The major problem is that when I go to vote, I have a few choices on the ballot. Some I think suck less than others, but no way to vote for the sort of person I'd like to be in office.
Yes, I can write-in sometimes, but that is almost literally pissing into the wind. If there are other candidates from independent parties, they tend to be bugshit insane in some way.
We vote for the same people because they're the same people on the ballot. Even with a largish primary field like the Republicans have, there's really no good choice, only a decision of which one isn't as bad as the others. When your population is 300+ million people, even 15 candidates is not really all that much for a national race.
So, no, the answer is not voting for different people. At least, that's not the first step that has to happen. The first step is harder... building a party from the local levels upward which can get elected and has a base where it can get funded and get on a state and national ballot. For that, you need to do the work that the other parties have been working on for the last 100+ years.
I agree that in the general sense there is a certain level of IT staff where it no longer matters how much IT staff you have as long as you have qualified people who are executing the right tasks.
However, when we talk about SMB, we're talking about businesses that generally have a very small IT staff. Small enough that the amount of IT staff a cloud provider has allows for process and practices that those in-house groups simply can't (or won't) replicate with their small staff.
Now, if you're a big player with dozens of admins already that are being used under a proper security program, then you're capable of doing all right. At that point, you evaluate if you are then doing *better* than the cloud provider. Being in-house has advantages over public clouds in some respects, but is your security program actually taking advantage of those practices? Or are they just feeling more emotionally satisfied because they can touch the server?
And at that point, what is the cost? You're paying a bunch of IT security people, sysadmins, and operators salaries to effectively duplicate the effort that a Cloud brings you for less operating expense. As long as your team is even of equal quality to the AWS team, you're wasting money unless you are very specifically using those in-house advantages. And those are fewer than people want to believe, precisely because if you're connected to the Internet, it doesn't matter if you are housing your machines in a vault surrounded by a bunker, guarded with tanks, you're still open to attack if you screw up your configuration.
Congratulations, you're spending possibly hundreds of thousands of dollars more so you can watch your own security camera footage of your own racks of servers. If you even set that up and bother to review it regularly to begin with.
No. Botnets are run on the client OSes and VMs. You could have a million compromised AWS client servers and still not be in danger yourself. You certainly do not get access to the whole "AWS network" internally just because some client has malware running in a VM.
Yes, clients have a need to secure their own VMs and software, and if they don't, they get malware, just like every other machine. That does not spill down into everyone else's VM automagically. You need to be attacking their hypervisor or management processes to get general access to other people's stuff. Even then, it's not that simple.
There are ways to potentially jump between tenants on a Cloud service, but normal botnet malware is not one of them.
Point being, you can be infected by malware in the Cloud or in-house with an equal probability because you can make the same mistakes on your tenant instances in either place.
However, the piece of the puzzle an AWS takes over, for instance physical security, hypervisor security, much of the network device security are pieces that in-house groups frequently manage inadequately.
As for medical records, I agree the Cloud isn't necessarily right for high sensitivity items like that, but that is true *if and only if* your operation is taking the steps to actually do more than AWS would do. An in-house setup where you store medical or other highly classified information is no safer than the Cloud just because it is in-house. Period. You have to actually take the steps to take advantage of those inherent benefits. If your security program is actually just saying that you're in-house while doing less than AWS, you're selling security theater and FUD.
In the case of highly sensitive data, you are a target whether you're on an AWS or not, because they want the data you have, not because you were on AWS and somehow "easier". Being in-house doesn't make you invisible. A Sony or an Ashley Madison both had shit security practices and both would have been hacked whether in-house or in the Cloud because of that, and nothing else. They might as well have had their stuff in the public cloud and saved themselves some money for all the good their shitty in-house network was to them.
They do have some pretty cool buildings and big name customers. Right across from our cage was Wikipedia and down the row was EA and a lot of other names you'd quickly recognize. It's not really the Internet, but you could be forgiven for thinking it was.
Seriously though... time and time again in my own career and those of the people I know who work in this business I hear the same thing. You slap a security program on paper if you're lucky, and as soon as it gets in the way of revenue or development, the exceptions start flying.
I know cloud shops are audited to be compliant with security standards that I am personally familiar with. No one is saying that those processes are perfect or that they aren't able to present an audit compliance fiction, but compare that with the efforts that most shops put into that, and they still come out on top.
I've worked in IT and IT security for a couple of decades. I know that in the SMB market, it's a challenge to get the right expertise and any sort of process which audits and holds IT staff accountable for security process. That's because IT is overhead and IT security is overhead to the overhead. Everyone cuts corners at that level. I'm sure there are small shops that take security seriously, but by and large, that's the exception, not the rule.
Yes, people will push you to do things you don't want or even need to do. All I can say is that you need to evaluate whether it is something that is happening whether you like it or not. If you can generate a well thought out argument for it to not be implemented, by all means present your case.
That said, unless the decision is ultimately yours, resistance is generally futile. Even if the company is better off with your older tool or process, resistance past an argument presented and rejected by those with the responsibility to make the decision is a poor idea.
I recall having employed someone on my team who resisted a certain process change that had been ordered from the top. I had no more choice over it than he did.
However, my team member resisted the change continuously, in fact enough so that it became a distraction. I spent a lot of time explaining that a) it wasn't really all that bad and b) that we needed to execute our directives. He eventually became insubordinate and was fired.
Do I believe he was right? Actually, no. His processes were firmly rooted in tried and true methods, but methods that were a decade old and no longer matched what we were trying to do. Did I sympathize with him about the sudden influx of buzzwords and having to change to some process filled with them? Oh, yes... I most certainly did.
He "just wanted to work", but unless you do the work you are instructed to, you're not actually doing your work. Your tasks are set by your employer, and your employer is who reaps the results of their own errors. Don't become a roadblock in front of a steamroller. You're there to get paid, you can always work your own way on your own time. Or change jobs to one that suits you.
And now thinking back, I wonder if I thought he was a little "autistic". I have no idea if he was, although he was smart, but very socially inept, and resistant to change. What really mattered, frankly, was that he was unwilling to accept that if he wouldn't change, he no longer was employable. The team was asked to do certain work, and provide certain deliverables, and he failed to do so. Unlike the poor saps who work in industry and are suddenly out of a job due to new skills they can't learn, he was more than capable of learning and mastering that process. He just didn't.
I will target *you* if I suspect that you have credit cards and a shitty security program. You personally may not be bad at security, but if you're working at an SMB, chances are that you have an insufficient program. It's the whole "look to the left and look to the right... two of the three of you have a bad security posture."
Sure, AWS has more credit cards, but all you need to have are *enough* credit card numbers for me to steal. Hacking AWS is real work and AWS doesn't have one file where its millions of credit card numbers are just listed. There are thousands of separate vendors all with their varying databases and levels of security.
Hacking small timers like you and twenty like you is easy. Don't assume that smaller is safe. If you can be batched with a bunch like you, then volume makes up for your shorter list of data. And your local cops can't help, and the FBI won't give a shit about you.
If you have a small time security program now, you're probably no safer in-house now than you'd be in the cloud, even if it is a bigger target in general.
Who is more likely to cut corners on a security budget?
A company that will live and die based on its IT security reputation.... or the IT department of some random company that doesn't have IT as a source of revenue and IT security is therefore overhead.
There's always going to be some business or agency that needs to keep things in-house, but in no way is the Cloud model inferior to the laughable efforts of most IT shops today.
I take it you have never been to a real data center if you honestly believe someone can just sort of walk into a cloud data center. You can't just walk into a secure facility with a security guard, man-trap and biometric scanners by flashing a badge. And that is just to get you into the general access area. The cages are usually individually locked too.
And yes, everything you listed is done by Cloud providers except perhaps the items that would need to be done by the tenant. And nothing stops you from doing that yourself on top of what they provide.
Read the FedRAMP requirements or ISO 27000-series. All of that is in there, and all of those providers have been third party audited that they comply.
That is all well and good for you personally, or even a one man business. However, no business I know of that has more than a few people is going to shut off their internet when someone goes on vacation. I don't think that's really a case that this person is trying to make.
Of course, in the cloud you're much, much less likely to permanently lose your data through misplacing it, or by theft, or search warrant in.
Cops want your physical data devices and PC? No copy of the data elsewhere? You're done. Copy in the cloud? Yeah, the cops will get a copy of it, they may even put a block on your account maybe, but you're getting the data back eventually, maybe even immediately. Same goes for theft, only you're even more likely to never get it back, ever.
Cloud storage is only a problem if your data is so secured that it cannot tolerate the risk of being stored elsewhere, even after you have taken the precaution of encrypting it. If you encrypt data in the Cloud and someone hacks in and steals it... you still have your data, and they have an encrypted blob.
Actually they *do* upgrade your software, if you know how to do it.
They provide upgraded images for you to use for your servers all the time. You just have to rip down your old servers and replace with the new images.
Sure, if you didn't write your app so it could handle coming up on new anonymous VMs every time, this is less possible, but to be honest, they provide huge capabilities for you to keep your OS and software up to date, you just need to be able to make use of the capabilities that are there.
Yes, they don't upgrade your running instance for you, but if you're using cloud servers like you used old rack mounted servers, you've missed the whole point of where we've been going for a decade now with VMs and software defined hardware and network.
So... Sony got breached in-house. Are you saying the Cloud companies would do a *worse* job?
Also, it is a fallacy that access to the AWS "datacenter" gives you access to everything. They have numerous network segments, firewalls, loads of servers, and multiple actual physical locations. Chances are, your hacker who does get access gets access to a segment that they don't even know what that segment contains.
And there are petabytes of data. I suppose they can spend a few years trying to figure out which set of bits is the segment they want, but frankly, I doubt they would. Perhaps they access the Management console. Which account ID is Sony? Which one is WhateverCompany? Can they figure that out before the hole is closed? Maybe, maybe not.
Hackers are still going to do what they already did: target specific companies and/or scan all IPs for basic vulnerabilities. Sure, someone is going to try and hack AWS, but what do they get out of it? In this case, I believe there is safety in numbers. It's a more central target, but it is a huge target to digest.
It may well be that Sony can get hacked in AWS, but if they're going to get hacked, they might as well pay less to get hacked than to pay the salaries of their clearly incompetent administrators and IT managers.
True. A cloud provider protects *part* of what would be considered a data center, but it does not protect your poor software configurations or shitty code from compromise. And if you open up your security groups/ACLs to everyone, you will be open to attack.
You still need competent IT security for a cloud installation. What you don't need is a data center of your own.
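The tenant-side check implied by the comment above, as an added example that is not part of the original comment: a small audit that flags security-group ingress rules open to the whole Internet. It assumes input in the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs, the sample rules and the `PUBLIC_OK` port allowlist are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]},
  {"GroupId": "sg-EXAMPLE-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
  ]},
  {"GroupId": "sg-EXAMPLE-legacy", "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]}
]}
""")

# CIDRs that mean "everyone", for IPv4 and IPv6.
WORLD = {"0.0.0.0/0", "::/0"}

# Assumption: only these TCP ports are intended to be public.
PUBLIC_OK = {80, 443}


def world_sources(perm):
    """Return the world-open CIDRs (IPv4 or IPv6) on one ingress rule."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit(groups):
    """Return (group_id, protocol, ports, sources) for each risky rule."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = world_sources(perm)
            if not sources:
                continue  # rule is restricted to specific networks
            proto = perm.get("IpProtocol")
            if proto == "-1":
                # "-1" means every protocol and port; no port fields are present.
                ports = "all"
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                # A single intentionally public TCP port is not a finding.
                if proto == "tcp" and lo == hi and lo in PUBLIC_OK:
                    continue
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append((group["GroupId"], proto, ports, sources))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE["SecurityGroups"]):
        print("open to the world:", finding)
```
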
I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.
I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.
Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.
Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.
As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?
I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so. Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.
The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.
If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.
Breaking into your server closet is definitely worth it, if they have decided that you have data that they need. And you are no more able to resist the NSA than AWS would be. In fact, AWS probably has a better chance of fighting back against pseudo-legal actions that the NSA takes. Your company, unless it is another megacorp, would roll over almost immediately. That is, if they even needed to ask you for permission, which they probably don't.
AWS may be less secure than we would like, but the safety of in-house security cannot be taken for granted.
I wouldn't use AWS for something I wanted to keep away from the government, but since I imagine most corporations are operating in a more or less legal fashion, the NSA is a non-factor for just about any business doing business on the Internet. And it is almost certain that they do as good or better at security than most in-house security teams because it is their business, not just a line item on the IT budget.
Well, no one is suggesting that the average tested person is autistic, the point was to show that the sample has a higher score on average.
In other words, the bell curve as a whole is shifted more towards the autistic range for males. There are still more "non-autistic" males than "autistic" males, but the number of individuals in the autistic range is going to be higher for males than females.
If you look at the actual diagrams in the article, it shows what looks to me like a fairly standard bell curve for the males (shifted towards a higher AQ), but the female curve is not only shifted, but *tilted* towards a lower AQ score, which looks odd to me, and **actually seems to imply there are even fewer females with higher AQ score than the mean would suggest.**
That same tilt is evident in the non-STEM curve when STEM and non-STEM are compared.
The grouping of females in this tilted graph feels to me like perhaps there is another variable that keeps females who would otherwise be higher on a normal bell curve from passing a certain point and causing them to bunch up at a lower mean score than the males. What this could be can only be speculation on my part, but some sort of extra "training" or inclination for females on how to answer certain questions in a "non-autistic" manner might be an explanation. I would look for questions on the AQ test where it is likely that females might answer differently than males based on common societal expectations that differ between genders. There may be questions on such a test that females would not answer as truthfully as males would, for instance.
It may be interesting to run such a test in places with different cultures particularly those where societal gender roles are more or less pronounced than in the UK.
Perhaps that is true, and that is fine if they can reasonably expect to remain happily and gainfully employed as a mainframe operator.
For instance, if I'm a mainframe operator who is close to retirement, and I make good money, it is a logical choice to just stick with what I'm doing and ride it out.
However, if you've got another decade or so before you're out of the workforce, you don't have to be impressed with change, but you do need to adapt to it.
Otherwise, you will be changed out of a job when you'd otherwise have the intelligence and ability to have learned the new hotness, but couldn't be bothered to.
Such an individual may not be impressed with change, but the rest of the world generally doesn't care what any one individual is impressed with.
This feels more like about how *you* don't want to be labelled as opposed to what has happened to this person's son. Well, no one is labeling you. You're doing that yourself.
Perhaps you would care to describe the sort of conditions that are "correct" for his son from scientific literature? You might know something that this person has not been able to find out in 25 years of working with his son. That can happen, science advances all the time, but it is just as likely that he's familiar with them and his son does not respond to those environments.
You don't know what was tried, so it is unclear to me where you get the idea that you can simply assume that he hasn't tried any of those things.
The reality is that severe autism can have a wide variety of outcomes based on the level of development of particular capabilities. You could end up as a very, very odd math genius. Or you could just end up very, very odd and incapable of functioning without considerable attention and a controlled environment. I can totally see how it might be an achievement for his son simply to be able to hold down a job and be able to interact with people in an uncontrolled environment.
The State Department apparently complained about him being removed from Kenya to Somalia, to no avail. And in Somalia, there is no US diplomatic presence. However, I admit it is unclear why the State Department didn't help out while he was in Ethiopia, which does have US diplomatic presence. It is possible that they were unaware of his presence at the time.
Still, this is a US citizen being interrogated by a Federal law enforcement agency. If he's safely in custody, he needed to have his Constitutional rights. If the letter of the law does not make that clear, it should be made clear. That is definitely the province of the FBI and their responsibility.
That's politician hot air speaking. Candidates say whatever someone wants to hear.
Just like when Obama was going to definitely close the internment camp at Gitmo. It didn't happen because reality and the Republicans got in the way.
You could argue that there is a case to extradite Assange, but no one in the US Government has really done a thing to try and even charge him. The only legal cases against him are Britain for him jumping his bail and Sweden for rape. Both of which are more or less entirely proper procedure for the offenses that he is alleged to have committed.
I agree that he should not have been interrogated in this method. That needs to be remedied.
That said, if he was rendering "humanitarian aid" to the Islamic Courts regime, I'd say there would at least have been some reason to suspect him of something other than purely humanitarian motives.
I think they were right to investigate him, I just think they need to follow the rules.
Seriously. Do you even know how AWS works?
That laptop is totally going to fall on my face. Or the ground.
It actually looks like it could be comfortable, if set up properly, but I don't want heavy objects balanced above me while I work.
They do have some pretty cool buildings and big name customers. Right across from our cage was Wikipedia and down the row was EA and a lot of other names you'd quickly recognize. It's not really the Internet, but you could be forgiven for thinking it was.
Seriously though... time and time again in my own career and those of the people I know who work in this business I hear the same thing. You slap a security program on paper if you're lucky, and as soon as it gets in the way of revenue or development, the exceptions start flying.
I know cloud shops are audited to be compliant with security standards that I am personally familiar with. No one is saying that those processes are perfect or that they aren't able to present an audit compliance fiction, but compare that with the efforts that most shops put into that, and they still come out on top.
I've worked in IT and IT security for a couple of decades. I know that in the SMB market, it's a challenge to get the right expertise and any sort of process which audits and holds IT staff accountable for security process. That's because IT is overhead and IT security is overhead to the overhead. Everyone cuts corners at that level. I'm sure there are small shops that that security seriously, but by and large, that's the exception, not the rule.
Yes, people will push you to do things you don't want or even need to do. All I can say is that you need to evaluate whether it is something that is happening whether you like it or not. If you can generate a well thought out argument for it to not be implemented, by all means present your case.
That said, unless the decision is ultimately yours, resistance is generally futile. Even if the company is better off with your older tool or process, resistance past an argument presented and rejected by those with the responsibility to make the decision is a poor idea.
I recall having employed someone on my team who resisted a certain process change that had been ordered from the top. I had no more choice over it than he did.
However, my team member resisted the change continuously, in fact enough so that it became a distraction. I spent a lot of time explaining that a) it wasn't really all that bad and b) that we needed to execute our directives. He eventually became insubordinate and was fired.
Do I believe he was right? Actually, no. His processes were firmly rooted in tried and true methods, but methods that were a decade old and no longer matched what we were trying to do. Did I sympathize with him about the sudden influx of buzzwords and having to change to some process filled with them? Oh, yes... I most certainly did.
He "just wanted to work", but unless you do the work you are instructed to, you're not actually doing your work. Your tasks are set by your employer, and your employer is who reaps the results of their own errors. Don't become a roadblock in front of a steamroller. You're there to get paid, you can always work your own way on your own time. Or change jobs to one that suits you.
And now thinking back, I wonder if I thought he was a little "autistic". I have no idea if he was, although he was smart, but very socially inept, and resistant to change. What really mattered, frankly, was that he was unwilling to accept that if he wouldn't change, he no longer was employable. The team was asked to do certain work, and provide certain deliverables, and he failed to do so. Unlike the poor saps who work in industry and are suddenly out of a job due to new skills they can't learn, he was more than capable of learning and mastering that process. He just didn't.
I will target *you* if I suspect that you have credit cards and a shitty security program. You personally may not be bad at security, but if you're working at an SMB, chances are that you have an insufficient program. It's the whole "look to the left and look to the right... two of the three of you have a bad security posture."
Sure, AWS has more credit cards, but all you need to have are *enough* credit card numbers for me to steal. Hacking AWS is real work and AWS doesn't have one file where its millions of credit card numbers are just listed. There are thousands of separate vendors all with their varying databases and levels of security.
Hacking small timers like you and twenty like you is easy. Don't assume that smaller is safe. If you can be batched with a bunch like you, then volume makes up for your shorter list of data. And your local cops can't help, and the FBI won't give a shit about you.
If you have a small time security program now, you're probably no safer in-house now than you'd be in the cloud, even if it is a bigger target in general.
Who is more likely to cut corners on a security budget?
A company that will live and die based on its IT security reputation....
or the IT department of some random company that doesn't have IT as a source of revenue and IT security is therefore overhead.
There's always going to be some business or agency that needs to keep things in-house, but in no way is the Cloud model inferior to the laughable efforts of most IT shops today.
I take it you have never been to a real data center if you honestly believe someone can just sort of walk into a cloud data center. You can't just walk into a secure facility with a security guard, man-trap and biometric scanners by flashing a badge. And that is just to get you into the general access area. The cages are usually individually locked too.
And yes, everything you listed is done by Cloud providers except perhaps the items that would need to be done by the tenant. And nothing stops you from doing that yourself on top of what they provide.
Read the FedRAMP requirements or ISO 27000-series. All of that is in there, and all of those providers have been third party audited that they comply.
That is all well and good for you personally, or even a one man business. However, no business I know of that has more than a few people is going to shut off their internet when someone goes on vacation. I don't think that's really a case that this person is trying to make.
Of course, in the cloud you're much, much less likely to permanently lose your data through misplacing it, or by theft, or search warrant in.
Cops want your physical data devices and PC? No copy of the data elsewhere? You're done. Copy in the cloud? Yeah, the cops will get a copy of it, they may even put a block on your account maybe, but you're getting the data back eventually, maybe even immediately. Same goes for theft, only you're even more likely to never get it back, ever.
Cloud storage is only a problem if your data is so secured that it cannot tolerate the risk of being stored elsewhere, even after you have taken the precaution of encrypting it. If you encrypt data in the Cloud and someone hacks in and steals it... you still have your data, and they have an encrypted blob.
Actually they *do* upgrade your software, if you know how to do it.
They provide upgraded images for you to use for your servers all the time. You just have to rip down your old servers and replace with the new images.
Sure, if you didn't write your app so it could handle coming up on new anonymous VMs every time, this is less possible, but to be honest, they provide huge capabilities for you to keep your OS and software up to date, you just need to be able to make use of the capabilities that are there.
Yes, they don't upgrade your running instance for you, but if you're using cloud servers like you used old rack mounted servers, you've missed the whole point of where we've been going for a decade now with VMs and software defined hardware and network.
So... Sony got breached in-house. Are you saying the Cloud companies would do a *worse* job?
Also, it is a fallacy that access to the AWS "datacenter" gives you access to everything. They have numerous network segments, firewalls, loads of servers, and multiple actual physical locations. Chances are, your hacker who does get access gets access to a segment that they don't even know what that segment contains.
And there are petabytes of data. I suppose they can spend a few years trying to figure out which set of bits is the segment they want, but frankly, I doubt they would. Perhaps they access the Management console. Which account ID is Sony? Which one is WhateverCompany? Can they figure that out before the hole is closed? Maybe, maybe not.
Hackers are still going to do what they already did: target specific companies and/or scan all IPs for basic vulnerabilities. Sure, someone is going to try and hack AWS, but what do they get out of it? In this case, I believe there is safety in numbers. It's a more central target, but it is a huge target to digest.
It may well be that Sony can get hacked in AWS, but if they're going to get hacked, they might as well pay less to get hacked than to pay the salaries of their clearly incompetent administrators and IT managers.
True. A cloud provider protects *part* of what would be considered a data center, but it does not protect your poor software configurations or shitty code from compromise. And if you open up your security groups/ACLs to everyone, you will be open to attack.
You still need competent IT security for a cloud installation. What you don't need is a data center of your own.
Stuxnet, anyone? How safe were those centrifuge controllers from infection? Not at all. No one infected them from the Internet.
I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.
I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.
Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.
Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.
As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?
I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so? Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.
The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.
If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.
Breaking into your server closet is definitely worth it, if they have decided that you have data that they need. And you are no more able to resist the NSA than AWS would be. In fact, AWS probably has a better chance of fighting back against pseudo-legal actions that the NSA takes. Your company, unless it is another megacorp, would roll over almost immediately. That is, if they even needed to ask you for permission, which they probably don't.
AWS may be less secure than we would like, but the safety of in-house security cannot be taken for granted.
I wouldn't use AWS for something I wanted to keep away from the government, but since I imagine most corporations are operating in a more or less legal fashion, the NSA is a non-factor for just about any business doing business on the Internet. And it is almost certain that they do as good or better at security than most in-house security teams because it is their business, not just a line item on the IT budget.
Well, no one is suggesting that the average tested person is autistic, the point was to show that the sample has a higher score on average.
In other words, the bell curve as a whole is shifted more towards the autistic range for males. There are still more "non-autistic" males than "autistic" males, but the number of individuals in the autistic range is going to be higher for males than females.
If you look at the actual diagrams in the article, it shows what looks to me like a fairly standard bell curve for the males (shifted towards a higher AQ), but the female curve is not only shifted, but *tilted* towards a lower AQ score, which looks odd to me, and **actually seems to imply there are even fewer females with higher AQ score than the mean would suggest.**
That same tilt is evident in the non-STEM curve when STEM and non-STEM are compared.
The grouping of females in this tilted graph feels to me like perhaps there is another variable that keeps females who would otherwise be higher on a normal bell curve from passing a certain point and causing them to bunch up at a lower mean score than the males. What this could be can only be speculation on my part, but some sort of extra "training" or inclination for females on how to answer certain questions in a "non-autistic" manner might be an explanation. I would look for questions on the AQ test where it is likely that females might answer differently than males based on common societal expectations that differ between genders. There may be questions on such a test that females would not answer as truthfully as males would, for instance.
It may be interesting to run such a test in places with different cultures, particularly those where societal gender roles are more or less pronounced than in the UK.
Perhaps that is true, and that is fine if they can reasonably expect to remain happily and gainfully employed as a mainframe operator.
For instance, if I'm a mainframe operator who is close to retirement, and I make good money, it is a logical choice to just stick with what I'm doing and ride it out.
However, if you've got another decade or so before you're out of the workforce, you don't have to be impressed with change, but you do need to adapt to it.
Otherwise, you will be changed out of a job when you'd otherwise have the intelligence and ability to have learned the new hotness, but couldn't be bothered to.
Such an individual may not be impressed with change, but the rest of the world generally doesn't care what any one individual is impressed with.
This feels more like about how *you* don't want to be labelled as opposed to what has happened to this person's son. Well, no one is labeling you. You're doing that yourself.
Perhaps you would care to describe the sort of conditions that are "correct" for his son from scientific literature? You might know something that this person has not been able to find out in 25 years of working with his son. That can happen, science advances all the time, but it is just as likely that he's familiar with them and his son does not respond to those environments.
You don't know what was tried, so it is unclear to me where you get the idea that you can simply assume that he hasn't tried any of those things.
The reality is that severe autism can have a wide variety of outcomes based on the level of development of particular capabilities. You could end up as a very, very odd math genius. Or you could just end up very, very odd and incapable of functioning without considerable attention and a controlled environment. I can totally see how it might be an achievement for his son simply to be able to hold down a job and be able to interact with people in an uncontrolled environment.
I would think that would be obvious. Odd that it is not.
The State Department apparently complained about him being removed from Kenya to Somalia, to no avail. And in Somalia, there is no US diplomatic presence. However, I admit it is unclear why the State Department didn't help out while he was in Ethiopia, which does have US diplomatic presence. It is possible that they were unaware of his presence at the time.
Still, this is a US citizen being interrogated by a Federal law enforcement agency. If he's safely in custody, he needed to have his Constitutional rights. If the letter of the law does not make that clear, it should be made clear. That is definitely the province of the FBI and their responsibility.
So you're merely advocating targeted mass murder? Sounds totally legit. Much better than insurrection.
That's politician hot air speaking. Candidates say whatever someone wants to hear.
Just like when Obama was going to definitely close the internment camp at Gitmo. It didn't happen because reality and the Republicans got in the way.
You could argue that there is a case to extradite Assange, but no one in the US Government has really done a thing to try and even charge him. The only legal cases against him are Britain for him jumping his bail and Sweden for rape. Both of which are more or less entirely proper procedure for the offenses that he is alleged to have committed.
I agree that he should not have been interrogated in this method. That needs to be remedied.
That said, if he was rendering "humanitarian aid" to the Islamic Courts regime, I'd say there would at least have been some reason to suspect him of something other than purely humanitarian motives.
I think they were right to investigate him, I just think they need to follow the rules.