Re: Holy shit!
A free bar of soap
That's for a silver badge. For gold you get soap on a rope.
2583 publicly visible posts • joined 31 May 2011
The individual *users* should however also have a specific key so that they are also authenticated with respect to the backend.
Well, yes, but as the researchers point out, the users are pretty much at the mercy of the developers in this respect, and the developers are only putting in enough effort to get the app talking to the back end. At no point in these flawed apps would I expect the people using the apps to have an opportunity to set up their own keys. To go into a little more detail, the article states:
By default, most BaaS solutions require an application only to authenticate using an ID that uniquely identifies the app, and a so-called "secret" key, used to indicate that the app uses the ID legitimately. These credentials, however, neither authenticate a device nor a user. They merely authenticate the app as such and are therefore shared between all installations of this app.
So it looks as though it is not only the devs basing their apps on the BaaS solutions that fail to practice good security, but those that offer the BaaS solutions as well. And so the dominoes fall.
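As an added illustration of the quoted paragraph (example code written for this page, not code from the researchers or from any real BaaS provider; the app ID, the shared "secret", the server key and the record store are all constructed), here is a toy back end in two flavours. The first authenticates only the app, so any installation holding the shared secret can read any user's record. The second additionally requires a per-user token issued by the server, so a request is scoped to the user it was issued for:

```python
import hmac
import hashlib

# Constructed sample back-end state (not any real BaaS solution).
APP_ID = "demo-app"
APP_SECRET = "shared-app-secret"   # embedded in every installation of the app

# Constructed per-user data the back end stores on behalf of the app.
USER_RECORDS = {"alice": {"balance": 10}, "bob": {"balance": 20}}

# Constructed server-side key; never shipped inside the app.
SERVER_KEY = b"server-side-key"


def issue_user_token(user):
    """Server mints a token bound to one user (e.g. after a login step)."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def authenticate_app(app_id, app_secret):
    """App-level check only: every installation presents the same pair."""
    return app_id == APP_ID and hmac.compare_digest(app_secret, APP_SECRET)


def fetch_record_app_only(app_id, app_secret, user):
    """The flawed model: the shared app credentials are all that is checked,
    so the caller may name any user and get that user's record."""
    if not authenticate_app(app_id, app_secret):
        return None
    return USER_RECORDS.get(user)


def fetch_record_app_and_user(app_id, app_secret, user, user_token):
    """App credentials plus a token bound to the requested user: a token
    issued for alice cannot be used to read bob's record."""
    if not authenticate_app(app_id, app_secret):
        return None
    if not hmac.compare_digest(user_token, issue_user_token(user)):
        return None
    return USER_RECORDS.get(user)


if __name__ == "__main__":
    alice_token = issue_user_token("alice")
    print("app-only, asking for bob:", fetch_record_app_only(APP_ID, APP_SECRET, "bob"))
    print("app+user, alice token for bob:",
          fetch_record_app_and_user(APP_ID, APP_SECRET, "bob", alice_token))
```

The second function is what "the individual users should also have a specific key" amounts to in practice: the app still identifies itself, but authorisation rests on a credential the back end issued to one user, not on a secret every copy of the app carries.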
From the linked OIG report, "Among other hiring challenges the audit identified were that the FBI’s background investigations are more onerous than those used by many private sector employers, and it was difficult to retain top talent because private sector entities often pay higher salaries."
This totally misses the point. It's not that the private sector pays more, it's that by working as a government contractor, one can make more money doing the exact same job for the exact same people. One of the basic ideas with shifting the US government to a contractor-based model was to allow more flexibility in responding to change. Sure, it can cost more, but the government people should not be handling the technical work in such a model. Instead, they should be providing the leadership and oversight and contractors should be doing the actual work.
For example, a Computer Forensic Examiner's pay grade goes from a GS7 to a GS12 which has the person starting at $33979 and topping out at $78355 (link). Considering that many of these positions will be in the Washington, DC area, there will also be a cost-of-living adjustment along with that. Still, someone doing the same work as a contractor can make enough from the start to compete with the high end of the GS scale and expect to have plenty of opportunities for growth while at the same time enjoying the job security that only an extreme shortage in one's field can bring about.
The FBI needs to cut those positions as government slots and contract them out in order to actually be able to fill them (as in actually getting the job done). The only way I can see that these positions will be filled by government employees is to train existing employees after getting them to sign an agreement that they will continue to work for the FBI for a period of several years. This will be a partial solution, at best, leading to a longer time before employees move to contracting, but not slowing the overall rate of attrition.
Many government systems require smart card login which I believe would at least complicate this hack, assuming drive encryption. This can be expensive to implement, but as the main target of this sort of attack are likely to be corporate assets, it would probably be within reach to implement.
...why not just find a sadist who'll gouge out your eyes with hot spoons for free?
Because with the sadist option, it probably could be traced back to you when you send it toward your victim of choice, but combining that font with an anonymous email... yeah, that could do some untraceable damage.
They definitely broke some rules but are not YET implicated in giving the information to the government prosecution without warrants.
I would be fascinated to know what kind of warrant would authorize the government or, anyone else for that matter, to wiretap a conversation between an inmate and his or her attorney.
I think that "probable cause" and a warrant for phone records needs to be established...
Perhaps a better way to deal with surveillance and information gathering of all sorts is to require a warrant no matter what. We will still have warrants rubber stamped, but there should be no possible case of the judiciary or other oversight bodies not being aware of what is going on unless a law is broken. It is a simplistic and perhaps absurd approach, but it certainly removes ambiguity.
Our spies have counter spies,
Behind their backs: espy 'em
And their spies have anti-spies,
who in turn decry 'em.
But the master spies, themselves, it seems
Have fewer rules to go on;
While higher up have fewer still,
And higher still, and so on.
Their civil overlords to placate,
The spooks will prevaricate.
And the public so is served
In a matter most undeserved;
All the while Spies Black, Gray and White
Covertly scheme us all to spite.
Perhaps the best way to go is to register with different information at every site for which we are forced to enter our personal details and to set up several electronic accounts that we only transfer money to via several intermediate hops just as we are ready to spend it. Figure out a way to automate this process without also causing red flags to fly for our government overlords and you should be well paid via very secure and untraceable means.
Makes me wonder when paranoia turns out to be the best option.
OK, at the high end, we have Bill Gates and Warren Buffett while at the entry level, we have computer science and engineering vs everything else. Based on that, at least, it looks like STEM areas are a reasonable investment if you want to encourage people to be productive and make pretty good salaries.
Pigs on the wing?
Yes, the DSM-V eliminated Asperger's Disorder and a number of other diagnoses and replaced them with autism spectrum disorders. This has caused concern for a lot of people as it can complicate their lives - patients had one diagnosis that now no longer exists in a clinical setting. On the plus side, the change was at least in part because of better models for cause and treatment of these disorders than were previously available.
An application whitelisting technology might be considered unsuitable if, for instance, it had to be disabled in order to install security updates for the operating system or particular applications.
If set up properly, it should in fact block whatever does not fit a predefined pattern of behavior (including information about the installing user ID, source of install files, target of the install, temp directory used, et cetera). Unfortunately, the people who put together patches have a habit of changing many things a signature may be based upon from version to version, which causes the whitelisted app's update to fail. This can be avoided by implementation of proper dev and test environments and verifying each new application and patch in them. Unfortunately, the need for setting up said environments in shops that do not have them prior to implementing whitelisting typically will lead to less than desirable outcomes.
Also, there will always be one-off applications in any organization. Rather than set up rules for all aspects of these, it is typically acceptable to turn off blocking, run the installation, turn logging on to make sure the app can run and then go back to blocking as normal*. This is in contrast to enterprise standard applications that should have rules created for both installation and patching.
* Based on experience with McAfee's HIPS.
So 4 out of 5 allegations were true?
[ Sorry, my sense of humour is not working very well today. :-/ ]
Well, if not written at least sarcastically, I have to say that your statistics ability is offline as well. A more complete statement might be that for every 3,000,000 teachers, on average 600,000 are falsely accused of inappropriate acts by a student, while around 2,500 are justifiably accused and an indeterminate but significant number are not accused at all even though they should be.
Typical Windows application installation: Prompt, prompt, prompt, prompt, prompt, and then a final prompt called 'Finish', which may itself churn for ages. Possibly reboot required as well.
Perhaps, for home users. Most installers have command line switches that you may not have bothered to use. Not so much for enterprise environments. There, everything should be done in the background. At the very most, a notice that some new feature is being set up on some user's machine on an ad hoc basis because of licensing issues is acceptable.
As far as running files from the temp directory is concerned, it is typical of malware to do so, therefore it should be blocked. It is that simple. Likewise, restricting admin accounts' access to the internet and to email is useful because those are more properly things that a regular user account should do. Too, if Mozilla's install process under Windows is an issue, then Google's is even more so. The Chrome browser does not require admin rights to install and does so using fairly non-standard methods and locations. Regardless of the quality (or lack thereof) of the software, doing that sort of thing just makes life difficult for anyone trying to maintain large numbers of machines.
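To make the rules from the two whitelisting comments above concrete (the pattern-based blocking and the "turn off blocking, keep logging, then go back to blocking" step for one-off installs from the earlier post, and the temp-directory and admin-account rules from this one), here is a small policy evaluator written for this page. It is not McAfee HIPS configuration or any real product's rule format; the temp directories, allow-list hashes, admin account and sample events are all constructed:

```python
from dataclasses import dataclass

# Constructed policy data; paths and hashes are placeholders, not real values.
TEMP_DIRS = ("c:\\users\\alice\\appdata\\local\\temp", "c:\\windows\\temp")
ALLOWED_HASHES = {                      # SHA-256 of approved binaries (placeholders)
    "sha256-placeholder-installer": "corp-standard-installer.msi",
    "sha256-placeholder-word": "word.exe",
}
ADMIN_ACCOUNTS = {"corp\\admin-jdoe"}  # accounts that should never browse or read mail
INTERNET_FACING = {"chrome.exe", "outlook.exe"}


@dataclass
class ExecEvent:
    user: str     # account that launched the process
    path: str     # full path of the executable
    sha256: str   # hash of the executable as seen by the agent


def in_temp_dir(path):
    """True when the executable lives under one of the temp directories."""
    p = path.lower()
    return any(p.startswith(t + "\\") for t in TEMP_DIRS)


def evaluate(event, enforce=True):
    """Return (decision, reason) for one execution event.

    With enforce=False the rules still run and the reason is still recorded,
    but nothing is blocked: this is the 'turn off blocking, run the install,
    check the log' mode for one-off applications."""
    exe = event.path.rsplit("\\", 1)[-1].lower()
    user = event.user.lower()
    if in_temp_dir(event.path):
        verdict, reason = "block", "launch from temp directory"
    elif user in ADMIN_ACCOUNTS and exe in INTERNET_FACING:
        verdict, reason = "block", "admin account using internet/email client"
    elif event.sha256 in ALLOWED_HASHES:
        verdict, reason = "allow", "hash on allow list (%s)" % ALLOWED_HASHES[event.sha256]
    else:
        verdict, reason = "block", "not on allow list"
    if verdict == "block" and not enforce:
        return "allow-logged", reason
    return verdict, reason


def run(events, enforce=True):
    """Evaluate a batch of events; returns one (path, decision, reason) per event."""
    return [(e.path,) + evaluate(e, enforce) for e in events]


# Constructed sample events.
SAMPLE_EVENTS = [
    ExecEvent("CORP\\alice", "C:\\Program Files\\Microsoft Office\\word.exe", "sha256-placeholder-word"),
    ExecEvent("CORP\\alice", "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_tmp.exe", "sha256-unknown-1"),
    ExecEvent("CORP\\admin-jdoe", "C:\\Program Files\\Google\\Chrome\\chrome.exe", "sha256-unknown-2"),
    ExecEvent("CORP\\alice", "C:\\Installers\\oneoff-setup.exe", "sha256-unknown-3"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print("enforce: ", row)
    for row in run(SAMPLE_EVENTS, enforce=False):
        print("audit:   ", row)
```

The ordering matters: the temp-directory and admin-account rules come before the allow-list lookup, so a hash that happens to be approved still cannot run from temp, and the audit mode only downgrades blocks to logged allows rather than skipping the evaluation, which is what lets you read the log afterwards and write the permanent rule for the one-off application.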
The joke used to be, "What does 'XP' stand for?" The answer, of course, is "eXtremely Painful." That aside, users have had plenty of time to learn the interface and how to do whatever needs doing. As the author mentions, the new version "didn't ask anyone to radically re-learn what it takes to drive a computer." That matters more than anything else to consumers. Having to spend weeks or months of frustration while they have to relearn how to do things they had already learned years ago is a sure way to cause slow uptake. I argue that if MS should learn anything from the Linux community it is that the GUI should not be married to the OS. If they would allow their customers to easily maintain their desktops across versions, there would be a dramatic shift in acceptance of Windows 10 and beyond.
Yeah, the bit in the review about "The Zygon Invasion is Doctor Who does Homeland," made me wonder about the Zygon graffiti. Does any of it say "Doctor Who is watermelon?"
I know the article stated that Volvo had already set this up to dodge moose and reindeer, but how about white tails? Those things are lethal!
Boffins have debated whether Voyager 1 has left the Solar System for a few years now...
This is what happens when you move the solar system limits from Pluto to some other locale: it just confuses everyone! Actually, I was not able to easily find a definition as to what the solar system is, much less what its boundaries are, on the IAU's web site (they really have a crappy web site, especially when it comes to search functions). As far as I can tell, they have defined what a planet in the solar system is without defining what constitutes the solar system itself.
Space-based weapon systems: weapons of mass destruction are specifically forbidden by international treaty.
It is within the bounds of the Outer Space Treaty to develop space-based platforms using conventional weapons, which would presumably allow a country to place a large mass in orbit and simply nudge it down onto the heads of whomever that country happened to be having an argument with at the time. I would prefer that this loophole be closed as I would not want the chance of falling rocks to be included in my local weather report, but it seems to be on the table.
My experience is that one of the biggest factors in the lack of uptake of DLP has been that it would block access to personal email, social media and similar web sites at work. A potential spy might not be able to burn a CD or plug in a thumb drive to copy all of a victim's data, but being able to upload it to the cloud works just fine. Any hole in the protection that DLP offers makes the entire effort useless.
@James Micallef, What you seem to be alluding to in your comparisons between countries would still seem to come down to cultural differences in attitudes toward guns, their possession and their uses. I think that this goes to the root of the issue of not just gun violence but violent crime in general. I consider @DavCrav's earlier comment concerning the way the UK counts violent crime in contrast to the US as a reasonable example of cultural differences in this regard.
"Gun advocates say that high gun ownership promotes deterrence, that no-one is willing to commit a gun crime because anyone else might pull a gun on them." At least in the US, this does not seem to hold water. Nor does the counter that making access to guns will decrease their use in crime. I realize these statements really upset a lot of people, but given the available information it is clear that neither approach has proven useful other than for fear mongering among our politicians.
Perhaps you are correct concerning a more nuanced approach to what is appropriate in terms of pistols versus hunting weapons. It certainly seems logical that hand guns are more apt to be used in crime than more traditional hunting weapons (long rifles, shotguns) and should be approached differently by legislators, but I would like to see some evidence that such an approach will be effective before having to listen to both sides talk past each other yet again. What does seem clear is that changing people's attitudes concerning gun ownership in the US is both a necessary and extremely difficult task for which there is remarkably little political will given that it is now used by both our major parties to get out the vote.
So you're saying that ready access to firearms has no connection to firearms related crime.
What I am saying is that there is no correlation in the US between successfully restricting gun ownership and reducing either violent crime or violent crime involving guns. I am not stating a belief - here is a summary of the relationships between gun ownership, etc, in the US that I referred to previously: link. I am also saying I believe that focusing on violent crime involving guns as opposed to all violent crime will not alter the overall number of deaths by violent means even though the number of people killed by guns may go down.
My example of community service vs incarceration is just an example of a difference between cultures, not a complete cure to the world's problems. Don't be daft! It may or may not have some bearing on the subject, but I understand there is evidence that imprisoning juveniles leads to much worse outcomes than alternatives such as community service and we have a very high rate of imprisonment in this country. More to the point, the UK's collective approach to a lot of things is different from that of the US and it might be worth drawing from the experiences of those from outside our country in dealing with these issues.
"The simple fact is that having less guns lying around would certainly solve the issue."
The issue of violent crime, guns or no, will most certainly not be solved simply by removing guns. There is a much higher incidence of violent crimes in this country that does not involve guns than does, though the proportion that does is pretty much the same across the board. You might solve the issue of accidental death or injury caused by guns, but not those issues caused by intentional acts. At least on the face of it, guns seem to be a means to an ends. Getting rid of this particular means will not alter the desire to get to the horrible ends, nor the ability of people to achieve said ends. And yes, I agree with you concerning the likelihood of removing guns from the equation altogether, though I disagree with you concerning the results should that unlikely goal be achieved. Simply put, the current data does not support your statement. The cause of violent crime is not the presence or absence of guns. Failing to identify and address that root cause will see guns banned, politicians claiming victory over gun violence, and the same numbers of people killed or injured in violent crime.
Be glad - it's also why we don't have high levels of gun crime, lots of children shooting each other and daily mass murders...
BS! Anti-gun laws here in the US are successful in depressing levels of gun ownership but not in lowering relative incidence of their use in crime (or violent crime, for that matter). For example, Washington, DC has both some of the toughest gun laws and highest rates of violent crime. Again, there does not seem to be a correlation between gun ownership levels and gun crime levels in the US. There also does not seem to be much correlation between relative levels of prosperity and violent crime. About the only simple correlation I could find among those typically cited by people "debating" this issue is between violent crime (with or without guns involved) and population density, but it is a weak relationship at best.*
If it is not a factor that fits someone's political agenda, it tends not to be considered in public forums. What actually seems to be going on is something more complex than a simple good/bad dichotomy. It probably has more to do with the cultures within the various jurisdictions. Rather than trying to address the issue as a matter of access because doing so demonstrably doesn't work (e.g. drugs, guns, anything having to do with a teenager), I would think that identifying and addressing the root causes of violent crime might be a little more to the point. So, if we were to borrow something from the UK, perhaps it ought to be having low-level offenders do community service in preference to incarceration.
Back to you, AC, the reason you don't have "high levels of gun crime, lots of children shooting each other and daily mass murders" is most likely not that you aren't allowed access to firearms. It is that you come from a different set of values, attitudes and circumstances.
* Sources: A quick search through Wikipedia and whatever government stats sites that Google searches returned. Look it up yourself - it might prove educational.
Good questions. PSI actually will throw pop-ups from its tray icon when things are changed or require updates. PSI can be configured to allow users to handle updates, though most accept the default of running automatically. Just the same, PSI cannot automate everything and automatic updates sometimes fail. This applies especially to anything handled by Windows Update for which PSI simply redirects you to Microsoft's update service. Finally, you may have noticed the article mentioned that some versions were no longer supported and fell into a different category altogether (presumably including Windows XP), so there is an entire class of issues that cannot be addressed by the software.
Most of the linked article's recommendations address things that already have mandated solutions but that are not uniformly implemented. Simply centralizing control or coming out with redundant orders will not improve the current situation but will shift where many of the issues are. Of note is that the authors of the linked paper are both captains and are very careful to avoid anything critical of leadership and instead point to their not having enough information rather than acknowledging there are plenty of feeds for patching levels that are simply ignored or not acted upon. Interesting, too, is that there is no mention of DISA. They hit the nail on the head, though, when addressing issues of adopting and implementing new ideas.
"Administrators often forego patching and updating these systems because they are non-redundant; the systems are a single point of failure within a specialized function." This is brought up as an issue but not addressed. Also related and not addressed are the in-house-developed systems that patching will break. A big source of push-back when it comes to patching is that systems are built to spec, but there are not enough resources to maintain them when the operating environment changes through the upgrade or patching of their operating systems (I'm looking at you, .NET and Java). Having an Army-wide enterprise SCCM solution will mean that patches will be deployed no matter what, but that a lot of mission critical systems will break and there will not be resources to bring them back. Enterprise solutions will lead to lower cost of implementation and greater homogeneity, but will not necessarily provide increased quality of service.
Zog, I am a bit torn on your post. Thanks for the link to Ben Goldacre's site. It is definitely worth a visit. The points you allude to concerning issues with a blanket announcement concerning processed meats are well taken, too, but you seem to have missed the point on smoking studies and have fallen for the tobacco company line concerning cause.
The reason it is so difficult to assign causality to smoking's relationship with cancer in humans is because it is typically unethical to set up blind studies concerning smoking using human subjects. So tobacco producers continued to push back every time a new study was done ("It's just a correlation. It was an animal study and doesn't properly relate to humans." and so on...) while simultaneously suppressing any evidence that may have impacted their bottom line - the opposite of ethical. I remember from stats class in college that the only way to prove cause and effect through correlational data is to also demonstrate that there was no other possible cause for the outcome and that this is almost impossible to do using observational data. Perhaps a better way of putting it is that smoking has not been proven to cause lung cancer in humans though there is very good reason to believe that it does, rather than simply stating that it does not cause it. I have often pondered what the world would be like if tobacco companies had to prove that tobacco use does not cause cancer.
But you may puff away until you are ninety and die of something else, cancer free.
So essentially you are saying that just because something doesn't kill you outright and something else might get you first, there is no causality? I apologize if I am putting words in your mouth, but the analogy that comes to mind is that of playing slots in a casino: the only way to not lose everything is to cash out early or simply not play.
As an aside, I realized the eventual source of my demise would come in the form of smoked foods when I heard they were found to have a link to cancer.
VDI with Windows VMs seems to be the flavor of the day for at least two branches that I am aware of. Linux desktops, not so much. Macs? I know of one pilot program that went nowhere. My guess is that over time, we should expect mostly laptops for PC purchases and those only for management and essential personnel on a regular basis with a pool of loaner machines that can be checked out for people on travel.
I got a Nexus 6 as my newest phone and like it just fine. I looked up the spec on the 6P when I first saw ads for it and realized pretty quickly that it is a new release in the same line and not an upgrade (much as the model number would suggest). The 6P has some features the 6 does not and vice versa, but neither is clearly better than the other. As far as I can see, the choice will come down to which feature set works best for the prospective customer. Providing more choices in the same line of phones seems like a good idea from Google's point of view as they might be able to attract people for whom the 6 would not have been as desirable without having to do a complete product redesign.
Make absinthe using sweet wormwood and malaria will be a thing of the past. It might not cure malaria, but odds are good it would help prevent the spread and would have better uptake than sweet wormwood tea.
As a designer, if the cost of the components required for internet connection is low enough, why not build them into your latest mouse trap?
1) Because form should follow function, 2) if it introduces more problems than it solves, then it cannot be justified and should not be tolerated, and 3) because it is inelegant.
Their security is incredibly important to Uber and we will follow up with them directly.
It took me a moment to stop laughing about Uber's statement. They seem to have a "better to ask forgiveness than permission" approach to everything... with their customers, with regulators and now with their drivers. I wonder if the drivers affected by this particular issue are among those who are having to pay Uber more.
Yes, good points. Another issue with replacing software with the next new shiny every time there is one is down to having to retrain staff. The new and improved interface foisted on people who have spent the requisite time to learn the previous systems forces them to learn a completely different way of doing the exact same task. Simply rearranging the menus on an existing system will negatively impact productivity and reworking entire systems even more so. Multiply that out across a large organization... sometimes the appropriate response to people spouting the sort of thing the author has is, "Go disrupt yourself."