Don't get me wrong, I don't blame Finland for joining the Axis in that situation.
However, we should not forget that Vichy France was completely at the mercy of the Germans. There were some slimeball collaborationists in Vichy France, but it is hard to see how collaboration could have been totally avoided in that situation.
The US is not a "normal" country. It is a superpower with significant interests and responsibilities. Japan can become more "normal" without ending up like us. More likely, they end up like Germany, which is hardly a militaristic state at the moment.
True, although that's mostly because anyone who was a POW or MIA from Korea is likely quite dead by now. They could technically be alive, but it is hard to see someone being treated like a POW in a place like North Korea having a long life in captivity. Even the peasants in NK suffer, I can't imagine any US POW still being alive in that shithole after 50-60 years.
We have ten of those supercarriers, and the Chinese don't have shit for a navy. Even with their somewhat better equipment now, they still have poor training and leadership. I'm not worried.
As for China's army, it would be hell on wheels if we had to fight them in China, or even Korea, but China can't land and support their hordes in Japan without very good logistics, which they don't really have. It doesn't help to have 10 million troops when they don't have the training or support to allow them all to be used effectively on the battlefield. It's not like they can pile on to giant rafts to overrun Japan.
What would happen is that we'd probably fight to end any logistical capability that China had to get troops across the sea, and then mop up any that managed to get to Japan easily. After that, we'd probably just start bombing China until they came to the table.
Thing is, I don't think the Chinese are that stupid. They're not planning on invading Japan. They want resources, not a bunch of tentacle porn. Japan is notoriously resource poor, that's why they fought WWII in the way they did. They needed the resources from elsewhere to power their empire. So, China doesn't care about Japan in that way.
I disagree. There are plenty of generals who believe you can have tactical nuclear exchanges and not end up in a global thermonuclear war, WOPR notwithstanding.
Not sure I like the chances of going down that road, but it is theoretically possible to not have an immediate race to annihilation.
You wouldn't be able to take them out of the equation without hurting some people who don't deserve it.
The real question isn't whether you will be hurting people by doing that. The question is whether you will be hurting fewer people over a longer interval than if you just left them there.
Note, I don't think the Koch brothers are the evil genius behind the Illuminati that is running the US. That's just bogeyman in the closet sort of bullshit. The problem with the country is how it is run, and while the Koch brothers may be part of that, maybe even a larger part of it than most, you wouldn't end the problem by removing them. It's not even clear that they wouldn't be replaced by something or someone worse.
If you want cleaner energy, then definitely take the step of both promoting and using it. Remain positive and keep moving forward, and you'll find that obstacles will still be there, but they will fall apart when reality sets in.
One assumes that you're either going to get the adequate software, or they're not going to sell the automatic option at all. If the price is too high for a safe self-driving car, they're not going to get any self-driving car.
If there is one thing I am happy about, it is the fear of self-driving cars ensuring that no one dares to cut corners on it.
Look, humans can be really good drivers, but they're also extremely shitty drivers. And it can shift from one to another with the same driver, based on their circumstances. Just this morning, some mother in her SUV was driving really slowly and failing to turn right on red because it looked very much like she was fussing with her baby or something else. She was *not* paying attention to the road, and of course, that's pretty par for the course around here.
Other times you have slow people in the fast lane, yapping on their phones without even as much as handsfree. Just removing those people from driving responsibilities would do wonders for traffic, as well as aggressive driving and road rage. And if you took the road ragers out of the loop and put their cars on full auto, their overblown reactions to similar scenarios would also improve safety.
Yes, I don't want to end up being a passenger in some automated pod, but if I can go on autopilot for a while, instead of having to experience the "thrill of the open road" whether I want to or not, I would love that.
You miss the point. He's not saying it is unreasonable because nothing bad is ever going to happen.
It is unreasonable because if something bad does happen, it will already be outside the range where a human could successfully intervene.
The scenarios where a human taking manual control would be better would be the first scenarios that they would have to ensure the computer dealt with as well, or better than a human, when it comes time to release the vehicle to the general public.
Note I did not say that automated cars would always do better. If a pedestrian does something completely unexpected, like decide to commit suicide in front of your vehicle, it is very possible that the automated car would run that person over. But then, so would the human driver.
In the end, however, when it comes to braking, speed control, and attentive driving, a computer wins every time. That alone is enough to ensure a higher safety rate among vehicles.
And don't get me wrong, I don't want to stop having the option of driving my BMW. But it would be really nice to have the option to have it drive itself when I need to do rush hour, or take long trips.
Strictly speaking, he'd have no trouble laundering the money. They don't have serial numbers and it's not like they'd have a dye pack in there.
The problem is that he'd be limited to buying fast food with his earnings for the next 50 years because I don't know how much effort you'd need to actually turn that much money into a more portable form. I don't think there are enough Coin Star machines between there and the West Coast to do it.
You can tell that this guy had like 1/10th of a really good idea knocking around in his otherwise empty skull and failed to realize that it wasn't nearly enough to make this even remotely feasible. Of course, that's why there are few true criminal masterminds out there. It's easier for someone that smart to actually make money with a real job.
You're trying to solve the issue. I think it is already too late for that.
It's not the end of the world. We're not going to end up like Venus from this, but a lot of people are going to get displaced and things are going to change. That can be a disaster or it can be handled more or less gracefully. And it is one thing I never see get discussed in these little debates. It's always "it's totally real and we can only stop it with solar panels" or "it's a conspiracy to keep climate researchers in business".
This article is making a statement about climate. If the climate is changing, and will continue to change, then what needs to be done about it that can actually be done to actually save people and infrastructure?
The earth is an oblate spheroid, the moon was landed on by the US in a number of Apollo missions starting in 1969, and a group of asshole al-Qaeda terrorists hijacked planes on 9/11/2001 and destroyed the WTC towers and impacted the Pentagon after flying low over my fucking head as I drove to work that day. Please don't be an ass.
However, I'm not a scientist. I don't disbelieve in human causes for the warming, but I have zero first hand ability to judge whether it is true or not. And to be honest, it is entirely irrelevant to me.
The point I was making is that ultimately, the requirement to reduce the warming of the Earth to merely two degrees is a distraction. And the bickering about who caused it is an equal distraction. Assuming we did cause warming, this happened over the period of industrialization. Fixing such a process isn't going to happen in the desired time frame. If we're dropping all our eggs in that basket, we're going to lose.
I want to make very clear that we're doing what it takes to make sure the people impacted are taken care of. We can bicker about what caused it, but we should be preparing to get people out of there and mitigate the damage.
To deal with the outcomes, all we have to prove is that warming is happening. If it is, then we have all the answer we need to start the process of mitigating the damage. I don't care if it is CO2, sunspots, or cow farts that is causing it. That's a problem someone else can work out. Let's get a price tag together for what needs to be done and get on it. This doesn't have to be a disaster, but it will be if we ignore it until it is too late.
You know what? I have no idea if warming is caused by humans or not. And it really doesn't matter.
If there is a warming trend, human caused or not, we should be dealing with the evacuations and necessary work to deal with rising sea levels.
We're not going to be able to stop it. It's time to figure out who is going to be underwater in 5-10 years (if anyone) and get them out. If there is a problem with warming coming, that is the solution. The rest of it is just babble.
Now, if you want to reduce CO2 emissions at the same time, feel free. I just don't want to be sent back to the 18th Century to stop something that's going to happen no matter what we do.
I am all in favor of less CO2 emissions and more efficiency. I just think it is a waste of time, at this point, to make that what we throw all our money at, because it isn't going to make a bit of difference in the short term.
I think what you're saying is a serious problem with the enforcement system, and I know companies do this.
I do want to be careful though. One place I worked, they said that PCI was a joke for the reasons that you stated, but I know they said that just because they couldn't be arsed to do PCI for real and knew we wouldn't be able to skate by.
So, it is important to differentiate the actual process of having audits and standards with how those audits are run. I agree that we need a new process for enforcement, but I want to make sure that we aren't just feeding the excuses of people like those I worked with, who were more than happy to trash PCI so that they could get on with making products with little regard for security except where they thought it would look good as a fancy looking "feature" they could sell, but left the door wide open in other areas like secure coding and operating the environment.
PCI compliance is merely showing that you have done a due diligence and audited check of your security against (mostly) sound security principles.
Reality is... PCI can't stop all attacks. Not much can, truth be told, unless you're an NSA level operator, and even they suffered an Edward Snowden. The proper process and security program can stop some of the attacks and mitigate the damage of successful attacks.
In terms of legal liability, IANAL so it is hard to say what effect it will have, but it could reduce it to near zero, if you can prove that you had a good faith attempt to secure your application.
On the other hand, as an application provider, you also have specialized knowledge of your application and you should be able to do better than the PCI bare minimum, so if you fail to secure areas that are in your own area of reasonable expertise, you may suffer liability, but hopefully less liability than someone who failed or gamed the PCI process.
After all, if you lock your door and secure it, but a thief is somehow able to easily remove the bricks for your wall and smash through the drywall to get in and take your stuff, there's really only so far you can go to protect your stuff.
If done right, this handles the low hanging fruits, and possibly some of the middle ground, but it can't do squat against 0-day attacks that no one else knows about. Most companies have no ability to gain knowledge of 0-day attacks, and as we saw with Heartbleed, it can go on for years before it becomes public.
Further, before Heartbleed was public, it was also a lot less well known to all possible attackers. Once publicized, the race is on to prevent everyone else out there from using it, and if PCI is working properly, you may not stop the 0-day attacks, but you won't have your pants down after they have been announced.
So, PCI, or some regime is a necessary, but not complete method of stopping attacks. It's part of a defense in depth approach.
Well, they can't just walk in there, tell you that you fail, and walk out. I mean, you *could* do that, but you don't want a standard to immediately put you out of business if you have a flawed, but good faith effort to comply. PCI is not about hitting a target and nothing else. You want an auditor to work with you to get you back into shape.
Of course, you're probably suggesting that the "help" isn't from improvements, but rather from gaming the system. In that sense, it is possible for that to happen. I think the funding for audits should come from a different place, or some other organization selects the auditor if the audit target is paying for it.
That said, we should certainly not put all our fish into the PCI basket. Security is definitely not something that comes out of a set of requirements for a certification. At best it is a framework for you to use to get your InfoSec program to a certain minimum standard.
Speaking as someone who has been in charge of PCI compliance (it was v2, not v3) for a small company, I disagree, but I understand why you would think so.
Many of the PCI requirements are simply common sense. You'd want to run your security that way anyway.
There are a few provisions of the PCI DSS where security people could have an honest disagreement with the actual requirements. In those cases, you could present compensating controls which mitigate the issues, which would make it harder for you to convince an auditor to sign you off, but in the end, they are accepted if this is a well researched change.
One of the biggest flaws I have seen is that every PCI level below Level 1 is a self-certification unless the bank in question requires you to have an audit at the lower level. Admittedly, I see where audits are very expensive, but if you're handling credit card data, there should be at least some sort of sign off.
Obviously, moving to the auditors, the auditors are hired by the company. That usually doesn't mean much, as no auditor is going to risk their reputation for the peanuts I was paying them, but bigger companies they may be more willing to play ball with. There has been at least one auditor in that space that I am aware has either provided a product that gives certification for mere payment on-time (we obviously didn't go with them) or they will bend over to make their customer able to pass.
While I agree this is a serious problem, I don't think it discredits the program, it is merely a hole in enforcement which you would have to deal with in any regime where big companies are involved. The big companies are good at this, it's not like they don't regularly pull one over on the government too.
But the one thing that I think keeps people on their toes is actual third party audits which are reported out. As you might argue, some companies create what I would call "compliance fictions" that allow a once-per-year audit to be passed without actually having to change bad practices, but what are the other options that are not difficult to operate? I spend months ensuring that our security is up to par with all the reporting that we do, but if the reporting becomes too onerous, we end up having to hire more people, which is very difficult unless you are a bigger company. Regulations do have the effect of making big companies much more attractive as providers, but as we know, those sorts of companies are both more expensive, less innovative, and much more likely to attempt to influence lawmakers with their large amounts of money.
The best things we can do are keep the auditors honest. It may be that we find a way for auditors to not be funded by companies directly, but rather through program fees paid to a trade organization. I'd prefer to keep the government out of this, as the government's security programs aren't much better outside of the classified realm, and their requirements and working with agencies and their security contractors makes me want to stab myself repeatedly just to end the pain.
To be fair, I don't want to say that problem solving questions are an issue.
I even have some interviewees write code on a board, but it is almost always short, to the point, and to demonstrate that they have actually seen the language they are purporting to have been working with for the last two years.
Having said that, I don't know if my problem solving for coding is well tested in an interview situation. My success is generally through knowing where to look, finding the best tool for the job, and building a consistent and optimized product. None of that works without me "cheating" and looking things up.
For that, I might sit and stare at books or web pages for hours before I write a single line of code and make a plan for how I think it should be structured, perhaps with pseudocode and such. Once the plan is in place, writing the code is fairly trivial, but the lead up to it is slow and deliberate and in an hour, I'd have little code to show for it. A speed coder, I am not. I have been pretty pleased with my output professionally, and no one has said otherwise in my earshot.
Anyway, problem solving is good, but it should be tailored to the time limits, or even better, if you want a real problem solving solution, find a way to send them home with homework before the interview, and review it during the interview and during their leisure. It's true that they can "cheat" by downloading answers, but anyone who writes their own code should be able to explain the reasoning behind the selection of what they picked. Plagiarizers will have code, but be unable to explain what they "wrote" to you.
On the contrary. You go to college so you can get your piece of paper, and/or so you can get into grad school. Cheating on tests is a very effective path straight through to your first Master's thesis. At that point, you just need to muddle through and plagiarize or get someone to write it for you. I wouldn't usually suggest trying that in a doctoral program, but there are countries where it is a lot easier to pull off.
And no, I am not suggesting that. But let's face it, an undergrad degree is either there to get you for first job or to get you in grad school. With the weed-out classes that many popular majors have, actual learning is your second priority. If you just want to learn things, audit the classes you are trying to challenge yourself with and take whatever the easiest classes are to pass with. Learning is a luxury in college.
Well first, they activate the magnetron to completely wipe all devices in the room, and shut down any pacemakers (to eliminate the weak and old). The faraday cage is there to keep them from downloading it all again or reaching the Internet.
Yes... but I get the idea that under normal circumstances, the normal smart watches are not optimized for the quick switches you need if you actually have roving proctors, as opposed to the TAs who sit at the front and play with themselves during prelims and finals.
No one has asked me to sit in silence for 20 minutes reciting things from memory. No one has forced me to solve some kind of hard problem without the ability to go get some reference material.
You got off pretty easily in your interviews, I guess. Every third interview, I get some dipshit who thinks that they need to have me write code under a time deadline without reference materials or adequate tools. I get it, there are some geniuses out there who can do that. And I can't blame them for wanting to hire such people, but I'd consider that to be an escalation challenge, not the first question.
Mind you, I can pull it off sometimes. I always was good at test taking. What I hate is that people actually use that method and waste people's time. It's a weed out method, and a bad one at that. I've never worked with someone who needs to win a speed coding contest to do their job.
In the US, we were taught pretty comprehensively about the dangers of aristocracy as well.
The problem is that in the US, we have trouble sometimes telling what aristocracy looks like because we shortsightedly removed all noble titles. That removed the show-off aspect of nobility but made it harder to find the real aristocrats like your Bushes, Kennedys, Clintons, etc. It might be a little easier to understand the country and where it was going if we'd been looking to elect Prince George II of the House of Bush or Baroness Hillary Clinton of Harlem.
Today even terrorist harbouring countries such as Turkey are members of NATO. NATO like the UN are obsolete and should be dismantled.
Turkey has been a NATO member since 1952, which is about three years after NATO was formed. They're not exactly a new addition.
I don't recall us pledging to use nukes to support Ukraine. They're not even part of NATO.
Now if Russia pulls that in the Baltic states, then you might see some fireworks.
I was thinking evacuations and resettlement.
You're trying to solve the issue. I think it is already too late for that.
It's not the end of the world. We're not going to end up like Venus from this, but a lot of people are going to get displaced and things are going to change. That can be a disaster or it can be handled more or less gracefully. And it is one thing I never see get discussed in these little debates. It's always "it's totally real and we can only stop it with solar panels" or "its a conspiracy to keep climate researchers in business".
This article is making a statement about climate. If the climate is changing, and will continue to change, then what needs to be done about it that can actually be done to actually save people and infrastructure?
The earth is an oblate spheroid, the moon was landed on by the US in a number of Apollo missions starting in 1969, and a group of asshole al-Qaeda terrorists hijacked planes on 9/11/2001 and destroyed the WTC towers and impacted the Pentagon after flying low over my fucking head as I drove to work that day. Please don't be an ass.
However, I'm not a scientist. I don't disbelieve in human causes for the warming, but I have zero first hand ability to judge whether it is true or not. And to be honest, it is entirely irrelevant to me.
The point I was making is that ultimately, the requirement to reduce the warming of the Earth to merely two degrees is a distraction. And the bickering about who caused it is an equal distraction. Assuming we did cause warming, this happened over the period of industrialization. Fixing such a process isn't going to happen in the desired time frame. If we're dropping all our eggs in that basket, we're going to lose.
I want to make very clear that we're doing what it takes to make sure the people impacted are taken care of. We can bicker about what caused it, but we should be preparing to get people out of there and mitigate the damage.
To deal with the outcomes, all we have to prove is that warming is happening. If it is, then we have all the answer we need to start the process of mitigating the damage. I don't care if it is CO2, sunspots, or cow farts that is causing it. That's a problem someone else can work out. Let's get a pricetag together for what needs to be done and get on it. This doesn't have to be a disaster, but it will be if we ignore it until it is too late.
You know what? I have no idea if warming is caused by humans or not. And it really doesn't matter.
If there is a warming trend, human caused or not, we should be dealing with the evacuations and necessary work to deal with rising sea levels.
We're not going to be able to stop it. It's time to figure out who is going to be underwater in 5-10 years (if anyone) and get them out. If there is a problem with warming coming, that is the solution. The rest of it is just babble.
Now, if you want to reduce CO2 emissions at the same time, feel free. I just don't want to be sent back to the 18th Century to stop something that's going to happen no matter what we do.
I am all in favor of less CO2 emissions and more efficiency. I just think it is a waste of time, at this point, to make that what we throw all our money at, because it isn't going to make a bit of difference in the short term.
I think what you're saying is a serious problem with the enforcement system, and I know companies do this.
I do want to be careful though. One place I worked, they said that PCI was a joke for the reasons that you stated, but I know they said that just because they couldn't be arsed to do PCI for real and knew we wouldn't be able to skate by.
So, it is important to differentiate the actual process of having audits and standards from how those audits are run. I agree that we need a new process for enforcement, but I want to make sure that we aren't just feeding the excuses of people like those I worked with. They were more than happy to trash PCI so that they could get on with making products with little regard for security, except where they thought it would look good as a fancy-looking "feature" they could sell, while leaving the door wide open in other areas like secure coding and operating the environment.
PCI compliance is merely showing that you have done due diligence and an audited check of your security against (mostly) sound security principles.
Reality is... PCI can't stop all attacks. Not much can, truth be told, unless you're an NSA level operator, and even they suffered an Edward Snowden. The proper process and security program can stop some of the attacks and mitigate the damage of successful attacks.
In terms of legal liability, IANAL so it is hard to say what effect it will have, but it could reduce it to near zero, if you can prove that you had a good faith attempt to secure your application.
On the other hand, as an application provider, you also have specialized knowledge of your application and you should be able to do better than the PCI bare minimum, so if you fail to secure areas that are in your own area of reasonable expertise, you may suffer liability, but hopefully less liability than someone who failed or gamed the PCI process.
After all, if you lock your door and secure it, but a thief is somehow able to easily remove the bricks from your wall and smash through the drywall to get in and take your stuff, there's really only so far you can go to protect your stuff.
If done right, this handles the low-hanging fruit, and possibly some of the middle ground, but it can't do squat against 0-day attacks that no one else knows about. Most companies have no ability to gain knowledge of 0-day attacks, and as we saw with Heartbleed, it can go on for years before it becomes public.
Further, before Heartbleed was public, it was also a lot less well known to all possible attackers. Once publicized, the race is on to prevent everyone else out there from using it, and if PCI is working properly, you may not stop the 0-day attacks, but you won't have your pants down after they have been announced.
So PCI, or some such regime, is a necessary but not complete method of stopping attacks. It's part of a defense in depth approach.
Well, they can't just walk in there, tell you that you fail, and walk out. I mean, you *could* do that, but you don't want a standard to immediately put you out of business if you have a flawed, but good faith effort to comply. PCI is not about hitting a target and nothing else. You want an auditor to work with you to get you back into shape.
Of course, you're probably suggesting that the "help" isn't from improvements, but rather from gaming the system. In that sense, it is possible for that to happen. I think the funding for audits should come from a different place, or some other organization selects the auditor if the audit target is paying for it.
That said, we should certainly not put all our fish into the PCI basket. Security is definitely not something that comes out of a set of requirements for a certification. At best it is a framework for you to use to get your InfoSec program to a certain minimum standard.
Speaking as someone who has been in charge of PCI compliance (it was v2, not v3) for a small company, I disagree, but I understand why you would think so.
Many of the PCI requirements are simply common sense. You'd want to run your security that way anyway.
There are a few provisions of the PCI DSS where security people could have an honest disagreement with the actual requirements. In those cases, you could present compensating controls which mitigate the issues, which would make it harder for you to convince an auditor to sign you off, but in the end, they are accepted if this is a well researched change.
One of the biggest flaws I have seen is that every PCI level below Level 1 is a self-certification unless the bank in question requires you to have an audit at the lower level. Admittedly, I see where audits are very expensive, but if you're handling credit card data, there should be at least some sort of sign off.
Obviously, moving to the auditors, the auditors are hired by the company. That usually doesn't mean much, as no auditor is going to risk their reputation for the peanuts I was paying them, but with bigger companies they may be more willing to play ball. There has been at least one auditor in that space that I am aware of which has either provided a product that gives certification for mere payment on time (we obviously didn't go with them) or will bend over to make their customer able to pass.
While I agree this is a serious problem, I don't think it discredits the program, it is merely a hole in enforcement which you would have to deal with in any regime where big companies are involved. The big companies are good at this, it's not like they don't regularly pull one over on the government too.
But the one thing that I think keeps people on their toes is actual third party audits which are reported out. As you might argue, some companies create what I would call "compliance fictions" that allow a once-per-year audit to be passed without actually having to change bad practices, but what are the other options that are not difficult to operate? I spend months ensuring that our security is up to par with all the reporting that we do, but if the reporting becomes too onerous, we end up having to hire more people, which is very difficult unless you are a bigger company. Regulations do have the effect of making big companies much more attractive as providers, but as we know, those sorts of companies are more expensive, less innovative, and much more likely to attempt to influence lawmakers with their large amounts of money.
The best thing we can do is keep the auditors honest. It may be that we find a way for auditors to not be funded by companies directly, but rather through program fees paid to a trade organization. I'd prefer to keep the government out of this, as the government's security programs aren't much better outside of the classified realm, and their requirements and working with agencies and their security contractors make me want to stab myself repeatedly just to end the pain.
To be fair, I don't want to say that problem solving questions are an issue.
I even have some interviewees write code on a board, but it is almost always short, to the point, and to demonstrate that they have actually seen the language they are purporting to have been working with for the last two years.
Having said that, I don't know if my problem solving for coding is well tested in an interview situation. My success is generally through knowing where to look, finding the best tool for the job, and building a consistent and optimized product. None of that works without me "cheating" and looking things up.
For that, I might sit and stare at books or web pages for hours before I write a single line of code and make a plan for how I think it should be structured, perhaps with pseudocode and such. Once the plan is in place, writing the code is fairly trivial, but the lead up to it is slow and deliberate and in an hour, I'd have little code to show for it. A speed coder, I am not. I have been pretty pleased with my output professionally, and no one has said otherwise in my earshot.
Anyway, problem solving is good, but it should be tailored to the time limits, or even better, if you want a real problem solving solution, find a way to send them home with homework before the interview, and review it during the interview and at your leisure. It's true that they can "cheat" by downloading answers, but anyone who writes their own code should be able to explain the reasoning behind the selection of what they picked. Plagiarizers will have code, but be unable to explain what they "wrote" to you.
Hillary Clinton's love notes to Donald Trump from high school (the ones where she says "I love your ... fingers!").
I just threw up a little in my mouth.
On the contrary. You go to college so you can get your piece of paper, and/or so you can get into grad school. Cheating on tests is a very effective path straight through to your first Master's thesis. At that point, you just need to muddle through and plagiarize or get someone to write it for you. I wouldn't usually suggest trying that in a doctoral program, but there are countries where it is a lot easier to pull off.
And no, I am not suggesting that. But let's face it, an undergrad degree is either there to get you your first job or to get you into grad school. With the weed-out classes that many popular majors have, actual learning is your second priority. If you just want to learn things, audit the classes you are trying to challenge yourself with and take whatever the easiest classes are to pass with. Learning is a luxury in college.
Well first, they activate the magnetron to completely wipe all devices in the room, and shut down any pacemakers (to eliminate the weak and old). The faraday cage is there to keep them from downloading it all again or reaching the Internet.
Yes... but I get the idea that under normal circumstances, the normal smart watches are not optimized for the quick switches you need if you actually have roving proctors, as opposed to the TAs who sit at the front and play with themselves during prelims and finals.
This solution seems too obvious.
No one has asked me to sit in silence for 20 minutes reciting things from memory. No one has forced me to solve some kind of hard problem without the ability to go get some reference material.
You got off pretty easily in your interviews, I guess. Every third interview, I get some dipshit who thinks that they need to have me write code under a time deadline without reference materials or adequate tools. I get it, there are some geniuses out there who can do that. And I can't blame them for wanting to hire such people, but I'd consider that to be an escalation challenge, not the first question.
Mind you, I can pull it off sometimes. I always was good at test taking. What I hate is that people actually use that method and waste people's time. It's a weed out method, and a bad one at that. I've never worked with someone who needs to win a speed coding contest to do their job.
In the US, we were taught pretty comprehensively about the dangers of aristocracy as well.
The problem is that in the US, we have trouble sometimes telling what aristocracy looks like because we shortsightedly removed all noble titles. That removed the show-off aspect of nobility but made it harder to find the real aristocrats like your Bushes, Kennedys, Clintons, etc. It might be a little easier to understand the country and where it was going if we'd been looking to elect Prince George II of the House of Bush or Baroness Hillary Clinton of Harlem.