604 posts • joined 25 Apr 2008
Having worked in the DOD as a civilian--many of us have left the DOD for bigger paychecks. Why work for 90K when you can get nearly twice as much working for civilian companies. All who are now heavily investing in InfoSec. Another up-side, is I don't have to live life like an angel...worrying about losing my security clearance... and/or having my life turned upside down every 5 years dealing with a clearance investigation.
This is putting the DoD in hard times with InfoSec. Most of the civilians/military leadership O-5/GS-15 and above aren't proficient in technological computer fields--let alone information security. They are pilots, business grads, etc. Almost everything but a computer engineer, MIS, development, etc. education. So they aren't exactly proficient at leading--or understanding the support needs of computer professionals. Such as security hardware, cloud infrastructure, etc. Since they don't understand it... they don't get the right items implemented and make poor decisions.
Until the DoD and defense contractors get in line with civilian salaries, they will only be able to attract professionals right out of college--only to watch them leave after 4 years.
Re: Interesting effect, wrong explanation
Apparently you didn't read the paper, and/or you don't understand it. It isn't about clock cycles. It's about side channel measurement of fine performance benchmarks and the differences noticed in these benchmarks between like CPUs.
Consider, the variation in performance affecting entropy if one processor's temperature is 7 degrees cooler than another--among other performance changing variables; such as workload.
Don't you love people who make crazy claims without at least trying to understand what is being said?
Trump did the correct thing here. The cybersecurity tsar position didn't wield much authority; and therefore, not very effective at getting some things accomplished. It's not a position requiring congressional approval.
The job now falls on Homeland Security, which wields a lot more authority when it comes to auditing and review. Homeland Security can now put the entire network infrastructure and operations along side many other critical systems in order to hand down major penalties to government agencies and their management.
So before Trump bashers start repeating the idiocy of politics--and you really should be smarter than this. You should look at the entire picture, and not just the rants and raves of a few politicians from the DNC (who need to call on their assistants to log themselves in to their computers).
The cyber tsar position was just another one of these "I'm doing something about it" jobs, without any teeth. They weren't in charge of anything but charts and PowerPoint. It is a job which costs taxpayers money, and does little. Even USCERT didn't fall within the grasp of the job, if this tells you anything.
Since he used Ubuntu to break into Apple, there will be no job waiting. However, the magistrate appears to be a UNIX geek; lucky for him!
Did the UK hire Hillary and Obama to ensure MI5 was staffed by the same type of people hired to run the intelligence agencies in the USA?
Keep an eye on the bank account
What do you want to bet, Mr. Jones will be moving into a larger house an purchasing a couple of cars within the next 6 months.
Sounds like another individual who is getting paid by companies to endorse them, and/or being forced by the Canadian government not to offend China--since China is the second largest trade partner it has.
If you wish to purchase Chinese electronic products--which have a history of poor security and monitoring customers-- then go for it. I wouldn't want to be the individual who approved taking on this risk.
Just another product to monitor us and collect data, which can then be stolen and given to the entire word--and then used against us.
Only the foolish trust Google.
Stop mirroring the media
While I don't think Trump has done more than any other president, he has definitely accomplished more than any other president since Reagan. Especially for the common workers in the USA.
Most outside of the USA only hear bad, made up, and malicious things about Trump so they immediately believe it all. When in reality, his approval within the USA is steadily rising.
The taxpayers in the USA are tired of funding everything without help from allies, and are tired of being on the bad end of trade deals--especially tariffs. In the USA, you can buy European made jeans for about the same price as American made jeans. However, in Europe, you'll pay many times more for American jeans than the European jeans. Also, there will be a limit on the amount of goods the USA can send to another country, but there is no limit on the number of goods sent to the USA.
It's just about being fair. Imagine if your taxes were raised 10% to pay for something in another country.
Then you have to call out things like the Paris Climate agreement crap. To make sure Germany can meet this, they fund companies within their borders to move to a lesser country which doesn't have pollution controls. Germany didn't do anything to limit the overall global pollution, they just diverted the pollution to another country. Then hypocritically yell at other countries for not signing onto the pollution standards, and proclaim how environmentally friendly Germany is.
Here is the real funny part... people in the USA have begun to pay closer attention to the goods they purchase, and have stopped purchasing products from unfair countries. This is why many countries have decided to renegotiate trade deals with the USA without making too much fuss. Right now, America's economy is very strong, and companies are rewarding workers with higher wages and better benefits. If you're another country, do you really want to discourage Americans spending their money on goods from your country?
The ones you should really be kicking in the teeth is the media who freak out for no real reason and make up false stories and accusations on a president who is gaining in popularity within his own country, especially with the common working people.
This is only true, if they leaked what they found. Which of course, they don't do. GL
What's worse is a vendor who knowingly releases a product with vulnerabilities. This happens every day. As a penetration tester, I'm amazed at how many vulnerabilities are in high dollar commercial products. Like the applications which manage systems, your money, or keep data on you and your family. Some of these vulnerabilities were so easy to find, there is no way they didn't know them if they conducted proper due care and due diligence in their QA procedures.
Only a matter of time
Since most organizations don't build a robust network operations center to monitor live security events, nobody will notice these attacks occurring until well after the fact--most likely on some weekly report.
If we've learned anything from recent attacks on large organizations is: it takes a while before anyone notices. So it was only a matter of time before malicious hackers started to take advantage of this.
Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers
Ironic part is
...the information leaked is the same information political campaigns purchase on all of us so they can better target the public for contributions.
You'll probably never see politicians outlaw the collection of certain data, since they themselves profit from it. Every habit you have, each item you purchase is collected and added to your own little private database for a company to sell. Trends, movements, purchases, etc. Is all bought/sold.
Human metadata is the new gold, and politicians can't get enough of it.
First problem is career politicians who want to politicize the military.
Second: Stop worrying about the rest of EU. They don't care. So UK can't depend on them. The EU is so crooked, I wouldn't count on them to deliver diapers to the poor in Brussels.
Third: The bulk of Russia's sub/naval force is housed at Polyarny. meaning, to get to the Atlantic, they are going to traverse the North Sea. So, to protect the UK, there needs to be a strong and stealthy naval defense force. So get it done politicians... or perhaps, we should do better at voting out career politicians.
Fourth: Because UK doesn't have enough subs to do a proper in/out rotation, sub crews are forced to go on longer deployments. Which means you will have retention problems.
Fifth: Dismantling ships and disposal of nuclear propulsion systems. This is a problem because career politicians only worry about themselves at this moment; they'd rather push off things to the next person in office (especially when the opposing political party is likely to be in power in the future). So they aren't forward thinking... and dismantling and disposal isn't typically something they can speak on to get votes.
LOOL @ Dunn
Once again, Mr. Dunn hasn't done a lot of forward thinking and proper research.
If all of this is true, (about bounties and poor development practices) then why do most software vendors have occasional security updates?
Probably a majority of bugs are reported back to a vendor from customers who conduct tests (including penetration tests) before completely committing to purchasing their product. Most large corporations now, either have penetration testers (or contract this out) to evaluate the application's security.
Usually, a penetration test is outlined in the agreement between vendor and customer. Companies can no longer get away with saying you can't pen test their product before purchasing it.
It's not unusual to find security vulnerabilities. When we do, it's usually taken care of quickly and without fuss from the vendor. Also, customers don't demand money for doing the pen test, since it's part of their due care/due diligence. However, it's not uncommon for a customer to point out the vulnerability and then not release all of the details. I mean, we aren't paid by them to pen test their software. :) ...so the vendor is forced to figure a lot out on their own; which they typically do well, once it's pointed out.
So, to say a software vendor isn't doing a good job securing their application because they don't offer bug bounties, or have a program for the general gray hats to make money on--doesn't mean they aren't focused on security, or that their software development methodology is poor.
Because of all this, why would a company offer a large bug bounty if they have a product which is being used by many? Consider just how many ridiculous claims and false findings you'd have to deal with from this type of program. Many companies who do have bug bounties aren't really doing it for security... they are doing it as a marketing stunt. It's good publicity, usually gets another story or two published... and nobody knows they don't really do much with the program after a couple of months and the marketing boost from it begins to wear down.
...speaking with one Dutch company about bug bounties (who doesn't even have a bug bounty program of their own), isn't exactly proper research. LOL
I can tell the author doesn't have a lot of experience in InfoSec. Also, many of the commenters don't as well. I've been penetration testing for over 15 years, so I've noticed many security cock ups, poor risk management, etc. What I see more of though, are people making comments without thinking it through.
First-- Reworking and following the exact steps a hacker does to your system is common place. It's often necessary to ensure you find everything. This is particularly important with databases... where there is a lot of information. Usually too much for the hacker to scrape and copy in full; so you need to figure out exactly what was copied, removed and/or changed. NOT REWALKING THE STEPS is considered negligent. Making fun of it like this author does, is ridiculously stupid.
Second--ANYONE who thinks their system is so secure because they do everything right is a moron. Not ignorant, but a moron. This includes certificate management. I'm willing to bet I can find a bad cert somewhere in your network. I find them about 70% of the time I look. Or I find they aren't bound correctly, etc. Chances are, your network has at least one, and the system using it doesn't fail because of it.
Third--While no doubt Equifax messed up on this; however, if you don't get why a system doesn't quit working due to an expired certificate--then you haven't worked with really large networks. Also remember, this type of risk is often accepted. Probably on your network as well.
Fourth--Speaking of risk acceptance. Chances are your CIO has accepted some risks, and at first glance (since you're ignorant and don't get the entire picture) you would think he's crazy to do so. ALL NETWORKS HAVE ACCEPTED RISKS.
Fifth-- Struts was a particularly nasty beast. Easy to do (even for you script kiddies) remote exploit which was being actively exploited the same day it was published. Many companies decided to wait until Monday to patch it and became victim to it. Many more would have become victim to it, but were saved by proxy systems being correctly configured to stop outbound traffic. Heck, the system you work on may have been hit, exploited, but saved because of a outbound setting. So... be careful what you gripe about.
So before you begin to throw stones (and nobody in InfoSec should), look at your company's network to see how many exceptions to policy and larger network accepted risks there are.
Also, anyone in InfoSec who believes their network is completely secure from malicious activity should give up this career field, because you don't have what it takes to think forward enough to do the job correctly. All large networks are vulnerable in one way or another... ALL OF THEM. The key is how you respond and gracefully recover from an attack... not just how you work to stop it.
Detroit has been destroyed under poor leadership for the past 40 years.
It's had more than its share of educators and over paid city employees who have done some pretty outrageous crimes. Usually, they don't get very harsh sentences. This doesn't seem to be an exemption.
Whomever stated Detroit isn't a large city should really learn to at least consult the "google' and spend 10 minutes educating themselves. The entire Detroit-Windsor area is quite populated.
Also, most of the "abandoned" buildings and s-hole areas have been demolished and corporations are beginning to move back to Detroit. Don't you just hate people who only 'relay' bad information, instead of having the brain power to do their own fact checking?
Although it's far from being anything spectacular, it's still better than NYC, Chicago, Cleveland and other cities with abandoned, s-hole neighborhoods.
The fine may seem small, but the companies who were affected by the scam will file civil suits against the men to get their money back. Not only will the companies be awarded what was taken, but it's likely punitive damages will be awarded as well.
When all is said and done, along with legal fees, these guys will be lucky to have any money left. Even if they had $20 mil in the bank before the scam.
...when you use copy/cut and paste, you're leaving behind the information on a notepad which survives reboot; and this notepad is easily retrievable.
Memo to all Personnel
Due to the recent threats and a need to have a system we can store state secrets on, I've ordered our email server to be moved into a towel closet near a bathroom; where it's unlikely any malicious foreign service will find it. We've also instituted an offline backup system to place important files on the laptop computer of my assistant's husband.
--Hillary and the DNC--
Re: @Martin Gregorie
If you're going to spill evilness about those on the opposite side of the political spectrum, you may want to at least take a few minutes to look at how imbedded you are.
You should consider how fascist your words are.
A fascist doesn't want to hear the other side. If someone doesn't believe what you believe, then they are wrong... and should be punished. --This is fascism.
A fascist doesn't look at both sides. They are stuck on what they are told (rarely looking for the truth).
A fascist sees faith as a bad thing, and belittles anyone who follows religious beliefs.
Finally, a fascist calls others fascist without proof...often times without knowing what the word actually means--because they've spent so much time just repeating what they've been told to say.
Attempting to apply 'tribalism' to religion is so completely ignorant, it's clear you don't have any original thoughts of your own, and you've never stopped to use the cognitive creative abilities your brain does have. You may want to try critical thinking for once. You'll find your life suddenly becomes a lot more enjoyable and filled with less hate.
No math outside USA, China and Germany?
Is it only the USA and Germany which bridge mathematics and science in school?
The ISS is moving ~17,500mph because of orbital mechanics. If it was going slower, it will fall back to earth. If it was going a little faster, it would increase it's orbital altitude, if it was going much faster... say 25,000mph, it would escape earth's gravity.
Consider how fast an object must be going to maintain earth orbit, then how fast something needs to go to escape earth's orbit. Finally, work how fast something must go to escape the grasp of the sun. Most objects don't decelerate due to friction, they decelerate from gravitational pull of a large object. Such as a large planet, star, etc.
If you don't believe 35000mph is fast, perhaps you should consider just how fast it really is. If you were watching traffic on a road, in which the speed limit is 35000mph, you wouldn't see the traffic go by, and you couldn't turn your neck fast enough to keep up; even if you were 5000 feet from the road.
First off... the emails weren't leaked as first reported. They were approved the evening before by the Senate sub-committee. Senator Booker introducing them was just putting together a grandstanding moment for the crowd, in hopes of becoming a front runner for president.
If you read everything thoroughly, you'll find in each case, it shows how the nominee is actually very UNBIASED in his opinions. (which is why not a lot was really talked about during questioning in the afternoon or making headlines) In protecting freedoms of everyone from all ethnic backgrounds; despite Islamist terrorists attacking the USA a week earlier.
As far as being read into a program. There are items which can come from a program which are declassified or classified releasable outside of it's SCI container. This often happens for certain high ranking government officials, judges, etc. with a need to know.
It's amazing how people immediately disregard facts, when lies or 'spin' is brought up on things they wish to hear.
If you want to make a comment when knowing only 2% of the information, and/or looking at all the facts--instead of looking at everything from all sides--you're free to do so. By now, you're likely used to the taste of toes in your mouth. You will also likely continue to make less than $70K/year.
If you notice, not a lot was brought up in questioning this afternoon... other than grandstanding blah blah questions, and nothing is being made of it today. Well, nothing substantial. I'm sure the far left will still rant and chew on this nothingburger.
Re: Not the root problem
Here's a quick run thru of why you're SO VERY WRONG.
Any code live to a hacker is potentially a weakness... if not today, then tomorrow. This goes for encryption as well. Typically, developers are 'too busy' to maintain every part of the code.
The most prevalent weakness in web sites, is in not updating/upgrading code developed in out of date environments. For instance, using jQuery 1.7.x (which I see a lot), when the current version is 3.3x. You can even find old .NET web apps, etc. Yeah, a lot of exploits in there.
Giving me access to code, allows me to scrape the website and go to town. If I don't find a weakness, it sure makes it easy to duplicate and redirect users to it. Because there is so much code, I can get not only authentication credentials, but likely internal information; such as an account number, social security... you get the picture now.
If the directory isn't locked down, what would you do if someone... say, updated the code for you? ...think malicious thoughts.
If you think none of this is possible, then what we can tell from you is--you don't have much experience in the real world. So we think "Bulls Eye"!
Look... we voted out the Obama--Clinton power house Dems which abused their powers and continue to slow down progress by throwing false and malicious accusations against innocent people.
We learned from the Obama era, even the FBI, MI6 and CIA can't be trusted... even within these organizations it's possible for people in the highest levels become corrupt and unfair.
As someone who does pen testing and red teaming for a living... those who concentrate too much on encryption, often leave other weaknesses wide open; because people are, for the most part... lazy and forgetful.
The brain trust of the sewage department has spoken
Yes, I'm sure the brightest computer scientists and engineers stand outside in the Michigan sunshine...err snow drifts to que for an opportunity to work at the sewage department.
Saving $1Mil is a huge sounding statement, until you realize where they were beforehand.
Since you chose Oracle... you likely would have saved even more money if you decided to use something else. You definitely will find, you will have a more secure database if you went with several different products.
If you had completed a good amount of technical research, you would have found out corporations are moving away from Oracle in favor of 2 to 3 other solutions.
You can't just look at your initial savings, you have to look at savings over the lifecycle of the product... in this case, about 4 years. Not to mention the risk increase/decrease... in the case of Oracle... it's a definite risk increase. Although, who cares if hackers get in to the database and start releasing a bit too much chemical into the wastewater? Especially knowing how well the sewer system drains in the old central part of Detroit, even if it only rains 0.25 of an inch.
What's holding you back from Google Cloud? Oh, OK... it was hoping you'd say 'lack of hardware security modules'
No doubt they have access to the keys. Which is why I always believe it's better to use a 3rd party.
The biggest item here, is to let us know with their services, how much latency is added to each of the most common cloud configurations--when using their HSM. Also, how much it will cost to decrease the latency. This goes for incoming and outgoing traffic.
The cloud is a great place to reduce time and cost, provided you aren't worried about performance.
The nanny state kicks in.
Let's make regulations covering every bit of data we can; then, let's make things so convoluted and difficult to interpret we are sure to get people busted; because, finding people educated enough to understand all of these regulations will be difficult.
We must do this because InfoSec professionals are too stupid to figure out how to secure data. Plus, if encryption best practices change, we want to create even tighter regulations to babysit.
...blah blah blah.
I like the GDPR in theory. In practice, we're beginning to see the rich white men in Brussels are trying to over control the industry.
You don't need to make regulations on how encryption is properly done. All you need to do is create laws to hold businesses responsible and punish appropriately. Require businesses have a robust InfoSec organizations within their corporation. Let the professionals who know a lot more about securing data than politicians, do their job.
Then you don't need to stick your noses in at every turn, cost taxpayers more money than needed... and if big industry changes occur... it's easy to adapt without having to rewrite 35 volumes of outdated regulations.
You obviously aren't trained in legal matters.
Businesses also have constitutional rights. A business has the right to not do something, and you have the right not to support this business for their decision. Nobody has a monopoly creating a forced action. Everyone can go elsewhere and make a number of choices.
This being said, both the EULA and Debian's lack of action is not against GDPR or anyone's constitutional rights in any country in Europe.
Re: At Superprof we take security seriously and know how key it is to the running of our business
Taking security seriously doesn't mean you have cousin Nigel--educated by the London public school system and flunked out of taxi driving school--audit your security practices.
Taking security seriously, means you've built your security policies and procedures around industry best practices, and annually have an outside agency audit your security and risk management programs. Then you take the audit to heart to make changes as necessary to constantly improve.
Re: Well to stay real for a bit
The ISPs can't monitor your Internet packets if they are encrypted, and many times, the route taken by the packets for all the web sites you view (from your computer to any particular web site) doesn't pass through the ISP.
However, if you use their DNS servers (and most people do), they can track where you have been on the Internet.
Performing a traceroute doesn't prove anything when it comes to DNS.
The path used by packets to perform information exchange with a particular web site, isn't the same path taken by DNS to resolve queries. Two very different protocols, for two very different services.
C'mon. You should know this.
Don't you just love the ignorant when they post something on a security site?
Pascal's response to this article actually gave me a chuckle. I didn't think anyone who is so ignorant on DNS would post something so silly.
I guess the filter most of us have for being quiet when something doesn't make sense to us wasn't provided Pascal.
Pascal, you aren't the center of the universe. Just because something didn't work for you.. doesn't mean it doesn't work. It just means you're too ignorant to figure it out. Perhaps you should research the problem on YOUR END a bit more. :)
A waste of time
Let's see how long it takes for everything to get on the notebook sites and dev sites, such as GitHub.
Not attempting to hide IP
The IP wasn't hidden, because more than likely this wasn't done by the government. It was instead carried out by students and/or faculty at the university. In China, it's a HUGE crime to attempt to hide your actions or use devices such as Onion routers, external proxies, etc.
China's strict control of the Internet within their country, does provide some benefits to intelligence communities in more than just this reason.
Re: There is not enough OMG for this
This is old news. It happened during the Obama administration around 5-8 years ago.
Part of the problem uncovered in an after action report, was the lack of funding the Obama administration provided to the department of defense, DARPA and intelligence agencies. This forced them to use poor quality products and take shortcuts both logically and physically regarding intelligence techniques, tactics and procedures.
It's not going to work...
It's not going to work --to get a job -- when you hack Apple systems using Ubuntu.
This really erks them off.
You take privacy seriously... my azz.
Taking privacy seriously means testing and checking all plugins for privacy concerns before making them available to the public.
Obviously this application wasn't checked for privacy concerns... so it seems you don't take privacy seriously. You're only trying to cover your back side after the fact, like a weak politician.
Making some BS statement after the fact, doesn't help your credibility at all. It only makes it worse. Better would be, you are going to make changes in procedures to ensure privacy is maintained prior to making plugins available.
Sorry for the misunderstanding
The NSA doesn't actively practice hacking systems in the USA.
We turn this over to the FBI and let them do it. We only get involved when these twits can't figure it out.
It's impossible to break into. We haven't found a way in so we gave up.
The protocol is different, but the cipher suites and certs are still the same.
We'll never be able to crack this.
BWah ha ha ha ha.
Psst. Think everyone will buy this?
Then there are other unreported vulns
As a penetration tester for a large company, it's my job to test all applications before they are certified on our networks. This includes internally developed, as well as COTS apps.
Probably more than 60% of the time, I find vulnerabilities for the vendor to fix. Around 10-20% of the time, it's a critical vulnerability (remote and easy to do). Each time, I noticed they NEVER publish the vulnerability. They just add the fix quietly into their next "update". No mention of what we find at all.
So why don't we say something out loud? Because most software vendors/companies have items in their commercial EULA's which amounts to a non-disclosure agreement. Getting on a bulletin board, twitter, etc. will put the company you work for--and your job--in jeopardy; so unfortunately this isn't an option.
So if your a network engineer, be aware of this factor and use it to budget better security equipment to mitigate this fact. Especially with external facing web applications.
I have to ask...
Since Oracle has a horrible reputation of fixing patches--not to mention the high number of EASY exploits; why are you still using this database, and/or any application requiring Oracle Java?
Fortunately, the two companies I've worked for in the past five years have both pretty much phased all Oracle products out--including Java based web apps. Not to mention, getting rid of applications which embed Oracle into their products. Such as Symantec DLP.
We were hoping it would take some time before people figure this out.
Now we have to get good at bypassing home physical security systems again.
Anyone who believes you can simply kick out a fix for something in a few days is ignorant about the process... and a moron for not taking the time to learn a bit more about it.
First off... nearly anytime you increase security--albeit slightly--you impact usability. Therefore, it must be tested by security and users. Many times, it must be tested against a load of different software to ensure it doesn't negatively impact them.
Just like chess, when you move a piece to strengthen your position, you also create a weakness because you're no longer defending areas where you once were.
So... the entire operation, usability, security, etc. must be checked, attacked, worked with etc. Sometimes, it isn't fixed during the first iteration, so it must be done over.
This does take some time. If you think you can do better, and teach people something they don't know... then by all means, step up and jump froggy jump! It's easy to be a beotch and complain about something, when you're a moron.
Sometimes it's better to keep your mouth shut and let people think you're an idiot, than to open it up and remove all doubt.
Where have you been?
This isn't a new technique. We've been using it for a while.
Keep politics out
I don't care which side you belong to. I don't want to see any political activities at a Info Sec conference. I even hate the morons on both sides, who want to interject it on this site.
They only display how hateful and small minded they are; most only repeat what they've heard, and not what they objectively know from doing their own work. If they did, they'd see both sides are moronic liars, who only say things to get your vote and do their best to trash anyone who opposes them.
So.. it's the same ole crap from both sides. Use your brain power for something else, and keep the political thoughts away from security sites and conferences.
This has been known by most of the major countries in the world since at least the mid 80s. It's one of the reason there is shielded conduit and tempest solutions, even when the transmission is encrypted.
If 18 or 22 years of age is too young to be held responsible for poor decisions, then we really need to raise the age for voting, drinking, driving, flying aircraft, etc. They weren't 12 to 14, so young my azz.
Sure it wasn't violent... which is why you give them 1 or 2 years instead of 5-20 years.
If they stole money from you, and you weren't able to feed your kids or make rent... you might think a bit differently. A lot of people live paycheck to paycheck. Losing 500 euros can really hit a family hard and cause undo stress... for a lot longer than 240 hours.
I think the judges have loss touch with what it is like for the majority of people. Those who don't make 300K plus euros per year.
Apparently, you think JLR should monitor all their vehicles and some how know when they are sold off?
Of course not. But you do have to think of the process... and bump it up against a few things.
It's the typical security see-saw balance of usability versus security.
Make it too easy, then a auto thief can easily make changes so you can't track the car.
Make it too hard, then the owner gets upset.
Like any new technology where security is involved, it takes a bit for a good balance to be struck. So in the mean time, don't get too pissy about the situation. Instead, work to find a balanced solution. This is what security professionals are supposed to do.
Re: Oh, we "customers" or "products" always pay
Apparently you don't understand economics.
If a company is fined and you believe they are going to raise prices because of this... then go elsewhere. Typically though, companies don't raise their prices; stockholders end up taking the biggest hit. Some may go into not paying raises/bonuses to employees. This is why fines can be successful in ending bad behavior.
Where the money goes? ...this depends. Typically there is some sort of general fund it goes into and then those in charge figure out what to do with this. Sometimes the money here goes for good things, like new bridges or other infrastructure projects. Like in Germany, it will likely pay for a pipeline to Russia.
The USA doesn't like the government interfering in business policy. You know, this whole freedom and liberty idea. The only real exception is health and welfare of the public/customers.
When it comes to this case, most people in the USA think it's moronic, and just a way for a government to screw over a company and the company's work force. In other words, a way to make politicians rich at the expense of employee raises and benefits.
Are people in Europe so stupid they wouldn't know how to download and install another browser; or another application and not use what is already installed? Of course not. Further, Android doesn't prevent the user from doing this. Can you imagine purchasing a new phone and there is not browser at all on it? C'mon. Do you really expect them to just install a competitor application? ...or some plain label and insecure browser? Common sense needs to be used.
Try doing this away from SFO
One of these days, they are going to start doing things away from the bay area.
San Fran has become a crap hole lately, especially in the downtown area. I wouldn't attend a conference there again if they paid for the entire trip.
I'd rather deal with the crowd in Las Vegas or traffic in Chicago than to put up with the smell and sights of downtown San Francisco.
Raise your hand...
If anyone is shocked Oracle had this problem.
...take the walk of shame if you're still using Oracle products. This includes the whacky Symantec products (Like DLP) which build it into the application.