Did anyone actually read the ruling? Of course not. It's also too much to expect the person who wrote the article to properly summarize it. "{14} 'i. The trial court erred by overruling defendant-appellant's motion for a directed verdict of acquittal as to the charge of unauthorized access of a computer, as there was insufficient evidence to establish the elements of a violation of Ohio Revised Code section 2913.04(b).'"
But it also said "...in violation of established work practices..." so it wasn't real clear to me. I'd guess no explicit policy was published as the article mentioned, but that his use violated basic work ethics (meaning he wasn't getting any work done).
Yup. MS shared the Win2k code with China. Is it a coincidence that most of the zero-day exploits we find in Chinese network attacks exploit holes dating back to the Win2k code? Doubt it.
Having your code out in the open makes you more vulnerable to exploitation of software bugs because they're easier to find. I don't buy the BS argument that open source code is more vetted either. Go sift through any Linux bugzilla site and see all the glaring bug reports. When basic features have serious unpatched holes, it certainly raises some doubt that minor, hidden security gotchas have all been caught.
I've seen too many examples of the NSA having insider information to believe that. We get told to change some obscure registry setting or files and then a month later MS quietly announces an update that fixes the problem. For example, we had to go into the registry and gut the autorun function entirely instead of just using the GPO. At the time I thought it was a f'd up mandate, but alas 6 weeks later MS admits that disabling autorun via the normal policy did not disable it in certain situations. Think the NSA knew ahead of time?
Or how about their partnership with Symantec? Where the detections for some zero-day exploits are present in the Symantec definitions files long before the zero-day exploit shows up in the wild?
No, NSA isn't ahead of the game at all....
The article never discusses whether he took actions to circumvent existing filtering or firewalls. If he did, then yes he is guilty of the crime.
The NSA basically scanned their network for known vulnerabilities and took advantage of them. I hardly call flooding someone's email a sophisticated attack either. The NSA has a much bigger toolbox than we give them credit for. I'm sure there is a classified file somewhere with a list of zero-day exploits waiting for that "special occasion" when they'll be needed. Open source makes this much easier, btw.
Sorry, I quoted numbers from the article which stated 2000-miles along the Mexican border and 25000 agents. The majority of the agents are along the Mexican border. Not a whole lot along the Canada border, and almost none in FL as the CBP website would imply.
Hmmm. That sounds suspiciously like NAFTA.
True. One of the biggest problems is not keeping an easily patrolled buffer zone. A buffer zone and some towers with snipers would be pretty effective. Think prison yards with an inner and outer fence line, where anyone between the fence lines is fair game.
No I'm not kidding. Stop being such a squeamish twat and realize that we need to defend our borders. From drugs, terrorists, swine flu, and freeloading Mexicans who burden our social service programs without contributing anything in return. Smacking them on the wrist like little children and sending them home obviously isn't working. Not to mention that method is costing at least 2 billion each year (estimating 25,000 border patrol agents at a burdened rate of 80k/yr). Raising the stakes and risks will end the problem pretty damn quick.
Try sneaking into Iran or Russia and see if they don't shoot at you. America being the land of plenty (debatable nowadays) does not automatically mean we let anyone in, unchecked. If they want to come into this country, they simply have to go through the accepted border checkpoints. If the US has decided not to let them in for whatever legal reason, then they get turned away.
And no I don't propose that I'm spared from this since I'm a US citizen. I'm not doing anything against US laws so I have no problem entering through customs like everyone else.
The border patrol has approx 25,000 officers to cover the 2,000 mile border. Assuming each officer covers a 40-hour week, that's roughly 3 officers per mile. These guys must have awfully poor eyesight! You can't even make the case that one man isn't enough since you have another 29 within a 5-minute response time. Why the hell are we spending a huge chunk of money for a _detection_ system that still does nothing to prevent the intrusions? 6.7 billion would double the existing border patrol levels for 4 years. I think we also need to aggressively defend our borders. Enough with this detain and deport strategy. You don't see other countries doing this.
Seriously. Spend $500m to buy mines, and $100m to lay them. Mines are about $3-5 actual manufacturing cost and that would give you a fairly high density of mines. I guarantee that midnight crossing would slow way down. Right now there's almost no risk to crossing the border illegally. Worst case they get detained and deported.
Well, most terrorist organizations are happy to stand up and announce they did it. If we are in the middle of open hostilities with a nation state, they would certainly be the first suspect but you couldn't rule out a third party trying to provoke the situation.
You would be surprised at the amount of IDS and monitoring going on at the DOD connection points to the general internet. They can produce packet captures months after the fact. Granted that only gives them the first hop, and no way to tell if that IP was compromised as is often the case. Blocking Chinese IPs is pointless because they simply rent or hack a US IP address as the launching point.
Yes, the insider threat is certainly part of the problem. I do agree that the DOD has too much of its network internet connected. A certain level of connectivity is needed for a number of functions though such as administrative, email, communicating with external contractors, etc. I believe as we move forward, you will see greater isolation. The NMCI network is a big improvement in many security aspects, but absolute homogeneity of the network is a huge risk as well.
I think it's a perfectly good answer. You don't want to tell China that a physical response is off the table, otherwise they'll get the idea that they can continue their cyber attacks without any danger of real consequences. So long as the response is in proportion to the offense, then there is no issue.
Remember if we can't consider it an act of war, then a physical response means we just started the war.
What happens if, for example, they escalate from simple intrusions and information theft to destructive acts like dropping power grids or destroying systems? If it involves significant loss of life or property? Do we simply ignore it and pretend they haven't just committed an act of war? Do we cyber-hack them back? We'd probably target the building full of PLA that are actively hacking us with something stronger than an internet feed (and yes, we already know who they are and where they are operating out of).
So the Amish would be a cult then? The few remaining Indian tribes?
Since when is Wikipedia an authoritative source? Curious that it pretty much ignores or seriously disregards the Eastern religions as "disorganized, not a single religion". I don't consider Catholics to be in the same category as "Christians". They might use the same Bible, but in practice their rituals and beliefs are rather different. I think there's almost as much difference between a Baptist and a Muslim.
Not sure why this is modded funny. It's very true. The funny part is that on the world-wide scheme of things Christianity could be considered a cult, as it's far smaller than the other religions and the US arrogance in world politics has made Christians unpopular.
Sounds like you need to figure out how remote desktop works. It's actually fairly efficient, and doesn't "send images" as you phrased it. It's actually quite usable over a 28k dialup. Try that with VNC.
It consists of nothing more than enabling some of the already present security features. XP has a huge number of security settings that are defaulted to disabled. Stuff like SYN-attack protection shouldn't break anything. Locking down registry keys like class\appid and disabling remote DCOM can break things, though.
If you truly want to go hog wild, use the DISA gold disk to enable all the settings. Or use the NSA Secure Technical Implementation Guide (STIG) to the letter. It's guaranteed to break a large portion of your software (which relied on these insecurities to work). If you're lucky the box will be partially useable afterwards.
Actually, you'd be surprised at the capability of the wireless defense and surveillance equipment. With 4 "sensors" located through a small to medium campus (some double as WAPs) you can geolocate any wireless source. They don't even have to connect. You know right away if someone sets up a new printer that has wireless. You see wireless PDAs. You see all the laptops that are broadcasting.
I think wireless can be almost as secure as wired, with the assumption of proper VPN software and encryption (which can be easily done on wired). It will never be as reliable or immune to outside interference though.
I'm referring to the case where you want something beyond the dirt-simple owner-group-world permissions. For example a file server where you want to assign permissions based on multiple groups. The basic Linux file permissions are incapable of this level of granularity. There are extended-file permissions capabilities in Linux, but as I mentioned you need the right filesystem/driver, and setting those permissions is not trivial. This exact problem is the main reason I don't use Samba.
I think you were referring to SELinux in your last sentence? While SELinux defaults to enabled in Fedora, the number of actual policies and their scope is pretty narrow and most of those are not enabled anyway. Red Hat put a lot of effort into SELinux in Fedora simply because it's the testbed for RHEL. However, they left the default policies pretty thin because they felt it was causing problems for the average non-Linux users they were targeting. Basically it's there if the power users want it, but otherwise it's kept out of the way.
Wait did I miss the 180° turn? Wasn't the Linux community just bragging that they had ASLR, SELinux, and signed RPMs, etc? Once MS started implementing ASLR, better granularity on low level permissions, driver signing, and UAC then the Linux community suddenly claims those features aren't necessarily desirable (or at least not worth the effort to implement consistently).
Make no mistake - Microsoft is rapidly improving security. I think they still have a long way to go, but in some areas they have Linux trumped. Very granular file permissions, registry and resource permissions. Implementing nice granular file permissions in Linux is not readily accomplished and depends on choosing the "right" file system with the right kernel support.
Not the entire US Govt - just the State Department. It was a political pissing contest over which contract was used and that Congressman Wolf didn't get a kickback if the contract went through Lenovo who was doing business out of New York. If Chinese-made computers or Chinese-controlled companies were the issue, they wouldn't have bought any computers. There are no computers made solely with US parts on US soil.
Computers aren't that big of a deal. You inspect for physical anomalies, wipe the HD and install the OS. You never use the default factory install as it's untrustworthy. Same reason you wipe thumb drives on a standalone computer before issuing to your users.
Now if you want to talk about untrustworthy sources - there are legitimate reasons for the US govt to avoid Kaspersky A/V as the company is owned by an ex-KGB type and has connections to Russian hackers.
A full Linux install being trustworthy is dependent on tens of thousands of coders all being trustworthy (since in practice, nobody checks one another's work, and no "real" security audits are being conducted).
Frankly, bullshit. Maybe some projects are run that way. The Linux Kernel certainly isn't.
He said a full Linux install, not the kernel. The Linux kernel certainly has tighter review, but you can't say the same about the other packages you find rolled into a standard Linux install. Nor can you say the same about all the packages you find in the third-party repositories almost everyone adds so they can get drivers or codecs.