Should it be legal to drive a tank? After all, it is the pesronal responsibility of the person driving the tank to not..you know.. kill everyone. Yet we restrict access to tanks, because letting an individual own a tank is just not in the publics best interest.
There is a guy here in town that owns a tank. He needs permission to take it on public roads, because of the potential damage to public property, but her does own one and drive it on his own land.
We let government regulate someones actions for the greater good. Freedom certainly has limits, and it is up to the government to set those limits.
Actually, we theoretically allow the government to arbitrate certain freedoms and situations where one person's freedoms come in conflict with others. For example, your freedom to fire a cannon, is restricted by the damage it causes to the property of physical persons of others. So long as you're firing it on private property and not damaging anything belonging to another, or hurting anyone the government has no legal or ethical right to restrict you. Realistically, the government has become corrupt and exceeded their authority by claiming additional power for a few individuals who would be our rulers.
The problem is determining what is truly in the best interest of a society is REALLY hard.
No it isn't. The US was founded on the principal that consolidated decision making is dangerous, because overriding the decisions of individuals easily leads to abuse and power corrupts. Thus, the government must demonstrate not only a majority opinion, but an overriding public interest in some action that does not conflict with a predefined set of rights and which is within certain areas the government is allowed to regulate. Take the issue of video games. Will playing a video game result in a person becoming a murderer? Can you prove that with reasonable scientific certainty? If so then, with two thirds or representatives voting you can overturn the freedom of speech that allows people to distribute said video game. Otherwise, the government has no business and the choice should be left to the individual (or individual's parents) to decide.
Those are the types of questions we face, and we (as a world community) will be struggling with them for as long as we exist.
Certainly individuals should be considering these issues, but until there is a real, provable consensus and a clear mandate from the people, governments should not.
Given that the "secondhand-smoke" hysteria genuinely was shoddy pseudoscience as a pretext to legislate lifestyle...
Why would you consider that a given?
...how useful is it to tie global warming to it?
Useful to whom? We're just bringing up facts here. The usefulness of those facts and how they influence your decisions is irrelevant.
Or am I supposed to read about Big Tobacco, think "Ohmigod, it's *big*!" and fall under my desk in terror?
Umm, yeah, I think I read in the Bible or Qur'an you're supposed to do that. Please do.
So does Big Oil (Aaaugghhh! Under the desk!!!) get some sort of apology now that it turns out that these groups were actually some sort of bizarre tobacco PR scheme?
Even the summary mentions funding comes from both a large tobacco firm and a large oil company. Why should anyone apologize to the oil companies because they are not the only ones funding lies?
Sweet, so you're saying that when I start boxing next month I'll finally start beating my girlfriend and robbing banks? Why oh why didn't I start sooner?
I didn't state a causation and even if I did that does not make it a reliable predictor. Maybe boxers get brain damage, take drugs, are part of a certain culture, or their testosterone levels go up which influences their behavior. Maybe people with very high testosterone, or who like to hurt other tend to become boxers. Maybe both. I know boxers who are very friendly, controlled people with no apparent desire to hurt anyone. I also know boxers who are borderline homicidal and admitted rapists. I'm not going to prejudge you or anyone else based upon choosing a sport and that is the point. Pass laws against assault and rape and punish those who commit them. Don't try to stop these things from happening by banning random, correlative factors.
A atock AK trigger has a much heavier pull than a mouse button. With enough practice you get used to it.
From my experience, you'll be lucky to hit a target that size at that distance with the average AK, regardless the trigger pull or your skill. Some of the russian made ones might do it, but the sheer number of crappy chinese and eastern european ones flooding the marketplace is insane. I've put oblong holes from tumbling rounds in a target from as little as 15 yards.
Amusingly, modern historians have pretty well established that chess reached Europe in the 700's and became popular in many parts of Europe by the turn of the millennium, a few generations before the first crusade. Coincidence or Causation?
So, if studies consistently showed a mirror neuron response while playing shooters, would we not be obliged to take violent games off the shelf...?
No, we wouldn't. It undermines several principals of our government. The first is liberty. You might note boxing is not illegal. Watching boxing is a lot more likely to stimulate that part of the brain than video games are. Participating in boxing has been statistically shown to correlate with violent crime and sexual assault. It doesn't matter. We have free will and are responsible for what we do. Does red meat increase testosterone and increase the likelihood of violence? If so should we ban it? Meat in general? All sports? Walking into high oxygen areas in lower altitudes? Not taking hormone suppressants and sedatives to keep us passive and nonviolent?
It is not the government's job to take measures to force individuals to not take any action that might increase their chances of commiting crimes by running their lives for them. Arguably it is the job of parents to do that for their children, but never the government.
I'm relatively sure the crusades came before pac-man. . . So my guess is the violence, just a hunch though.
Yeah, they intentionally phrased the question so as to mislead you. The crusades were started by people influenced by the graphically violent board game chess, which has since become a video game. It is games in general that are the root of all violent behavior, not just video games.
One thing i can't get over is how this is still happening?
Motivation. What is MS's motivation to fix this? Will fewer people buy Windows because IE is broken? Nope, more people will because it locks them in.
The ammount[sic] of stigma now attached to IE has really damaged the product.
Has it? Has MS's market share for the Windows+IE bundle dropped or are they selling more of it?
If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.
They could buy an existing engine, but it would cost them money. They could move to open source, but it would make it easier to switch away from Windows and cost them money. They could just change the name of IE and it would cost them nothing, but it is not even clear that such a PR move would help in any way.
I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE;).
Unless you've switched away from Windows, why should MS care? You paid for the development of IE when you bought a machine that came with Windows and had it bundled. MS has been paid, after that, all they care about is lock-in. Your switching decreases that, but not enough to effect sales. So long as the majority is on IE, they are happy.
You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?
Truthfully, I'd much rather you allowed IM and provided an official IM server for a number of reasons. First, this will let you monitor IM traffic and perhaps even look for CC numbers in the outgoing messages. Second, if someone is IM'ing large amounts of data, I'd rather it was on a separate port you can monitor, rather than hidden on port 80 amidst all the Web traffic. Third, if you employee feels he is trusted, he is a lot less likely to betray that trust and sell my info. Fourth, I'm not confident your facility is sufficiently locked down that said employee can't e-mail the info out, or copy it into a Web blog or print it on paper, or transfer it to a USB drive, or take a pic with their phone. Given that they have so many mechanisms to transfer the data, I'd rather they felt that they were breaking a good employer's trust by doing so, rather than succeeding in their struggle against an oppressive company that has no trust in them and whose relationship to them is impersonal and adversarial.
But I take a more holistic view of security that does not ignore the human element and is designed to get results, not to appear to be due diligence when I'm sued.
A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to/. every minute. I'm sure CNN is much higher than that.
Well, it is grabbing a.exe file in this case, not a picture, but if it is in your signature database requests to that host will show up as that worm traffic. If not, then the series of repeated requests to a series of servers as this runs its chain of attacks and then starts talking on a control channel, on several different hosts will certainly show up as a probable worm propagation on a good IDS.
If there is no signature, how would it be listed as worm at all? Are you talking signature based on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.
I'm talking about a good IDS, such as many enterprises run, including at least two of those mentioned in the list above. The one we use here, works to catch propagation traffic very well, and this is a classic match for that pattern.
How does it know who's infected? After its started its botnet spamings?
If you don't have tools that let you grab a list of hosts whose traffic over the last 2 days have matched this signature of downloads from particular servers then opening a port and starting an IRC connection to a control channel, and you work at a major company like those listed, then your security guys should be fired today.
You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.
Yes you're reacting, but quickly enough to stop major damage, while at the same time, not working on a policy of "security by DoSing ourselves and disabling communication channels out of fear." A few infections is enough for detection. Before it hits more than a few, you should have automatically isolated those hosts and filtered this worm traffic to stop it hitting any more.
At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL?
Your IDS automatically generates an ACL to remove the worm traffic, which is forwarded to the routers that divide your network segments. That ACL is constructed to not block your vital business connection, which you've predefined and which are based upon learned, normal traffic.
Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?
If it hit 100 hosts, you've reacted slowly, but even then it is a lot better to have an IT guy waste a month cleaning them, then to lose a multimillion dollar sale because the other company was IM'ing the buyer on his PDA while you were waiting on e-mail.
Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a users face isn't going to do you jack for security.
It is better than overly restrictive policies that make it harder to get work done and less pleasant for employees whose happiness is vital to your success. More importantly it does not motivate those employees to work around your security, opening up more serious and harder to track down holes.
If IM is just like email, why not just use email? What's wrong with the phone?
IM is just like e-mail in that it is a common communication mechanism, ideal for some kinds of communication. It is faster and more interactive than e-mail. Unlike phone calls it allows a user accessible record to be kept, long strings of numbers to be easily copied and pasted, files to be transferred, and you can easily carry on multiple IM conversations at once. That is to say, it is superior to the phone or e-mail for some communications, especially sales in some markets.
So this brings me back to my original reply up top. Any company w
Do some research on corporate psychology, particularly on motivation and you'll find plenty of research. There are several good books out. Or, for a quick and dirty statistics for the layman, pick up the book "Freakonomics" and read the chapter on honesty in the workplace. It will take you all of five minutes and give you the basic concepts.
You do not have to set up another user account. The default option is to run the selected program without permissions to access your documents and settings, just as I said.
It doesn't work for me, right now. Right clicking gives me options of other user accounts, but no default that I see.
Of course this does not matter, since almost all users are running an admin account since that is what the Windows installer prompts them to make and no non-techie understands that adding a non-admin user on a single user machine is needed in order to run software pseudo-safely.
A computer does not know what you mean by "don't do anything bad" unless you actually tell it what "bad" equates to.
True these are called, sane defaults (like no access to the e-mail address book unless you're the pre-installed e-mail client) and asking the user in plain English and with a good UI when an aberration occurs. "Computers are too stupid" is a cop out for programmers don't want to do it right because it is hard and we have a monopoly so giving customers a good product does not matter.
Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admitidly I dont know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.
I'm not sure I understand what you're getting at. Do you mean to say you think it is a good idea to move more services to port 80 within your network (with or without your knowledge), rather than having them on individual ports where you can properly administer and monitor them?
bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.
So your company hires incompetent people and you think this qualifies you as the model of how things should work? Okay then. Just don't expect to be able to attract good employees with policies that are authoritarian for no good reason.
I still use IE as my default browser, simply because it loads *fast*.
That is such an amusing statement. I mean, how often do you restart programs and why? My Web browser has been running for six days, since it crashed when I found a fun new bug in some weird javascript I was developing. Previous to that it was running for a few weeks (I had to restart to install some updates). It is not uncommon for my browser to be running for a month or more. It could take two minutes to start and I really wouldn't care much at all.
I suppose the difference is I use an operating system with both reasonable reliability and fair multitasking. As a result, there is no reason to close my browser. It does not leak memory and if it did the OS would clean up after it. If it is idle in the background or not in view, it has very low priority to resources so there is no reason to shut it down if I'm playing a game or using some resource intensive application. My portable sleeps instantly when I close it, so there is no real point to shutting it down, unless I plan to leave it unplugged for the week it takes to run down in sleep mode. The fact that this criteria even matters to you is most likely a sad commentary on the state of your OS of choice.
you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.
The problem is, to do this you have to have set up a different user account and it has access to all of those files and settings. This is broken conceptually, and in practice for the average user does not create a second account and because the average user does not want a second account, they want run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right click to safely run a program, when it is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people if they click on an image someone IM's them if they think that should let a program send e-mail from their computer without asking them. Go ask 10 users if they run a game they downloaded, if it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.
Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.
Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80 or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not their is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.
Learn some basic sysadmin skills and you don't have to worry about programs not running more than once.
The sad thing is, on the world's most popular operating system people have to learn obscure methods that the average user will not comprehend or bother with in order to just run programs. Worse yet, on a consumer desktop where most people want to run executables they don't trust, there is no way to easily run them in an untrusted mode that does not give them default access to the entire user account. It is almost as though innovation had been stifled for the last decade due to some crazy subversion of capitalist market forces... like a monopoly.
was thinking of the larger ones (like the 200 and 500) with more connectors on them, as well as a Firewire interface.
Well, they have refurbished 500's for sale on their online store. New 500s are available from a number of resellers including macmall.com and www.dvd-rwmedia.com.
ur users do actually get alot of latitude with thier machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.
Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.
I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versus. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.
Many, many companies block AIM at the firewall. Ask at your next interview.
There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.
The other thing wrong with this is paying for a propriety IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.
Unfortunately, I looked at Elgato's site after I posted the link, and the "old style" breakout boxes are all gone in favor of that crappy USB dongle one.
Perhaps you're having difficulty with their odd Web site design? They seem to be selling 250, 310, 410, 610, as well as the USB dongles. The 250 is available directly from their store if that is what you're interested in. Here is a link.
I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it and go off and get control. Time will tell, but I suspect sooner or later someone is going to do it.
Yeah but who will notice? Windows is hosed and won't boot? Well, time for a re-install. Honeypots would probably be how people found out about such a thing.
You wrote "the Gamecube failed because..." That certainly does include the inherent statement that the Gamecube did fail and you were the one who wrote it, whatever your intention.
I was merely going along with the tone of the article, which suggested that the N64 and the GC had failed because they were picked up by relatively few gamers.
I'm not sure just being agreeable is a valid justification. If you disagreed with that point in the article, you should have said so, rather than explaining reasons that might explain why the article is correct on that one point, but not on another. But, there is no reason to argue about it now.
Should it be legal to drive a tank? After all, it is the pesronal responsibility of the person driving the tank to not..you know.. kill everyone. Yet we restrict access to tanks, because letting an individual own a tank is just not in the publics best interest.
There is a guy here in town that owns a tank. He needs permission to take it on public roads, because of the potential damage to public property, but her does own one and drive it on his own land.
We let government regulate someones actions for the greater good. Freedom certainly has limits, and it is up to the government to set those limits.
Actually, we theoretically allow the government to arbitrate certain freedoms and situations where one person's freedoms come in conflict with others. For example, your freedom to fire a cannon, is restricted by the damage it causes to the property of physical persons of others. So long as you're firing it on private property and not damaging anything belonging to another, or hurting anyone the government has no legal or ethical right to restrict you. Realistically, the government has become corrupt and exceeded their authority by claiming additional power for a few individuals who would be our rulers.
The problem is determining what is truly in the best interest of a society is REALLY hard.
No it isn't. The US was founded on the principal that consolidated decision making is dangerous, because overriding the decisions of individuals easily leads to abuse and power corrupts. Thus, the government must demonstrate not only a majority opinion, but an overriding public interest in some action that does not conflict with a predefined set of rights and which is within certain areas the government is allowed to regulate. Take the issue of video games. Will playing a video game result in a person becoming a murderer? Can you prove that with reasonable scientific certainty? If so then, with two thirds or representatives voting you can overturn the freedom of speech that allows people to distribute said video game. Otherwise, the government has no business and the choice should be left to the individual (or individual's parents) to decide.
Those are the types of questions we face, and we (as a world community) will be struggling with them for as long as we exist.
Certainly individuals should be considering these issues, but until there is a real, provable consensus and a clear mandate from the people, governments should not.
Given that the "secondhand-smoke" hysteria genuinely was shoddy pseudoscience as a pretext to legislate lifestyle...
Why would you consider that a given?
Useful to whom? We're just bringing up facts here. The usefulness of those facts and how they influence your decisions is irrelevant.
Or am I supposed to read about Big Tobacco, think "Ohmigod, it's *big*!" and fall under my desk in terror?
Umm, yeah, I think I read in the Bible or Qur'an you're supposed to do that. Please do.
So does Big Oil (Aaaugghhh! Under the desk!!!) get some sort of apology now that it turns out that these groups were actually some sort of bizarre tobacco PR scheme?
Even the summary mentions funding comes from both a large tobacco firm and a large oil company. Why should anyone apologize to the oil companies because they are not the only ones funding lies?
Sweet, so you're saying that when I start boxing next month I'll finally start beating my girlfriend and robbing banks? Why oh why didn't I start sooner?
I didn't state a causation and even if I did that does not make it a reliable predictor. Maybe boxers get brain damage, take drugs, are part of a certain culture, or their testosterone levels go up which influences their behavior. Maybe people with very high testosterone, or who like to hurt other tend to become boxers. Maybe both. I know boxers who are very friendly, controlled people with no apparent desire to hurt anyone. I also know boxers who are borderline homicidal and admitted rapists. I'm not going to prejudge you or anyone else based upon choosing a sport and that is the point. Pass laws against assault and rape and punish those who commit them. Don't try to stop these things from happening by banning random, correlative factors.
A atock AK trigger has a much heavier pull than a mouse button. With enough practice you get used to it.
From my experience, you'll be lucky to hit a target that size at that distance with the average AK, regardless the trigger pull or your skill. Some of the russian made ones might do it, but the sheer number of crappy chinese and eastern european ones flooding the marketplace is insane. I've put oblong holes from tumbling rounds in a target from as little as 15 yards.
Actually, it was the other side who played chess.
Amusingly, modern historians have pretty well established that chess reached Europe in the 700's and became popular in many parts of Europe by the turn of the millennium, a few generations before the first crusade. Coincidence or Causation?
So, if studies consistently showed a mirror neuron response while playing shooters, would we not be obliged to take violent games off the shelf...?
No, we wouldn't. It undermines several principals of our government. The first is liberty. You might note boxing is not illegal. Watching boxing is a lot more likely to stimulate that part of the brain than video games are. Participating in boxing has been statistically shown to correlate with violent crime and sexual assault. It doesn't matter. We have free will and are responsible for what we do. Does red meat increase testosterone and increase the likelihood of violence? If so should we ban it? Meat in general? All sports? Walking into high oxygen areas in lower altitudes? Not taking hormone suppressants and sedatives to keep us passive and nonviolent?
It is not the government's job to take measures to force individuals to not take any action that might increase their chances of commiting crimes by running their lives for them. Arguably it is the job of parents to do that for their children, but never the government.
It's called personal responsibility.
I'm relatively sure the crusades came before pac-man. . . So my guess is the violence, just a hunch though.
Yeah, they intentionally phrased the question so as to mislead you. The crusades were started by people influenced by the graphically violent board game chess, which has since become a video game. It is games in general that are the root of all violent behavior, not just video games.
One thing i can't get over is how this is still happening?
Motivation. What is MS's motivation to fix this? Will fewer people buy Windows because IE is broken? Nope, more people will because it locks them in.
The ammount[sic] of stigma now attached to IE has really damaged the product.
Has it? Has MS's market share for the Windows+IE bundle dropped or are they selling more of it?
If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.
They could buy an existing engine, but it would cost them money. They could move to open source, but it would make it easier to switch away from Windows and cost them money. They could just change the name of IE and it would cost them nothing, but it is not even clear that such a PR move would help in any way.
I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).
Unless you've switched away from Windows, why should MS care? You paid for the development of IE when you bought a machine that came with Windows and had it bundled. MS has been paid, after that, all they care about is lock-in. Your switching decreases that, but not enough to effect sales. So long as the majority is on IE, they are happy.
You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?
Truthfully, I'd much rather you allowed IM and provided an official IM server for a number of reasons. First, this will let you monitor IM traffic and perhaps even look for CC numbers in the outgoing messages. Second, if someone is IM'ing large amounts of data, I'd rather it was on a separate port you can monitor, rather than hidden on port 80 amidst all the Web traffic. Third, if you employee feels he is trusted, he is a lot less likely to betray that trust and sell my info. Fourth, I'm not confident your facility is sufficiently locked down that said employee can't e-mail the info out, or copy it into a Web blog or print it on paper, or transfer it to a USB drive, or take a pic with their phone. Given that they have so many mechanisms to transfer the data, I'd rather they felt that they were breaking a good employer's trust by doing so, rather than succeeding in their struggle against an oppressive company that has no trust in them and whose relationship to them is impersonal and adversarial.
But I take a more holistic view of security that does not ignore the human element and is designed to get results, not to appear to be due diligence when I'm sued.
You don't see the dialog box...
The top option is greyed out on my machine.
A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to /. every minute. I'm sure CNN is much higher than that.
Well, it is grabbing a .exe file in this case, not a picture, but if it is in your signature database requests to that host will show up as that worm traffic. If not, then the series of repeated requests to a series of servers as this runs its chain of attacks and then starts talking on a control channel, on several different hosts will certainly show up as a probable worm propagation on a good IDS.
If there is no signature, how would it be listed as worm at all? Are you talking signature based on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.
I'm talking about a good IDS, such as many enterprises run, including at least two of those mentioned in the list above. The one we use here, works to catch propagation traffic very well, and this is a classic match for that pattern.
How does it know who's infected? After its started its botnet spamings?
If you don't have tools that let you grab a list of hosts whose traffic over the last 2 days have matched this signature of downloads from particular servers then opening a port and starting an IRC connection to a control channel, and you work at a major company like those listed, then your security guys should be fired today.
You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.
Yes you're reacting, but quickly enough to stop major damage, while at the same time, not working on a policy of "security by DoSing ourselves and disabling communication channels out of fear." A few infections is enough for detection. Before it hits more than a few, you should have automatically isolated those hosts and filtered this worm traffic to stop it hitting any more.
At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL?
Your IDS automatically generates an ACL to remove the worm traffic, which is forwarded to the routers that divide your network segments. That ACL is constructed to not block your vital business connection, which you've predefined and which are based upon learned, normal traffic.
Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?
If it hit 100 hosts, you've reacted slowly, but even then it is a lot better to have an IT guy waste a month cleaning them, then to lose a multimillion dollar sale because the other company was IM'ing the buyer on his PDA while you were waiting on e-mail.
Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a users face isn't going to do you jack for security.
It is better than overly restrictive policies that make it harder to get work done and less pleasant for employees whose happiness is vital to your success. More importantly it does not motivate those employees to work around your security, opening up more serious and harder to track down holes.
If IM is just like email, why not just use email? What's wrong with the phone?
IM is just like e-mail in that it is a common communication mechanism, ideal for some kinds of communication. It is faster and more interactive than e-mail. Unlike phone calls it allows a user accessible record to be kept, long strings of numbers to be easily copied and pasted, files to be transferred, and you can easily carry on multiple IM conversations at once. That is to say, it is superior to the phone or e-mail for some communications, especially sales in some markets.
So this brings me back to my original reply up top. Any company w
I would love to read these studies you speak of.
Do some research on corporate psychology, particularly on motivation and you'll find plenty of research. There are several good books out. Or, for a quick and dirty statistics for the layman, pick up the book "Freakonomics" and read the chapter on honesty in the workplace. It will take you all of five minutes and give you the basic concepts.
You do not have to set up another user account. The default option is to run the selected program without permissions to access your documents and settings, just as I said.
It doesn't work for me, right now. Right clicking gives me options of other user accounts, but no default that I see.
Of course this does not matter, since almost all users are running an admin account since that is what the Windows installer prompts them to make and no non-techie understands that adding a non-admin user on a single user machine is needed in order to run software pseudo-safely.
A computer does not know what you mean by "don't do anything bad" unless you actually tell it what "bad" equates to.
True these are called, sane defaults (like no access to the e-mail address book unless you're the pre-installed e-mail client) and asking the user in plain English and with a good UI when an aberration occurs. "Computers are too stupid" is a cop out for programmers don't want to do it right because it is hard and we have a monopoly so giving customers a good product does not matter.
Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admitidly I dont know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.
I'm not sure I understand what you're getting at. Do you mean to say you think it is a good idea to move more services to port 80 within your network (with or without your knowledge), rather than having them on individual ports where you can properly administer and monitor them?
bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.
So your company hires incompetent people and you think this qualifies you as the model of how things should work? Okay then. Just don't expect to be able to attract good employees with policies that are authoritarian for no good reason.
I still use IE as my default browser, simply because it loads *fast*.
That is such an amusing statement. I mean, how often do you restart programs and why? My Web browser has been running for six days, since it crashed when I found a fun new bug in some weird javascript I was developing. Previous to that it was running for a few weeks (I had to restart to install some updates). It is not uncommon for my browser to be running for a month or more. It could take two minutes to start and I really wouldn't care much at all.
I suppose the difference is I use an operating system with both reasonable reliability and fair multitasking. As a result, there is no reason to close my browser. It does not leak memory and if it did the OS would clean up after it. If it is idle in the background or not in view, it has very low priority to resources so there is no reason to shut it down if I'm playing a game or using some resource intensive application. My portable sleeps instantly when I close it, so there is no real point to shutting it down, unless I plan to leave it unplugged for the week it takes to run down in sleep mode. The fact that this criteria even matters to you is most likely a sad commentary on the state of your OS of choice.
you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.
The problem is, to do this you have to have set up a different user account and it has access to all of those files and settings. This is broken conceptually, and in practice for the average user does not create a second account and because the average user does not want a second account, they want run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right click to safely run a program, when it is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people if they click on an image someone IM's them if they think that should let a program send e-mail from their computer without asking them. Go ask 10 users if they run a game they downloaded, if it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.
Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.
Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80 or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not their is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.
Learn some basic sysadmin skills and you don't have to worry about programs not running more than once.
The sad thing is, on the world's most popular operating system people have to learn obscure methods that the average user will not comprehend or bother with in order to just run programs. Worse yet, on a consumer desktop where most people want to run executables they don't trust, there is no way to easily run them in an untrusted mode that does not give them default access to the entire user account. It is almost as though innovation had been stifled for the last decade due to some crazy subversion of capitalist market forces... like a monopoly.
was thinking of the larger ones (like the 200 and 500) with more connectors on them, as well as a Firewire interface.
Well, they have refurbished 500's for sale on their online store. New 500s are available from a number of resellers including macmall.com and www.dvd-rwmedia.com.
ur users do actually get alot of latitude with thier machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.
Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.
I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versus. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.
Many, many companies block AIM at the firewall. Ask at your next interview.
There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.
The other thing wrong with this is paying for a propriety IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.
Unfortunately, I looked at Elgato's site after I posted the link, and the "old style" breakout boxes are all gone in favor of that crappy USB dongle one.
Perhaps you're having difficulty with their odd Web site design? They seem to be selling 250, 310, 410, 610, as well as the USB dongles. The 250 is available directly from their store if that is what you're interested in. Here is a link.
I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it and go off and get control. Time will tell, but I suspect sooner or later someone is going to do it.
Yeah but who will notice? Windows is hosed and won't boot? Well, time for a re-install. Honeypots would probably be how people found out about such a thing.
It's certainly not *my* inherent statement.
You wrote "the Gamecube failed because..." That certainly does include the inherent statement that the Gamecube did fail and you were the one who wrote it, whatever your intention.
I was merely going along with the tone of the article, which suggested that the N64 and the GC had failed because they were picked up by relatively few gamers.
I'm not sure just being agreeable is a valid justification. If you disagreed with that point in the article, you should have said so, rather than explaining reasons that might explain why the article is correct on that one point, but not on another. But, there is no reason to argue about it now.