Suppose I prominently use Apple products when I visit a public library
or park. Should I be required to carry a sign disclosing that I actually
hate Apple products, and do this only because I own a large amount of
Apple stock?
The article says "included a lot of sensitive information, such as real names, home addresses... it is unclear... if anyone outside the security researcher accessed the leaky server." Suppose my information had been stored on that server. Should I feel less violated if the person accessing it self-identifies as a "security researcher" rather than a "PII tourist"? Might a reasonable process start with: as soon as you notice the initial bits of non-public data, contact the hosting provider or applicable CSIRT, wait, and IMMEDIATELY STOP READING THE DATA?
https://github.com/coreinfrast...
covers this, e.g., "human-readable summary of major changes in that
release to help users determine if they should upgrade and what the
upgrade impact will be" and "MUST identify every publicly known
vulnerability." The main difference is that, for apps, the interests
of the developer are less often aligned with the interests of the
user. The essence of a new release can be "more features but also more
ads."
http://www.eileendonoghue.org/...
has no mention of IT costs - it apparently assumes there's always a
simple supported process like "Control Panel > Date and Time > Change
time zone" that the government could announce to all citizens. The
reality may be bleak. For example, I own several IoT devices that
required me to choose a timezone at initial setup, and I suspect a
huge fraction of device owners would never successfully reconfigure
them for a different timezone. Two apparently have no UI at all for
that (the easiest way is to root it and make a manual /etc/localtime
change). In other cases, the device owner needs to remember the admin
password and/or find the documentation to learn where that UI feature
is hidden. People will simply give up, either discarding the device or
living with a wrong time display for months. Also, it can be much
worse than just a wrong display, such as devices configured to open up
physical security controls between 9 AM and 5 PM local time.
It's no longer 2007 (the last time the government mucked with DST).
IoT is here. Changing DST now will litter the northeast U.S. with
literally millions of insecure or otherwise broken devices.
https://www.redhat.com/en/abou...
says "Red Hat plans to open source Permabit's technology." This may
mean that Red Hat's https://www.redhat.com/en/abou...
Patent Promise will apply. Possibly Red Hat will announce whether they
will hold all of the patents on the Permabit technology, or whether
any third-party patents remain relevant.
... or a close equivalent. Nowadays, billboard operators identify the
mobile phones that pass each billboard, and do correlations with
mobile phones that are detected soon afterward in the advertiser's
brick-and-mortar store: http://clearchanneloutdoor.com...
The message from the Academy was that La La Land would have the votes
in a vacuum, but Moonlight had the votes because we live in a society.
Stunts and fonts are just a distraction.
It's senior management's call unless they request otherwise. Maybe the
obvious on-prem location is closing abruptly, and senior management isn't
allowed to announce that yet. Or maybe the cloud decision has already been
made by a competent IT team of an unannounced acquiring company.
Unsolicited technical objections might be, at best, a waste of time.
My filter.json API requests to stream.twitter.com still seem to do a
plain search (except punctuation). Up until last month,
http://twitter.com/search was extremely useful for plain search, but I
think they changed it (either to give far fewer results, or to make
its own guess of what I actually want).
Because of limited bandwidth to the cloud from undersea, MOOC students will still face the traditional question of "What am I gonna do in a submarine?"
Although nobody should send fake tweets, I wonder what plans Pearson
has for a scenario with a huge amount of chaff to investigate. For
example: suppose many accounts sent tweets in a 1-hour period after
school on your local area's testing day, all of the tweets had
relevant text keywords and a picture reminiscent of a PARCC sample
test question, and all of the pictures had various problems
(blurriness, poor contrast, aimed at the corner of a page, etc.) that
would make analysis expensive.
Originally email was decentralized in a practical way. Now, unless you
arrange for your outbound email to arrive from a server operated by a
large email provider, your deliverability is probably low. All of the
email reputation systems, blocklists, DKIM, SPF, etc. are advertised
as anti-spam measures. The reality is that they force email
centralization in a way that helps the monitoring of email by the
major SIGINT players.
Wikipedia says "With only a few thousand residents, South Padre Island
has consistently drawn between 80,000 and 120,000 spring breakers." Is
it likely that a Range Safety Officer will recommend against launches
during all of the common Spring Break weeks?
The critical question is not why the cell phone records are released,
but what records exist and why they exist. News reports often state
that, at the very beginning of an investigation, law enforcement had
information such as "the last time this person's phone pinged a tower
was in Bridgehampton three days ago at noon." Wireless carriers can't
predict who might be investigated, so this may imply long-term storage
of every person's location. Questions include: A. Can I compel my
carrier to tell me what information it currently retains about my own
previous locations? B. How about other people's locations, with a
civil subpoena? C. Is my carrier using my historical location data for
its own internal purposes (marketing, etc.)?
Why doesn't the Related Work section discuss kpannus from
sourceforge.net/projects/pannus? 'Another command of the PANNUS is the
"kpannus" for kernel live patching.... the PANNUS controls kernel by
using "stop_machine_run()" for safety ensuring, which creates threads
for each CPU to execute a function without any interruption.... The
PANNUS for kernel patch("kpannus") is tested for some functions in the
kernel such as sched_clock, do_gettimeofday, filesystems_read_proc,
cmdline_read_proc, or init_timers.'
VbV has these two issues:
1. Activate During Shopping asks for SSN digits.
I'm at the checkout stage with a random (legitimate) merchant,
and suddenly I get a VbV activation page
with a URL on the merchant's web site asking for the
last 4 digits of my social security number. Whoa! The page
tells me that these digits will be sent directly to my bank,
not to the merchant. How do I know if this is true? The merchant's web
site uses JavaScript and can do essentially whatever it wants
with form data. If I'm an expert and dissect the page, maybe
I can feel safe. But, can an average consumer be expected to
distinguish this from a phish?
2. Web browser sessions cross trust boundaries.
A VbV password is a password checked by my bank that
helps to prove I own the CC. Within a single
session with a web browser, I don't want to be communicating
with a merchant and also communicating with my bank. There
are too many browser vulnerabilities that could allow a
merchant to hijack me. Sure, I'll give the merchant my CC #,
but certainly not any reusable banking password! I've
always used separate browser sessions for my bank, and
currently use sessions on separate virtual machines.
You could choose to read each moderate-probability message yourself to decide whether it's spam. Instead, you choose to shift the cost to other persons by auto-replying to the sender address (which we all know is probably forged).
1 of 30 replies reaches a human. This is unsolicited junk mail from you, and essentially never has any benefit to the recipient. The other 29 consume some server resources at the domain of the forged sender, which adds up to a substantial problem when the domain is forged thousands or millions of times.
There are three reasonable choices for your moderate-probability messages: read them, ignore them, or automatically delete them.
The law in question has two distinct parts. First, if you're a
business that stores
personal information on a networked machine, and you have a wireless
access point on this network, you must implement a security measure.
The county's choices of security measures probably aren't the best,
but the concept of requiring a security measure in this situation is
reasonable.
Second, if you offer Internet access to the public, you must post a
sign suggesting that customers' personal machines implement a security
measure. It's not necessarily the best way to protect customers, but a
sign is a low-cost requirement and probably rarely burdensome.
The law doesn't forbid offering unrestricted Internet access to anyone
within range. This is a good choice. A person or business should be
allowed to share use of an Internet connection, provided they are
willing to take the risk that someone might use this connection to do
very bad things. For example, you might want to offer your Internet
connection to the (semi-)anonymous public by running both an
unprotected wireless hotspot and a Tor exit node.
to determine whether to sing "It's life, Jim, but not as we know it, not as we know it, not as we know it."
"Using your touch-tone keypad, please enter your latitude in degrees, minutes, and seconds now."
Oops, never mind.
Misread the headline as "Fewer Toys Gives Kids a Better Quality of Playtime, Santa Claims."
They will also learn that the Cigarette Smoking Man does, in fact, smoke on the ISS.
Some clickbait writers have shorter careers than others.
http://www.hwaci.com/cgi-bin/license-step1
>a few employees abused the flexible work arrangements ... admitted to
>driving a tractor during conference calls about project updates.
This all might've been avoided if certain persons STFU about the tractor story.
It's not pretty reasonable.