Slashdot Mirror


User: phek

phek's activity in the archive.

Stories: 0
Comments: 175

Comments · 175

  1. Re:If a malicious hacker DoS's your servers... on US Gov't Mistakenly Shuts Down 84,000 Sites · Score: 1

    By the DHS making restitution I assume you mean our military spending will increase.

  2. Re:Get over it. on New PS3 Firmware Contains Backdoor · Score: 1

    uhmm, it would be REALLY easy for sony to create a program to monitor what movies you watch through your ps3 and look at what content your streaming servers are offering, then report it back to sony. Since sony is part of the RIAA/MPAA i could see this as being very likely (not by targeting me personally). As far as the network security goes that's actually what I did last night, went out and bought a new media player and set up my ps3 in a DMZ. My network was/is set up securely enough so that they can't sniff traffic but they could interact with other machines on my network since it needed to access the media server. The only way it could have been more secure is if it was in a dmz and could only access the streaming media service on my network (which would still not solve the situation I'm describing) but since the ps3 wasn't available to arbitrary incoming traffic from the internet before I didn't see it as necessary. Now that it is (or it may be, i'm still not totally convinced this article is legit), the machine now needs to be isolated from the rest of my network (for general security reasons, not just attacks from sony).

  3. Re:How is it different from normal firmware update on New PS3 Firmware Contains Backdoor · Score: 1

    as i somewhat stated in another thread, the problem is that the firmware updates held sony responsible for what your ps3 did. as in anything unethical/illegal could be tracked down to a firmware update. Now sony could cause your ps3 to do whatever it wants whenever it wants and you can't prove that they did it.

  4. Re:Get over it. on New PS3 Firmware Contains Backdoor · Score: 1

    the problem is that now they can sniff your home network to see what you're doing. They can run a search on your network for any shares/media streams with "pirated" movies/media then start investigating/prosecute you. They could also try to monitor what else you're doing on your network/internet. Before you would hope that the firmware updates wouldn't do that, but if so you could figure out what firmware it was and hold sony responsible. Now they could connect to your ps3 whenever they want and run whatever they want (provided your ps3 is turned on).

    On top of that, installing something like this opens a vector for malicious hackers to bypass your firewall/router and have free rein of your home network.

  5. Re:Bundles of anti-trust on EU Approves Intel's McAfee Purchase After Interoperability Pledge · Score: 1

    they also only said that mcafee would continue to support amd, not be optimized for it.

  6. Re:Yeah, they got it right. on Inventors of Unix Win Japan Prize · Score: 1

    i have no idea what point you were trying to make. you can boot os x into run level 3 and do everything from a console if you want. i was just pointing out that of the 3 things he listed 2 of them were the same. I use my OSX macbook almost identically to how I use my linux laptop. I open up firefox, thunderbird and a terminal and I do all of my "computer stuff" through the terminal.

  7. Re:Jihad against spam or spam against jihad? on Spam Text Prematurely Blows Up Suicide Bomber · Score: 1

    how's the saying go... the friend of my enemy is my friend too?

  8. Re:Great... on Senators Bash ISP and Push Extensive Net Neutrality · Score: 1

    actually it seems to address that when it states that it can't do stuff without the consumer's permission.

  9. Re:Yeah, they got it right. on Inventors of Unix Win Japan Prize · Score: 4, Informative

    OSX is unix with an aqua graphical user interface/theme.

  10. Re:mad props on Inventors of Unix Win Japan Prize · Score: 3, Interesting

    The main reason i see for it is in comparison to most other OSs, everything* can be accessed as a file. This includes most devices and sockets. That has made unix very agile and has allowed it to adapt with the times. The only OS i can think of that goes further than unix in this respect is plan 9, which was also designed by bell labs as the successor to unix. Plan 9 goes as far as allowing peripherals on the network to be accessed as files.

  11. Re:Life is not fair on Should Younger Developers Be Paid More? · Score: 1

    i do agree with you about companies not usually doing an accurate assessment of how much time/money it would cost to fill the gap of a knowledgeable employee leaving but supply and demand has a huge noticeable effect on the IT field. The old developer should have been willing to learn this new technology and hopefully even knew it before the client came asking for it. If the average pay rate is N dollars for someone who knows X technology and the average pay rate N2 for X2 technology is less, then the old developer should have been learning X technology instead of being stagnant. Had this been the case, the old developer could have got a raise to N dollars and the company could have hired a junior developer that knew X2 technology at a lower rate than N2. Company would have saved money, the old developer would have got a raise and X technology probably would have been developed better.

  12. Re:To think about it another way on Digging Into the WikiLeaks Cables · Score: 1

    perhaps if your asshole coworker knew that his coworkers thought he was an asshole he would try not to be? even if he doesn't try to be better what's the worst he's going to do? be an asshole? At some point if he's a big enough asshole he will get fired or at least put in a position where he doesn't interact with his coworkers. The reality of the situation is you're afraid this asshole will not respect you if he knows you think he's an asshole.

    As for the "very good, pointed, question" it's really not that good of a question and I wouldn't have answered it either. It is obvious what his answer is to it since he released them. That question is really only valid to find a third party's reaction to what was done and from what I've gathered from wikileaks' position is that they believe people need to know this information and they can decide if they need/want it or not.

    One thing that no one seems to be paying attention to is that all this information was gathered on an insecure network which could have easily been accessed by any agency who managed to get a VERY low level spy in (or simply breaking into a computer of a low level government employee). Had our government not been doing a HORRIBLE job on network security, these leaks wouldn't have come out and we wouldn't have risked whatever enemies we have being able to access more informative information that isn't being released by wikileaks.

  13. Re:weeeeeeee on State-Sponsored CyberAttacks Expected To Rise · Score: 1

    you're confusing the AV market with the security market. the AV market is always behind the new viruses/worms because that's what they do, wait for some virus to come out and once it gets popular create a definition for it. The security industry on the other hand is constantly finding and reporting new vulnerabilities in software. Sure there's still something to be desired with the security vendors but they are definitely stepping up to brawl with state funded players. Well maybe not qualys or rapid 7, they're too busy boasting and lying (respectively) to their customers to bother producing anything useful.

  14. not worth noting at all on Security Strategy: From Requirements To Reality · Score: 1

    "While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft. "

    That's not worth noting at all, microsoft has a bigger staff than any software development company in the world. Them spending $10 to train each employee on security would still be more than spending $100,000 to train each employee at a small 9 employee security firm.

  15. Re:Of course they say that on NSA Says Its Secure Dev Methods Are Publicly Known · Score: 1

    if you have physical access to the network you can simply spoof the proxy (or a target on the network). This would be especially easy to do since that proxy is being used to encrypt traffic for the network and would therefore be sending plain text over the network.

    I have no idea what you're trying to argue because on one hand you want everything encrypted but on the other hand you have no problem with everything being plain text over the dmz. I also just noticed you said "Using a DMZ is secure, since the unencrypted network is not publicly visible." which is scary.

    I'm not about to waste the time pricing out anything because I simply know that 3 servers cost more than 1. You could as you said buy a card which will encrypt the data for you however if you're building a server farm, one of those is going to add on about 1/3 of the cost of each server (based on the last time i saw the price of one which was probably 5 years ago). Can you even do https over an rsa card? because the whole point here is to make traffic for public websites (and other services) encrypted.

    I never said that there's no value in an it department that loses money, I said that there's no value in an it department if it's losing money for the company. That's why companies create budgets for departments, they know that having this department can increase their sales X dollars so the company will be willing to spend X - Y dollars on it.

    Finally regarding context, there are much more efficient ways of removing context than trying to encrypt everything. Just because all you have is a hammer doesn't mean everything is a nail.

  16. Re:Of course they say that on NSA Says Its Secure Dev Methods Are Publicly Known · Score: 1

    uhmm actually i work in the security industry and your setup just failed a simple pci audit.

    "A diskless, OS-less proxy is virtually impossible to compromise"
    If you think this is a valid statement you have no business maintaining any network.

    I also have no idea what point you're trying to argue. I simply said that providing encryption for all traffic of a high traffic site isn't practical. If you have a high traffic site, then most of your data sent doesn't need to be secure. Of course there are a few exceptions such as banks, but then they should be used to not being practical and can afford a more expensive set up.
    You in turn have argued that you should encrypt all traffic over the internet but it's ok to have plain text over your internal network.

    The reality of it is that there are budgets that IT departments have to stay within otherwise there's no reason for them to have a site/network/whatever because they'll be losing money on it. Encrypting all your traffic when in reality only 0.001% needs to be encrypted will balloon your costs.

  17. Re:Of course they say that on NSA Says Its Secure Dev Methods Are Publicly Known · Score: 1

    you've just made so many holes in the setup with what you've said and your DoD statement is incorrect. Per what you said, the DoD wants you to use encryption as soon as possible to avoid saying anything over unencrypted talk. That means they do trust encryption (obviously only to a point). There are plenty of ways to get information pre/post encryption which is what they're worried about and what you've presented with your other solutions.

  18. Re:why? on Can Windows, OS X and Fedora All Work Together? · Score: 1

    it's too bad you're getting a negative score cause what you said is very true. even with myself, if i have to use some other linux distro than the one i'm used to/like, my productivity goes down.

    The key here to migrating people away from windows (or any os) is let them do it at their own pace. The only people that you should force to switch are your low level people who should only be using their computer for their specific job (such as people doing phone support). If you set it up correctly and their system is crashing less than their previous system and it's running much faster they'll quickly forget about not using what they're comfortable with. Another thing you can do (which i did when migrating an old office of mine away from windows) is make sure their home directory is actually a network share (and login is done over the network) so that they can have the exact same interface no matter what computer they sit down at. That's one thing that's very noticeable to everyone in the office. Once others using the old system start having problems with their system again (eventually it will slow down as all windows systems do over time), they'll be interested in trying out the new systems.

  19. Re:The pizza conundrum or why Aunt Milly wins on Amazon Patents Bad Gift Protection · Score: 1

    asking for cash is a bit different. you can however get a pizza delivered to someone and when it arrives the recipient can call the store and ask for a certificate for a new pizza for whatever reason. This argument also doesn't hold up because technically you're supposed to show the CC when the pizza arrives so you can't order pizza for someone else.

    "Not fulfilling that contract requires her up-front informed and clear consent."
    there could easily be a screen stating that this customer has signed up for the bad gift program and as a result may modify the item sent for an item of the same value.

  20. Re:Isn't this illegal under consumer protection la on Amazon Patents Bad Gift Protection · Score: 1

    I think this would be ok to do as it would be considered returning/exchanging the item for another. As long as the recipient received a notice saying "Aunt Milly bought you a pocket pussy, would you like to exchange it for another item? Suggestions: dildo, blow up sheep, miniature jesus" I think it would count as them receiving the product.

  21. Re:Of course they say that on NSA Says Its Secure Dev Methods Are Publicly Known · Score: 1

    it may just be me, but as someone who has been a sysadmin and developer for high traffic sites, making everything on a site https isn't practical at all. https uses a LOT more resources than http. you would roughly need 3 times the number of servers to hide something that's already encrypted. a MUCH better solution would be to use only strong, non-anonymous ciphers for your encrypted pages.

  22. Re:Here's proof that... on NSA Says Its Secure Dev Methods Are Publicly Known · Score: 1

    actually you're wrong, they do distribute the source code to their applications whenever they can (their code is often just modifications to proprietary software at which point they can't redistribute it). SELinux is a good example of this, it was started and originally released/maintained by the NSA.

    There is absolutely no reason (other than copyright violations) for the NSA (or any other government agency) to not release more secure methods/code. Doing so will provide our nation with a more secure infrastructure making their job easier. Things such as applications to break security are a different subject though.

    I'm sure they have plenty of those applications which they don't want released to the public so that people don't know how to protect against that.

  23. Re:If Linux wants to have broader adoption... on Should Being Competitive With Windows Matter For Linux? · Score: 1, Insightful

    wow, that is amazing, i could get a toshiba netbook with under a quarter of the specs of my toshiba laptop for the same price!

  24. Re:If Linux wants to have broader adoption... on Should Being Competitive With Windows Matter For Linux? · Score: 2, Interesting

    you do realize that switching to ARM laptops would fuck up a lot more software than the OS right? also the laptop would be fucking expensive because the ARM architecture doesn't have a shitload of manufacturers developing pc peripherals for it (there's a reason apple switched away from ppc).

    also a good majority of manufacturers are contributing to linux drivers, whether it's actual drivers or just specs so someone else can write the drivers.

  25. Re:Wow... on Introducing Students To the World of Open Source · Score: 1

    my roommate didn't know anything about computers then went to some trade school for game programming when he was like 18-19 and is now a developer for video games. No idea how good of a developer he is but you don't need that much of a head start. When I was 18 I showed a friend what an IP address was, then another friend showed him some more stuff. He went on within a few years to be a great unix sys admin and eventually a CTO and my boss. I guess that's what you get when you spend your teens learning to socialize instead of sitting in front of a computer.