I see lots of people complaining above BH stories. While we cannot filter on the stories (only the editors), the web is OUR web. Tampermonkey script: http://userscripts.org/scripts...
I find it extremely interesting that Appendix E of that report does not discuss the NSA's role (or not) in twiddling with Dual EC DRBG. It's the only crypto component that they've been explicitly called out on, and it's not discussed.
NIST and NSA have all sorts of partnerships (look at NIAP as an example). On the whole, however, they are distinct organizations with some overlapping function. NIST, for example, validates cryptography implementations through the CMVP and the CAVP. Also of note is that the NSA has two arms: an offensive arm and a defensive arm. I'm somewhat annoyed with the /. crowd for not recognizing this and realizing that it is the offensive NSA arm which is potentially responsible for deliberate cryptographic weakening.
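The "twiddling" the two comments above refer to, as an added worked example that is not code from the page, from NIST, or from any real implementation: a toy Dual EC DRBG on a tiny constructed curve. The curve, the choice of P, the secret d, the seed and the number of withheld bits are all assumptions made here for illustration (the real generator runs on P-256 and drops the top 16 bits of each x-coordinate). The structure is what matters: whoever chose Q as d*P for a d they know can lift a single output back to a curve point, multiply by d^-1, and read off the next internal state, which is why the provenance of the constants P and Q, not the outline of the algorithm, is the part that deserves scrutiny.

```python
"""Toy Dual EC DRBG and the state recovery that a secret relation Q = d*P permits.
Added illustration only: curve, P, d, seed and the withheld-bit count are constructed
here and are not SP 800-90A's parameters (P-256, top 16 bits of x dropped)."""
from math import gcd

P_MOD, A, B = 233, 1, 44   # constructed curve y^2 = x^3 + A*x + B over GF(233)
DROP_BITS = 2              # low bits of each x(sQ) the generator withholds (constructed)
O = None                   # point at infinity
assert (4 * A**3 + 27 * B**2) % P_MOD, "curve must be non-singular"


def ec_add(p1, p2):
    """Affine point addition."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                      # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = O, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return acc

def point_order(pt):
    n, acc = 1, pt
    while acc is not O:
        acc, n = ec_add(acc, pt), n + 1
    return n

def lift_x(x):
    """Some curve point with x-coordinate x (either sign of y), or None."""
    rhs = (x**3 + A * x + B) % P_MOD
    return next(((x, y) for y in range(P_MOD) if y * y % P_MOD == rhs), None)

# Public parameters. P: a point of maximal order. Q = d*P with d known only to
# whoever chose Q; honest users see P and Q and cannot tell Q was built this way.
P_GEN = max((pt for pt in map(lift_x, range(P_MOD)) if pt is not None), key=point_order)
N_ORD = point_order(P_GEN)
D_SECRET = next(d for d in range(2, N_ORD) if gcd(d, N_ORD) == 1)   # constructed secret
Q_PT = ec_mul(D_SECRET, P_GEN)

def next_state(s):
    # `or 1` keeps the scalar nonzero mod n: a toy convention, not part of the spec.
    return ec_mul(s % N_ORD or 1, P_GEN)[0]

def output_from_state(s):
    return ec_mul(s % N_ORD or 1, Q_PT)[0] >> DROP_BITS

def generate(seed, count):
    """Honest run: states s_0..s_count and outputs o_i = trunc(x(s_{i+1} * Q))."""
    states, outputs = [seed], []
    for _ in range(count):
        states.append(next_state(states[-1]))
        outputs.append(output_from_state(states[-1]))
    return states, outputs

def predict(state, count):
    """Continue the output stream from a known internal state."""
    outs = []
    for _ in range(count):
        outs.append(output_from_state(state))
        state = next_state(state)
    return outs

def recover_state(observed):
    """Holder-of-d attack. From consecutive outputs o_i, o_{i+1}, ... return every
    candidate s_{i+2}: lift o_i plus brute-forced withheld bits to +/- s_{i+1}*Q,
    multiply by d^-1 mod n to get +/- s_{i+1}*P, whose x-coordinate is s_{i+2}.
    Later outputs weed out wrong lifts. Without d this step is a discrete log."""
    d_inv = pow(D_SECRET, -1, N_ORD)
    candidates = []
    for low in range(1 << DROP_BITS):
        x = (observed[0] << DROP_BITS) | low
        pt = lift_x(x) if x < P_MOD else None
        sp = ec_mul(d_inv, pt) if pt is not None else O
        if sp is not O and predict(sp[0], len(observed) - 1) == observed[1:]:
            candidates.append(sp[0])
    return candidates

if __name__ == "__main__":
    states, outputs = generate(seed=7, count=8)       # seed is constructed
    print("honest outputs:", outputs)
    for s in recover_state(outputs[:4]):
        print("recovered s_2 =", s, "predicts", predict(s, 7))
```

Run it and the holder of d reproduces the honest stream from one output plus a brute-force over the handful of withheld bits; the same output tells someone without d nothing, because turning x(sQ) into sP is a discrete-log problem for them. Dropping only two bits here is what keeps the brute-force trivial; dropping more bits makes it proportionally more expensive but does not change the structure.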
Actually, although your message is clear, the details are not entirely correct. Regardless of how long you are outside of the country, if you have strong ties in Canada (a house, a wife/husband/children/family, bank accounts, etc.) then you are still considered a "factual" resident for tax purposes (http://www.cra-arc.gc.ca/tx/nnrsdnts/cmmn/rsdncy-eng.html). You must still FILE taxes, but you don't (necessarily) have to PAY taxes. You pay taxes only on income received from Canadian sources. Any so-called "Worldwide income" is exempt from Canadian taxation as long as there is a tax treaty with the counterparty country (http://www.cra-arc.gc.ca/E/pub/tg/t4131/t4131-e.html#P201_20183).
If you live outside of the country for more than 6 months (6 months plus one day), then you aren't afforded medical insurance. Hence, snow birds who fly back and forth from Canada every 6 months.
I've always been amazed at things like SAS 70 which, as the poster states, is based on self-defined criteria. The most shocking part, if I recall correctly, is that the criteria are not publicly consumable! This is the worst part of it all and the key part which needs to change.
Wow. The multi-target radar system is *more* complicated than your proposal, is it? I'd like to see how you quantify your variables and make it hold up in a court of law.
Look, I'm all for simplicity especially when it comes to rules and laws, but anything that is "relative" is asking for interpretation and hence, more complexity.
Actually, TFA believes that the vector was a removable drive by which they periodically update their map collections.
Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.
Remember, Canada is a big place. 75% of all Canadians live within 90 miles of the US border. So keep this in mind while you read all of the comments saying what a calamity this is for Canadians. Northern Canada -- and I say this as a Canadian, though some may disagree (like we disagree about what it means to be in Eastern Canada or Western Canada) -- generally are those who live above 55-60 degrees N which is an exceptionally small percentage of the total population.
I believe it was a multi-tiered attack in that Java, Flash, and PDF exploits were all tried. What is shown in the video is that the Java attack was successful.
TFA specifically uses an example of a failed hard drive to describe the workflow. You can see that a failed hard drive is something small, easily diagnosable, and -- in the greater scheme of things -- easily fixable.
Now, if you recall what happened with AWS in April, they had a low-bandwidth management network that all of a sudden had all primary EBS API traffic shunted to it. This was caused by a human flipping a network switch when they shouldn't have. Something like this is not something that happens all the time, has few, if any, diagnosable features, is not well-defined enough to have a proper workflow attached to it, and needs human engineers to correct. This is an example of a complex, large-scale problem.
Read the article, it's actually quite interesting.
It doesn't sound like you read the article, but your questions are still just as valid. TFA states that they had not exhausted all non-GPS solutions to tracking him. But then it fails to go on to say why they felt they needed to track him in ANY capacity in the first place.
...but if I show up on time during the week and do my job
TFA does indicate the employee "filed improper time sheets" and alluded to the fact that a "...pattern of misconduct and the difficulty of constant in-person surveillance justified the technique". Guess what, folks? It is not justified. Someone should be fired for this.
The vast majority of commenters I've seen on both /. and the article itself are all kinds of cynical and this does not help /., and it doesn't help the community. It makes me sad.
Yes, we realize that you are an amazing h4X0r capable of creating code devoid of buffer overflows, race-conditions, (all sorts of) injection attacks, etc. Perhaps you've forgotten there is a spectrum of programmers and like it or not, you are probably an AVERAGE coder. (They don't call it average because everyone thinks they are great.)
A programmer will always make assumptions about the underlying environment and will always have to sacrifice security functionality in the name of time/resource-savings. And in case you haven't noticed, some systems do not actually require DoD-level security with zero vulnerabilities. They merely require a level of security commensurate with the environment it runs in. It's one thing to design a system for physical attacks or reachable through a public IP and another thing entirely to protect against measured threats within a managed network environment or air-gapped system.
There is a wide spectrum of security risks and a wide spectrum of programmers and development practices. Corporations generally match them up appropriately, which is why you don't see outsourcing of internal top-secret DoD systems out on rent-a-coder.
There's nothing I can say that others haven't already said. I was introduced to this site in 2000-2001 and by then the uids were already in the high 5 digits. I also remember actually being able to have an email conversation with cmdrtaco about some bug or another on /. and being a little amazed at receiving an actual response within 15 minutes. It was - it *is* - the seeming connectedness of us nerds on /. that makes it one of the true cornerstones of the Internet.
You do realize that PCI compliance covers things like the PoS terminals and the like, right? PCI Compliance is a security guideline document that is supposed to be used if you receive customer credit card information at all.
Period.
Do you use a PoS to process those cards? Is it secured? Is it connected to an open network or on a dedicated line? Is the credit card number printed on the slip? Are those slips secured in a safe place? Does the minimum number of people have access to these slips? etc.
It is NOT a system just for web e-commerce, but most people seem to think that it is.
Actually, TFA states that if you purchase an MP3 from Amazon, it is automatically synced to their service. But other content will have to be uploaded, yes.
"...most bugs I find are from running through some kind of manual procedure and noticing something "odd" that an automated system wouldn't have picked up."
This is a valid point and underlines that automated testing can only be as good as the test designers. If the test designers fail to take into account proper bounds-handling, error conditions, interactions, etc. between modules, then you can -- at best -- protect yourself from regression issues.
I think of testing as an evolutionary process: keep with the tried and true (automation), but throw in some mutations (manual testing) to ensure you are capturing the full spectrum.
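To make the point about test design concrete, an added example that is not from the page or from any real project: a constructed tag-length-value record format, a first-draft parser exercised only by the happy-path inputs a spec reader would write, and the boundary "mutations" that expose what those inputs never asked. The format, both parsers and every input are constructed here for illustration.

```python
"""Added illustration of the point about test design: an automated suite only
catches what its author thought to ask. The record format, both parsers and
every input below are constructed for this example, not taken from the page
or any real project.

Constructed wire format: records of 1-byte tag | 2-byte big-endian length | payload."""
import struct


def parse_records_lenient(buf: bytes):
    """First-draft parser. Python slicing past the end of a buffer silently returns
    fewer bytes, so a length field that overruns the data yields a short payload
    instead of an error: behaviour no happy-path test input ever exercises."""
    records, pos = [], 0
    while pos < len(buf):
        tag, length = struct.unpack_from(">BH", buf, pos)
        pos += 3
        records.append((tag, buf[pos:pos + length]))
        pos += length
    return records


def parse_records_strict(buf: bytes):
    """Hardened parser: each header and each declared length is checked against
    the bytes actually present before anything is sliced."""
    records, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError(f"truncated header at offset {pos}")
        tag, length = struct.unpack_from(">BH", buf, pos)
        pos += 3
        if length > len(buf) - pos:
            raise ValueError(f"record at {pos - 3} declares {length} bytes, {len(buf) - pos} remain")
        records.append((tag, buf[pos:pos + length]))
        pos += length
    return records


def encode(records):
    return b"".join(struct.pack(">BH", t, len(p)) + p for t, p in records)


def run(parser, buf):
    """('ok', records) or ('error', exception name), so two parsers can be compared."""
    try:
        return ("ok", parser(buf))
    except (ValueError, struct.error) as exc:
        return ("error", type(exc).__name__)


# The 'regression' inputs a test author writes from the spec. Both parsers pass all of them.
HAPPY_PATH = [[], [(1, b"hello")], [(1, b""), (2, b"x" * 10), (255, b"\x00\x01")]]


def boundary_cases():
    """The bounds a test designer has to think of on purpose: exact fit, overrun, cut header."""
    ok = encode([(1, b"abc")])
    return {
        "exact fit": ok,                                   # both parsers accept
        "overlong length": ok[:3] + b"ab",                 # declares 3 bytes, carries 2
        "cut mid-header": ok[:2],
        "max length no payload": struct.pack(">BH", 9, 0xFFFF),
    }


SAMPLE = encode([(1, b"x" * 10), (2, b"y" * 5)])          # 21 bytes, constructed


def silent_truncations(valid=SAMPLE):
    """Exhaustive 'mutation' pass: every proper prefix of a valid stream. Returns the
    cut lengths the lenient parser swallows without complaint while the strict one
    rejects; these are the cases a hand-written suite almost never contains."""
    return [k for k in range(1, len(valid))
            if run(parse_records_lenient, valid[:k])[0] == "ok"
            and run(parse_records_strict, valid[:k])[0] == "error"]
```

Every HAPPY_PATH input round-trips through both parsers, so a suite built only from those would stay green forever while the lenient parser accepts truncated records. The mutation pass is the cheap automated stand-in for the manual "that looks odd" moment: it asks a question the original test author did not, and the answer is a list of concrete failing inputs rather than a hunch.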
I recently saw a bamboo bicycle and was blown away by the look and feel. A biodegradable frame built out of material known for thousands of years to be highly durable and strong.
You can understand the nature of the programs you are maintaining without viewing the material they collect.
If I am forced out of Classic, I will leave and never look back.
Fuck beta.
I just saw a TED talk in which the presenter asked this very question.
Yahoo Answers is the only site I've ever decided needs to be worthy of the Google block.
I think /. needs a "this" button. I'd mash it on this post.
How much of this is attributed to excessive tweets due to, and in conjunction with, a highly volatile market?
You can already do this with Amazon's Elastic Beanstalk. Yes, it costs. So would insurance.
Q: "Are you a rooted phone?"
A: "Ummm, why no, I'm not. Yessir. Not a rooted phone at all."