Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories: 0
Comments: 4,185

Comments · 4,185

  1. Re:Normal now on F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data · · Score: 1

    Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.

    Since when is spyware legitimate or benign?

    Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.

    If by "permissions" you mean non-negotiable demands... I forget there are still people who don't have operating systems which let them configure actual permissions.

  2. Re:Not actually sending much info, just the IMEI on F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data · · Score: 2

    So far, all they've found it doing is reporting the IMEI by sending an HTTP GET to http://api.account.xiaomi.com/... . The data is transmitted as a cookie of the form deviceId=IMEI.

    Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.

    This is about the point where the boiling frog's brain begins to turn to mush.

  3. Do something about pocket dialing 911 on FCC Mandates Text-to-911 From All US Wireless Carriers · · Score: 1

    Funny that the FCC does not seem to care about taking action to do something about 911 call centers around the country being inundated by defective, poorly designed "smart phone" emergency dialers designed to bypass lock screens and call emergency numbers via spurious digitizer inputs. Everyone has their priorities....

  4. Easier to be a skeptic on Why the "NASA Tested Space Drive" Is Bad Science · · Score: 3, Insightful

    TFA itself has committed the sin of not reading the fucking article. They and their cohort of skeptics read only the summary from NASA without even bothering to get the full paper before drawing exceedingly obvious yet wrong conclusions.

    There is nothing wrong with dismissing something you assume is crap and don't want to waste your time with... as a practical matter there is only so much time we all have to make assumptions to operate. The problem arises when we forget or pretend we didn't make them.

    When you go that extra step of actively debunking you should no longer be able to hide behind your own ignorance and laziness. All those "skeptics" who think they know something simply because they elect to operate under the safety of default position need a good checking from time to time.

    Whatever ultimately happens at least NASA has the guts to go there and actually run experiments which is more than you'll ever get from the armchair skeptics.

  5. Re:It's about time! on Google Will Give a Search Edge To Websites That Use Encryption · · Score: 3, Interesting

    Similarly, putting out the modicum of effort to perform basic security like SSL is a signal that the website is reputable. I mean, if you can't be bothered to buy a $50 SSL certificate and install it, are you *really* trustworthy?

    LOL and here I thought all this time the Internet was supposed to reduce costs and barriers to competition... yet here we go "the higher the fewer".

    When you're making the big bucks off Google by operating industrial-scale link farms, $50/year is a small price to pay for success.

    Someone please remind me again why we are even contemplating enriching the clusterfuck that is the CA industry which sees no problem with use of completely automated systems and non-existent documentation requirements prior to issuing certificates?

  6. Re:Great step! on Google Will Give a Search Edge To Websites That Use Encryption · · Score: 1

    That's a really great step from Google, I had never thought that it can be done in such a neat way. What's next? Can they also do it for IPv6?

    I have previously publicly advocated for Google to do exactly this as a way to promote the adoption of IPv6; however, I was wrong to go there.

    The bottom line is Google, a de facto monopoly, is using force to effect change in ways mostly unrelated to the mission (the linkage between quality and SSL is both domain dependent and strenuous at best).

    Just because I happen to think IPv6 adoption will benefit everyone or that wholesale spying on wires should yield as little fruit as possible does not mean the ends should justify the means.

  7. Re:So now Google establishes Internet standards on Google Will Give a Search Edge To Websites That Use Encryption · · Score: 2

    As far as standards - look, W3C, IETF, et al. have completely failed to keep up. From 1993 to 1997 we went from HTTP 0.9 to HTTP 1.1, which is where we are today.

    Most HTTP 1.1 features are useless. If it disappeared tomorrow nobody would care or even be able to tell it has gone missing.

    HTTP 2.0 will have been languishing for two decades by the time there's a standard and any significant adoption. That's not Internet-time.

    The pace of standards development is driven by commercial need rather than abstract notions of staleness, "the future", "progress", etc.

    The only reason for delay is nobody cares. The incremental benefit is so trivial as to not be worth the effort unless you happen to be Google. When people care shit gets done even if it means draft implementations making their way into production.

    Google has made some mistakes with SPDY and QUIC, but at least they're actually trying to move the ball down the field instead of just arguing on the sidelines.

    My personal opinion is that we are much better off working on TCP and TLS extensions to reduce round-trip delays. You can, for example, in the best case get a secure HTTPS request to the server without completing a single round trip by leveraging TCP and SSL features (fast open, session tickets), neither of which requires maintaining server state, as would keeping TCP sessions open longer than absolutely necessary, or having to suffer HOL penalties, or getting weighed down by pointless politics and scope creep (opportunistic encryption).

    Finally, working on the transport and security layers has the added benefit of being instantly useful to all protocols, not just TCP.

    We have a serious breakage problem in the current community process. Google is doing it right - it's everybody else that's not.

    The "community" is like the UN. It is simply a forum for those with power (e.g. commercial interest) to negotiate... nothing more nothing less.

  8. Re:Not this again. on Ask Slashdot: "Real" Computer Scientists vs. Modern Curriculum? · · Score: 1

    What you are reading is people who are trying to elevate themselves by referencing a new obscure technique. Hey, I know AT commands for a modem. Does anyone give a shit? I certainly hope not.

    Everything of consequence uses explicit memory management: kernels, browsers, network stacks, database stacks, codecs, games... you really have to work that reality distortion field to get to "obscure technique".

    If the only thing that differentiates a great CS grad from a crappy one is memory management, that's a pretty shallow argument. Google it, read it, manage memory for a few hours and poof you're an expert.

    What is the difference between managing memory, connections, sessions, transactions, access locks, files? It is not about "memory", it is about "resources", where many of the same patterns are not optional. Loading CDs into your head and declaring "I know Kung Fu" only works in the movies. You have to live and breathe resource management or you will be clumsy and fuck it up -- this is what people are complaining about.

  9. Cross roads of physics and computing on The Man Who Invented the 26th Dimension · · Score: 4, Funny

    "All problems in computer science can be solved by another level of indirection" - David Wheeler

    "All problems in physics can be solved by another dimension" - Some jackass

    Is 26 dimensions better or worse than 26 levels of indirection?

  10. Imagine if technology served useful purposes on Harvesting Wi-Fi Backscatter To Power Internet of Things Sensors · · Score: 1

    Imagine a world in which your wristwatch or other wearable device communicates directly with your online profiles, storing information about your daily activities where you can best access it

    This must be an early April fools joke.

    Sensors could be embedded in everyday objects to help monitor and track everything from the structural safety of bridges to the health of your heart

    Who thinks it is a good idea for sensors monitoring "structural safety" to be harvesting energy from WiFi signals?

    battery-free sensors embedded around your home that could track minute-by-minute temperature changes and send that information to your thermostat to help conserve energy.

    Unless you're using resistive heating (the most wasteful way to heat a home imaginable), no complex array of sensors is going to conserve anything worth measuring compared with a simple PID loop and a properly sized forced-air system.

  11. Re:Hamas are Terrorists on The High-Tech Warfare Behind the Israel - Hamas Conflict · · Score: 2

    Why is it our media (even this post) always seems to portray Hamas in a positive light?

    Coverage I've seen usually consists of an interview with an Israeli followed by the same interview with a Palestinian ... both questioned, both spew the very same tired talking points day in and day out, which the interviewer is mostly disinclined to follow up on even in instances where they know or should know the information provided is misleading or false.

    This conflict would end the SECOND Hamas stopped their aggression.

    I assume Palestinians say the conflict would end the second Israelis stop making their lives miserable.

    So what's the problem? Seems easy enough to give both sides what they want...

    Unless true motives are couched in fundamentally indefensible geopolitical calculations....but ... but this could... never.. I mean.... how many of you really deep down in your hearts believed the US went to war with Iraq because of fears of terrorists and Mushroom clouds? This is what leaders continuously do throughout recorded history. They spout bullshit for public consumption... and sadly people regurgitate it as if rooting for a sporting event.

    Hamas lies and has no moral honor, they betray everything, and want nothing less than to wipe other people off the face of the earth.

    When old Ben comes on US television waving his arm asserting there is no blockade when questioned it would seem to me Hamas is not the only liar.

    How is that humanitarian and moral? And yet the western media doesn't portray that side of the story!

    More people are routinely killed in a single hour of Israeli strikes than over a decade and a half of rocket bombardments from Gaza. You tell me.

    Both sides are a bunch of immoral inhuman assholes if you want my opinion. Why doesn't the western media portray that side of the story!

  12. 1 out of 3 ain't bad on Cell Phone Unlocking Is Legal -- For Now · · Score: 1

    While in another year it may well become illegal to root your phone and crack boot loaders at least you won't be breaking the law when you SIM unlock.

    The only reason piecemeal temporary exemptions exist is that the restrictions are overwhelmingly seen as illegitimate and completely unenforceable.

  13. Good on Judge: US Search Warrants Apply To Overseas Computers · · Score: 1

    I think this is great news as this offers a huge incentive for other countries to stand up competing infrastructure to the US and decimate US domination over the Internet.

    The Internet I signed up for was never intended to be controlled by a handful of global, massive content companies.

  14. Re:Legitimate concerns on UK Government Report Recommends Ending Online Anonymity · · Score: 1

    If your religious text incites violence, and members of your religion act on those incitements, then yes I believe you need to censor such texts and disarm its followers.

    This is most of humanity.

    To clarify: I'm not talking about the mainstream members of a given religion. I'm talking about the extremist elements (a subset of the total membership) which exist in every religious group today.

    Reminds me of lawmakers who intentionally use broad language while telling everyone not to worry.. not applicable to you. This business of deciding who is an extremist promises to be quite a show.

    The various extremist sects of Islam are a prime example of this. Mainstream Islam is fine but Al-Qaeda, ISIS and friends are not.

    Religion is always used as a tool to gain legitimacy for otherwise illegitimate behavior. The above groups are about religion as much as Warren Jeffs asserting god wants him to be with little girls.

    Their literature *should* be censored and their members *should* be disarmed.

    I think fundamentally people tend to stake out these positions out of fear. When governments lose the consent of the governed and seek to compensate with force, or societies buckle for social or environmental reasons, people seem to have an insatiable attraction to fighting symptoms rather than the underlying enabling problems.

    This is no different than banning neo-Nazi and terrorist groups around the world from running for government.

    This is my point exactly. Who the fuck cares if Neo-Nazis and assorted lunatics run for office?

    It only makes sense to worry if you are afraid they might actually win a non-zero percentage of the vote. If they do win it means your society is fucked up and perhaps you should be spending your time correcting underlying problems instead of attacking symptoms.

  15. Re:News to be filed under "duh..." on Multipath TCP Introduces Security Blind Spot · · Score: 1

    It's not like multi-homed protocols based on IP are new. SCTP has been around about a decade (half a decade as a real Internet standard).

    SCTP does not do what a lot of people think it does. Additional paths are used only for redundancy.

  16. Vendors need to get a clue on Multipath TCP Introduces Security Blind Spot · · Score: 1

    I am sick of IDS/firewall vendor corner cutting and laziness being wielded as an excuse to impede progress or otherwise nerf IP.

    This is the same cast of characters who get caught naively mishandling IP layer fragmentation, option headers and hell even nested 802.1q.

    Instead of owning up to it, they sit there like a bunch of two-year-olds and either complain their jobs are too hard or have the audacity to throw their weight at nerfing the protocols themselves.

    If people think multipath TCP is useful then they will deploy it and if IDS/firewall vendors don't step up with solutions they can step aside as their competitors win over their business.

  17. Re:Legitimate concerns on UK Government Report Recommends Ending Online Anonymity · · Score: 1

    But what happens once we reach the ignorance -> fear -> hate -> violence cycle? What happens if someone taps into people's ignorance by spreading literature that taps into someone's ignorance about an ethnic group, leads to fear, hate and eventually violence?

    Jedi you are not. Influence you must.

    If we can prove that origin post was factually incorrect, it should be removed (not protected by Freedom of Speech) because it incites violence and is factually incorrect. If the person keeps on spreading this kind of hate speech then the person himself/herself should be penalized.

    Some religions are provably incorrect, with an uncanny habit of enumerating unsightly medieval barbarism within the pages of their holy texts. Texts that have been continually leveraged to incite death, destruction and otherwise extend time-honored traditions of barbarism throughout history.

    Are you saying religion should be banned?

    As big a fan of objective reality as I seem to be.. I still fully support the rights of people to believe things which are factually incorrect and to propagate their silly delusions without fear of persecution.

    Do you have any idea what percentage of people believe 9/11 was an inside job, controlled demolition and all? How many think the Jews (e.g. Israel) did it? Are you going to prosecute everyone who posts anti-government "hate" because they happen to believe in a provable delusion?

    If someone wants to believe all Asian people are alien greys in disguise and warn everyone of the dangers... cookbooks and all... they should absolutely have that right.

    There is simply no formulation by which freedom may exist without tolerance of the bullshit and asshattery of others.

  18. Re:Legitimate concerns on UK Government Report Recommends Ending Online Anonymity · · Score: 1

    Pro-anonymity advocates have been saying for years that Freedom of Expression will fix all ills but we've seen a substantial rise of bullying, hate speech and terrorism-advocacy in the past decade. Saying that people will find the truth so long as it's out there, somewhere, does not seem to be working. Great in theory but doesn't work in practice.

    Spoken like a true information war loser. It isn't working, people are not being nice, they soak up conspiracy theories, don't listen to us or come to our conclusions... also everyone is turning into terrorists.. be afraid..... We can't beat them in the marketplace of ideas so we'll just shut their asses down.

    Saying that people will find the truth so long as it's out there, somewhere, does not seem to be working.

    What do we call states which leverage their monopoly on violence to control public opinion or otherwise help them to "find the truth"?

  19. Re:No Excuse really these days. on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    Do you mean the position that we need firewalls?

    Yes, was curious to understand reasoning behind position.

    I would have thought that the need for firewalls was self evident.

    The industry is full of bad ultimately harmful ideas which see widespread adoption for locally optimal reasons. It is far from self-evident to me firewalls do not fall squarely into this category.

    The smart devices we use today all tend to have a variation on mainstream OS's. All of which come with some form of host based firewall. Thus the management of these devices from a firewall perspective is even easier. So much so that it is now possible for most marginally technical people to ensure they are properly configured at least at the time of device activation / installation.

    I think today anything claiming to be a "smart device" needs no firewall because it accepts no incoming connections. It operates by calling home to the vendor. If you want to access your "smart device" you connect to the vendors server and ask nicely to please access your own gear. A mega ultra cloud firewall...!!1!!!!1!

    More generally, I would be interested in understanding why a device with a specific purpose is more secure when it listens for commands through an internal firewall vs. the same listener without? Is a Bluetooth headset more secure behind a Bluetooth firewall? Perhaps a concrete example...

    How many times have we heard stories about POS terminals at places like McDonald's being compromised and the bad guys scooping up tons of customer data? Far too many is the answer. These devices had little to no protection at all from would-be bad guys. Simple protections put in place like firewalls go a long way to addressing these vulnerabilities. Are they perfect? Of course not. But they are a lot better than having nothing. Today these protections can be implemented in a manner that has almost no impact on how people do business. Which means that when implemented correctly they will not cause any additional labor on the part of the end user in order to ensure that they remain secure.

    Since it causes no or very little impact on the way you do business, why wouldn't you implement these simple safeguards?

    Data breaches and losses are a significant threat to companies. Small ones more so than the large ones. Small companies fold when bad things happen. It's a trivial insurance policy that shockingly very few actually implement.

    Why do you feel firewalls are effective? There seems to be an implicit assumption that firewalls are effective... what makes that true?

    What if all the world's firewalls were thrown in the trash heap and in their place systems were configured to accept only authenticated, authorized, integrity-protected, encrypted inquiries from acceptable locations?

    Would that world have better or worse security outcomes than today's world? I think there is no question it would be better.

    No more making security decisions by ports and trivially spoofed address headers, or checking worthless boxes on a compliance chart only to have the whole house of cards collapse when Debbie in accounting clicks on the wrong untrusted email message with a spoofed From header.

    Instead of administrators configuring ports and addresses in firewalls, what if they instead spent that same time managing the only thing that means squat in a secure system ... TRUST

    It is not like the technology does not exist. People ignore it because it is easier to hide behind their precious firewalls. So they allow it and by extension allow their suppliers to continue to supply them with crap.

  20. Re:Lots of people criticize this for its obviousne on Grad Student Rigs Cheap Alternative To $1,000 Air Purifiers In Smoggy China · · Score: 1

    A lot of ideas are obvious once somebody announces what the idea actually is.

    In this case it's just plain obvious. Try doing a Google image search for "air filter fan".

  21. Re:Protection against security bugs. on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    The bug could be deep into the kernel, making almost any magic possible from the application point of view. Having only a few ports open is not enough to protect against this, as the kernel structure and notion of port could be corrupted.

    The above can be read as a perfectly sound explanation of why firewalls can themselves be dangerous, with plenty of CVEs having already been logged against several popular choices.

    You now have to worry about two separate kernels being corrupted by low level packet wizardry with dire consequences arising from compromise of either.

  22. Re:No Excuse really these days. on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    If a vendor is disabling the firewall then they should absolutely be approached. If the clown you are talking to says that's the way it's done then go over his head. Tell your boss.

    Be gentle of course. Doing the run-around, my-hair-is-on-fire dance is not going to win anyone over.

    You can even help the vendor. There are a ton of tools for all OSes that will help you determine the ports that need to be open. Simply run up the software and scan the open ports. Tada, you have a simple set of firewall rules at least. Are they perfect? Of course not, they can be improved on. But it's something at the very least. I'm not overly a fan of point-to-point rules in firewalls as they are self-defeating in the long run. (This is a longer story.)

    So yes host firewalls should always be enabled. And the rules you use better be documented.

    Why? What is supporting reasoning for your position?

  23. Re:PCI-DSS or Tokenization on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    You need to look at the PCI-DSS requirements because this is what dictates the security standards of your network if you are storing credit card information.

    Handling credit card information is closer to reality than "storing".

    A better option for a cheap client is to not store any customer data and use a tokenized system. Authorize.Net will store all sensitive data for an extra $10/mo and allow you to skirt PCI-DSS regulations. You should still run a firewall though, and be as close to PCI-DSS as possible.

    This is the biggest PCI related farce on the planet. If you don't handle credit card numbers either directly or by proxy then and only then does PCI not apply to you.

    The only difference is you're not on the hook for secure storage of the PAN. **EVERYTHING** else still applies. If your website, which stores nothing but handles cards, is hacked, it can be used to collect everything just the same. Wordsmithing around sales pitches for these systems is, to say the least, inaccurate.

  24. Re:Firewall is a requirement, end of story on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    PCI v3 compliance *REQUIRES* a firewall. End of story. Do not pass go, do not collect $200.

    It does no such thing. The requirement is only a tool to keep the whole network from falling under PCI scope.

    An air-gapped network or an internal only network of trusted peers can be PCI compliant without a firewall.

  25. Re:PCI Compliance on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    As soon as they start handling credit card transactions, they will need to conform with PCI standards, which will mandate much much higher levels of protections. There are significant fines associated with non-compliance so you may want to forward them over information about this.

    The real question is legal liabilities flowing from a compromise. Weigh the risks, talk to your lawyers.

    PCI is not backed by law and as such is rather harmless in and of itself.