Slashdot Mirror


User: cyriustek

cyriustek's activity in the archive.

Stories: 0
Comments: 77

Comments · 77

  1. Re:It's not about the government on CRTC Mulls Canadian Content On the Internet · · Score: 4, Insightful

    Canada clearly has a distinct culture, that many of its people want to preserve. However, it does seem that some Canadians do go a bit overboard with it.

    When traveling across Europe, or Australia or NZ, it is quite easy to pick the Canadians out. It seems that a very large percentage keep a maple leaf somewhere on their body or clothing. Evidently, they do not like people assuming that they are Americans due to their accent, so they overcompensate.

    Since many people have noticed this attitude from Canadians, they usually will not ask someone if they are American if they meet them, so as to avoid offending the Canadians. Instead, they inquire whether one is from Canada, since it seems rare for an American to be insulted by this question.

    I think this is a little like a little brother / big brother rivalry. Although Canada is large geographically, it clearly does not have the population of the USA. As such, there is not a concerted effort of Americans trying to implement imperialism over Canada, it just happens due to the numbers. We can see similar examples of this in NZ and Australia. Another example would be Wales and England.

    I cannot blame Canadians for trying to get their culture out there. However, going overboard just makes one look a bit silly.

  2. Pubs on FDA Testing Artificial Liver · · Score: 0

    Clearly the usual joke is how business in the pubs will increase due to this. However, I think there may be some truth to the joke.

    Oftentimes those with drinking habits/problems look for excuses as to why it is OK for them to drink. Some use silly rules such as "I only drink after 5pm," others say they only binge on the weekends, and others say they are going to die anyway.

    Depending on how this is reported, we may begin to see people lower their inhibition, or at a minimum be willing to take more chances with drinking, and use this as their enabler.

    On the bright side, this is really cool stuff, and it is nice to see that lives may be able to be saved.

  3. Re:iTunes Plus on Apple's Terms No Longer Allow ITMS Purchases Outside of US · · Score: 1

    Sorry mate, but if one goes to the site outside of the US, he gets the following:

    "Please note that AmazonMP3.com is currently only available to US customers."

  4. Hiring the Right One(s) on Best Security / Vulnerability Testing Firms for Web Apps? · · Score: 1

    It is rare that I would get into a discussion like this, since it often will devolve into the equivalent of a Perl vs. Python war, or at a minimum, vendors will try to sell their warez.

    When hiring a company for an application penetration test, I like to look towards those who are actively involved in research within the security community, and hire people that contribute to the community heavily as well. For example, does the firm have people on staff that discovered and disclosed new vulnerabilities? Does the company have people that bring new ways of attacking to market, and what tools do they make available to the community?

    Quite often this rules out a number of the large companies, like the big auditing firms. (Whilst in some cases they have intelligent people, I have met an awful lot of tool monkeys that worked for these companies.)

    Some companies that I would usually consider include NGS Software (David & Mark Litchfield ... known for a number of Oracle vulnerability disclosures), Immunity Security (Dave Aitel, Kostya Kortchinsky, and Nico. These guys are very well known in the community, and are the brains behind Canvas, Spike Proxy, and others...), Security-assessment.com (Paul Craig, released iKat for kiosk hacking.), and finally, Insomnia Security (Brett Moore, this guy knows heaps about heaps.).

    Which of these are the best will depend on the particular assessment you are having performed, and what the goal of the test is. These guys are damn smart, and very professional. Go to their sites and see what they do, and then talk to references. In the end you have to be comfortable with the company.

    I hope this helps.

    Cy

  5. Re:Doesn't seem to practical on New Way to ID Invisible Intruders on Wireless LANs · · Score: 2, Insightful

    Whilst you have somewhat of a point, the odd occasion where one may forget something and try to access the LAN from his car is an outlier to the data set. If the system notices someone from that location connecting to the network, it can either force a new authentication event requiring a local cert, or simply shut down the AP the external person is connecting to. (Preferably shutting it down.)

    As an aside, the company can also have a policy explicitly forbidding access from the parking lot. If what they had to do is so important, they can either go into the building, or wait until they are home and use their VPN connection.

  6. Re:Just imagine how fast the internet would be... on Mark Cuban Calls on ISPs to Block P2P · · Score: 2, Informative

    Actually, it has already been done.

    From the ISS X-Force Database...

    LOKI is a client/server program published in the online publication Phrack. This program is a working proof-of-concept to demonstrate that data can be transmitted somewhat secretly across a network by hiding it in traffic that normally does not contain payloads. The example code can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a Unix system after root access has been compromised. Presence of LOKI on a system is evidence that the system has been compromised in the past.

    http://xforce.iss.net/xforce/xfdb/1452

  7. Re:It is illegal in the UK on Wi-Fi Piggybacking Widespread · · Score: 1

    When I read the law, it seems pretty clear to me...

    Communications Act 2003, section 125

    Dishonestly obtaining electronic communications services

    (1) A person who-

    (a) dishonestly obtains an electronic communications service, and
    (b) does so with intent to avoid payment of a charge applicable to the provision of that service,

  8. It is illegal in the UK on Wi-Fi Piggybacking Widespread · · Score: 3, Informative

    Here are a few occasions indicating that using a wireless connection without payment, or without permission, is illegal:

    "Two people have been arrested in the UK for using another person's wireless internet access without permission. Neither was charged but both were cautioned for dishonestly obtaining electronic communications services with intent to avoid payment." http://www.out-law.com/page-7969

    Another, according to BBC News, where a man was arrested because "Dishonestly obtaining free internet access is an offence under the Communications Act 2003 and a potential breach of the Computer Misuse Act." http://news.bbc.co.uk/2/hi/uk_news/england/london/6958429.stm

  9. Forensics and data theft on Seagate to Offer Solid State Drives in 2008 · · Score: 1

    This wear leveling controller may help to more evenly distribute the reads/writes, so that the drive can last longer, but it can also be a boon to the folks into forensics or stealing data from "wiped" drives.

    Since each write will be allocated to a different section, one does not really know if he is overwriting information that should be declassified. This may make it easier to recover information from the drive. See Forensic Data Recovery from Flash Memory by Marcel Breeuwsma, Martien de Jongh, Coert Klaver, Ronald van der Knijff and Mark Roeloffs.

  10. Re:For all of NASA's problems on Mars Rover Ready for Risky Descent into Crater · · Score: 2, Interesting

    It sounds to me as if the engineers at NASA took Scotty's advice to heart when he was shocked that Geordi told the truth about how long it would take to make a repair. (TNG: Relics)

    Under Promise and Underperform.

    The flip side of this is that we have to wonder if there is a downside to the NASA engineers under promising? Is it possible that if they gave a more realistic estimate, better plans for research could have been developed?

    Regardless, I say good job NASA!

  11. Re:Kismet? on Linux Based Nokia N800 Internet Tablet Reviewed · · Score: 1

    Well... While it is not Kismet, Immunitysec is running their product called "Silica" on the device. Silica is great for auditing your wireless networks and the security of systems connected to them. You can find it at http://www.immunitysec.com/products-silica.shtml

  12. Government Access on Vista DRM Prevents Kernel Tampering · · Score: 1

    I wonder if the Governments will have to pay the fee to allow their rootkits to work. This can be an interesting twist on spying.

  13. Re:This Has Been Done Before... on DARPA's Cortically-Coupled Computer Vision System · · Score: 1

    Actually a better example would be the testing that has already been performed on supposed "lie detectors."

    Scientists have been working with showing images to people, and measuring their EEG trace (P300). If you recognized an image of a crime committed, it is thought you are the guilty person. Evidently we are unable to control the brain's reaction to viewing these images.

    Take a look at http://www.scienceblog.com/community/older/2001/C/200113631.html for more details.

  14. Re:Uhh... on Biometric Payment Arrives in a Store Near You · · Score: 3, Interesting

    Another issue is that your fingerprint must be stored somewhere else in a database. This leaves room for an attacker to use a digital copy of your fingerprint for other transactions.

    Somebody please correct me if I am wrong, but this is nowhere near as safe as a private/public key. If the external party saved your public key, there is no worry. However, your fingerprint does not have two versions, one being public, and one being private for signing. On the bright side, they can combine a PIN with the fingerprint, but the stores I have visited (Farm Fresh) do not require a PIN. Only a fingerprint.

  15. Oh Great on Microsoft Developing Robotics Software · · Score: 0, Redundant

    Now we have a real reason to fear the BSOD.

  16. Re:Message to Blizzard re: WoS: on World of Starcraft? Not So Much · · Score: 0, Redundant

    ...And no one would ever need more than 640k RAM. ;)

    Erm...640 I mean.

  17. In related news.... on Duke Nukem Forever Due This Year? · · Score: 3, Funny

    In related news...

    Windows Vista is to ship this year.

    We will no longer have to wait for Godot.

    The second coming of Christ will come this year.

    The US will pull out of Iraq this year.

    The US will find Osama.

  18. Re:Detroit? on The Soaring Costs for New Data Center Projects · · Score: 1

    On the surface what you are saying is reasonable. Detroit is geologically stable, and there are few environmental disasters overall. (Other than snow storms and maybe tornadoes. Go underground for the tornado.) Additionally, I know of a very large data center in Philadelphia. As most can imagine, downtown Philly is not much more secure of an area than Detroit.

    Having said this, a lot of effort would have to be placed into the security effort. Trying to secure a data center in Detroit would be like trying to secure Oracle. You can do it, but there are a lot of holes to patch.

  19. Re:Too mature of an industry. on Not Your Daddy's IT Force Anymore · · Score: 3, Insightful

    Speaking as one who waited until his thirties to actually finish a college degree, I can say that one can be proficient, and fit into a corporate environment, if he is either college educated or high-school educated, and has a mature attitude and work ethic. Having said this, if one has a college degree, and attended business type classes in addition to the technical classes, he has an opportunity to develop better communication skills in the work place. For example, I recall an employee that I had who would merely blast off an e-mail saying, "Request Denied" when he thought it was improper to open a port on a firewall for a new application. If he was educated in communication skills, he would have known to 1) thank the person for the request, 2) explain the risk, 3) offer alternatives that provide an improved level of security while allowing the company to move forward with business.

    Having said this, most of the value of my education was in the business area. After twenty years in the IT industry there was little the school could teach me in the technical areas. As such, once I completed the BS degree, I moved on to an MBA. Remember you are working for the business for the sake of improving shareholder wealth. (Ethically of course) Without working towards this goal, you will marginalize yourself in the long run.

  20. Not entirely true... on Network Management Outsourced to India · · Score: 1

    Keep in mind that I am not a big fan of off-shoring any activities. However, many IT functions can be outsourced, and much of the risk can be managed. Not eradicated, but managed. After all, that is exactly what one does in Information Security: you manage risks, not eradicate risks.

    Depending on the company's function, and the layout of the network and systems, the risk may be acceptable. For example, if the company places an application on an internal segment of a tiered network, and a local staff manages that small segment, the risk is much the same as having an application available on the Internet.

    I doubt many people would suggest we all just shut down our e-commerce systems because there are too many "bad guys" on the net. Instead, a manager would examine the risk of being involved with e-commerce, and balance it with the potential gains.

  21. Re:Unexpected side-effects on Deep Brain Stimulation as Depression Treatment · · Score: 1

    You bring up a great point.

    I believe Ted Turner once explained that he would never use medication to control his manic depression. He believed his moments of mania to be responsible for much of his success like the creation of CNN.

  22. Re:You don't know what a democracy is on Oklahoma Senate OKs Violent-Games Bill · · Score: 2, Insightful

    Actually, in the United States, we use a form of government known as a "representative republic." Although it has some features of a democracy, it certainly is not a democracy. A democracy is a "tyranny of the majority."

    To steal a quote:

    "Democracy is two wolves and one sheep voting what they are having for dinner."

  23. Re:What standard should they be held to? on Liability for Data Breaches are Minimal · · Score: 1

    That is a good question. Some financial institutions closely align themselves with NIST standards. The NIST standards are generally better than much of the home-brewed stuff coming out of some of these places. (I think they may have led to this direction since much of GLB discusses agencies, and the agencies tend to use the NIST standards.) Having said this, the standards that are applied often have a lot to do with who audits the financial institution. Some seem to be more rigorous than others. http://csrc.nist.gov/publications/nistpubs/

  24. Re:GLB on Liability for Data Breaches are Minimal · · Score: 1

    As I read the proposed federal legislation, it is supposed to trump state law.

  25. GLB on Liability for Data Breaches are Minimal · · Score: 2, Informative

    The problem here lies with the application of Gramm-Leach-Bliley. The regulation merely requires financial institutions to apply reasonable protections to the customers' information. Unfortunately for most consumers, this bar is lower than one would hope. The application of GLB, and most other federal regulations, does not adequately protect the individual. This is why people should ensure they communicate with their congressional representatives to get privacy laws with teeth in place.

    Tragically, the privacy laws that are currently being evaluated at the federal level water down the requirements of many state laws. For example, California's SB-1386 requires a company to report to you that your information may have been inappropriately disclosed. However, the proposed federal legislation requires companies to only disclose this to you if they believe you are at risk from this exposure. It is easy for a company to say they do not think a disclosure of your information would harm you. If you do experience ID theft, you wouldn't know what company was the source, so you would not have the ability to require the offending company to disclose the information exposure.

    The upshot is...You MUST get involved in this. There are very high-paid lobbyists who want this lower level of protection for your private information. Ensure your congressional representative knows you want a law with real teeth. You can find who is your rep at: http://www.congress.org/congressorg/home/