At work, I am required to encrypt anything containing sensitive information and the receiver is required to know how to decrypt it...which takes no knowledge at all since it all happens in the background. Any time I need to transmit sensitive information from an environment that does not have encryption/decryption capability, it goes by fax or snailmail. It's so 20th century.
Sigh. Well, if there is a silver lining, it will force Apple down the same road (to hell?) that Microsoft was forced down years ago to create a more secure OS. We know Microsoft isn't there, and now Apple OSs are going to get the same level of scrutiny. Maybe criminals will begin to lose interest in exploiting Windows? (HEY! That really is a silver lining!)
I work in a medium size organization. Similar to other responders here in small organizations, we fall under a Support Division whose lead reports to Operations (i.e., a COO). I don't mind that we're in the same department as office supplies, furniture, telephones, and facility management, except when it comes to funding where we're competing against -- you guessed it -- office supplies, furniture, telephones, and facility management. Given my druthers I'd rather report to the COO, not because I have a bad boss (I don't), but because IS/IT merits higher visibility in the food chain.
I'd rather they stare at me than put me through all the security crap that costs billions of dollars in equipment and TSA personnel. Somehow, the Israelis have figured out how to use behavioral recognition w/o all the extraneous BS according to everything I've read on the subject thus far.
Current fears of government involvement/takeover of private businesses aside, given the reliance of the DoD on the Windows ecosystem, it is reasonable to expect they -- and other security organizations such as the NSA -- have some level of access to the code developers (not necessarily to the code itself). MS has a vested interest in their success because they couldn't afford the headline, "DoD drops Windows for Linux."
While there could be a backdoor, a more rational conclusion is the involvement of these government agencies is to help ensure the O/S has the capability to be highly securable. Very few programmers outside of government have the same security worldview as the NSA/DoD, so MS needs that government expertise to assist them.
http://iase.disa.mil/stigs/index.html
Agreed: I don't have the right to tell you what you run on your computer, just what you run if you want to connect to the internet, a public medium, as are public roads for which we need to take a test to get a license. That technical and political issues have to be dealt with in a comply & connect strategy is a given, but not a reason not to do it.
The chaos of the maladies now so ingrained into the unsuspecting user's computers begs for a solution many will find unpalatable. My favorite, actually, is licensing, not comply & connect.
This is a needed first step towards a comply & connect policy for all computers that people want to connect to the internet. The very arguable question is how far to take that policy. I think simply making sure an approved anti-virus program is installed, and redirecting computers that don't to an AV download site (be it Comcast's or Cox's free McAfee versions or somewhere else) ought to be adequate. No AV, no connect until you install it.
I doubt Symantec's warning was geared to a Slashdot audience, but towards those Neanderthal carbon interface devices that refuse to pay for an AV service or application. Usually, I just want to slap users (twice) and then ask what problem they're having with their system. MS didn't develop free AV software to compete with other AV companies, but to protect their OS against negligent, recalcitrant, cheapskate, or just plain ignorant users.
It can also be said the AV manufacturers over-priced their products, putting AV protection out-of-reach for some, regardless of their intellect.
"Enterprise readiness," along with "supportable," was a term taken from the original poster. I don't know what it means to him.
To me it means if the proposed solution can accommodate the existing infrastructure, and is sufficiently scalable to support projected growth for the next 5 years (my number, because I don't want to have to continually revisit a product because it wasn't adequately scalable -- or supportable, for that matter).
Consider the possibility management might be wise to be concerned about supportability and enterprise-readiness. The good news is at least they're thinking about those things. Of course, I don't know your management like you do, and you may have cause to believe their actions are borne of being awash in perks.
But as crazy as it may seem, let's assume they're really interested in what's best for the company. Is your solution better, faster, cheaper, supportable, and enterprise-ready? If so, sell your idea to them in management language. A "suggestion" isn't enough. It's their sandbox.
Your points are reasonably well thought out, but would this be the same government we think could do a better job of running our healthcare system? I'd rather keep the current set of problems than create another faceless, unaccountable bureaucracy. However, some minimum standards for CAs set by government (NIST?) while leaving implementation to private industry might be appropriate.
Best advice you'll ever get is to hire a CPA, as cayanne8 suggested. Oh, and if you're talking about keeping your full-time employ in addition to your proposed self employment, say goodbye to routine family time. It may be OK for you, but not for them.
When you have a population the size of China's, what else are they going to do but sit around and try to poke holes in your network defenses in hopes of collecting information (military, corporate, personal) useful to their government? Their government doesn't have to pay them much, either.
What I find ironic is the income they receive from us through commerce or interest on the money they've lent us is what funds this sort of activity. Former Soviet President Comrade Khrushchev was wrong when he said he would bury us. It isn't the Soviets, it's China, and we're burying ourselves. The only question is how deep the grave is going to be.
Did the developer pay for the development or did the employer/customer? If the developer paid out of her own pocket, it's hers: she can produce as many eggs as desired; otherwise, she needs her tubes cut.
Your boss is on the right track. You have to be able to demonstrate your value to any company and IT is usually not the money maker unless your business model is based on online sales. So look at your tasks proactively, instead of preventative (the "good offense" approach).
Are you responsible for the security of the data? Then what would be the cost to the company if the data leaked out? Think in terms of competitors, public image/trust, the privacy of customer records, and the need to keep internal financial records private from viewing to all but authorized personnel. Who is responsible for making sure those things don't happen? This will be a mostly qualitative analysis on your part.
Lastly, don't expect to be able to do this analysis in a week or two. A thorough analysis will probably take at least a couple of months.
Are you responsible for the integrity of the data? What would be the cost of records in your boss's db becoming corrupted? Who makes sure backups are readily available? Again, a qualitative analysis unless the db is a money maker, in which case you should be able to come up with some hard cost value.
Are you responsible for the availability of your data? What would be the cost of a prolonged power outage? Is there a sales server that actually makes money taking orders? If so, what is the dollar value of the orders lost if the server goes down for an hour? This would be a more quantitative analysis than the others.
You kind of get the idea, but overall it is very difficult to come up with a pure quantitative analysis of your worth, but you can get reasonable values to replace the hardware and estimate the time to restore. Don't get wrapped up in the employee vs. contractor discussion. There are pros and cons to both, and neither has any greater weight than the other in a vacuum. It depends on the needs of the company. Your mission: Document everything you do to protect the company proactively and convince them they never want to find out what would happen if you weren't there watching out for them.
1. The kid did them a favor; however, he should have reported the credentials were in the wild without actually doing his self-initiated penetration test. That's where he crossed the line.
2. The school district needs to immediately mail notices to all people whose personal data may have been compromised (by the kid or anyone else who logged in), and be prepared for the civil suits should any of that data be used inappropriately.
3. I am not a fan of firing people for one-time incidents (assuming it was), but a top-down review of server configuration procedures and/or additional training for those involved is highly in order.
But you're right, it's not a pain in the ass, and the people who are bitching about it are whiners. OR, maybe they don't know the trick that I know - set the administration password to a null password. That way, UAC doesn't require you to type anything at all. Just click the box and it's gone.
All that is accomplished by setting the administrator PW to null is to shift system security away from the computer to the lock on the door.
1. Make the laws on government bidding so complex that very few CAN understand them. Requires power.
2. Grease the skids to overcome the inevitable subjectivity inherent with people trying to interpret complex rules (crony capitalism). Requires money.
3. Shazam! You win the bidding process.
My company's solution is to lock down the systems so tightly as to turn network systems into standalone systems.
And America is NOT spying on China?
Current U.S. law prohibits cyber attacks against systems in other nation-states.
I wonder how much Rep. Barney Frank (D-MA) paid him?
A few years in Gitmo and you'll tell them whatever they want to hear... doesn't matter what was or wasn't stored on that drive anyway.
Maybe if we just subject the hard drive to waterboarding, it'll reveal the data?
This is not a new problem for RR photographers, which are legion. http://www.trains.com/trn/default.aspx?c=a&id=3941
Congress is in session. Hide your wallet.
If iVasto hadn't said that, I would've. That's the answer in a nutshell.
Question liberals
Will you guys cut it out!