I have automatic updates every 3 days enabled on some of my servers. No problems in about 12 years now. Where does this stupidity about "no distro can function after 2 updates" come from? Are you utterly clueless what you are talking about?
This is probably some Windows front-end monitoring and configuration software for some SCADA or SCADA-like systems. Since Windows has a tendency to break on updates, they probably just isolated the network and there was some report that an outside supplier brought the malware in by being sloppy.
The sane thing would of course be to put some hardened OS with low-risk patching on these machines (e.g. a hardened RHEL) and still have them on an isolated network. Would now likely also have been the cheaper thing. But you find this fragile Windows crap even on, say, $10M MRI machines and the like, where it does not contribute in any meaningful way to the overall cost and doing it better would not be an issue. The problem is machine and automation designers without a clue about security and OSes.
Sure. Or rather, as long as the attacker has the skills, it is. But would anybody in their right mind do a targeted attack against a company that could put a $10M price (or higher) on their head without any problems? It is good criminal practice to stay an annoyance and to not become a real threat. Competent criminals understand that.
Ah, yes. I have run into that stupidity as well. Many people just do not understand that maintenance is the majority of the cost in OS usage. Fortunately, our customers are usually migrating from some commercial UNIX to Linux, and that is pretty painless. Also RHEL is maintaining old software with security and crash fixes forever, so updates are low-risk.
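The "old software with security fixes backported" model the comment above describes has a practical consequence: the upstream version string of a RHEL package says nothing about which CVEs it has fixed, so a version-only vulnerability scanner will flag a patched package as vulnerable, while the package changelog (`rpm -q --changelog <pkg>` on a real system) records the backported fix. The following is an added example, not code from the comment or from Red Hat: it parses a constructed changelog in that format, answers which build a given CVE was fixed in, and contrasts that with the verdict a naive upstream-version comparison would give. The package, dates, build numbers and CVE identifiers in the sample are made up for illustration; on a real host you would feed the actual `rpm` output in, and for a definitive answer you would still cross-check against the vendor's errata rather than trusting the changelog text alone.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape `rpm -q --changelog <pkg>` prints on RHEL:
# a header line "* <date> <packager> - <version>-<release>" followed by
# free-text bullet lines. Package, dates, builds and CVE ids are invented.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2019 Example Packager <packager@example.com> - 1.0.2k-17
- fix CVE-2019-0001: out-of-bounds read in example parser (backported)
- fix CVE-2019-0002
* Mon Jan 14 2019 Example Packager <packager@example.com> - 1.0.2k-16
- rebase test suite
* Fri Nov 02 2018 Example Packager <packager@example.com> - 1.0.2k-12
- fix CVE-2018-0003: crash on malformed input
"""

HEADER_RE = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) (?P<who>.*?) - (?P<evr>\S+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    date: str
    evr: str                      # "<upstream version>-<distro release>"
    cves: set = field(default_factory=set)


def parse_changelog(text):
    """Split rpm changelog text into entries, newest first, collecting CVE ids per entry."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m.group("date"), m.group("evr"))
            entries.append(current)
        elif current is not None:
            current.cves.update(CVE_RE.findall(line.upper()))
    return entries


def fixed_in(text, cve):
    """Return the version-release whose changelog entry mentions `cve`, or None."""
    cve = cve.upper()
    for e in parse_changelog(text):
        if cve in e.cves:
            return e.evr
    return None


def version_key(ver):
    """Sortable key for dotted versions with letter suffixes, e.g. '1.0.2k'."""
    parts = re.findall(r"\d+|[A-Za-z]+", ver)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def naive_scanner_verdict(installed_evr, fixed_upstream_version):
    """What a version-only check concludes: compare upstream version, ignore the release."""
    upstream = installed_evr.rsplit("-", 1)[0]
    if version_key(upstream) < version_key(fixed_upstream_version):
        return "vulnerable"
    return "fixed"


def is_vulnerable(changelog, installed_evr, cve, fixed_upstream_version):
    """Changelog-aware verdict: a backported fix in an older upstream version counts."""
    if fixed_in(changelog, cve) is not None:
        return False
    return naive_scanner_verdict(installed_evr, fixed_upstream_version) == "vulnerable"


if __name__ == "__main__":
    build = "1.0.2k-17"
    for cve in ("CVE-2019-0001", "CVE-2018-0003", "CVE-2020-9999"):
        print(cve, "fixed in:", fixed_in(SAMPLE_CHANGELOG, cve),
              "| naive:", naive_scanner_verdict(build, "1.0.2r"),
              "| changelog-aware vulnerable:", is_vulnerable(SAMPLE_CHANGELOG, build, cve, "1.0.2r"))
```

The point the two verdicts make visible: for CVE-2019-0001 the naive comparison of 1.0.2k against a hypothetical upstream fix in 1.0.2r says "vulnerable", while the changelog shows the fix was backported in release 17 of the same upstream version. The reverse failure also exists: a CVE absent from the changelog is not proven fixed, which is why the function falls back to the version comparison instead of assuming safety.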
You are saying "Linux", I did not. One advantage of Linux is that it usually does not break on update, though. That is, before systemd. But there are other alternatives.
You assume I criticize them not patching. That is not correct.
You assume I criticize them not patching. You are wrong.
I know of a Fortune 500 company that will move to web-terminals after Win7, exactly because of all these problems. They found that qualifying Win7 and dealing with problems from all the updates and lack of security was more expensive than just making all their stuff (mostly custom applications) web-only in their intranet. There will not be any Win10 except by special permission.
Or in other words, MS Windows is just about the worst OS choice possible for such applications.
The screw-up here is using an OS that cannot be professionally operated...
The classical effect of mindless bean-counters that do not understand risk-management at all. Pathetic. And, since further up you usually find the same bean-counters, those that messed up massively here will likely not even be fired.
This isn't something that AI will be able to successfully figure out for quite some time yet. Over time it should get better and get there, but I expect that to take a long time. Intuition and creative problem solving are going to be some of the last things that AI is going to be able to tackle.
At the moment there is no indication these systems will ever be able to tackle these. Don't forget that we do not have AI at all. All we have is dumb statistical classifiers called (weak) AI for marketing purposes (i.e. lying to make things look massively better than they are).
Indeed. Hype driven by the incompetent that hope there will _finally_ be a magic technology that will help them to not suck at their job. Reminds me of the ever ongoing search for a magic programming language that will make bad coders write code that does not suck. Completely impossible, obviously, as that is not where the problem lies.
Since artificial stupidity has no understanding of anything and can just sort-of replicate labelled training data statistically when used as a classifier in this way, it will have exactly the same problems as the training data, plus a few more. And the training data will be biased and bad, because if we could do this better, we would.
I don't think it will even work for "commodity" jobs.
It cannot. Oh, maybe it can identify low-skill, low-problem candidates, but these you do not want to hire in the first place. Any job that requires any kind of actual skill will be filled in different ways by different people, because you have to bring your personality into it if skill is needed. Since artificial stupidity has absolutely no understanding of anything, it cannot determine whether anybody is a match for any job requiring actual skill. This is just more of the stupidity that you can successfully hire (and manage) people without seeing them as people. That is not possible.
A few problems.
First, you cannot tell the difference between good security and bad security.
I disagree. The people who can are out there and you can hire them. Not cheap and they will tell you things you will not want to hear. But you can get them to look at your situation, tell you where you stand, and what you need to do to keep that standing or to improve it.
I do agree (basically summarizing the rest of your points, my apologies), that it also takes real insight to recognize these experts and that hiring them and doing what they recommend is often politically problematic and often actually impossible without getting yourself fired. But the problem is neither on the technology side, nor on the risk-management side. Both can be done. The problem is purely political.
True, the incentives are utterly perverted.
I pretty much expect what we have. That does not mean I have to be happy about it.
And if it is large enough, blame "terrorists" or "traitors". Also a very old strategy that works time and again.
Indeed. Most of these "leaders" will repeat history because they are unable to learn from it. The thing that really makes me angry is the sheer stupidity involved.
Almost all IT security these days is "cheaper than possible" because the people in charge are not able to do risk management. Until there are "reference catastrophes" of sufficient magnitude, they will mistakenly believe they are safe and do nothing. Then they will find out that decades of mismanagement are not easy to fix. It is always the same story. It is always utterly stupid. It is always completely obvious to actual experts what is going on, but nobody listens to them.
The leadership we have on all levels is not modern, educated, enlightened. It is cave men (and the occasional cave-woman) dressed in suits, full of themselves, greedy, corrupt and utterly incompetent and unsuitable to fill their core responsibilities.
No. Trusted third parties exist. No need to be mindlessly paranoid.
It can also be pretty stressful if you are an outside consultant being brought in after others have done it wrong for some time. I do agree that management is the main root-cause of the problems in almost all cases though.
Why would that prove anything?
If Apple is going to deceive you in front of lawmakers, why not release source without the offending code, and compile and send a different branch with it?
Indeed. The source is valuable if a) somebody really digs through it and b) it is the basis of the installation you do. Otherwise, it is just a heap of code lines without much meaning.