Slashdot Mirror


User: Nonesuch

Nonesuch's activity in the archive.

Stories: 0
Comments: 989

Comments · 989

  1. Re:Snake meet tail on How Hackers Listened Their Way Around Google's Recaptcha · · Score: 1

    The Google Voice transcription is so uncannily near-perfect with phone numbers, and so awful with everything else, I suspect it is cheating, and using the Caller-ID and other sources to cheat on 'recognizing' a phone number.

  2. Re:Wonderful Support... on Ask Slashdot: Why Not Linux For Security? · · Score: 5, Insightful

    I've worked for several Fortune 500 companies. Support has nothing to do with the decision: Exclusionary contracts do. Microsoft offers huge discounts to businesses that agree not to use a competitor's product. They also regularly check for compliance and there are large fines for any company caught using open source software.

    I have been an employee/contractor at many Fortune 500 companies, and have never seen anything even hinting at a contract with Microsoft involving "large fines for any company caught using open source software". Care to provide any proof of Microsoft contract with any F500 consumer of software that prohibits said F500 from running open source software?

  3. As long as it's only DHCP logs, I'm OK with this on Law Enforcement Still Wants Mandatory ISP Log Retention · · Score: 1
    People talk about this records retention issue like law enforcement is asking ISPs to store full packet captures of every session and decrypted SSL traffic, or even just netflow data on every customer's every transaction.

    If you read the articles, they're really just talking about storing the dynamic IP address (DHCP) assignment records, showing when each customer was handed a particular IP to use, and when they stopped using it. So perhaps 1-2 records per week per customer, or less -- I still have the same "dynamic" IP from my cablemodem provider as when I first signed up a year ago. To oversimplify, it's the difference between asking a hotel to put a camera in every room versus just keeping a register of who has received a key and whether they've checked out yet. And this law lets the wireless carriers keep running their no-tell motel operation.

  4. NeDi on Documenting a Network? · · Score: 1

    If the network itself (switches and routers) is built on Cisco, there are commercial (SolarWinds) and Freeware (NeDi) tools to document the interconnections, VLANs, and configs. Assuming you've left CDP enabled and standardized your SNMP community strings, NeDi does a fine job of documenting a network with minimal effort. I've found switches the network team didn't even realize existed just from using the NeDi discovery mode and adding 'public' to the list of SNMP strings to try.

  5. Re:Conflicting achievements on Slashdot Launches User Achievements · · Score: 1

    Wow, three achievements and I haven't even posted yet. Had I waited another week to register my account, I would have lost the opportunity for a 5-digit UID.

    I am ambivalent about seeing this hang around beyond April fools. If it doesn't add a lot of server or database overhead, I suppose it can do little harm.

  6. Protect your identity by controlling your identity on Linked In Or Out? · · Score: 3, Informative

    I created a Facebook account solely because somebody with the same name as I already had one, and people were assuming his profile was mine. So by creating a minimal profile on that social networking site, I took better control over my identity.

    Linkedin has definite professional benefits, allows you to maintain limited contact with former co-workers, people who you might later find working in the same city as you've just moved to, or the firm where you are thinking of applying for a job.

    If you refuse to voluntarily publish positive information about yourself, what will potential employers find? If nothing at all, they may tend to assume the worst, or at least assume you have no notable skills, hobbies, friends or publications.

  7. Re:superuser on "Back Door" Cheating Scandal Rocks Online Poker · · Score: 1

    Seeing player number 363 spectating at your game is like seeing Slashdot UID 363 replying to your post -- You know that guy isn't Cmdr Taco, but chances are it is a friend-of-a-friend of one of the founders. (Says the guy with UID 90,847)

  8. Re:leave out unwanted experience on The Stigma of a Tech Support Background · · Score: 1

    even traveled to Bali for 2 years is better, so I might insist on a drug test) you're not going to make the first interview.

    Right. If they pass the drug test, no way did they spend two years in Bali.

    Where I last worked, half our senior operations staff had been promoted up from tech support jobs, so "First line tech support" is not necessarily a career killer.

  9. Re:Calling Captain Obvious on Chicago Links School Cameras To Police · · Score: 4, Insightful

    It's the guns, stupid!
    There are no (legal) handguns in Chicago.
    It's the callous disregard for human life, stupid!


    The Chicago police and video cameras don't prevent crime, they commit crime. And then do it again. And again.

  10. Re:Gun laws on Chicago Links School Cameras To Police · · Score: 1

    I know it sounds crazy in the land of the free, but how about not selling guns to anyone who doesn't REALLY need them? And don't give me the bs that they would find a way to get the gun anyway. If school shooters knew how to get contraband they'd get drugs and would be chilling out watching dogs wearing hats on wide-angle camera instead of shooting people.

    Um... guns are contraband, in Chicago.

    And no, they can't just drive to Indiana -- transacting handguns across state lines, without going through an in-state dealer, is a Federal crime (also applies to most long gun transfers). Federal law also bars purchase of a handgun by anybody under 21, or long arm under 18.

    Illinois already has extremely strict firearms controls (no carry permit, special ID card required to possess firearm or ammo, waiting periods on all firearms); Cook County (Chicago and suburbs) is stricter still (magazine capacity bans, ban on "ugly black rifles"), and Chicago's law is basically what you suggest -- only cops, the city council, and other criminals have handguns in Chicago.

    None of this has made Chicago schools any safer.

    You'd better believe that anybody attending a Chicago Public School knows "how to get contraband". I really doubt school shooters go on rampages because they weren't able to score pot to mellow themselves out.

  11. Re:Close Stable Door After Horses Are Off and Away on Chicago Links School Cameras To Police · · Score: 3, Insightful
    segedunum claims:

    The fact is that an awful lot of kids in school in the US can get very easy access to weapons that allow them to kill people very easily.

    <sarcasm> That's impossible, Chicago's gun laws are among the strictest in the hemisphere. Why, guns are nearly as illegal as crack, and we all know how impossible cocaine is to find in Chicago!</sarcasm>


    All handguns are effectively banned in Chicago, all weapons are registered with the city, and Cook County laws are not much less strict, same goes for Illinois state law -- Illinois has more restrictions on who may possess firearms than Canada, and all the laws in the world wouldn't have done much to prevent the NIU shooting.

    Selling firearms across state lines without going through a Federally licensed dealer is also criminalized, so it's not the fault of adjoining states with fewer controls. And if availability is the issue, then why wouldn't these incidents be more common in places outside of Chicago, Illinois, a city with laws that go beyond any laws Hillary or Barack would admit to dreaming of for America?

    These "weapons that allow them to kill people very easily" have been around for hundreds of years, the real question is what has changed in these kids' heads "that allow them to kill people very easily"?

    If another young adult wanted to kill 5 people, he could just as easily bring in a kitchen cleaver or a few mason jars filled with gasoline; every teen has access to these, so there's something besides availability stopping the average teen from mass murder.

  12. Skype is corporate security enemy #1 on Barrier to Web 2.0 — IT Departments · · Score: 4, Interesting

    , Skype saves us TONS of money, and that, for some reason, is public enemy #1 with them.

    I agree with your IT department 100% on Skype. That is one creepy closed-source product/protocol which has no place in a business network.


    I've been trying for the past year to get Skype/EBay to talk to us at all, to even begin to have a conversation about how to securely enable internal clients to make and receive Skype phone calls without also enabling any and all other encrypted peer-to-peer applications.

    Because that is what Skype really is, on the wire -- an obfuscated, encrypted peer-to-peer tunnel in which anything can be exchanged between the internal PC running Skype and a random workstation in some former Soviet bloc nation which it appears to be using as a supernode. Any network where you can reliably use Skype, you can use the same network and host security holes to run P2P filesharing, botnets, or anything else your dark little twisted heart desires.

  13. I work in IT, we built a Wiki but nobody came. on Barrier to Web 2.0 — IT Departments · · Score: 4, Interesting
    I'm part of the tiny IT Security department of a Fortune 500 with many offices around the world. We're understaffed and overburdened with "approvals" and "sign-offs" and other process, but we make do with what we have.

    So earlier this year we had a conference call with the various remote site operations and networking and help desk. We had a bunch of customers saying "Why doesn't the company use Web 2.0? Why is Instant Messaging discouraged? Why is there no Wiki on the Intranet?"

    While this wasn't a priority, we had a small server sitting idle from a failed project. So we built a MediaWiki server, gave it a catchy DNS name, and configured it so anybody who can authenticate to the company LDAP server has an auto-created Wiki account. Even preloaded the server with the Help: namespace and some documents from IT's old file share. I also contacted the biggest site's help desk and inquired whether they would be interested in importing their "how to" documents, but only got a snarky "I know what a Wiki is, and we don't want any" reply.

    After some testing internally, about two weeks ago we sent out a preliminary announcement about the new Wiki to 100 "power users", including the specific individuals who were complaining about the lack of a Wiki. The response?

    Deafening silence.
    Perhaps fifty users bothered to click on the link, a dozen of those logged in, and four went so far as to create a personal "User" page or make a test edit to one of the existing pages. You can lead users to a wiki, but you can't make them contribute.

  14. Priest is good at making female reporters cry. on Dateline NBC Mole Outed At DefCon · · Score: 1
    I like Priest, he's a great (and great big) guy; in the Youtube video he's the BIG guy in the Hawaiian shirt at the very beginning.


    I can personally confirm that he has a history of making female reporters cry -- I first met Priest at DEFCON 7, where I witnessed him personally banning another reporter (Carolyn Meinel) from ever attending another DEFCON after her team was caught cheating at Capture the Flag.


    Trust me, when Priest tells you to leave, you go.

  15. Media != **AA on A Year In Prison For a 20-Second Film Clip? · · Score: 1

    The same "media" whose parent companies are RIAA/MPAA members?

    Not all "media" companies, nor all news outlets, have parent firms in RIAA/MPAA.

    Some are privately held, some are public firms without any connection to the recording and motion picture industries, and some just have strong editorial and ethics policies giving reporters and editors leeway to follow stories even if they are not in the best interests of the parent firm.

    The MPAA in particular represents "just" the six major producers and distributors of motion picture and television programs in the United States -- Fox (News Corp), Disney (Buena Vista), Viacom (Paramount), Sony, NBC (Universal), and Time-Warner (Warner Bros). While the big six control much of TV news (ABC, Fox, CNN, NBC, etc), they don't control it all... yet.

  16. Re:Who writes this stuff? on The IT Department as Corporate Snoop? · · Score: 1

    easy enough to set that token to "lost" with a passcode that doesn't expire.

    I believe that the account will still go dead when the original lost token goes to "expired" state. I've seen event messages to this effect in the audit trail. Not sure about the exact behavior in the latest release.

    If you're an admin you would certainly have access to the RSA ACE server that allows this.

    Depends on how the ACE/Server is configured. RSA has done a pretty good job with granular permissions (aka "task lists"), audit trails, and generally making it difficult to intentionally or unintentionally violate security or security policies.

    One drawback is you still need to trust the Linux/Solaris/Windows server where the ACE software is running.

  17. Re:Keyboard technology on City Almost Loses 450K to Keylogger · · Score: 1

    gilesjuk writes: Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.

    Actually, the article says that the compromise happened on a laptop, which implies a software keylogger, not a device -- the software loggers tap into the keyboard events in the OS, so it doesn't matter how the keyboard is plugged in.


    I recently noticed Thinkgeek is now offering the "KeyPhantom" USB keylogger for $199.99.

    I would think that it'd be easier to implement a hardware key logger for USB, as USB "hubs" are truly "hubs", so it should be possible to capture the cleartext keystrokes by "sniffing" on any device attached to the same USB bus, instead of having to be inline like traditional hardware PS/2 "Key Katcher" type loggers.

  18. Curiosity herded the cat on The IT Department as Corporate Snoop? · · Score: 2, Insightful
    I've found as I've gotten older and now have more to lose, I go out of my way to not acquire keys, to not know users' passwords, to not have accounts on systems where I don't need them -- I'm just as curious, yet more risk-averse.

    Average wrote: I always found that sysadmins (myself included) tend to acquire keys whenever possible. I don't care if it's just a broom closet, I want to know what's in there. There's a mix of paranoia, extreme curiosity, and helpfulness that come with the profile.

    When I want to see what's in a broom closet, I have security send up a guard with a key and have him open the door and show me around. My curiosity is satisfied, and no worries about being liable if later a broom turns up missing :)

  19. Re:Who writes this stuff? on The IT Department as Corporate Snoop? · · Score: 2, Informative
    One nice thing about physical access tokens is you can add them to the security guard's checklist for terminations, just like a laptop, badge/keycard, and company car. You don't turn it in, you don't get your final paycheck.

    The same IT department that doesn't turn off a terminated employee's access would be the same one who doesn't turn off access for the employee's token. These tokens don't magically fix broken IT security policies.

    But these tokens do have a built-in expiration date, the server doesn't fix policies, but it will enforce policies. When the end-of-life arrives, the token becomes a useless fifty buck hunk of plastic. And unlike passwords, lazy admins cannot trivially override the expiration date, like they do for VIPs in the "user must change password every X days" GPO on every Microsoft AD deployment I've ever seen.

  20. you can drive for days without stopping... on Monday is Wiretap the Internet Day · · Score: 1
    iminplaya writes:

    one of the most beautiful things about traveling within the states is that you can drive for days without stopping at all except for gas. Nobody to stop you to check your papers. Granted it's been six years, so I don't know the present situation. But if you lose that, then you've lost one of the biggest advantages of being in the states.

    This is still true, unless you cross into California (Fish & Game), or cross from Texas into New Mexico (ICE). But both of these internal state border checks have been in place for at least a decade, and the California check is driven by internal state politics unique to California.

  21. University of Telecommuters on 7 Things the Boss Should Know About Telecommuting · · Score: 1

    It's not just work, why not also study? Why on Earth, with the technology available, does anyone need to go to a building and sit with 100 other students in a cold lecture hall for an hour or two. There's no reason why that can't be video streamed and questions handled by chat or email. Then you can fit in the lecture when your brain is most receptive, and take breaks when you wish, or replay parts you didn't get. In fact for many subjects, the lectures need only be recorded once for use over many years. Transcripts of previous Q and A's can also be available online.

    Sure, labs and tutorials need face to face, but that can be one day per week.

    Professors might not be too happy with their lectures being recorded once and used forever, but how many actually teach their own courses these days anyway?

    University of Phoenix might be considered by many to be a joke, but the concept is sound, just needs better execution.

  22. Re:You are missing the point on How to Cheat at Managing Information Security · · Score: 1
    The way I deploy firewalls is as a component of "defense in depth", in part to ensure that one mistake or intentional act by one trusted individual cannot compromise the entire network. If you take that into account, then before your thought experiment could conclude that firewalls are not necessary, you have to postulate not only perfectly secure operating systems and protocols and applications, but also perfectly secure people.


    At that point, suspension of disbelief goes out the window :)

  23. Re:General thoughts.... on How to Cheat at Managing Information Security · · Score: 1
    King_TJ writes:
    yet they can't even troubleshoot a single hardware failure due to bad RAM or a failing hard disk in a workstation.

    Really? That's weird. Where I work, the only staff who actually have the skills and methodical nature to effectively troubleshoot problems are the "infosec specialists". The desktop support people, the network analyst, the system admins, they all just automatically say "It must be a firewall/IPS/AV/ACL problem" and don't bother to do any sort of fault isolation, or if that doesn't stick, call the vendor and ask them to send out an engineer under our "platinum" service contract.

    The "rank and file" I.T. staff and management probably have just about as good a track record of keeping a given computing environment reasonably "secure", as long as they're diligent about keeping things updated and patched, and following some common sense procedures. They may not know (or care!) about all the technical details of why a given patch is effective, but it doesn't end up making much difference.

    Again, the opposite of my experience. The rank and file are most concerned about uptime and SLAs, and reluctant to apply patches and updates, particularly emergency patches not released on the second Tuesday of the month, because that means taking an unscheduled outage and making a change that might impair stability or other key metrics. I'm not saying you're wrong, just that your experience doesn't match my (various Fortune 500 and dot-com firm) experiences.

  24. The public's right to know -vs- editorial control on Internet Searches Reveal CIA's Secrets · · Score: 1
    That's the definition of "editorial control", deciding what gets published. I think the Tribune is being consistent here.

    In the cases of both the Danish cartoons and the CIA records, the paper published the facts around the issue, but not the actual cartoons, nor the actual operatives' names and addresses.

    Regarding the cartoons, I recall reading a half page editorial on why exactly the Tribune chose to refrain from printing the cartoons. IIRC, they had previously printed the URLs of web sites where the cartoons could be found online, but decided that reproducing the actual 'toons would be in bad taste. Similar justification was provided by the New York Times, etc.

    That, and they didn't want to be bombed by the extremist arm of the "religion of peace", not that anybody will ever admit that in print.

  25. Re:Processor Mask on Intel and Skype Exclude AMD · · Score: 1
    quantum_bit writes:
    But... the CPUID instruction is easily recognizable, so it wouldn't take much work with a debugger to find it and replace it with a simple mov that fakes the cpuid info.

    In order to counter that, skype will have to checksum/encrypt the binary, but certain groups of people have been circumventing those measures for a loooong time and are quite good at it.

    Skype already takes extreme measures to prevent reverse engineering and to abend the application if you try to run it under a debugger.