Slashdot Mirror


User: bouldin

bouldin's activity in the archive.

Stories: 0
Comments: 298
Profile: view on slashdot.org

Comments · 298

  1. What does Coburn know about infosec? on Report: DHS Failing On Cybersecurity · Score: 2

    Why does anybody care what a 66-year-old doctor from Wyoming thinks about information security?

    The report criticizes the DHS as ineffective at "cybersecurity" because of.. zero days or something.

    It's clear that neither Coburn, nor the author of the report, understands infosec or how it is different from kinetic war. You can't amass troops or use force. It's very difficult to even know who attacked you.

    You can do something like building defensive lines, but that's exactly what the report criticizes.

  2. Re:Yeah keep it... on After Outage, Sony Makes Peace Offering To Users of PlayStation Network · Score: 1

    Be careful, your ignorance is showing. The network going down had absolutely nothing to do with security issues.

    What?

    Security = Confidentiality + Integrity + Availability

    Resistance to a DDoS attack is absolutely security.

  3. It is lame and despite the fact that I generally feel complaining about "free" things is a dickbag move here is why this is insulting.

    Complain away.. this is NOT a free service.

    They lock you out of hosting your own server so you have to subscribe to PSN.

  4. Re:Lame on After Outage, Sony Makes Peace Offering To Users of PlayStation Network · Score: 3, Interesting

    I remember the days of Quake, when anybody could host their own server. If your server was popular, it became a virtual hangout.

    Sony moved all the servers to their poorly built "PS Network" so they could control your experience and make you pay.

  5. Re:I'm at a loss. And I RTFA on The Missing Piece of the Smart Home Revolution: The Operating System · Score: 4, Insightful

    There has been a lot of this lately.. CEOs of companies with cutesy names like "SmartThings" and "Eyeotee" pitching their bullshit visions to posture as "thought leaders."

    We have had internet-enabled devices for some time.

    The only revolution here is that big business is trying to monetize your entire life, daily routines and all. They want you to trade all of your security and privacy for a crumb of convenience.

  6. Re:But what laws are they breaking? on Lizard Squad: Xbox Live, PSN Attacks Were a 'Marketing Scheme' For DDoS Service · Score: 1

    You are correct, if the DDoS relies on raw bandwidth.

    Some DDoS attacks work closer to layer 7. E.g. ask the webserver to do something complicated and slow, maybe something that requires a bunch of database queries.

    That kind of DDoS relies on asymmetry: the response is much more expensive than the request.

    AFAIK nobody has said how the Christmas DDoS attacks worked.
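An added illustration of the asymmetry point in the comment above (this is example code written for this page, not anything from the original post or from the attacks it discusses): a toy model of an application-layer flood in which a request to one endpoint triggers 40 database queries while a request to another triggers one, and a rate limiter that budgets server work instead of counting requests. The endpoint names, per-endpoint costs, client addresses and request stream are all constructed for the example.

```python
"""Application-layer (layer 7) DDoS asymmetry and a cost-aware rate limiter.

Constructed example: the endpoint cost table, client addresses and the
request stream are made up for illustration.
"""
from collections import defaultdict

# Constructed cost model: how many database queries the server runs for one
# request to each endpoint. A cheap-to-send request that triggers many
# queries is what makes an application-layer flood asymmetric.
ENDPOINT_COST = {
    "/static/logo.png": 0,
    "/search?q=": 1,
    "/report/full": 40,
}


class CostBudgetLimiter:
    """Token bucket whose tokens are units of server work, not requests.

    Each client starts with `budget` units, refilled at `refill_per_sec`.
    A request is admitted only if the client can pay its cost up front,
    so 50 cheap requests and 50 expensive ones are no longer "the same".
    """

    def __init__(self, budget, refill_per_sec):
        self.budget = float(budget)
        self.refill = float(refill_per_sec)
        self._tokens = defaultdict(lambda: self.budget)
        self._last = {}

    def allow(self, client, cost, now):
        # `now` is passed in (seconds) so the simulation is deterministic.
        last = self._last.get(client, now)
        self._tokens[client] = min(
            self.budget, self._tokens[client] + (now - last) * self.refill
        )
        self._last[client] = now
        if self._tokens[client] >= cost:
            self._tokens[client] -= cost
            return True
        return False


def serve(requests, limiter, cost_aware):
    """Push a request stream through `limiter`; report admitted requests and
    DB queries actually executed, per client.

    `requests` is a list of (timestamp, client_ip, path). With
    cost_aware=False every request is charged 1 unit (a plain per-request
    limiter); with cost_aware=True it is charged its endpoint's DB cost.
    """
    accepted = defaultdict(int)
    queries_run = defaultdict(int)
    for ts, client, path in requests:
        charge = ENDPOINT_COST[path] if cost_aware else 1
        if limiter.allow(client, charge, ts):
            accepted[client] += 1
            queries_run[client] += ENDPOINT_COST[path]
    return dict(accepted), dict(queries_run)


def constructed_stream():
    """Constructed traffic: one attacker hammering the expensive endpoint and
    one legitimate user hitting the cheap one, 50 requests each in half a second."""
    reqs = []
    for i in range(50):
        t = i * 0.01
        reqs.append((t, "203.0.113.7", "/report/full"))   # attacker
        reqs.append((t, "198.51.100.4", "/search?q="))    # legitimate user
    return reqs


if __name__ == "__main__":
    for cost_aware in (False, True):
        acc, work = serve(constructed_stream(), CostBudgetLimiter(100, 10), cost_aware)
        print("cost-aware" if cost_aware else "per-request", acc, work)
```

With a budget of 100 and both clients sending 50 requests, the per-request limiter admits everything and lets the attacker run 2000 queries for 50 tiny HTTP requests; the cost-aware limiter admits the same 50 legitimate searches but only two of the expensive reports before the attacker's work budget is exhausted.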

  7. not if they don't have a botnet on Lizard Squad: Xbox Live, PSN Attacks Were a 'Marketing Scheme' For DDoS Service · Score: 1

    1. The IPs they used for the DDoS are almost certainly known now.
    2. There are several groups (Sony, FBI, probably Microsoft, some infosec companies) who want to see the botnet dismantled.
    3. As each host is remediated or blocked (ISP walled garden), said botnet shrinks.

    Unless these guys have some zero-days and malware kits up their sleeves, their DDoS capabilities will not be around for long.

  8. It's middle school all over again on Does Journal Peer Review Miss Best and Brightest? · Score: 2

    Like many things in life, it's a popularity contest first, and a meritocracy second (at best).

  9. Re:In regard to on South Korean Power Plants To Conduct Cyber-Attack Drills Following Hack · Score: 1

    We don't attack NK because they have enough bunkers on the North side of the DMZ to destroy Seoul. The bunkers are deep, and they could pound on Seoul with artillery for days before we could destroy all of them.

    Oh yeah, and China would threaten us with war.

  10. Are you suggesting that the power plant should not be air-gapped, or that it should be air-gapped with additional controls?

  11. Grammar much? on The Dominant Life Form In the Cosmos Is Probably Superintelligent Robots · Score: 1

    From the second paragraph of Schneider's paper:

    Even if you hold a more conservatively estimate ...

    Is "conservatively" an adjective now? Does nobody proofread their work anymore?

  12. Re:This synopsis on Research Highlights How AI Sees and How It Knows What It's Looking At · Score: 1

    No, they just aren't anywhere "near-human."

  13. Re:welcome to the post-9/11 world on Every Weapon, Armored Truck, and Plane the Pentagon Gave To Local Police · Score: 1

    The untruths consisted of:

    Accusing Republicans of passing the Patriot Act in 2000 - the stupid law passed Congress 357 to 66, and Senate - 98 to 1.

    No, I said they rammed it through, which is different. The act was introduced by a Republican, and all House Repubs except 3 voted for it. For comparison, 62 Democrats opposed it.

    Part of how Republicans rammed it through is by accusing Democrats of being weak on national security. I think you have an idea what I meant.

    Accusing Republicans of introducing the civil forfeiture laws - a mistake you've already acknowledged since.

    No, I acknowledged there was history behind civil forfeiture.

    It's interesting that you omitted the Comprehensive Crime Control Act of 1984, which was part of the Reagan-era ramp up of the War on Drugs. All the articles I've read call that act the turning point in Civil Forfeiture. Now who is lying by omission?

    Implying Republicans are the reason our Second Amendment right is trampled - and, at best, is treated as a mere privilege. You said nothing on this explicitly, but your post was a reply to mine, where I was talking about the Second Amendment and nothing else.

    I don't think any reasonable person would read this thread and think I implied Republicans have trampled the second amendment.

    No, you didn't explicitly say "Democrats are innocent", but a lie by omission is still a lie.

    Talk about the pot calling the kettle black.. You have ignored many valid points that I've made (e.g. about NSA Warrantless surveillance) and have cherry-picked and flat-out put words in my mouth.

    Let's not beat around the bush. Republicans have (throughout my lifetime) been the advocates of National Security at all costs, and Crime Control at all costs. They have pushed Democrats to the right on these issues by repeatedly accusing them of being weak of national defense, weak on terror, and weak on crime. You are right that Democrats have had a hand in it, but it is very reasonable to say Republicans have more culpability here.

    I enjoy lively debate, and would continue this conversation if I thought you were serious about finding the truth. You only seem to want to argue in favor of your tribe, so I'm going to walk away from this conversation.

  14. Re:welcome to the post-9/11 world on Every Weapon, Armored Truck, and Plane the Pentagon Gave To Local Police · Score: 1

    I didn't actually say anything about the Democrats, but I would agree that they are NOT our last bastion of personal freedoms.

    I also would not say Clinton or Obama are especially liberal. To a first approximation, the modern Democratic party is almost exactly like the modern Republican party.

    Yeah, you certainly have forgotten everything, that inconveniences your lie-telling...

    I appreciate that I may have ruffled your feathers, but you have not come close to proving I've said any lies.

    The way to prove or disprove my assertion that Republicans rammed through these laws would be to look at who introduced the individual acts, who cosponsored them, who voted for them, and why.

    Thanks for the links about Civil Forfeiture laws, I wasn't familiar with all of that history. Personally, I'd like to see more Libertarianism, but I don't think most people who claim that moniker are actually Libertarians at all. If you don't agree with everything the ACLU does, you probably are not a Libertarian.

  15. welcome to the post-9/11 world on Every Weapon, Armored Truck, and Plane the Pentagon Gave To Local Police · Score: 1, Flamebait

    Why only to police?

    Because 9/11.

    No, really. This was just another piece of police state bullshit rammed through by Republicans after 9/11, along with warrantless surveillance by the NSA, the Patriot Act, and civil forfeiture laws http://www.rollingstone.com/tv/videos/john-oliver-amplifies-the-absurdity-of-civil-forfeitures-20141006, which allow police to seize your property with only an accusation.

    Remember this next time the Republicans get on their soapbox pretending to be Libertarians.

  16. Re:Keep Learning on Which Programming Language Pays the Best? Probably Python · Score: 1

    I agree, but good luck convincing HR departments and hiring managers. They all seem to think if you haven't been using that exact language for the past 5 years, you won't be able to do the job.

  17. wonder how big that market is on Workers On Autism Spectrum Finding Careers In Software Testing · Score: 1

    This doesn't surprise me. Some of the HFA people I've known take naturally to this kind of detail-oriented work that might seem tedious to other people.

    I wonder how much of a market there is for high quality software testers. Based on what I've seen, software vendors care a lot about time-to-market, but not so much about software quality.

    The ones that do care about quality don't test much beyond functional tests, and the QA folks they pay to break their software are marginalized.

  18. Re:All right, allow me to expose my ignorance on Debian Forked Over Systemd · Score: 2

    Ok so reading the slides they're planning on doing network management (byebye NetworkManager), Local DNS cache (yes please), mDNS responder, LLMNR responder, DNSSEC verification, NTP, sandboxing services and applications, OS/App/Container image formats, stateless systems, atomic node initialisations and updates and more. That is freaking awesome. Not only does it bring Linux distributions closer together.. it also takes the distributions as a whole to a new level. Instead of a kernel + some packages the future will bring us a true (GNU/)Linux/systemd operating system. I can understand this may seem scary to some but personally I really think this is awesome.

    Why do they need to reimplement all these things?

    I use unbound for DNS, and it's great. It provides caching, DNSSEC, and more. It's a mature, stable project. Why rewrite it?

    Same with NTP. Why do they need to sprinkle SysD dust on it? We already have NTP.

    I hate NetworkManager, and I'm sure I'll hate whatever SysD project rewrites it. My desktop has a static place in the network. I don't need some bloatware screwing with all my network settings and crashing all the time.

    This is one thing I don't like about systemd. All the selling points (e.g. almost everything at http://0pointer.de/blog/projects/why.html) seem to be either:

    • Things I do not want or need, or
    • Things I already have, that are reimplemented "the systemd way."

    Another troubling thing is that I've never seen a good description of what "the systemd way" is, or what the grand vision is. It seems to be nebulous, constantly shifting, and constantly expanding with no clear boundaries.

  19. Re:hum on Debian Forked Over Systemd · Score: 1

    I remember Fyodor of nmap claimed that any software that parsed the output from nmap was a derived work.

    It sure seems like a stretch, but until there is some case law around this issue, nobody can say for sure.

  20. Re:Okay, this is a great idea on Debian Forked Over Systemd · Score: 1

    Yeah, sorry, I thought you were responding to a different post.

    I agree - I'm inclined against systemd, but really just want to see the strongest arguments from both sides so I can make up my mind.

  21. Re:Okay, this is a great idea on Debian Forked Over Systemd · Score: 1

    From the first paragraph on Jude's blog listing fallacious arguments used to support systemd:

    This blog post is meant to serve as a repository of common but invalid arguments for using systemd that I and others have had to refute multiple times.

    And from the second paragraph:

    Please be informed that this post is not meant to be a criticism of systemd or its authors.

    The gist is not that systemd is bad, it's that proponents need to develop other arguments. Personally, I think Jude's blog is the most incisive at cutting through emotions and using reason to dissect the systemd controversy.

  22. Cox is not Rightscorp's enforcer on Music Publishers Sue Cox Communications Over Piracy · Score: 1

    If Rightscorp has "overwhelming evidence" of repeat infringers (or really, any infringers), they need to sue the offender directly or f**k off. If they don't actually have evidence, then they need to f**k off, then die in a fire, then go f**k off again.

    It's not Cox's job to enforce Rightscorp's allegations as if they were court orders.

    Judging from the complaint, Cox must feel like it has staked out a secure legal position:

    Cox's Privacy Counsel advised Plaintiffs' agent that it has implemented a "policy not to accept or to forward notices such as those sent to us by your firm."

    Sounds like Rightscorp didn't like getting the finger, and now they've asked for a *jury* trial. LOL good luck with that, assholes.

  23. Re:Explanation of Uber permissions... on Uber's Android App Caught Reporting Data Back Without Permission · Score: 2

    NO HE DID NOT. Sorry for yelling, but it's an important point.

    Yep, I didn't see the NextWeb response until after my post.

    I capitalized that phrase because the poster I was responding to (like many other posters) was confusing accessing data with sending data back to Uber servers. I wanted to draw attention to that distinction.

    Go back and read the original GironSec blog post where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.

    I re-read the blog post. I guess you mean in the comments section, where someone posts a link to the NextWeb article, GironSec responds:

    I found code that might be used to spy. I didn't say they did. Hidden features. Thanks for linking.

    I don't see that GironSec supposed or assumed anything. The Gizmag blog post did, though.

    GironSec did establish that:

    • The Uber app includes a roottools library that can detect and use root access.
    • The Uber app includes a semi-weaponized library that is marketed as anti-fraud protection for mobile banking

    The next step would be to look through Uber's code and see where it calls these libraries and what triggers the calls. Regardless, this is worthy of security news (and is legitimate research). Uber is not marketed as an anti-fraud, anti-malware tool, and AFAIK it does not advertise extra features on rooted phones.
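The "next step" proposed in the comment above, finding where an app calls a bundled library and which code paths trigger those calls, as an added example written for this page (not code from the original post, from GironSec, or from Uber): a small scanner over decompiled Java source that records every reference to a library prefix together with its enclosing class and method, then walks one hop up to the methods that invoke it. The Java below is a constructed stand-in for decompiler output; the `com.stericson.RootTools` package path and the `isRootAvailable`/`isAccessGiven` method names are assumed for illustration.

```python
"""Find library call sites in decompiled Android source and what triggers them.

Added example. SAMPLE_JAVA is constructed to look like decompiler output
(one statement per line, braces at line ends); it is not any real app's
code, and the RootTools package/method names are assumed.
"""
import re
from dataclasses import dataclass

CLASS_RE = re.compile(r"\b(?:class|interface|enum)\s+(\w+)")
# Method header: optional modifiers, return type, name, parameter list, "{".
METHOD_RE = re.compile(
    r"^\s*(?:(?:public|private|protected|static|final|synchronized)\s+)*"
    r"[\w<>\[\], ]+\s+(\w+)\s*\([^)]*\)\s*(?:throws [\w., ]+)?\{"
)

SAMPLE_JAVA = """\
package com.example.rider;

import com.stericson.RootTools.RootTools;

public class DeviceCheck {
    public boolean isRooted() {
        return RootTools.isRootAvailable();
    }
}

public class SessionManager {
    private final DeviceCheck check = new DeviceCheck();

    public void onLogin(String user) {
        boolean rooted = check.isRooted();
        report("rooted", rooted);
    }

    public void onAppStart() {
        if (RootTools.isAccessGiven()) {
            report("root_access", true);
        }
    }

    private void report(String key, Object value) {
        // constructed stub: a real app would send this somewhere
    }
}
"""


@dataclass(frozen=True)
class Site:
    cls: str
    method: str
    line_no: int
    text: str

    @property
    def where(self):
        return f"{self.cls}.{self.method}"


def walk(source):
    """Yield (line_no, line, enclosing_class, enclosing_method) per code line.

    Scope is tracked with a brace counter, which is adequate for the
    consistently formatted output of a decompiler; comments, imports and
    package lines are skipped so they cannot register as call sites.
    """
    depth = 0
    classes, methods = [], []   # stacks of (name, depth at which it opened)
    for n, line in enumerate(source.splitlines(), 1):
        s = line.strip()
        if s.startswith(("//", "import ", "package ")):
            continue
        m = CLASS_RE.search(s)
        if m and s.endswith("{"):
            classes.append((m.group(1), depth))
        elif (m := METHOD_RE.match(s)):
            methods.append((m.group(1), depth))
        cls = classes[-1][0] if classes else "<none>"
        meth = methods[-1][0] if methods else "<field>"
        yield n, s, cls, meth
        depth += s.count("{") - s.count("}")
        while methods and depth <= methods[-1][1]:
            methods.pop()
        while classes and depth <= classes[-1][1]:
            classes.pop()


def find_call_sites(source, library_prefix):
    """Every code line that references the library, with its enclosing scope."""
    return [Site(c, m, n, s) for n, s, c, m in walk(source) if library_prefix in s]


def callers_of(source, method_name):
    """Methods that invoke `method_name` (one hop up the call chain)."""
    call = re.compile(rf"\b{re.escape(method_name)}\s*\(")
    return [Site(c, m, n, s) for n, s, c, m in walk(source)
            if m != method_name and call.search(s)]


def triggers(source, library_prefix):
    """Map each library call site (Class.method) to the methods that reach it."""
    return {site.where: [c.where for c in callers_of(source, site.method)]
            for site in find_call_sites(source, library_prefix)}


if __name__ == "__main__":
    for site in find_call_sites(SAMPLE_JAVA, "RootTools."):
        print(f"{site.where} line {site.line_no}: {site.text}")
    print(triggers(SAMPLE_JAVA, "RootTools."))
```

On the constructed source this reports two call sites and shows that one of them is reached from `onLogin`, i.e. a user action, while the other sits directly in app startup; that distinction (what triggers the call, and whether anything is then sent off-device) is exactly what a follow-up analysis would have to settle.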

  24. Re:Explanation of Uber permissions... on Uber's Android App Caught Reporting Data Back Without Permission · Score: 5, Insightful

    Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

    Sorry for yelling, but it's an important point.

    Also, there is no good reason to report back your data pertaining to malware.

  25. Re:First rule of computer security!!! on Auto Industry Teams Up With Military To Stop Car Hacking · Score: 1

    Product liability law says that manufacturers should be aware of the most current science related to manufacture of their product. They are on the hook for all manufacturing defects. Congress doesn't have to codify the state of the art.

    The problem is that the law hasn't decided how software fits in to product liability law, so vendors can argue security defects are not manufacturing defects, but *design* flaws, and they have much less liability for design flaws.

    Congress could fix this easily, but legislators are almost entirely hillbillies, low-tech businessmen, and low-tech lawyers. This is why the USA has one foot firmly in the 20th century.