Adopt-a-Highway, Atheists United. While Mr. Cyrus' interpretation left something to be desired, I thought it was neat - a group of actual civic minded atheists working together long enough to clean up a highway? Where can I find those people?
Most well-adjusted atheists don't flock together under that banner. Not anymore than they'd flock together over their lack of belief in Santa Claus. They may get together to support or oppose some legislation or incident on that basis though.
Note I am not an Atheist but still I think it's a good thing when a group of people band together and show that you don't need a church, a religion, or to be threatened with some kind of guilt-trip in order to pitch in and try to make your community a better place. In fact I'd rather people do such things because they believe them to be a truly worthy and constructive use of their time, gladly and voluntarily, and not through some kind of coercion or pressure of feeling like they're supposed to. I most certainly don't need to identify with Atheists as a group, believe what they believe, or agree with them on a set of issues (i.e. petty considerations) in order to appreciate what this particular group is doing and honor the example they are setting.
You don't need to be so blatant. Just show up with an *atheist* sign on your shirt. Then you can't possibly be held in contempt, and no one will pick you anyhow. You know us Godless heathens can't be trusted!! ;-)
The urge to advertise your personal beliefs about God and insert them into unrelated discussions about jury selection is what is difficult to trust. I am not saying there is anything wrong with discussing such topics, in fact that's what I am about to do now that it's come up. It just seems out of place or off-topic in this particular discussion, like it's not driven by a desire to elaborate on the jury selection process at all but instead by the way the less-enlightened respond to what you believe.
It reminds me of those Christians who think every discussion about every subject is an opportunity to evangelize. The disservice they do to Christianity is tremendous. I say that as someone who does not believe that spirituality is something which can be organized and institutionalized. Herding the genuinely spiritual would be about as easy as herding cats. The self-aware understand the folly of group identities and the undue importance they are given. For that reason I ask that you please do not paint me with the brush of mainstream Churchianity. My point is, I believe that to a lesser degree, the disservice you are doing to Atheism is similar.
I realize you were making a joke but all the same it reflects a feeling of persecution. It sounds like you have been treated differently and maybe downright discriminated against because of your Atheism or you have seen this done to other Atheists. When Jesus taught people to love their neighbor he didn't say "oh, unless he doesn't believe what you believe". Therefore, the "Christians" who would learn you are Atheist and then treat you with anything other than genuine kindness and respect are phony because they don't really understand what they profess to believe.
It reminds me of what Mahatma Gandhi said. As a Hindu, he said "I like your Christ. I do not like your Christians. They are nothing like your Christ." You don't have to identify yourself as a Christian to understand that; all it takes is the ability to think for yourself. Gandhi certainly had that talent. I don't know if this would apply to you so please forgive me for being forced to generalize here: most Atheists I have personally met weren't terribly pro-Atheism. They were anti-religion. They didn't talk very much about rationality, logic, philosophy, etc. They primarily talked about religious people. It's sort of like most US elections -- few vote for a candidate they like. Instead they vote against a candidate they really don't like.
Sadly it is rare for me to meet an Atheist who wants to edify himself and build himself up; they were far too preoccupied with trying to take religion down a peg or two despite generally being smart people, the kind with whom one can reason. That is not an attack on Atheism because it is not unique to them. If anything, it's a lament about the human condition for this pattern is not at all limited to the subject of religion. It tells me something, at least about those particular Atheists I have personally known: they have been as damaged by organized religion as any of its followers and do not wish to let that go and deepen their understanding of who they are and what they believe.
but my guess is that the ministry is trying to control what people do on the internet
That's about the size of it. It's amazing how threatened so many governments feel by the unrestricted free flow of information.
and maybe they can justify their reasoning, but from my perspective, they are overstepping their boundaries.
Of course they can make justifications (i.e. excuses) for it. Every last fascist, authoritarian, power-tripping fevered ego that ever existed has always had one powerful tool: a well-articulated bureaucracy. The tyrant (which may be a person or an organization) intentionally lies and makes excuses for why it's really an act of overwhelming benevolence. Then the more naive people eat it up and become what are known as "useful idiots".
We have those in the 'States too. They're generally the ones who don't study much history. When you point out a recurring pattern and explain why it's not a good thing to support, they call you a tinfoil hat-wearing nutter. They think every instance of an organization acting against our interests requires a pre-arranged back-room type of conspiracy, when really all it requires is a lot of selfishness and apathy. They definitely don't say "here is where you are mistaken, and this is my evidence or my sound reasoning". If hardcore tyranny should come to the USA it will be because they and their "we are somehow special, it can't ever never ever happen here so let's get complacent!" attitude played an instrumental role.
So yes, I am absolutely certain the Vietnamese government will justify (rationalize) their position. That's a prerequisite, a necessary ability they must secure prior to taking an action like this. That is how it has always happened throughout history. Politicians as people generally don't become dictators by openly announcing "hey, I want to be a tyrant, vote for me!" Likewise, governments as organizations don't generally expand their power by saying "we just want to oppress you". It's always for your own good, to protect you from something or another, to deal with some hated enemy, etc.
Just finding parallels. Like I said, I agree with you. Many of these wars could be easily solved legislatively: the illegality of drugs is unconstitutional; see the 1920s for the test.
I believe it is unconstitutional as well. I never understood how it is that a Constitutional amendment was required in order to give the government the authority to enact alcohol prohibition, was later repealed, yet somehow the government still has the authority to enact drug prohibition. There seriously needs to be a way for citizens to challenge the Constitutionality of laws, as in it should be assumed that since all citizens are subject to the law, all citizens have standing to challenge a law. We need something to counterbalance the fact that one friendly judge who thinks the Commerce Clause means "do whatever the hell you want" dooms us to nearly a century of suffering bad laws that can't even accomplish their stated goals.
The war on obesity can be won by eliminating the government subsidy for the corn growers (HFCS, to spell it out).
You're unusually well-informed to so unequivocally realize this. There is a tremendous amount of (bought and paid for) disinformation about this one. It's as bad as trying to research fluoride and possibly worse. Unfortunately yet quite deliberately, the public schools do not equip people to sort the truth from the disinformation and propaganda. If they did, well that would make them unsusceptible to advertising, radically change the nature of politics, and generally might upset the precious status quo.
The war on terror can be won by keeping our troops on domestic soil.
Agreed. Another step in the right direction would be to discard every "finding" of the 9/11 Commission and conduct a serious investigation into all of the unanswered questions about the 9/11 attacks. The two most important questions would be: why did a plane used as a fuel-air bomb produce a collapse that looked so much like a controlled demolition and how did the towers collapse faster than a free-fall from that height in a vacuum; and why did Building 7, which was not struck by any plane, also collapse in a way that looked so much like a controlled demolition?
A nice third question would be, why is it that other skyscrapers of similar construction have both been struck by jet aircraft, and had fires that burned for DAYS (not hours like 9/11) yet not one has ever collapsed? A nice fourth question would be, why were there no engines recovered from the "jet aircraft" that hit the Pentagon when such engines could easily survive atmospheric re-entry from space?
As a people we really have some fucking nerve to invade a sovereign nation before answering these questions and truly putting the matter to rest.
The reason these individuals were not fired is because it's a merit-based organization. A meritocracy penalizes failure and rewards success. By penalizing honest mistakes the people who end up on top may not be those with the most merit, but those who hide their mistakes the best. This has the added detriment of not allowing the organization to learn from its failures.
Two things. One, if the Department of Agriculture made this mistake then I'd say ok, they just got conned, hope they catch the bastard. I wouldn't expect them to be any more difficult to con than any private business or individual. It's different when you have a Department of Homeland Security with all sorts of forensic, investigatory and other law enforcement powers available to it and they're still vulnerable to a common thief. I'm betting that catching the really hardcore terrorists is going to be much more difficult than not falling victim to a common thief. That's the difference, or if you like, that's where there is a demonstrable lack of merit. It calls into question their basic ability to fulfill their stated purpose. A wisely managed organization provides answers to such questions in the form of accountability.
Second, why is it OK for the government to "make an example" of the citizens by handing out extremely harsh penalties that grossly exceed what would fit the crime/tort in the case of things like computer intrusion or copyright infringement, but not OK to make an example of bureaucrats who should know better and then make idiotic decisions that waste our money? The institution can learn from its mistakes by getting rid of people who show such incompetence. The people who remain will understand that they need to get their shit together. Their replacements can be briefed on why there was a job opening for them. Getting rid of the incompetents and allowing the institution to learn from its mistakes are not mutually exclusive.
A third point could be made. The DHS falls under the law enforcement powers of government. It is also a political institution. It is staffed by people who want power and want us to believe that they can be trusted to use it properly. With that power needs to come responsibility and accountability. Therefore, I consider each one of their jobs to be expendable. If they are incompetent, not only should they be fired; they should have never been hired in the first place. I'd be far more sympathetic if this happened to the employees of a company that makes widgets, because none of them are demanding political power.
If we have this solid evidence, file suit against the government for criminal negligence. Do something that will force them to lay punishment down on the lying son of a bitch.
If they have a mind to prosecute him, then he may just discover that at least some of the time, Uncle Sam will spend ten million dollars to get his five cents back.
The government trying to save face is merely a symptom, and should be treated as such.
It certainly does make them look stupid when they're supposed to be protecting us from a big, determined, ruthless threat like Al-Qaeda and it ends up that they can't even protect themselves from simple fraud. It makes them look unnecessary, too, and that's the part they can't stand. It's the sort of thing that can make the political pressures no longer operate in their favor. Until this event they had the whole "be afraid!" thing working well for them.
The only things I can think of that would discourage this behavior are active prevention through transparency and follow-up enforcement when that fails.
In any kind of merit-based organization that would mean firing and replacing every decision-maker who chose to invest in this software. That's how they could regain credibility, by showing that they won't tolerate such gross incompetence within their ranks. Otherwise the question remains valid: how do they propose to protect the entire country from shadowy underground terrorist organizations bent on our destruction if they cannot even protect themselves from a common con-man?
To give a recent example of why that isn't sufficient, look at the HBGary hack. [arstechnica.com] These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.
My very point is this: suppose there were security regulations that came not from security experts, but rather from politicians. How would that have prevented HBGary from having such glaring flaws? The only difference it would make is that when they claim to have expertise, they could add "according to the government" to the statement. If the politicians admitted they know nothing about computer security and instead responded to the actual experts in the industry, perhaps HBGary would have been a tougher target.
Mind you, which is the more likely outcome of this certification? That companies who hire security consultants will be able to demand a certain quality of service? Or that security consultants will be able to hide their incompetence behind a government rubber stamp? I think we both know the answer to that one.
I fully agree with you. However, I don't think it has to be this way. I believe it got to be this way because of a lot of ignorance and complacency. Both of those are curable. Both of those also acquire inertia, so the sooner they are addressed the less of an effort the change needs to be.
I was really hoping so, though I have to balance that with how many times I've had to explain such things. Not so many folks are willing to decide "if it doesn't fit the scenario I first conceptualized, perhaps another valid scenario is a better fit"; they'd rather assume you're a moron. So I erred on the side of giving you redundant information.
You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for the benefit of the business owner, who never knows when his employees might screw up, leaving him exposed to legal liability. By codifying practices that business can "certify" against, laws like this put legal tools in the hands of business owners that can shield them from lawsuits. The point of the law is not to make businesses more secure. The point of the law is to create a legal framework by which businesses can reduce risk.
Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied. You are admitting that such laws have nothing whatsoever to do with actual security, only compliance. The real crux of the problem is that compliance with the laws and real security are two different things. That's the fault. The mandate should be consistent with what actually provides security.
Second, the business owners already have a method to shield themselves from lawsuits. It's called the corporate veil. They are not personally liable for the honest mistakes and failures of their corporation. So that part is taken care of.
Here is how things are supposed to work: the government is by The People and for The People. Said government grants a corporate charter to a business because a responsibly operated business also serves The People by providing a useful good/service at a price they are willing to bear (i.e. without force or fraud). The People as customers benefit when a business does not lose control over sensitive customer data. The People as shareholders benefit when a business does not lose control over sensitive management/shareholder data. No one benefits ultimately from insecure systems that somehow manage to meet all the legal requirements. A government of The People would not so grossly fail to meet the real security needs of The People while satisfying some fictitious legal need.
That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position. The latter comes from what is politically expedient which, in turn, mostly boils down to who has clout, money, and lobbyists. I know which one I'd want to guard my data.
Look, if we're no longer willing to expect things to work this way, then let's give up all principle entirely and just admit that the corporatocracy has won and we are no longer a representative republic. If we're not yet prepared to do that then let's recognize such tendencies as failures and try to fix them with an awareness of why they are flawed.
"holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"
Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank,... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").
Are not the shareholders ultimately responsible for the management they permit and the company in which they have chosen to invest? Note, I don't dispute that CEOs should be more personally accountable for dishonest corporations. They absolutely should. But the CEO is the CEO because the board of shareholders has permitted it.
The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.
I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.
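The post above names "a strong hash with a salt everywhere the password's kept" as the kind of minimum requirement that would actually mitigate the risk of a leaked credential store. The following is an added illustration, not code from the original discussion or from any project mentioned in it, showing the unsalted fast-hash approach beside a salted, iterated one (PBKDF2-HMAC-SHA256 from Python's standard library), constant-time verification, and a check for records whose work factor has fallen behind policy. The record format (`pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>`), the sample passwords and the iteration counts are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input for the example; not from the original post.
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed policy value for this example: the work factor new records should use.
CURRENT_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The weak form: one unsalted SHA-256 over the password.

    Two users with the same password get the identical record, and a single
    precomputed table cracks every record in the dump at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_store(password: str,
                 iterations: int = CURRENT_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    """The salted form: PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per record.

    Record layout (an assumption for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    Storing the parameters in the record lets the work factor be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str, minimum_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when a stored record is not in the salted format or uses fewer
    iterations than current policy; such a record should be re-stored with a
    fresh salt the next time the user authenticates successfully."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < minimum_iterations


def login(password: str, record: str) -> Optional[str]:
    """Authenticate and return the record that should now be stored: the same
    record if it is still fine, an upgraded one if it fell behind policy, or
    None if the password was wrong."""
    if not verify(password, record):
        return None
    return strong_store(password) if needs_rehash(record) else record


if __name__ == "__main__":
    # Same password, two users: the weak records are identical, the salted ones differ.
    print(weak_store(SAMPLE_PASSWORD) == weak_store(SAMPLE_PASSWORD))      # True
    print(strong_store(SAMPLE_PASSWORD) == strong_store(SAMPLE_PASSWORD))  # False
    rec = strong_store(SAMPLE_PASSWORD)
    print(verify(SAMPLE_PASSWORD, rec), verify("wrong password", rec))     # True False
```

The iteration count is a tuning knob, not a fixed constant: pick the largest value the login path can afford, and let `needs_rehash` migrate old records forward as hardware gets faster. Memory-hard functions such as scrypt or Argon2 are the stronger choice where a library is available; PBKDF2 is used here only because it ships with the standard library.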
I really want to believe that it would work out as you describe.
However, experience teaches me that the well-funded guy in an expensive suit who can put on a compelling presentation will lobby the decision-makers to make certain that any requirements are thoroughly divorced from realistic practices that truly yield better security.
Unfortunately we do not live in anything like a meritocracy. Becoming one of the decision-makers means knowing the right people, knowing on which side your bread is buttered, saying the right catch-phrases when prompted, being impressed with a person's credentials or position and not with the person's expertise, and putting on a good show. It has nothing whatsoever to do with merit, technical skill, critical thought, logic, or anything like that. It is not a technical game of skill. It is a social game of presentation and a willingness to put aside one's integrity in order to play the game.
While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.
Yeah, but have you looked at these "wars" critically?
Let's take the easiest one to deconstruct: the War on (some) Drugs. Both the drug dealers and the drug users are willing participants. There is no victim. No victim of force or fraud means no legitimate reason to involve law enforcement. Yet law enforcement is involved and the result is that the worst criminal elements have a ready source of black-market funding.
How about the War on Obesity? Personally, I think parents of obese children should be charged with child abuse unless a licensed physician can demonstrate that there is a thyroid disorder or other reason why obesity cannot be remedied. Otherwise, when dealing with adults, it is terrible decision-making but they are entitled to damage their own bodies if that's really what they wish to do. They can even adopt and defend a victim mentality where it's always the fault of genetics, big bones, McDonalds, or some other excuse for why they repeatedly and consistently choose to consume more calories than they burn (basic thermodynamics -- if you burn more calories than you eat you absolutely will lose weight, otherwise you just disproved all of modern physics). They have that right as adults. What is there to fight? How do you make a case for the legislature and law enforcement powers of government to become involved in this?
Ok then, how about the War on Terror? Well, let's see now. We have a long history of using our intelligence agencies to overthrow democratically elected leaders and replace them with dictators more willing to play ball with the US's interests. Think that might create some enemies? Think some of those enemies might be desperate? No, they hate us for our freedoms, yeah, sure, ok. It's an easy line to buy for the patriotic egotist, that we are so great that others would envy us so much that they'd want to attack us out of spite and for no other reason. The problem is, it ignores the cause-and-effect. So what do we do about this? Oh yeah, we invade a sovereign nation (Iraq) and demolish its government, kill many of its civilians, and act shocked when the natives treat us like the uninvited invaders that we are and fight back, as if we wouldn't do the same to an Iraqi army that marched on American soil. Whoopsy, turns out we had "bad intelligence" and didn't actually have a reason to invade, so uh, uhm... uh... yeah, well we just wanted to liberate them from Saddam, sure that was our intent all along, we just uhm forgot to mention that from the beginning.
The immune system within our own bodies is not nearly as stupid, not nearly as psychopathic. It's almost an insult against nature to equate the two. Hell, I could remove the word "almost" from that previous sentence and retain accuracy.
Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking man" do no good to anybody in the current legal environment.
And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.
For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management. You expanded the scope of the idea to include the larger legal framework but I maintain that the general concept applies there as well. As above, so below.
This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.
-Someone who does this for a living
Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.
Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.
As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:
War on (some) Drugs
War on Poverty
War on Terror
War on Obesity
Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.
Is that really so much to ask? It'd be easier than what we are doing now.
i've never been to 4chan. you're an idiot.
cower some more, feeb.
you're completely pathetic
You're leaving one thing unexplained.
Nevermind that many highways are built like drag strips, it's for your safety!
Besides, the summary mentions about 330 crimes associated with the site. How many millions of users does it have? I wish major metropolitan areas had crime rates like that.
I think this is another one of those "... but with a computer!" type of stories.
Hilariously, Paypal was actually started by a libertarian as some sort of "resist the man and his fiat currency's dead hand on trade" kind of thing. Now it voluntarily licks the boots of those who would suppress the entirely legal efforts of an advocacy group to secure a man a fair trial (rather than the present detention-without-trial-of-indefinite-length...)
All hail the private sector, defender of liberty!
Far as I can tell Paypal is just another pro-Establishment tool despite any intentions of its founder. Wikileaks has been accused of no crime in any jurisdiction, but they irritate a lot of powerful people. So Paypal interferes with the effort to support Wikileaks by using Paypal to make donations. Manning is currently facing some serious accusations; he is accused of leaking information that ended up in Wikileaks which again pisses off a lot of powerful people. So Paypal freezes the account that would have been used to fund his legal defense.
This is opinionated speculation only, but I really wonder what kind of favors or kickbacks Paypal is going to receive in the future. They have faithfully served their masters it would seem, and that's obviously not its users and customers. Fascism is the merging of corporate and government power. Corporations doing what is convenient for the government and acting against people government doesn't like, in the absence of any actual requirement to do so, is a step in that direction for certain.
Even those who are guilty as sin deserve a fair trial. So long as their fair trials are funded voluntarily there is nothing that needs to be stopped.
Too many arguments go like this. I believe it misses the real point being made. It was already well-established by the summary that Paypal has no legal obligation here.
If you truly support the Constitution and principles like rule of law and due process, then you adhere to them even if the government is not going to use force to make you adhere to them. Anywhere that there is a choice in the matter, you get to see what people really believe in. Paypal wouldn't even provide a copy of the relevant portions of their policy.
The funny thing is the implied hypocrisy. If any of the decision-makers at Paypal did find themselves in violation of the law, they'd never surrender their rights to due process. They'd want to know which law they are being accused of having broken. They'd want the prosecution to have to prove every claim it makes. But in their own little kingdom where they both make and enforce the rules, they want the ability to arbitrarily shut anyone down without ever having to demonstrate that they violated the rules or even citing which rules would apply.
In my opinion, they're assholes and if you do business with them, it is because you want assholes to prosper. Like you, I have never once used Paypal and because of behavior like this, I never will. This is not remotely the first example of pathological behavior from this company.
Managing an IT shop at a school, my biggest problem with the student workers was beating the "anyone who doesn't give a shit about computers is a stupid idiot" out of them.
I know it's a stage all geeks go through, but man is it irritating. The only thing that kept my rage in check was the knowledge that I was an even bigger douchebag at their age.
The thing to keep in mind is that for most of the planet computers are a means to an end. They are (and should be) practically invisible to the user when they work. The fact that we have to constantly harass users into sane behavior (e.g. "don't open that, it's a goddamn virus") isn't a reflection of their intelligence, it's a reflection of POOR DESIGN.
That's one "side" of it if you like. Certainly I have never advocated that we make things needlessly complex.
I am wondering how best to explain this because it's a mentality, a willingness to invest, a recognition of a certain mental laziness. I'll concentrate on some basic everyday things, for computers have become everyday tools.
I know more about driving today than back when I first obtained my driver's license. I have learned by doing, through experience. Specifically this has to do with defensive driving, with leaving margin for error for both myself and other drivers, with not surprising other drivers, not being surprised by them even when they screw up royally, etc. I pick up things from time to time after having observed them empirically.
I know more about how to manage money today than I did back when I got my very first bank account. Same deal for the driving; I pick things up over time and I make it a point to remember them. For the 401(k) I learned where the money was actually going, what the various funds represent, how much risk they each involve, etc. In other words, I did my homework even though at least some of the time I could leave it alone and trust someone else to take care of it.
Now in both cases I could balk at the effort. I could refuse to invest in the things I do daily. Especially for driving I could make a bunch of excuses about how "it's not FAIR" that it can be so dangerous sometimes, that this isn't my fault, that everybody else should always obey the law, that I shouldn't be expected to have split-seconds to deal with the situations created when they don't, etc etc... basically the equivalent of "I am not a computer expert!" when what you're asking for is basic competence.
Likewise, "it's not FAIR" that some bad people just love to break into computers and use them for evil purposes. Am I going to whine about that and resent anyone who points out that I can take steps to mitigate it? Or am I going to accept it as a fact of life and plan accordingly, which (here's the apparently painful part for mainstream America) might involve having to read up on the subject? I know which one I would choose.
Besides which you actually enjoy life a bit more when you are more involved in how it plays out. When you actually have some appreciation for the interconnected complexity of the things around you, some sense of awe that it works like it does. When everything you touch isn't some black box but instead, a system that has fundamental principles which people have learned to harness. Especially when you have some confidence that you can handle unexpected problems that come up, not because you are such an expert but because you understand fundamental problem-solving and it's okay to have to do it sometimes.
Like I said I am attempting to describe a mentality. I believe this mentality, like so many things, is being sacrificed at the altar of convenience. The funny thing about that is that few things would seem as inconvenient to me as the predictable, preventable problems so many people are having. Yet the idea that one should grow in knowledge and experience with sufficient time is one they soundly reject, and for that there are consequences. Not because I say so, of course, but because that's the nature of the situation and no amount of denial will change that.
Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!
I would add that there are reasons why systems like Linux appeal so much to this kind of user.
The biggest single one is that it doesn't assume you're an idiot. The system is built for users who intend to gradually become more and more familiar with how their systems work and how to maintain them. Users who traverse the learning curve at their own pace are rewarded with more and more ability to assume control and enjoy a system that does what they want the way they want to do it. You can also peek under the hood and see for yourself how things really work, with your skill level being the only limit. Generally things are made as simple as possible but no simpler, unlike Windows.
I would not classify Windows as easy to use, myself. I would call it easy to learn. Linux is quite easy to use if you have learned it. Learning how to use it is a one-time investment that continues to pay off. You can learn all about Windows but that won't make it much more convenient to automate, won't stop it from getting in your way whenever you try to do something advanced, and it won't stop it from trying to make you do things the way Microsoft intended.
The culture around Windows tends to encourage treating it like a black box and memorizing a set of steps to take in order to accomplish a specific task. The culture around Linux and Unix tends to encourage actually understanding how and why the tools work.
Linux also tends to be logical and predictable, the way you'd expect a machine to function. If something breaks, it broke for a good reason. It will stay broken until you fix it. When you fix it, it will stay fixed. You can actually get a meaningful error message that really does help you identify and isolate the problem. Windows has come a long, long way on these two points but it has yet to match the elegance of Linux and Unix. It's also helpful that all of the important configuration ultimately resides in plain text files. There is no opaque single point of failure like the Windows registry, which is a binary database that tends to become a mess over time.
I'd also say that the package management systems that come with Linux distros are vastly superior to the way software is acquired and installed on Windows. Instead of each third-party program having to chase down its own updates, often popping up nag screens requiring the user to complete the final step, you can update every last piece of software on your system with a single command. It's neater, less error-prone, and frankly less annoying. That counts for a lot considering how important it is to keep your system updated, considering how many Windows machines are compromised by exploiting already-patched vulnerabilities. Unfortunately I do not believe central software repositories would be possible on Windows, as the proprietary licenses of most Windows software would not allow third parties to redistribute them.
The users contributing the most to the rampant security problems are what I call permanent newbies. They hate learning new things. Somehow, they can use a tool for ten years without ever knowing much more about it than when they started. They don't even pick up knowledge here and there over time, let alone would they actively study anything. It is like they are too proud to do that. Asking them to do a bit of light reading for their own good is like asking an aristocrat to "fraternize with the help". It is a mentality to which I cannot easily relate. I cannot name anything non-trivial I do on a daily basis that I never learn new things about as I acquire more experience.
Just upgrade to tinydns/dnscache and forget about security bugs...
Yeah, this surprised me just about as much as an exploit for Sendmail.
In other unrelated news, users of Windows, IIS, and IE have more malware problems than users of OpenBSD.
I must not be up to current events, but from what I see, Ubuntu is still a very strong distribution being arguably the front-runner when it comes to the desktop Linux offerings.
Every distro has their growing pains. RedHat went through theirs, Slackware had its trials, and so on.
Regardless of the drama that might surround Ubuntu, it still will be one of the top distributions out there. Of course, there may be forks, but Ubuntu has a solid development effort behind it and is standing up to the test of time.
I don't see any "bad linux" distros in the mainstream. In my book, the only way a distro can be "bad" is if they stomp on GPL requirements and refuse to have source code available as per the license. Or if they are outrageously sloppy in how they build binaries, so the executables might not be what the source code compiles to.
For some reason this is discussed as though it were a Linux issue. It isn't; not to a philosopher anyway.
The pattern occurs in a very wide range of otherwise unrelated subjects. It can be summarized easily. Canonical is not forcing anyone to use its distros. If you don't like something, don't use it, don't listen to it, don't watch it, don't practice it, don't support it, etc. The problem is, that isn't good enough for many people. They won't be happy until everyone else feels the same, like it personally offends and affronts them that someone else would choose differently.
That's the real driving force behind this phony controversy. Yes this is a flamebait story and that driving force is what makes it successful flamebait. Even the most humble propagandists and marketers know how to exploit these things to get more page views. Some of you would be horrified to see what the truly skilled manipulators can do.
I've used UNIX for ~20 years and have NEVER used a GNOME desktop.
Linux != UNIX
What do those two sentences have to do with each other?
GNOME is available for many Unix and Unix-like systems. It is not exclusive to Linux. You may have never used or even seen a Linux PC but could still have used GNOME.
There was a GQ article interviewing Billy Ray Cyrus recently (I read it out of the perverse curiosity you have when you come from the same hometown) and he mentioned there's a sign in LA. Adopt-a-Highway, Atheists United. While Mr. Cyrus' interpretation left something to be desired, I thought it was neat - a group of actual civic-minded atheists working together long enough to clean up a highway? Where can I find those people?
Most well-adjusted atheists don't flock together under that banner. Not anymore than they'd flock together over their lack of belief in Santa Claus. They may get together to support or oppose some legislation or incident on that basis though.
Note I am not an Atheist but still I think it's a good thing when a group of people band together and show that you don't need a church, a religion, or to be threatened with some kind of guilt-trip in order to pitch in and try to make your community a better place. In fact I'd rather people do such things because they believe them to be a truly worthy and constructive use of their time, gladly and voluntarily, and not through some kind of coercion or pressure of feeling like they're supposed to. I most certainly don't need to identify with Atheists as a group, believe what they believe, or agree with them on a set of issues (i.e. petty considerations) in order to appreciate what this particular group is doing and honor the example they are setting.
You don't need to be so blatant. Just show up with an *atheist* sign on your shirt. Then you can't possibly be held in contempt, and no one will pick you anyhow. You know us Godless heathens can't be trusted!! ;-)
The urge to advertise your personal beliefs about God and insert them into unrelated discussions about jury selection is what is difficult to trust. I am not saying there is anything wrong with discussing such topics, in fact that's what I am about to do now that it's come up. It just seems out of place or off-topic in this particular discussion, like it's not driven by a desire to elaborate on the jury selection process at all but instead by the way the less-enlightened respond to what you believe.
It reminds me of those Christians who think every discussion about every subject is an opportunity to evangelize. The disservice they do to Christianity is tremendous. I say that as someone who does not believe that spirituality is something which can be organized and institutionalized. Herding the genuinely spiritual would be about as easy as herding cats. The self-aware understand the folly of group identities and the undue importance they are given. For that reason I ask that you please do not paint me with the brush of mainstream Churchianity. My point is, I believe that to a lesser degree, the disservice you are doing to Atheism is similar.
I realize you were making a joke but all the same it reflects a feeling of persecution. It sounds like you have been treated differently and maybe downright discriminated against because of your Atheism or you have seen this done to other Atheists. When Jesus taught people to love their neighbor he didn't say "oh, unless he doesn't believe what you believe". Therefore, the "Christians" who would learn you are Atheist and then treat you with anything other than genuine kindness and respect are phony because they don't really understand what they profess to believe.
It reminds me of what Mahatma Gandhi said. As a Hindu, he said "I like your Christ. I do not like your Christians. They are nothing like your Christ." You don't have to identify yourself as a Christian to understand that; all it takes is the ability to think for yourself. Gandhi certainly had that talent. I don't know if this would apply to you so please forgive me for being forced to generalize here: most Atheists I have personally met weren't terribly pro-Atheism. They were anti-religion. They didn't talk very much about rationality, logic, philosophy, etc. They primarily talked about religious people. It's sort of like most US elections -- few vote for a candidate they like. Instead they vote against a candidate they really don't like.
Sadly it is rare for me to meet an Atheist who wants to edify himself and build himself up; they were far too preoccupied with trying to take religion down a peg or two despite generally being smart people, the kind with whom one can reason. That is not an attack on Atheism because it is not unique to them. If anything, it's a lament about the human condition for this pattern is not at all limited to the subject of religion. It tells me something, at least about those particular Atheists I have personally known: they have been as damaged by organized religion as any of its followers and do not wish to let that go and deepen their understanding of who they are and what they believe.
That's about the size of it. It's amazing how threatened so many governments feel by the unrestricted free flow of information.
Of course they can make justifications (i.e. excuses) for it. Every last fascist, authoritarian, power-tripping fevered ego that ever existed has always had one powerful tool: a well-articulated bureaucracy. The tyrant (which may be a person or an organization) intentionally lies and makes excuses for why it's really an act of overwhelming benevolence. Then the more naive people eat it up and become what are known as "useful idiots".
We have those in the 'States too. They're generally the ones who don't study much history. When you point out a recurring pattern and explain why it's not a good thing to support, they call you a tinfoil hat-wearing nutter. They think every instance of an organization acting against our interests requires a pre-arranged back-room type of conspiracy, when really all it requires is a lot of selfishness and apathy. They definitely don't say "here is where you are mistaken, and this is my evidence or my sound reasoning". If hardcore tyranny should come to the USA it will be because they and their "we are somehow special, it can't ever never ever happen here so let's get complacent!" attitude played an instrumental role.
So yes, I am absolutely certain the Vietnamese government will justify (rationalize) their position. That's a prerequisite, a necessary ability they must secure prior to taking an action like this. That is how it has always happened throughout history. Politicians as people generally don't become dictators by openly announcing "hey, I want to be a tyrant, vote for me!" Likewise, governments as organizations don't generally expand their power by saying "we just want to oppress you". It's always for your own good, to protect you from something or another, to deal with some hated enemy, etc.
I believe it is unconstitutional as well. I never understood how it is that a Constitutional amendment was required in order to give the government the authority to enact alcohol prohibition, was later repealed, yet somehow the government still has the authority to enact drug prohibition. There seriously needs to be a way for citizens to challenge the Constitutionality of laws, as in it should be assumed that since all citizens are subject to the law, all citizens have standing to challenge a law. We need something to counterbalance the fact that one friendly judge who thinks the Commerce Clause means "do whatever the hell you want" dooms us to nearly a century of suffering bad laws that can't even accomplish their stated goals.
You're unusually well-informed to so unequivocally realize this. There is a tremendous amount of (bought and paid for) disinformation about this one. It's as bad as trying to research fluoride and possibly worse. Unfortunately yet quite deliberately, the public schools do not equip people to sort the truth from the disinformation and propaganda. If they did, well that would make them unsusceptible to advertising, radically change the nature of politics, and generally might upset the precious status quo.
Agreed. Another step in the right direction would be to discard every "finding" of the 9/11 Commission and conduct a serious investigation into all of the unanswered questions about the 9/11 attacks. The two most important questions would be: why did a plane used as a fuel-air bomb produce a collapse that looked so much like a controlled demolition and how did the towers collapse faster than a free-fall from that height in a vacuum; and why did Building 7, which was not struck by any plane, also collapse in a way that looked so much like a controlled demolition?
A nice third question would be, why is it that other skyscrapers of similar construction have both been struck by jet aircraft, and had fires that burned for DAYS (not hours like 9/11) yet not one has ever collapsed? A nice fourth question would be, why were there no engines recovered from the "jet aircraft" that hit the Pentagon when such engines could easily survive atmospheric re-entry from space?
As a people we really have some fucking nerve to invade a sovereign nation before answering these questions and truly putting the matter to rest.
The reason these individuals were not fired is because it's a merit-based organization. A meritocracy penalizes failure and rewards success. By penalizing honest mistakes the people who end up on top may not be those with the most merit, but those who hide their mistakes the best. This has the added detriment of not allowing the organization to learn from its failures.
Two things. One, if the Department of Agriculture made this mistake then I'd say ok, they just got conned, hope they catch the bastard. I wouldn't expect them to be any more difficult to con than any private business or individual. It's different when you have a Department of Homeland Security with all sorts of forensic, investigatory and other law enforcement powers available to it and they're still vulnerable to a common thief. I'm betting that catching the really hardcore terrorists is going to be much more difficult than not falling victim to a common thief. That's the difference, or if you like, that's where there is a demonstrable lack of merit. It calls into question their basic ability to fulfill their stated purpose. A wisely managed organization provides answers to such questions in the form of accountability.
Second, why is it OK for the government to "make an example" of the citizens by handing out extremely harsh penalties that grossly exceed what would fit the crime/tort in the case of things like computer intrusion or copyright infringement, but not OK to make an example of bureaucrats who should know better and then make idiotic decisions that waste our money? The institution can learn from its mistakes by getting rid of people who show such incompetence. The people who remain will understand that they need to get their shit together. Their replacements can be briefed on why there was a job opening for them. Getting rid of the incompetents and allowing the institution to learn from its mistakes are not mutually exclusive.
A third point could be made. The DHS falls under the law enforcement powers of government. It is also a political institution. It is staffed by people who want power and want us to believe that they can be trusted to use it properly. With that power needs to come responsibility and accountability. Therefore, I consider each one of their jobs to be expendable. If they are incompetent, not only should they be fired; they should have never been hired in the first place. I'd be far more sympathetic if this happened to the employees of a company that makes widgets, because none of them are demanding political power.
If we have this solid evidence, file suit against the government for criminal negligence. Do something that will force them to lay punishment down on the lying son of a bitch.
If they have a mind to prosecute him, then he may just discover that at least some of the time, Uncle Sam will spend ten million dollars to get his five cents back.
It certainly does make them look stupid when they're supposed to be protecting us from a big, determined, ruthless threat like Al-Qaeda and it ends up that they can't even protect themselves from simple fraud. It makes them look unnecessary, too, and that's the part they can't stand. It's the sort of thing that can make the political pressures no longer operate in their favor. Until this event they had the whole "be afraid!" thing working well for them.
In any kind of merit-based organization that would mean firing and replacing every decision-maker who chose to invest in this software. That's how they could regain credibility, by showing that they won't tolerate such gross incompetence within their ranks. Otherwise the question remains valid: how do they propose to protect the entire country from shadowy underground terrorist organizations bent on our destruction if they cannot even protect themselves from a common con-man?
My very point is this: suppose there were security regulations that came not from security experts, but rather from politicians. How would that have prevented HBGary from having such glaring flaws? The only difference it would make is that when they claim to have expertise, they could add "according to the government" to the statement. If the politicians admitted they know nothing about computer security and instead responded to the actual experts in the industry, perhaps HBGary would have been a tougher target.
I fully agree with you. However, I don't think it has to be this way. I believe it got to be this way because of a lot of ignorance and complacency. Both of those are curable. Both of those also acquire inertia, so the sooner they are addressed the less of an effort the change needs to be.
I was really hoping so, though I have to balance that with how many times I've had to explain such things. Not so many folks are willing to decide "if it doesn't fit the scenario I first conceptualized, perhaps another valid scenario is a better fit"; they'd rather assume you're a moron. So I erred on the side of giving you redundant information.
Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied. You are admitting that such laws have nothing whatsoever to do with actual security, only compliance. The real crux of the problem is that compliance with the laws and real security are two different things. That's the fault. The mandate should be consistent with what actually provides security.
Second, the business owners already have a method to shield themselves from lawsuits. It's called the corporate veil. They are not personally liable for the honest mistakes and failures of their corporation. So that part is taken care of.
Here is how things are supposed to work: the government is by The People and for The People. Said government grants a corporate charter to a business because a responsibly operated business also serves The People by providing a useful good/service at a price they are willing to bear (i.e. without force or fraud). The People as customers benefit when a business does not lose control over sensitive customer data. The People as shareholders benefit when a business does not lose control over sensitive management/shareholder data. No one benefits ultimately from insecure systems that somehow manage to meet all the legal requirements. A government of The People would not so grossly fail to meet the real security needs of The People while satisfying some fictitious legal need.
That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position. The latter comes from what is politically expedient which, in turn, mostly boils down to who has clout, money, and lobbyists. I know which one I'd want to guard my data.
Look, if we're no longer willing to expect things to work this way, then let's give up all principle entirely and just admit that the corporatocracy has won and we are no longer a representative republic. If we're not yet prepared to do that then let's recognize such tendencies as failures and try to fix them with an awareness of why they are flawed.
"holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"
Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").
Are not the shareholders ultimately responsible for the management they permit and the company in which they have chosen to invest? Note, I don't dispute that CEOs should be more personally accountable for dishonest corporations. They absolutely should. But the CEO is the CEO because the board of shareholders has permitted it.
The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.
I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.
I really want to believe that it would work out as you describe.
However, experience teaches me that the well-funded guy in an expensive suit who can put on a compelling presentation will lobby the decision-makers to make certain that any requirements are thoroughly divorced from realistic practices that truly yield better security.
Unfortunately we do not live in anything like a meritocracy. Becoming one of the decision-makers means knowing the right people, knowing on which side your bread is buttered, saying the right catch-phrases when prompted, being impressed with a person's credentials or position and not with the person's expertise, and putting on a good show. It has nothing whatsoever to do with merit, technical skill, critical thought, logic, or anything like that. It is not a technical game of skill. It is a social game of presentation and a willingness to put aside one's integrity in order to play the game.
While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.
Yeah, but have you looked at these "wars" critically?
Let's take the easiest one to deconstruct: the War on (some) Drugs. Both the drug dealers and the drug users are willing participants. There is no victim. No victim of force or fraud means no legitimate reason to involve law enforcement. Yet law enforcement is involved and the result is that the worst criminal elements have a ready source of black-market funding.
How about the War on Obesity? Personally, I think parents of obese children should be charged with child abuse unless a licensed physician can demonstrate that there is a thyroid disorder or other reason why obesity cannot be remedied. Otherwise, when dealing with adults, it is terrible decision-making but they are entitled to damage their own bodies if that's really what they wish to do. They can even adopt and defend a victim mentality where it's always the fault of genetics, big bones, McDonalds, or some other excuse for why they repeatedly and consistently choose to consume more calories than they burn (basic thermodynamics -- if you burn more calories than you eat you absolutely will lose weight, otherwise you just disproved all of modern physics). They have that right as adults. What is there to fight? How do you make a case for the legislature and law enforcement powers of government to become involved in this?
Ok then, how about the War on Terror? Well, let's see now. We have a long history of using our intelligence agencies to overthrow democratically elected leaders and replace them with dictators more willing to play ball with the US's interests. Think that might create some enemies? Think some of those enemies might be desperate? No, they hate us for our freedoms, yeah, sure, ok. It's an easy line to buy for the patriotic egotist, that we are so great that others would envy us so much that they'd want to attack us out of spite and for no other reason. The problem is, it ignores the cause-and-effect. So what do we do about this? Oh yeah, we invade a sovereign nation (Iraq) and demolish its government, kill many of its civilians, and act shocked when the natives treat us like the uninvited invaders that we are and fight back, as if we wouldn't do the same to an Iraqi army that marched on American soil. Whoopsy, turns out we had "bad intelligence" and didn't actually have a reason to invade, so uh, uhm ... uh ... yeah, well we just wanted to liberate them from Saddam, sure that was our intent all along, we just uhm forgot to mention that from the beginning.
The immune system within our own bodies is not nearly as stupid, not nearly as psychopathic. It's almost an insult against nature to equate the two. Hell, I could remove the word "almost" from that previous sentence and retain accuracy.
And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.
For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management. You expanded the scope of the idea to include the larger legal framework but I maintain that the general concept applies there as well. As above, so below.
This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.
-Someone who does this for a living
Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.
Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.
As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:
Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.
Is that really so much to ask? It'd be easier than what we are doing now.