Well it actually might - if the system detects that a child has LEFT school early (cutting classes or whatever), you know WHO you are going after that day. And you also know that the child is either alone, or with only one friend, or what not.
I'm totally against this system just for standard surveillance reasons, and it won't be long before kids figure out how to clone or reset their equipment to someone elses, but the first rule of cracking a system is gather as much information as possible - an RFID tag that tells me which kid is currently out of school - gold.
I actually agree with you on most of those points, so I just wanted to point out the most obvious reason TV vs teacherbot are comparable but still significantly different: The student interacts with the teacherbot, and can have things re-explained to them, questions asked and answered, etc. assuming a good enough teacherbot.
There is actually a well written paper on using this sort of tech to teach chemistry, worth a look in.
There have been (tentative) steps made into "AI"-based teacher bots for students. If there were a decent FOSS AI chat-bot base to work from, the system could be built to work within a certain set of boundaries and teach students from there (I'm more than half convinced Apple's TSPS chat is mostly bots that hand off to a person if they can't answer the question, the same can be applied here).
If you remove the need for a teacher to do a lot of the basics, either the teachers will start to teach properly, or they will find a different profession. There are additional benefits such as repetition, ease of updating a text book, and so on.
Protecting the children is absolutely a necessary thing to be doing, and I can not agree more with the general sentiment. However I don't see that lack of network access is going to affect the children's ability to traffic in sexting or other similar acts, only cover the ass of staff when it happens on school grounds. They are still able to be prosecuted for negligence without the devices on the network, and I'm sure if we went and looked there would be at least one case where this happens. At least when you put the student owned devices (SOD) on the network they can be monitored. There is plenty of software and hardware available to listen and watch, you can enable client isolation on your AP's and log everything through a local jabber server as a just in case. This doesn't stop something like apple's AirDrop or even point-to-point wifi, so your AP's are set to nuke any rouge AP's around the place, and so on.
There are a lot of SOD's moving into schools and corporations now, many of them are driven from the (probably incorrect) viewpoint of beancounters or upper management. Wrong or otherwise, we need to adapt or die - and if adapting means we have to change our field a bit and stop thinking of how many units are in the empire, instead thinking of how we monitor and control the devices that are out there then that is what needs to happen.
And it's going to cut down on budget as well. A lot of people complain that they need that big a budget. That might have something to do with it.
Domain security isn't always the answer - what it does appear to be is a series of IT people screaming "my kingdom, my kingdom!" especially with the move to student owned devices. Thankfully a lot of technicians are coming around on actually securing their shit rather than hiding it (my personal favourite: Poor home folder permissions because group policy says you can't connect directly to UNC paths or run scripts or open cmd.exe etc.). Missing simple features like transparent proxying over just lopping them off at the firewall is a sign of a technician who is going to be left behind very quickly - especially with the android/iOS revolutions that are streaming through schools at the moment.
In the past I've supplied myself and clients with something simple like a HP 4500. You can get them for ~$80AU depending where you go (sometimes as high as $150 - still nowhere near the 5 digit range). It has, among other things, a decent scanner and an automatic feeder. I suggest the HP, not because I'm affiliated, but because the earlier models cost about the same, and used to survive scanning POD documents in warehousing/ transport offices, so I've always stuck with them.
would you be saying "Yeah, but can they run marathons?"?
Yes and I frequently do. I find it hard to believe that there is a situation where being able to run 100m in less than 10 seconds is a survival skill. But then I'm an advocate of letting the Olympians use as many drugs as they like to see what the human potential is (and what we can do for our soldiers when we colonize other planets), so maybe I'm not the best person to be actually answering your rhetorical question.
Wasn't that the company pretty recently who said they did this... that they "accidentally" made a web accelerator when they were doing some security work? Has google bought them out or are they ripping them off. Maybe I read it on the sophos naked security feeds, but I can't find it.
I would think the true measure of a foe is how long they can go without you killing them, in which case the current [insert-"terrorist"-here] are pretty damned superior foes. Technology means shit if it's not implemented correctly and with properly trained people - Just because you're rocking around in a marauder doesn't mean a skinny can't come up behind you and crack your head open with a rock.
Ah but that's bullshit in and of itself. You extend the AD schema... ONCE... and you can plug the workgroup manager into it and do apple-equivalent of group policy management on all the machines. The apple kit binds out of the box, and will do authentication, password changes and everything. There are only two points of difficulty that I've seen so far: DFS support is, for lack of a better word, shit. You can get DAVE but fuck that, so you plug the mac's onto the source servers rather than the DFS and it's not that big a deal, just a minor headache if you don't know about it.
The other PITA is auto enrollment for certificates in a 2 factor environment, but even that is pretty easy to get around, a few roll your own scripts and a couple of minor changes and you can programatically create and install the certificate on each machine - as part of the deployment process.
Network deployment tools... what? ARD, DeployStudio, fucking SSH will let you do network deployment. So you can't give your users an SCCM interface - it's only relatively new tech and if you desperately need it, sounds more like you're a shitty admin than against Mac. A decent linux admin should be able to translate their skills straight across with only a minor GUI changeover point, and I know I can Netboot a mac from a BSD server
All in all though, the right tool for the right job, but blatant ignorance of either platform hurts both platforms market share in different places (and lets face it, group policy is loads better than workgroup manager just for the built in defaults).
The last thing I'd want to see is any company, at all, automatically fucking with my MBR just because it doesn't think it matches what they consider a standard MBR. If they can't do that then they can't remove the rest of the infection and the botnet guys can just upload a new one to circumvent the patch.
I say straight out and with a serious look on my face: My rate is $350 AU an hour, and I need the first hour up front. Strangely, some people are actually willing to pay me for that (because they know and trust my work over the faceless muppets at the local "computer" store), so I get paid for it occasionally, or people go the hell away. Win-Win.
Sometimes you don't want to put your fingers anywhere near the site, be it for building security or whatever the reason. The continued proliferation of people who consider that you can just beat someone with a rubber hose for a password, or read it off a post it note so who would bother breaking this algorithm are entirely unhelpful to fostering a secure environment. Just because there are easy methods of physical access, doesn't mean every cracker out there is using them, just like not every cracker out there runs a giant DDoS botnet.
90% of the time I will perform a pentest completely over the wires, just to prove this exact point.
Sounds like the type of people who would just go with what a majority says, or say that something is correct because a lot of people believe it to be correct (appeal to popularity).
Even if you go with what you know is correct, you are probably being influenced - have you never got annoyed at the people around you because they are all wrong? Happens to me every day.
I have a stack of business cards on my desk about 2 inches high which, despite my phone, my laptop and the shared address books, I still refer to. Further than that, I have a nifty little scanner that will OCR the business card and load it automatically into the address book - hardly any manual editing required ever.
Silly etiquette or not, I've always been a lazy administrator and having a card I can just slap in and have it automatically loaded is a great idea for me. Less typing, more time for porn.
From what I saw over the past week, there have been a lot of status updates from random people I know (oddly, around the 20-25 mark and female mostly) going "who the fuck is jess, lol, well i'm going to her party". I doubt she was "hacked" at all, more like some people jumped on it.
Still can't believe this made it to slashdot, it was bad enough seeing it on my morning news.
Since when has MAC filtering been more than a minute annoyance to an attacker. Or lack of DHCP/ Routing.
Strong passwords, WPA2-CCMP and a good watch on your logs is the only thing that's going to keep you safe (at this point in time) if you are home user.
-Applications are generally not cryptographically validating the DNS response, they simply check the AD flag. This means that anyone able to spoof their way between you and your nameserver can *still* compromise DNS. This is better than the current state of things which is subject to shenanigans in a much wider scope, but still.
Shouldn't the applications be just one - the system DNS resolver? If named or whatever microsoft use is doing the lookups for you, then the onus is on the system software to validate the DNS request and either hand it up the chain, if it works, or send up a failure (or nothing at all) if it doesn't. Those of us who need tools that are of a better consistency and have debuggable output can use them, but the majority of applications shouldn't even be seeing DNSSEC any more than they should be seeing IPv6 beyond a "getaddrinfo('slashdot.org'); connect(lookupresult);". Those shenanigans may still occur, but they're really part of the operating system (one application) rather than many.
Slashdot Mirror
Well it actually might - if the system detects that a child has LEFT school early (cutting classes or whatever), you know WHO you are going after that day. And you also know that the child is either alone, or with only one friend, or what not.
I'm totally against this system just for standard surveillance reasons, and it won't be long before kids figure out how to clone or reset their equipment to someone elses, but the first rule of cracking a system is gather as much information as possible - an RFID tag that tells me which kid is currently out of school - gold.
My experience has always been that consumers give a shit about price. The rest is just stuff we geeks fap over.
I actually agree with you on most of those points, so I just wanted to point out the most obvious reason TV vs teacherbot are comparable but still significantly different: The student interacts with the teacherbot, and can have things re-explained to them, questions asked and answered, etc. assuming a good enough teacherbot.
There is actually a well written paper on using this sort of tech to teach chemistry, worth a look in.
There have been (tentative) steps made into "AI"-based teacher bots for students. If there were a decent FOSS AI chat-bot base to work from, the system could be built to work within a certain set of boundaries and teach students from there (I'm more than half convinced Apple's TSPS chat is mostly bots that hand off to a person if they can't answer the question, the same can be applied here).
If you remove the need for a teacher to do a lot of the basics, either the teachers will start to teach properly, or they will find a different profession. There are additional benefits such as repetition, ease of updating a text book, and so on.
Protecting the children is absolutely a necessary thing to be doing, and I can not agree more with the general sentiment. However I don't see that lack of network access is going to affect the children's ability to traffic in sexting or other similar acts, only cover the ass of staff when it happens on school grounds. They are still able to be prosecuted for negligence without the devices on the network, and I'm sure if we went and looked there would be at least one case where this happens. At least when you put the student owned devices (SOD) on the network they can be monitored. There is plenty of software and hardware available to listen and watch, you can enable client isolation on your AP's and log everything through a local jabber server as a just in case. This doesn't stop something like apple's AirDrop or even point-to-point wifi, so your AP's are set to nuke any rouge AP's around the place, and so on.
There are a lot of SOD's moving into schools and corporations now, many of them are driven from the (probably incorrect) viewpoint of beancounters or upper management. Wrong or otherwise, we need to adapt or die - and if adapting means we have to change our field a bit and stop thinking of how many units are in the empire, instead thinking of how we monitor and control the devices that are out there then that is what needs to happen.
And it's going to cut down on budget as well. A lot of people complain that they need that big a budget. That might have something to do with it.
Domain security isn't always the answer - what it does appear to be is a series of IT people screaming "my kingdom, my kingdom!" especially with the move to student owned devices. Thankfully a lot of technicians are coming around on actually securing their shit rather than hiding it (my personal favourite: Poor home folder permissions because group policy says you can't connect directly to UNC paths or run scripts or open cmd.exe etc.). Missing simple features like transparent proxying over just lopping them off at the firewall is a sign of a technician who is going to be left behind very quickly - especially with the android/iOS revolutions that are streaming through schools at the moment.
In the past I've supplied myself and clients with something simple like a HP 4500. You can get them for ~$80AU depending where you go (sometimes as high as $150 - still nowhere near the 5 digit range). It has, among other things, a decent scanner and an automatic feeder. I suggest the HP, not because I'm affiliated, but because the earlier models cost about the same, and used to survive scanning POD documents in warehousing/ transport offices, so I've always stuck with them.
Real men log in as root and never touch the su commans
I just thought he was quoting the new blue ray "special edition" release. Nooooooooooooooooooooo.
would you be saying "Yeah, but can they run marathons?"?
Yes and I frequently do. I find it hard to believe that there is a situation where being able to run 100m in less than 10 seconds is a survival skill. But then I'm an advocate of letting the Olympians use as many drugs as they like to see what the human potential is (and what we can do for our soldiers when we colonize other planets), so maybe I'm not the best person to be actually answering your rhetorical question.
Wasn't that the company pretty recently who said they did this... that they "accidentally" made a web accelerator when they were doing some security work? Has google bought them out or are they ripping them off. Maybe I read it on the sophos naked security feeds, but I can't find it.
I would think the true measure of a foe is how long they can go without you killing them, in which case the current [insert-"terrorist"-here] are pretty damned superior foes. Technology means shit if it's not implemented correctly and with properly trained people - Just because you're rocking around in a marauder doesn't mean a skinny can't come up behind you and crack your head open with a rock.
You get checkpoint FDE for free on Windows?
Ah but that's bullshit in and of itself. You extend the AD schema... ONCE... and you can plug the workgroup manager into it and do apple-equivalent of group policy management on all the machines. The apple kit binds out of the box, and will do authentication, password changes and everything. There are only two points of difficulty that I've seen so far: DFS support is, for lack of a better word, shit. You can get DAVE but fuck that, so you plug the mac's onto the source servers rather than the DFS and it's not that big a deal, just a minor headache if you don't know about it.
The other PITA is auto enrollment for certificates in a 2 factor environment, but even that is pretty easy to get around, a few roll your own scripts and a couple of minor changes and you can programatically create and install the certificate on each machine - as part of the deployment process.
Network deployment tools... what? ARD, DeployStudio, fucking SSH will let you do network deployment. So you can't give your users an SCCM interface - it's only relatively new tech and if you desperately need it, sounds more like you're a shitty admin than against Mac. A decent linux admin should be able to translate their skills straight across with only a minor GUI changeover point, and I know I can Netboot a mac from a BSD server
All in all though, the right tool for the right job, but blatant ignorance of either platform hurts both platforms market share in different places (and lets face it, group policy is loads better than workgroup manager just for the built in defaults).
What "areas" have single digit GB caps?
A lot of low-price packages in regional australia do. Low price here meaning $30/month or so.
The last thing I'd want to see is any company, at all, automatically fucking with my MBR just because it doesn't think it matches what they consider a standard MBR. If they can't do that then they can't remove the rest of the infection and the botnet guys can just upload a new one to circumvent the patch.
I say straight out and with a serious look on my face: My rate is $350 AU an hour, and I need the first hour up front. Strangely, some people are actually willing to pay me for that (because they know and trust my work over the faceless muppets at the local "computer" store), so I get paid for it occasionally, or people go the hell away. Win-Win.
Sometimes you don't want to put your fingers anywhere near the site, be it for building security or whatever the reason. The continued proliferation of people who consider that you can just beat someone with a rubber hose for a password, or read it off a post it note so who would bother breaking this algorithm are entirely unhelpful to fostering a secure environment. Just because there are easy methods of physical access, doesn't mean every cracker out there is using them, just like not every cracker out there runs a giant DDoS botnet.
90% of the time I will perform a pentest completely over the wires, just to prove this exact point.
Sounds like the type of people who would just go with what a majority says, or say that something is correct because a lot of people believe it to be correct (appeal to popularity).
Even if you go with what you know is correct, you are probably being influenced - have you never got annoyed at the people around you because they are all wrong? Happens to me every day.
Hah. haha. hahhahahhhahahhahahhhahahahahaaahahaha.
RSA Servers Hacked
Lockheed Martin Network Intrustion
I have a stack of business cards on my desk about 2 inches high which, despite my phone, my laptop and the shared address books, I still refer to. Further than that, I have a nifty little scanner that will OCR the business card and load it automatically into the address book - hardly any manual editing required ever.
Silly etiquette or not, I've always been a lazy administrator and having a card I can just slap in and have it automatically loaded is a great idea for me. Less typing, more time for porn.
From what I saw over the past week, there have been a lot of status updates from random people I know (oddly, around the 20-25 mark and female mostly) going "who the fuck is jess, lol, well i'm going to her party". I doubt she was "hacked" at all, more like some people jumped on it.
Still can't believe this made it to slashdot, it was bad enough seeing it on my morning news.
The van looked a lot like a van guys with weapons got into, had weapons removed from and had been used to transport insurgents
4 wheels and a sliding door right?
Since when has MAC filtering been more than a minute annoyance to an attacker. Or lack of DHCP/ Routing.
Strong passwords, WPA2-CCMP and a good watch on your logs is the only thing that's going to keep you safe (at this point in time) if you are home user.
-Applications are generally not cryptographically validating the DNS response, they simply check the AD flag. This means that anyone able to spoof their way between you and your nameserver can *still* compromise DNS. This is better than the current state of things which is subject to shenanigans in a much wider scope, but still.
Shouldn't the applications be just one - the system DNS resolver? If named or whatever microsoft use is doing the lookups for you, then the onus is on the system software to validate the DNS request and either hand it up the chain, if it works, or send up a failure (or nothing at all) if it doesn't. Those of us who need tools that are of a better consistency and have debuggable output can use them, but the majority of applications shouldn't even be seeing DNSSEC any more than they should be seeing IPv6 beyond a "getaddrinfo('slashdot.org'); connect(lookupresult);". Those shenanigans may still occur, but they're really part of the operating system (one application) rather than many.
Your proposal is acceptable.
Wait... you didn't mean that sort of MiB?