Slashdot Mirror


User: thethibs

thethibs's activity in the archive.

Comments · 778

  1. Legal Precedent Creates a Trap for All .be links on Google Relents, Publishes Belgian Ruling · · Score: 2, Interesting

    The Belgian court's decision in the Google case creates an interesting precedent. This decision could be used by anyone in Belgium whose content is the target of a link. On the basis of a link to .be, anyone could find themselves targeted and fined by a Belgian court.

    Every so often a court emits a ruling that makes it impossible to know what's legal and what's not, and leaves one open to liabilities that could not possibly be predicted. This, like the EU's rulings against Microsoft (also out of Brussels), is of this kind, and the only rational response is to withdraw completely and wait for more predictable circumstances.

    If I was Google's (or any other search service's) lawyer, my advice would be to (1) immediately remove all .be links, (2) stop indexing .be and (3) set up an opt-in protocol that would restore indexing to any .be site that supplies a legally-binding authorization to index. Since the Belgian court has decreed that Belgians are too stupid to understand robots.txt, a corresponding opt-in flag would be insufficient.

    On a positive note: nothing much of interest happens in Belgium, so if the world is spared headlines about the rising price of mussels in Brussels, we aren't likely to notice.

  2. Security Companies should have to tussle with me on Security Companies Tussle With MS Security Center · · Score: 1

    If Symantec and McAfee can disable Windows security, so can any passing malware.

    I have never had problems with malware anywhere near as troublesome as the problems I have had with so-called anti-virus software that behaves more like a virus itself. My workstation solution is to run only enough of one well-behaved package (F-Secure) to warn me when an application I haven't cleared tries to access the internet. The rest is safe practices and a very effective SPI firewall protecting the LAN. It works.

    I want code buried deep in the OS to tell me when some process is trying to disable or bypass security and to give me a choice between letting it, stopping it, or stopping it and wiping the offending process and all of its related code from my system (particularly the last part). It should be so intertwined with the OS that it can't be disabled without killing the OS. If XP had this feature it would have saved me days of effort recovering from the ill-considered installation of virus-like applications such as Norton, McAfee and Macromedia Flash.

  3. The Tainted Internet on What Is Real On YouTube? · · Score: 1

    This sounds an awful lot like the rending of shirts and tearing of hair that once accompanied any perceived commercial material on usenet when the net was still a closed research and education toy.

    When Jack Rickard's army of sysops ripped up the Internet Acceptable Use Policy and opened the net to the rest of the world, they also brought an end to the non-commercial purity of the net. The idea that there should be any public forum on the net that magically retains that old-fashioned purity is somewhat naive.

    To repeat oft-given advice: If you don't like it—fork it! Build your own and censor the ads. Maybe you'll find a following.

  4. VBScript and JScript on Why Johnny Can't Code · · Score: 1

    Every Windows system ships with VBScript and JScript, both of which are easier to code and more powerful than the earlier Basics when used in command-line mode. The problem is not the lack of an easy and accessible line-oriented language—it's the confused and crappy-to-nonexistent documentation for these scripting languages and wsh. It doesn't help that MS seems to want to keep them a secret.

    This shortfall extends to every beginning Windows book I've seen. It seems that even the cheerleaders are unaware of these resources.

  5. EPA bureaucrats, not Bush, decided this on US Government Restricting Research Libraries · · Score: 5, Insightful

    Doesn't anybody bother to look at the source data before flaming? Or is this news "too good to check"?

    This is the EPA engaging in political tactics. To begin with, they haven't yet been asked to cut their budget, and they may never be. The closing of libraries is not Bush's idea--it's EPA bureaucrats saying "Look what you made us do!"

    The proposed budget cut constitutes a fraction of a percent of the EPA's budget, and it could be achieved with a minor reduction in the EPA's bloated administrative costs.

    This is a standard tactic in every government in the world. Faced with budget cuts, the bureaucrats respond by threatening to terminate one of the few things they do that actually provides a service. The mystery is that they often get away with it.

    The special irony in this item is that the EPA isn't planning to cut the service—just the way it's delivered.

  6. Re:One-time pads on Debunking a Bogus Encryption Statement? · · Score: 1

    Sorry Laura—Maybe you or I today can't predict when a nucleus is going to blow apart, but that doesn't mean it's forever unpredictable, and I certainly can't prove that my bitstream generator doesn't have something in the design or the particle source that makes the generated stream partially or completely predictable with a suitable amount of effort and data. The best I can say is that no one has found a weakness in it.

    Our experience with radioactive decay strongly suggests that it's unpredictable, but there's no proof of it.

    This is why I described cryptography as tidy science: Any claims of security can't be proven—only falsified.

    --Marc

  7. One-time pads on Debunking a Bogus Encryption Statement? · · Score: 1

    "The only encryption scheme I know of that is provably unbreakable is the one-time pad."

    A curious thing about that: In theory, the one-time pad is provably unbreakable. In practice, no specific implementation of a one-time pad is provably unbreakable. The problem is that there is no provably unpredictable source of data for the pad.

    In this sense, cryptography is remarkably tidy science; a claim that a particular system, even a one-time pad, provides a particular level of security cannot be proven—only falsified. Our confidence in any particular system is based on it having survived cryptanalysis by many experts, at which time we accept the claim as a usable theory—not as proven.

  8. Re:Who's neck? on The Open Source Business? · · Score: 2, Informative

    We don't need to knock communism—it does a great job of knocking itself.

    I know they don't teach history in CS streams, but look it up. Communism has failed everywhere it has been tried, in spite of using force to keep everybody inside. You don't see a whole lot of American refugees lining up to become Cuban citizens. Ask your parents about the Aquarian 60's and the thousands of communes that formed in the US and Canada and lasted about two weeks before the cooperative spirit waned.

    Business organizations where everyone is a stakeholder are called co-ops. They've been around for a long time and every capitalist society has a small number of them. They work especially well when the only reason for belonging is to save money. The successful ones have a permanent management team that really makes all the decisions while everyone else just harvests the benefits and goes to the occasional meeting to vote unanimously in favor of management proposals.

    --
    What America needs is a president who can save the world while humping chubby jewish girls in the oval office.

  9. Re:Link to interview doesn't work. on Microsoft Port 25 interviews Miguel de Icaza · · Score: 1

    but some ass hat probably pasted it into MS Word to spell check the summary, and word resolves -- to it's funky double wide hyphen character.

    The "double wide hyphen character" is called a dash—not funky at all—and it's common punctuation among the literate. Word's substitution is handy in place of Alt+0151. When you see a double-hyphen in ASCII text, the writer is asking you to read them as a dash.

    Quite a few fonts will connect a pair of hyphens to look like a single dash. The technical term is em-dash and the HTML entity name is &amp;mdash;.

    In any case, the substitution is only done during typing, and even then only where it's used correctly. So you can't blame Word for this one.

  10. Useless Article on Microsoft Bracing for Worm Attack · · Score: 1

    I suppose I should be more positive and describe this as the "least useful" article I've read in some time. The writers have found eighteen ways to say "Ooooh, it's going to be terrible. Apply the patch!" without saying anything substantive about the threat.

    What's the penetration vector? How is it transmitted? How is it initialized? Is the patch the only protection, or is it enough to make sure no one executes mail attachments? Can it get through firewall NAT and SPI? Etc.?

    There are a lot of questions that could have been answered in the last seventeen paragraphs of the article instead of finding seventeen alternative ways of repeating the same message.

    If, as is likely, there is nothing of substance in the article because there is nothing of substance in the threat, it would seem that this is just another attention-getting device by an organization whose revenue depends on FUD. Isn't "Y2K" a verb yet?

  11. Not-so amateur video on PR Firm Behind Al Gore YouTube Spoof? · · Score: 1

    Let me get this straight: A PR firm posts a video that's assumed to be more credible because it seems to come from a kid whose closest brush with reality comes from flipping burgers.

    Huh?

  12. Everybody but us chickens on Nine Ways to Stop Industrial Espionage · · Score: 1

    This article is about protecting sensitive data from IT staff disclosure or modifications. Given that this is slashdot, an IT folk watering hole, it should come as no surprise that most of the replies blame the problem on

    1. Users
    2. Management
    3. The Bush administration

    Experience shows that employees are your biggest security risk and that employees with the greatest access present the greatest risk. That's the way it is; live with it.

    Also relevant: anyone following the various forums like slashdot, where the computer guys hang out, will have noticed that, as a group, they have little or no loyalty to their employers and an excess of self-righteous zeal. As a security guy, I have to treat this as a clear and present danger.

    Mitigating this risk calls for encrypting sensitive data in a way that only those with need to know can decrypt it. Closely-guarded administrative keys are used to deal with forgotten keys and re-keying when someone leaves (the keeper of the keys doesn't work in IT). Backup isn't a problem, because the only thing on the servers is encrypted volumes.

    Most of the rest of the risks are handled by treating user workstations as part of the user, rather than part of the system, and taking the appropriate precautions to protect the workstations from unauthorized tampering (e.g. whole disk encryption) and the system from workstations and their users. Serious, carefully-managed compartmentalization is an indispensable tool.

    The best thing about this approach is that it can be done with minimal impact on users or user productivity. It is hard on IT administrative staff, but I'd rather annoy a handful of techies than hundreds of users--especially since it's the latter that are paying the bills.

  13. Sounds like engineering on Smart Software Development on Impossible Schedules · · Score: 2, Insightful

    Intriguing--this sounds like what real engineers call engineering. Summarizing:

    1. Have a clear understanding of what needs to be built before you start work on it.
    2. Have a plan for building it.
    3. Have a process for staying focussed on the objective.

  14. Snake oil alarms are ringing on Want Security? Make The Switch · · Score: 1

    Both the citation and the headline misrepresent the results of the "study". What Sophos unearthed with great difficulty is not that the Mac is more secure than Windows, only that it's less-threatened. Security is more than being absent from the scene.

    So the 10 most common trojans are written for Windows (Uh, duh!) The 10 most common productivity applications are written for Windows. Both target Windows for the same reason. It's not the volume that matters—it's the effectiveness.

  15. Re:How does this sort of exaggerated response help on Hifn Restricts Crypto Docs, OpenBSD Opens Fire · · Score: 1

    The sensitive information is not Theo's address or phone number. It is the fact that Theo, or you, or I, downloaded the data sheet for a crypto device. In the recent past, and possibly again under a future government, that in and of itself could be considered suspicious behavior.

    For an off-the-wall point of view, consider that crypto is still officially "munitions"--arms. Maintaining a registry of citizens in possession of such arms is arguably a violation of the Second Amendment.

  16. Re:What does it say about the human race on The Pornographers vs. The Pirates · · Score: 1

    That sex and competition are what make human evolution run.

    Liberal attitudes toward porn and conflict are what, thankfully, will ultimately relegate liberal-socialist ideas to the trashbins of history.

  17. Re:Let me be the first to say it.... on Microsoft Calls for Truce With GPL and Linux? · · Score: 1

    There is no economic oxygen in OSS; that's the whole point, isn't it?

    In any case, there's unlikely to be peace with Microsoft until this generation of linuchim grows up. The adults I know use one, the other, or both as the situation suits. It's good for us that Microsoft will be working for interoperability; it would never happen if left up to the petulant mob driving FOSS.

  18. Moderate?! on High Court Trims Whistleblower Rights · · Score: 1

    Just how flamingly liberal do you have to be to refer to Justice Sandra Day O'Connor as "moderate"?

  19. Quasars, eh? on Totally Random One Time Pads · · Score: 1

    "makes the pads even more secure."

    Now that is funny. "Which Quasar and at what time" is an absurdly short key.

    The pad may be random, but it isn't all that unpredictable. In cryptography, unpredictability is more important than randomness.

  20. Warmer oceans linked to stronger hurricanes on Warmer Oceans linked to Stronger Hurricanes · · Score: 1, Interesting

    The horsepucky in this is the part about stronger and more frequent hurricanes.

    It seems like they are getting worse because more people are moving into the areas the hurricanes like to play, so they do more damage.

    The data, on the other hand, shows no significant change in the overall hurricane pattern.

  21. Re:CONNECTIVY hell on In Praise of Constant Connectivity · · Score: 1

    My fired what?

  22. Re:The good and bad on Digital Books Start A New Chapter · · Score: 1

    Quite right. There's a significant difference between the size of toner dust and laser printer resolution.

    The interesting bit that most people don't know is that each "grain" of a particular brand of toner is just like every other, and each is a precision manufactured thing with internal structure.

    The neatest toner is used in Delphax printers: Each grain is crunchy on the outside, with a chewy inside, and a tiny magnetite rock at the center.

  23. Re:The good and bad on Digital Books Start A New Chapter · · Score: 1

    "each capsule is the size and pigment of a grain of laser-jet toner"...

    Switchable ten-micron elements?! 2500 dpi?! Probably not.

  24. Bookshelf Computer on "Bookshelf" Computer Wins Design Contest · · Score: 1

    The "docking port" connection is cute, but it provides no functional advantage while it restricts layout options.

    As for the rest--can anyone say "SCSI"?

  25. Laptops are a security risk on Reducing The Negative Impact of Laptops · · Score: 2, Insightful

    It's a fundamental rule of systems engineering that workstations are part of the user, not part of the system. This is especially true of laptops.

    Any sysadmin that thinks limiting user privileges on the workstation is solving a security problem is fooling herself. System security needs to be set up on the assumption that all workstations are hostile.