Slashdot Mirror


User: Sub+Zero+992

Sub+Zero+992's activity in the archive.

Stories: 0
Comments: 66

Comments · 66

  1. Wikileaks on Amazon EC2 Enables Cheap Brute-Force Attacks · · Score: 5, Insightful

    Amazon provide infrastructure services. They need not, should not, must not know or seek to know how these services are used.
    Oh wait, Wikileaks...

  2. Socialists in the Pentagon? on Pentagon Credit Union Database Compromised · · Score: -1, Troll

    Wow, I mean, WTF?

    Of all the places, the Pentagon? They do know that the Credit Union idea has socialist, or at least mutualist, roots, right?

  3. Thumbs up for Fisma-Apps on LA's Move To Google Apps Slows As "Apps For Gov't." Announced · · Score: 4, Insightful

    This is what you get, and what - currently - only very few federal agencies can afford:

    An independent third party auditor issued Google Apps an unqualified SAS70 Type II certification. Google is proud to provide Google Apps administrators the peace of mind knowing that their data is secure under the SAS70 auditing industry standard.

    The independent third party auditor verified that Google Apps has the following controls and protocols in place:

    • Logical security: Controls provide reasonable assurance that logical access to Google Apps production systems and data is restricted to authorized individuals
    • Privacy: Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to Google Apps
    • Data center physical security: Controls provide reasonable assurance that data centers that house Google Apps data and corporate offices are protected
    • Incident management and availability: Controls provide reasonable assurance that Google Apps systems are redundant and incidents are properly reported, responded to, and recorded
    • Change management: Controls provide reasonable assurance that development of and changes to Google Apps undergo testing and independent code review prior to release into production
    • Organization and administration: Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Google Apps

    http://www.google.com/apps/intl/en/government/trust.html

    Sure, it comes with a risk (do you have multiple redundant and trunked high speed internet connections?) but also with an enormous freeing of public funds.

    In my view, a win.

  4. Re:A solution in need of a problem? on Free Clock Democratizes Atomic Accuracy · · Score: 2, Informative

    From TFA:

    "The RADclock project (formerly known under 'TSCclock') aims to provide a new system for network timing within two years. We are developing replacements for NTP clients and servers based on new principles, in particular the need to distinguish between difference clocks and absolute clocks. The term RADclock, 'Robust Absolute and Difference Clock', stems from this. The RADclock difference clock, for example, can measure RTTs to under a microsecond, even if connectivity to the time server is lost for over a week!"

    ymmv

  5. "freedom" on Free Software To Save Us From Social Networks · · Score: 5, Insightful

    I am getting pretty tired of other people telling me what freedom should mean to me.

    What freedom means to me, what I am frightened of and / or prepared to sacrifice is not a temporally static concept. 10 years ago I wouldn't even publish my mail address online. Now I have my entire CV on XING. These are rational decisions I made according to costs I perceive (correctly or not) with publishing personal information, or not.

    Sure, some people make poor choices about publishing personal information (sexting, anyone?). But sometimes openness is an indicator for a "safe" society.

    Just my thoughts.

  6. Wrong approach on The Woes of Munich's Linux Migration · · Score: 5, Interesting

    Well, they tried a horizontal migration strategy, moving from location to location and department to department. That meant the problems never stopped.

    A better approach might have been to do a vertical top-down migration: Servers: first roll out a directory server infrastructure, then a CIFS strategy etc.; Clients: migrate away from MSIE / ActiveX, then to CUPS, then away from MS Office etc. And then, finally, to change the desktop OS out from underneath.

    A suggested strategy for those planning something similar: 1: migrate the server services (and create a shiny new unified and consistent infrastructure); 2: migrate the desktop apps to FOSS alternatives (choose apps which will work under your target desktop OS); 3: switch out the desktop OS for Linux (the users retain the apps they have become used to).

    Just my 0,02

  7. Re:not md5, bcrypt on ISP Emails Customer Database To Thousands · · Score: 1

    Hi,

    Well, the choice of algorithm is important. MD5 is a bad choice.

    And yes you're right, if the password is weak, and the website provides no protection against brute force attacks over HTTP, then it remains a weak password. And resetting the password is a problem which has been mostly solved, you send the person a token by email or sms to their pre-validated account, with which they can create a new password.

    Cheers

  8. not md5, bcrypt on ISP Emails Customer Database To Thousands · · Score: 1

    You are right about not being a database / web guru.
    MD5 is the wrong hash algorithm, you want to look at bcrypt.

  9. Re:Which is it? on Speculation On the Doomed Satellite · · Score: 4, Informative

    Well, your options are not mutually exclusive.

    Most likely:

    a) its solar wings failed to deploy
    b) it is therefore in deep sleep
    c) what goes up (and remains within the Hill Sphere) must come down

    ymmv

  10. Develop your own questions. on How to Recognize a Good Programmer · · Score: 1

    I always thought the Fizz Buzz test was quite interesting, never used it though.

    When hiring for web developers, I tend to ask where to put validation code for form input data. I hope to hear:

        * on the client before the form is sent (usability)
        * on the server (in case the client is fuzzing)
        * in the domain rules / check constraints of the db server (in case data comes from somewhere other than your app)

    But I never do. It's the candidates who haven't heard of the third validation who don't make it, and those who can argue their corner well who do.
    I guess the thing to do is to develop your own set of questions to elucidate a candidate's strengths and weaknesses without trying to trap them.

    I once failed an interview for being unable to remember what the individual letters in ACID mean. I had forgotten what the "I" meant.

  11. Better idea: block all text in email on New Flavour of Spam - MP3 Stock Scams · · Score: 4, Funny

    Although the spammers seem to have a fair bit to learn about machine-generated sales patter, some companies might consider blocking all text in email as a matter of course. So many text files infringe intellectual property and patented business methods, and it can be hard for a company to establish which words are legal and which lemmas are not after they have arrived. Blocking all letters, or at least the letters J-M and all the vowels until requested by the user, can be a good way for a company to take a proactive stance against the use of email for illegal and/or infringing message sharing. It also has the benefit of neutralizing most spam at the same time.

  12. That's OK then on Vista Runs Out of Memory While Copying Files · · Score: 4, Funny

    the box I "make use of" has just 15,000 mp3s...

  13. AOL - TOL on AOL Cutting 2000 Additional Jobs · · Score: 0

    A once crap company now becoming truly crap: trailerpark online

  14. More fingerprint snake oil? on Sharp's Tiny LCD Doubles As Scanner · · Score: 1, Interesting

    The use of this LCD screen as a fingerprint scanner will most likely suffer from the same problems as all fingerprint locks. They rely on the "something you have" principle as an authorization token. Until, that is, someone removes your finger from your hand.

    Also, fingerprints are per se not exactly unique. Ask the lawyer who was misidentified as a terrorist for having similar fingerprint features.

    And of course, it is not exactly difficult to copy and fake someone else's fingerprint.

    BTW: the Chaos Computer Club rocks.

  15. Macro wind power: Kite Gen on Microwind Generator For Low Power Systems · · Score: 4, Interesting

    And now for a really interesting renewable energy concept: kite gen. Would have made Newton smile :)

  16. Manna for the AI on Google Phone Rumors Solidifying · · Score: 5, Funny

    Text, video and image data were only the start. Making voip traffic available for analysis will significantly increase the range and amount of data available for nurturing a nascent AI.

  17. "isolated from the embryo" on Stem Cell Targeting Wins First Nobel of 2007 · · Score: -1, Troll

    Let's see, are we talking about a lump of meat here, or a living human being who was harvested for some rich bastard's benefit?

  18. Quite an Important Question on US Scientist Creates Artificial Life · · Score: 1

    Should we (as a species) have that ability? I suspect that now Craig "Pandora" Venter has opened this particular box, no end of troubles will come from it.

  19. OK, so what's my solution? on Couple Who Catch Cop Speeding Could Face Charges · · Score: 1

    Well there's the rub - I have no dogma to offer you, no shining path which I want you to follow and none of that happy medium nonsense. All I offer you is your own rationality.

    Power corrupts. Allowing power to concentrate is a bad idea. Power is expressed in the modern triumvirate of the state, capitalism and complicity. See the anarchist FAQ for more.

  20. The police _are_ there to protect your interests on Couple Who Catch Cop Speeding Could Face Charges · · Score: 1

    I'd like to offer you my take on this situation, from a classical anarchist perspective.

    The police are there to protect your rights - more specifically your property rights. The more property rights you have, the more you can expect those to be protected by the police. The police chase "criminals" - mainly those who sell and consume drugs outside of the federal tax-levying scheme. If you are black, young, and the victim of some brutal crime in the less salubrious regions of Chicago or Pittsburgh - then you are (naturally) of no interest to the police.

    Of course the police abuse their power. That is what power is for. That is why giving it up on the back of a vote card is the worst form of societal participation - even the ancient Greeks demanded participation and power rotation in their version of democracy. The police, the military, the judges, the lawmakers have been given an almost limitless amount of power to wield over you and I, who are merely expected to meekly pay for their excesses. As far as I can tell, neither Bush nor Clinton would have sent their children on a 12 month tour of duty in Baghdad. Hell, Bush was even too scared to walk from the Capitol to the White House on his coronation^H inthronation day.

    We pay a gang of mercenaries - known collectively as the Law Enforcement Establishment - to defend our capital for us. For some of us, our capital equates directly with the shop-floor head count. As even Marx pointed out, the only way to make a profit is by creaming some of the profit from your employees' labor.

    So friends, don't be disheartened when the police abuse their powers. Just remember that those are the same powers you proxied away to protect your own scrawny interests. Remember that when you see soldiers murdering civilians, policemen beating students and presidential motorcades which would have shamed the Soviet leaderships of North Korea and the USSR. Those are your interests which are being protected, those are your tax dollars being spent, those policies were chosen because they are in your best interest. Let's hope you wake up and smell the coffee.

    The police are there to protect your interests. Your interests are in the subjugation of the rest of the world. Your interests are hinged on maintaining a strong dollar and low interest rates whilst raking up the highest levels of personal and communal debt the world has ever seen. Your interests are keeping your employer solvent, the boss rich, and your job secure. Your interests are the pork bellies, the corn fields, the humvees and the processors. Your interests are best served by a militarized police force who know how to effectively suppress dissent, preach conformism and behave as a model of conservative, capitalist values.

    All you liberals, ask yourselves who really paid for your education. It wasn't your parents. More likely it was some South American or East Asian peasant.

  21. Not an IT disaster, but a political disaster. on Anger Over EU Medical Data-Sharing · · Score: 4, Insightful

    It's always the IT guys who get blamed for cock-ups on a colossal scale. Occasionally, yes, bad decisions are made or poor execution is to blame. But at the supra-national level, the big mistakes are political ones.

    Only governments can waste billions of Euros trying to achieve some kind of "Harmony" across political, linguistic, cultural and privacy borders. This usually fails miserably. The only success governments have at cross-border enterprises is in killing their citizens in wars.

    A simpler solution would be to agree on a standardized data format and data content for medical records. This alone would take years. Then a common data-medium (chip cards, whatever) could be issued to those citizens who desire one. Everything else need not be regulated, everything else should be firmly in the control of the people.

  22. Re:The only sure way I know of: Lambda calculus on How Do You Know Your Code is Secure? · · Score: 1, Insightful

    To be honest, I have got _no_ idea what you are trying to say.

  23. Proving the Unprovable on How Do You Know Your Code is Secure? · · Score: 2, Insightful

    How do you validate code for correctness? Well, either you use some cool formal specification language, such as Z, and then spend a great deal of time and effort validating (which is actually very advisable for critical code in, say, device controls for medical equipment) or you use blind luck and "proven" techniques, collectively known as Good Programming Practice.

    Traditionally it has been important to "specify and validate" requirements meticulously, in the belief that this was the way to write good code. This is partly true, but that way can quickly turn your process into a dinosaur - stifling change and preventing improvement because of non-compliance with "The Requirements".

    You can try "defensive coding", which really treats all messages with great suspicion, messages being an old term for parameters. This is a cool technique, but can lead to slower code than necessary, and can lead to some bug being buried if code attempts to heuristically correct for "bad" messages (there is rarely any way to formally specify what is "bad"). You can use LINT tools (and there are very many, very sophisticated tools) which will catch a whole lot of stuff before it leaves the developer's screen. You can try practices such as pair programming and independent code inspection. On the coding side, you can even try (gasp) such methods as test driven development and contract based development.

    On the testing side, there is nothing quite like having an experienced, qualified, motivated and _empowered_ testing team. A testing team which knows how to find bugs, knows how to communicate with coders and has the power to stop defects going in to production. A technique I particularly like is defect insertion - secretly insert 10 bugs into the code base and see how many get squashed; this will give you an estimate of how many defects your process doesn't find. There are other cool techniques too, some based on mathematical analysis of the code's attributes - the more complex the code the costlier it is to maintain.

    Opening up the codebase to many people might well increase the chance that someone will find the line which causes an error - but IMHO no one goes around looking for bugs unless they are looking for weaknesses. And there we have another (unethical) method - pay some hacker doodz to 'sploit your code. Hopefully they will not find a higher bidder LOL.

    All of these methods are likely to increase development effort and cost, decrease the number of defects, increase user satisfaction, decrease maintenance costs and increase well-being and harmony. So it is a trade off, perfect code is incredibly difficult to create - the question is what level of perfection are you (and your customers) willing to pay for. Problems mostly arise when expectation does not meet reality - some flakiness in an F/OSS application suite is more acceptable to me than random crashes in software which cost me hundreds - or tens of thousands - or millions - of dollars.

    In order to increase some quality aspect of code (security, performance, robustness, correctness...) one can therefore focus on one or several categories - the people, the process, the culture, the tools, the technique, the time&cost etc. The choice of what to focus on is dictated by reality: no one has unlimited resources (except, almost, Google).

    There is no silver bullet - but there are golden rules. Finding people who know the difference is crucial, I believe.

    (Full disclosure: Yeah, I'm looking for heavy duty PM work :)

  24. Re:So... on Open Project to Develop Renewable Energy System · · Score: 2, Informative
  25. Not New, not newsworthy on Wikipedia Used for Artificial Intelligence · · Score: 3, Informative

    Anybody who has been working in the field of NLP (natural language processing) can do little more than sneer at this story.

    The field of word sense exploration is one of the more mature areas of NLP, take a look at Princeton's WordNet database for an example [http://wordnet.princeton.edu/]. Using their word sense database (without referring to silly words such as "ontology") it has been possible - for years - to discover if two lemmas (that's "words" to you) are related in a particular way, or not related. Using WordNet it is possible to distinguish between antonyms and homonyms, thereby thwarting spammers who use words which sound like "viagra" - "niagra" and words which have opposite meanings.