That being said, if a competent leader with vision takes over a mediocre IT shop, how long do you think it's going to take them to find the redundancies and waste going on there, and begin streamlining and automating?
Vision and leadership in IT doesn't necessarily equate to more jobs, just better use of resources, and thus more money to hire people to help turn IT from a cost center into a force multiplier (or even money maker) wherever possible. And those people are usually in the top 20% of the market, not just guys off the street.
If the bottom 20% of the IT market (Help Desk, Jr. sysadmins, Jr. programmers) is in a constant ebb and flow, is that really bad for the industry?
IANAL, but these people may have a case. Under the Fair Labor Standards Act, workers can be classified as exempt only under certain circumstances, and changes to the FLSA made in 2004 included a number of controversial changes regarding the definition of exempt employees.
After some poking around, I found this which shows California rules for classifying workers as "managerial" and therefore automatically exempt:
"For an employee to be exempt as a manager s/he must:
1. Have primary duties and responsibilities that involve the management of the enterprise.
2. Customarily and regularly direct the work of two or more other employees.
3. Have the authority to hire or fire other employees or to make suggestions, which will be given particular weight, about personnel decisions regarding other employees.
4. Customarily and regularly exercise discretionary power.
5. Spend more than 50 percent of his or her time engaged in managerial duties that meet the tests in Items 1 through 4 and
6. Earn a monthly salary equivalent to at least two times the state minimum wage for full-time employment. The current minimum salary for someone to be categorized as an exempt employee is $2,340 a month, which is twice the starting minimum wage for full-time employment."
So we are talking about hourly workers who may be shoehorned into exempt status because of some vague wording, such as "management of the enterprise" or "exercise discretionary power".
Given the complexity of the issue and the visibility and power of Apple, it's hard to believe that this is a purely frivolous lawsuit. California has had a number of successful multimillion-dollar settlements of overtime claims in past years. I'd be interested in reading the filing.
I have done dozens of Security Assessments/Risk Assessments for City/County/State Govts. In almost every instance, one of the major findings is 'key man risk'. Inevitably, there's always some guy who is the only one who knows the voodoo to make it all work - the whole IT department is one really smart guy, a dozen meatheads, and some management people (sometimes good, mostly bad). If the smart guy gets hit by a bus or quits, the org loses a year trying to catch back up.
You also tend to see a lot of multi-hat positions (Chief Security Engineer/Firewall SME/Lead Network Admin), and mentioning security best practices such as Duty Rotation and Separation of Duties is usually met with a "yeah, right..." smirk and chuckle.
Unfortunately, it's all usually a function of budget + quality of applicants + total inability to communicate effectively with City Council/County Board/etc. to explain why what the PHBs want needs to be properly funded and staffed.
Inevitably, the powers that be decide they need something, and all heads in the room turn to the resident nerd-genius, who immediately geeks out about how he could accomplish it technically using spit and duct tape. The managers unclench when they realize they aren't going to actually have to do their job; what little money there is gets blown on hardware and software, and the whole thing gets wired up in a perfect example of 'just barely good enough engineering' or a hobbyist project.
It's not really how you expect your local gov't to operate, but they do it all the time. It's kind of like knowing where sausage comes from. Just don't ask.
Why is TFA from a UK site (which the submitter has as his link) when both companies are based in the US? Couldn't we use a more mainstream site like CNet or ZDNet? I mean, come on...
I remember reading about blue laser storage technology in 1998. The Blu-Ray format was not agreed upon until 2003, Blu-Ray players were demoed at CES in 2004, the first retail unit shipped in 2006, and it took until mid to late 2007 for the early-adoption phase and format wars to end. One could argue that we are still in the early-adoption phase, since prices are still slightly out of reach for many consumers.
Even under ideal circumstances, this new technology will not be realized as a production-ready proof of concept for 1-2 years, take another 2-3 years to go to market, and then another 2-3 years for full market penetration, right about the time you start seeing off-brand 17" combo Blu-Ray/LCD TVs for $199 at Costco.
Besides, Blu-Ray is backwards compatible with DVDs and CDs, why would this be any different?
Perhaps because they want to be front-and-center to help define a newer vision? Microsoft is not going to fall over dead anytime soon, despite Vista's suckitude. Now that Gates is gone, (and Ballmer may not be far behind, on his own or by coup d'etat) there will be a need for new leadership. And those who are there the firstest with the mostest will be well-positioned to be part of that leadership.
All of our internal websites have self-signed certs. Once I added the permanent exception, I never got another popup - unlike on FFX2 which gave me a box every time...
anti-child porn activists urged the Senators to increase the FBI's budget for combating child porn online
Oh yeah? So what did the pro-child porn activists have to say about that?
Oh. Nothing? I guess NAMBLA doesn't have a lobbying firm. Yet.
Not to be a dick, but where in the world do you live where things are getting better, not worse when it comes to personal freedoms?
Certainly not the UK, the EU, Sweden, or Australia. That doesn't leave many industrialized democratic nations, bub.
Well, one MAJOR difference (and I'm not of either of these vendors) is that OSS gladly and freely makes its gospels and religious texts available for you to read, such as The Cathedral and the Bazaar, plethoras of organizations willing to mail you free software, etc. Of course these organizations have their own reasons for doing this beyond pure altruism, such as hoping you'll convert, and either donate money or services back to them.
Microsoft, however, keeps its religious texts secret and hidden, and you are not allowed to view them until you buy the product. So if you decide to set off on the path of becoming a Microsoftie, you have no idea what beliefs you're ultimately going to be expected to hold until you've already spent considerable time and money to make it to high-enough level to be justified to view those texts. And at that point you've invested enough time and money that you won't want to back out, etc.
I also think that in Microsoft if you decide to leave the 'Church' then other MCSEs are required to shun you. And considering that one needs to invest years to advance to the higher levels and that a significant fraction of their friends will be vendor-locked, this makes it even more difficult to leave the Church of Microsoft.
Now does it make sense? Scientology is obviously closed-source.
The number of applications this device provides that are both legitimate and useful are near zero.
If you are legitimately authorized to do scans, why not do it with proper equipment? I used to warwalk all the time with an open laptop in plain view, and if anyone stopped me, I had a letter from the CIO in my hand.
If you want to truly test security, are you gonna hand an idiot-proof device to some intern and tell them to push the pretty red button and run around with it? No, you are going to hire a security expert who will likely prefer proper tools.
From TFA: "...mostly from law enforcement agencies looking to do covert hacking on sensitive networks."
Whee! Illegal wiretapping! I'm sure that's kosher. If you have a warrant, then you shouldn't have any problems. See above. (Oops, I forgot that's 'legal' now. Oh well.)
Also from TFA: "It's aimed at the non-technical user interested in doing drive-by pen-tests. You start it, run a scan, connect, run your exploit, get an HTML report of what was done."
No responsible pentester runs around with surreptitious devices in 'fuck you' mode on production networks. It's a quick ticket to being fired, sued and/or arrested. Pen testing and vulnerability testing are done under strict Rules of Engagement which rarely include secondary exploitation anymore. Most organizations want you to be as hands-off and low-impact as possible. Detect a possible vulnerability, record it, and move on. If they want you to eliminate false positives and/or verify a particular vulnerability later, then you do it carefully. Cutesy shit like grabbing files, printing "OWNZORED" on network printers and AllYourBase.txt in \root is the mark of amateurs.
Nothing to see here. It's a cool toy, but if you want to do this kind of stuff on a real network, hire a real security company.
The only useful thing I see here is that the barrier to entry for wireless shenanigans has just fallen to the floor and organizations had better start ditching WEP and WPA/WPA2 and moving to 802.1X/EAP/EAPOL.
People who feel they can't communicate one way will communicate another way. Kinda like cats. You go away for a couple of days, and BAM - poop in the shoes.
I'm not a fan of Yahoo myself, but my 20, 25, and 30-year old non-technical siblings grew up using Yahoo. They don't want or need the laser focus of information retrieval that a search engine like Google provides. They just want to go on the web and be presented with interesting, entertaining or diversionary content. Yahoo.com and MSN.com are perfect for that.
If they want to know what's going on in the world, they don't have to craft a clever search query, or know what RSS Aggregators are. They can go to www.yahoo.com and get a little of everything.
It's easy to say Yahoo.com and MSN.com suck, but until every netizen is as Internet-savvy as the average Slashdot reader, portals aren't going away, and they will continue to get and keep eyeballs.
I've met some smelly artists in my time, too, but that's pretty harsh.
Amines have strong, characteristic, disagreeable odors, and are toxic. The smells of ammonia, fish, urine, rotting flesh and sperm are all mainly composed of amines.
http://en.wikipedia.org/wiki/Amine
> Why is America the only country that has to defend having sports other than soccer take center stage?
Why is America the only country that has to defend...well, pretty much anything they do or are?:p
I personally don't have issues with America not liking soccer. I'm American, I played soccer as a kid, and went to a lot of Division I games in college, but I don't follow any kind of soccer US or otherwise. I'm thoroughly ambivalent about the entire sport. But I couldn't really tell you why. Many of my non-American friends ask me why American soccer isn't more popular, and after a lot of thought and discussion, "unique and dominant" was the best answer I could come up with, but IANA Cultural Anthropologist.
Soccer is *not* relatively young in the U.S. It has been a member of FIFA since 1914, and was one of 13 nations in the first World Cup in 1930.
There are over 200 NCAA Division I men's soccer teams, and yet professional soccer in the U.S. is a curiosity at best. Why is this? I think the reasons may be more deeply rooted in the American need to be unique and dominant (see "American-invented sports" such as baseball, football, basketball, NASCAR, etc.) rather than in soccer's popularity or approachability. I will posit that *at least* 1 in 4 kids in the U.S. have played soccer at some point in their youths.
But to say that soccer is not popular in this country because it is 'young' is patently false.
United States Patent 5,701,400
TITLE: Method and apparatus for applying if-then-else rules to data sets in a relational data base and generating from the results of application of said rules a database of diagnostics linked to said data sets to aid executive analysis of financial data
Abstract:
A system for applying artificial intelligence technology to data stored in databases and generates diagnostics that are user definable interpretations of information in the database. The diagnostics are stored in a database which can be queried with downdrilling to the associated data which generated the diagnostic. A set of bidirectional links is maintained between selected data items in the first database and the corresponding diagnostics in the second database. The system acts as an information compiler in developing a map of the raw data dimension into the structured dimension of intelligent interpretation of the data in the diagnostic database.
Look it up in the USPTO. This is more than just some VB app that does a whiz-bang conversion. Upon cursory examination it seems like it was originally an experiment in AI: " the invention represents a new AI technology allowing managers to control and exploit information, rather than passively react to it. " (from TFP)
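As an added example (not code from the patent or from the comment above), here is a small Python sketch of the mechanism the abstract describes: if-then-else rules applied to rows of a relational table, each firing rule writing a diagnostic row, and a link table giving bidirectional drill-down between raw data and diagnostics. The table names, the two rules and the quarterly figures are constructed for illustration.

```python
import sqlite3

# Constructed sample data: quarterly (unit, period, revenue, cost) figures.
SAMPLE_ROWS = [
    ("north", "2005Q1", 1200.0, 900.0),
    ("north", "2005Q2", 1100.0, 1150.0),
    ("south", "2005Q1", 800.0, 750.0),
    ("south", "2005Q2", 950.0, 990.0),
]

def _margin(row):
    """Gross margin as a fraction of revenue (guarding against zero revenue)."""
    return (row["revenue"] - row["cost"]) / row["revenue"] if row["revenue"] else 0.0

# If-then-else rules: (name, predicate over a row dict, diagnostic text builder).
# The "else" branch is simply that the rule does not fire for that row.
RULES = [
    ("loss_quarter",
     lambda r: r["cost"] > r["revenue"],
     lambda r: f"{r['unit']} {r['period']}: costs exceed revenue by {r['cost'] - r['revenue']:.0f}"),
    ("thin_margin",
     lambda r: r["cost"] <= r["revenue"] and _margin(r) < 0.10,
     lambda r: f"{r['unit']} {r['period']}: margin only {_margin(r):.1%}"),
]

def build_db():
    """Create the raw data table, the diagnostics table and the link table."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
        CREATE TABLE financials(id INTEGER PRIMARY KEY, unit TEXT, period TEXT,
                                revenue REAL, cost REAL);
        CREATE TABLE diagnostics(id INTEGER PRIMARY KEY, rule TEXT, message TEXT);
        -- one row per (data item, diagnostic) pair; queried in both directions
        CREATE TABLE links(data_id INTEGER REFERENCES financials(id),
                           diag_id INTEGER REFERENCES diagnostics(id),
                           PRIMARY KEY (data_id, diag_id));
    """)
    con.executemany("INSERT INTO financials(unit, period, revenue, cost) VALUES (?,?,?,?)",
                    SAMPLE_ROWS)
    return con

def compile_diagnostics(con):
    """Apply every rule to every row; return the number of diagnostics generated."""
    count = 0
    for row in con.execute("SELECT * FROM financials"):
        r = dict(row)
        for name, predicate, message in RULES:
            if predicate(r):
                cur = con.execute("INSERT INTO diagnostics(rule, message) VALUES (?,?)",
                                  (name, message(r)))
                con.execute("INSERT INTO links(data_id, diag_id) VALUES (?,?)",
                            (r["id"], cur.lastrowid))
                count += 1
    con.commit()
    return count

def drill_down(con, diag_id):
    """Diagnostic -> the raw rows that produced it."""
    rows = con.execute("""SELECT f.* FROM financials f JOIN links l ON l.data_id = f.id
                          WHERE l.diag_id = ?""", (diag_id,))
    return [dict(r) for r in rows]

def diagnostics_for(con, data_id):
    """Raw row -> every diagnostic that cites it (the reverse link)."""
    rows = con.execute("""SELECT d.rule, d.message FROM diagnostics d
                          JOIN links l ON l.diag_id = d.id WHERE l.data_id = ?
                          ORDER BY d.id""", (data_id,))
    return [(r["rule"], r["message"]) for r in rows]

if __name__ == "__main__":
    db = build_db()
    print(f"{compile_diagnostics(db)} diagnostics generated")
    for rule, msg in db.execute("SELECT rule, message FROM diagnostics ORDER BY id"):
        print(f"[{rule}] {msg}")
```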
working with the authorities after incidents
Security Guy: "Maybe we should call the authorities."
CIO: "Doesn't that mean they will probably send forensics guys down here, quarantine some servers, start raking through our data for evidence and generally be up our asses for a week or so?"
Security Guy: "Possibly..."
CIO: "Sounds like a lot of paperwork...How about we just patch the boxes, write up the report and call it a day? When is the last time you slept anyway?"
As networks become increasingly complex and increasingly interconnected, the difficulty in adequately securing them properly increases exponentially.
If you're housing millions+ of dollars in data/IP/personal information or are protecting government assets/secrets, well you are probably REQUIRED to comply with DITSCAP/HIPAA/Sarbanes-Oxley or some other mandated standard...and by god you need a security infrastructure. And more and more organizations are beginning to realize how difficult it is to do it right.
Standard security procedures:
- Lock down the perimeter
- Lock down the servers
- Lock down the desktops
- Limit data portability (thumbdrives/USB drives/CD-R(W))
- Limit external access by employees
- Partition your network into secure zones
- ACLs on everything that sends or receives a packet
- Encryption for sensitive data
- Monitor everything and *gasp* actually review the logs
- Make passwords be strong and expire often
- Quarantine your remote users/connections
- Checks and balances in the 'meat-space' authorization process
- 3+ factor authentication (SecurID, biometrics, certificates, PKI)
- Redundancy, redundancy, redundancy
- Incident response capability
- Off-site data storage and recovery
- Conduct regular security audits and reviews
And this is just for the small business networks I deal with. Sounds like a lot, but it STILL will not meet some security standards.
Now let's take a fictional mid-size company: 500 employees over 3 sites, 30 file/database/infrastructure servers, 4 public servers, dial-up PPP RAS. The company requires persistent/semi-persistent connections to 3 other organizations. The desktops are a mishmash of XP/2000/NT4, the servers range from NT4-2003, a couple of Netware boxes, a couple of Solaris machines running unpatched Oracle 9i, and you are using a half-dozen proprietary closed-source apps that connect to the Internet in some fashion. They recently landed a contract as a sub to Lockheed-Martin and are going to be handling sensitive documents. You've just been hired as CIO and your first priority as dictated by the CEO is to 'secure the network'. Your IT staff consists of a DBA, 2 MCSDs, a Unix guru, 4 MCSEs, 7 A+ techs, a dozen secretaries with rudimentary troubleshooting skills and the PHB who lords over them. So now how much money do you think you need?
when the info they had is worth next to nothing or it is even public
Value is in the eye of the beholder. There's very little data that you can make money off of that isn't valuable to someone. You think that PeopleSoft database might not be worth a few bucks to the right person?
This started to look a little bit like the Y2K craze
Increased awareness creating increased vigilance does not mean the issue is self-created.
Check here in the Incidents Reported section. That 1394% increase between 1999 and 2003 kinda reaches out and grabs ya.
He is also the Chief Scientist for a company that sells commercial code-auditing products and services.
His points may be valid, but when people preach a methodology that coincidentally augments their personal wealth and well-being, I tend to be skeptical about it.
I don't like being sold things under the guise of some higher rationale, and neither do most free-thinking people.
I agree wholeheartedly.
Nothing to see here...
Less forgiving? Maybe the first time.
Where do I start with this thing?
Oh, I still long for the days when "Reveal Codes" would save me hours and hours of formatting frustration...
Well what about this metric?
The inventor was Canadian, but the sport was invented in Springfield, Massachusetts in 1891.
According to the Web Application Security Consortium, there were 58 web hacking attacks in 2005.
According to zone-h.org, there were 494,988 web hacking attacks in 2005.
Close enough.
I know mine does!...I mean...I know this guy...er...