35 posts • joined 22 Dec 2007
Re: Thank goodness we've got the cloud sorted out here in the UK
"Some concerns are removed, some new ones are added but most still remain, albeit slightly changed."
Spot on. And now we are trying to figure out how to manage these concerns through contract management processes instead of through technical controls and we real beginners in this space.
Yes, they are there
And already serving malware...the anti-malware software I use started warning me it had blocked content shortly after the ads first appeared.
Maybe our Senate should read the US Senate 14 May 2014 report "Online Advertising and Hidden Hazards to Consumer Security and Data Privacy"
So they can use the headlines of course.
"the Learning Centre's WLAN and satellite WAN are both slow"
Latency will be the killer for the satellite WAN and some of this may be reflected in the local WLAN performance if 'local' requests are making it out local environment. DNS would be one candidate I guess.
So start by understanding what traffic is going through the satellite gateway, no need to sniff the traffic yet, just get connection logs if possible from the device itself, this should give you a good idea of what is going on with just src/dest ip and ports.
How you do this will depend on the capabilities of the gateway, best case is very careful use of remote administration access or using the VNC capabilities to get internal administration access otherwise you are facing big time latency - two day round-trip.
Of course, the urethra squared law.
Surely the rate at which a comet passes water is more properly measured in terms of the concepts expressed in this El Reg piece:
So instead of 'Olympic Swimming Pools' maybe 'Cats urinating per minute'?
Re: Reaching out
I always thought that was misspelt and the 'a' should have been a 't'....
"I got used to programming save/restore points throughout large runs."
I got used to bribes :-D
I wonder what was more effective? I also had to read several boxes (2000 per box I think) of cards in on the high speed card mangler regularly so being on good terms with the operators when working out which bits of compacted card had been read and which ones you had to try and resurrect via duplication was important.
The human element has really gone out of modern computing :-D
Re: Port That Job!
Aaaaahhhh 60-bit registers on the Cybers.
Actually there were two sets of registers - A and X - which were 18 and 60 bits respectively (there may have been B as well which were also 18 bits, in fact I'm pretty sure of it). X for data and A for address...and there were 8 each of them. from memory A0 was just a dumb register, A1-A5 were paired with X1-X5 and loading a value into them (A1-A5) fetched that memory location into the corresponding X register. A6 and A7 were the reverse and loading a value into them wrote the contents of X6 or X7 to memory. This resulted in quite a bit of mental gymnastics to make sure that whatever you needed to get back into memory was in one of the two registers at the right time...which is where the use of a couple of (three?) XOR operations to swap values in registers was a lifesaver.
No hardware stack of course :-)
An interesting architecture.
Re: I'm a museum piece, myself
The Cyber series were rather fun, there was a mean Startrek game on them (or at least the ones I got to play with) and an animated Snoopy that alternated between the circular main console displays. Inside they were a birds-nest of wires.
Because they did.
Re: Cockroach anecdote
Google "willy cockroach".
Writers seem to be fascinated by the idea.
Re: Cockroaches aren't poisonous, right?
Well that's only one per 14,476 square kms - they do need a lot of space.
If you read the OSVDB blog post.....
McAfee made 2,219 requests over about 3 days. This is from their web logs. Using Fiddler it looks like a single search request on vulnerability Id would produce 1 entry in the osvdb.org web logs so assume that represents the number of vulnerabilities that were looked up over 3 days...that's 2% of the database of 105,316 vulnerabilities.
I would say that that is probably automated so would breach these terms:
4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.
But it doesn't look like an attempt to grab the database.
McSlurp or McBeatUp with sour grapes as a side?
Re: Data quality?
Possibly....but a real vulnerability reported in 1902 would be worth searching the database for...but the only way of finding it seems to be starting at 1, then 2, then.... A vulnerability discovered in the Dalton Adding Machine would rewrite computer security history!
From the OSVDB home page:
The project currently covers 105,316 vulnerabilities, spanning 123,155 products from 4,735 researchers, over 112 years.
The vulnerability with Id of 1 is dated 1998-12-25, presumably the 112 years comes from the date of another vulnerability...any idea which one?
Re: Where would we be if....
Maybe you should read some more:
Apple licensed the mouse.
Where would we be if....
Xerox PARC patented stuff?
Or maybe they did and just let it slide.
The problem with the free food angle...
Is that there is probably a far better way of addressing the problem.
Two slices of bread with a bit of egg squashed between them will retail for between 1.50 and 2.00 quid/euros according to a bit of google.
A loaf of bread, a dozen eggs, and thou beside me in the wilderness to get the punters to stop should double the value in a morning....by the end of the week you have started a franchise and world poverty is something you are talking to Gates and Bono about.
Re: Try harder!
I've had nettles served as a component of a soup in an expensive noshery, I've actually picked the nettles used. It's not a 'Wow' experience, more novelty, but not at all unpleasant.
Fruit from trees on private land were fair game when I was a young lad...the practice was called 'scrumping'.
Shellfish are a great resource if you have access to someone who actually knows what isn't going to kill you. Collecting them helps pass the time between snacks as well.
Mushrooms were a part of my diet in the 50's and 60's, collected on the vast grass expanses of airfields.
Re: The rotters at work
I'm not sure what the price of beer in the UK is anymore but I imagine that 5 quid for a pint of really good beer would not be unheard of.
Now make it last a week.
Have a look at this:
And check out Jack Monroe in the Guardian.
You can also look for road kill while collecting the wood and maybe throw bits of wood at the wild life - something that used to be quite effective once upon a time here in the realm of Vulture South :-)
There are a lot of comments here...
...so this may have been covered already. Apologies if it has.
Some poor guy is now being pilloried as being responsible for this because he 'commited' it. The real culprit is the QA process that lead up to that commit. Name them.
Ethical Hacking <> Any Idea of Governance
They may be certified to hack you but they have no $%$^ idea how to protect you.
Cloud comes with a whole range of risks that are very difficult to address. They obviously did not employ their own 'skills' on their own Cloud provider.
Or maybe they did...which gives you a lot of confidence in their 'certified' graduates.
Re: What about financial security/
MegaUpload - Kim DotCom - if I have the references correct.
You should have no confidence it it is 'freemium' and limited confidence otherwise. They can be located anywhere and you probably don't have the $$$$'s to chase them if they decide to dump you.
@boltar Re: Oh the security....
The resources required are in this case related to the effort dedicated to governance. This doesn't really correlate with the complexity of individual systems but will be correlated with the complexity of the systems run across the organisation and the impact of a compromise of those systems.
Looking at it from a different perspective, Email may be (relatively) simple (ever configured sendmail?) but the contents of email will be very sensitive. This warrants a high level of governance.
So the simplicity of the technology is trumped by the sensitivity of the information it maintains.
@Mike Pellat Re: Oh the security....
It comes down to whos contract is being executed. If it is the service providers then what you say is very true. If, on the other hand, it is your contract in your jurisdiction then you may have a leg to stand on. But if it is a big provider you are probably signing their contract.
Oh the security....
"Some mission-critical enterprise apps will not lend themselves to cloudification and security concerns for some will trump cost considerations. But why would you not use cloud versions of software such as CRM, email, billing and office apps?"
This is all from a very jaundiced security perspective, and it is only scratching the surface.
A good starting point is probably ISO27K certification to verify that the controls are documented and then SOC1 and SOC2 certification to verify that the controls are being operated effectively. Map this to a not uncommon scenario where the 'service provider' you are dealing with is using compute infrastructure from a second party who is, in turn, using physical facilities from a third party. The physical guys may have heard about SOC1 and may well have ongoing certification because it's good for business, the layer up may have heard of ISO27K and are likely to be getting certification 'any time now' but a SOC2 will bring a wrinkle to their brow. The organisation that your business wants to deal with is looking at you blankly on all fronts.
Stop that or you will go blind.
Are you getting on top of your network/system/application/user/admin/.... monitoring? Have a SIEM and starting to get some value out of it? Factored that into your Cloud solution? So you have events arriving via syslog or you are polling using WMI to get a view of your assets that is comparable to that which you get with on-premise solutions? Dream on.
Dependence on exposed services.
Calling web services or doing other fancy stuff with DNS resolution on public DNS servers? Are you factoring in the risk of these services being compromised? The more entangled you get from an infrastructure perspective with your cloud service provider the greater the likelihood that you will have to start looking at these issues.
Disgruntled employees. Is it a concern for you within your organisation, how do you deal with them? How do all the potential organisations in your supply chain deal with them (see Due Dilligence).
There are some interesting challenges here. Is the cloud provider signing a contract with you are are you signing a contract with them, if the latter then you are going to have very little control. The whole due dilligence here will also be way beyond your procurement folk and concepts like data sovereignty are going to take a lot of explaining. If you are also moving into an environment where date breaches can attract serious penalties (like here in the land of Vulture South) then you have to try and factor that into the contractual arrangements.
So you have a contract. Fabulous. Has anyone seriously seen all the clauses in the contract managed and enforced? Have you estimated how much effort that will take given that you have lost visibility of a lot of things that are important?
"CRM, email, billing and office apps". These are all probably significant if you have data breach legislation.
Is it really worth the effort?
Since June last year
I have seen GET /HNAP1/ HTTP/1.1 requests dropped at my (personal) edge servers. It ramped up in December last year.
So it has been known for quite a while?
Do you ever really know what you are buying?
I found out about the embedded Computrace application late last year. I checked up on one vendor and found that they didn't hide the fact that this was part of their package, they just didn't broadcast it.
Haven't read the small print, but this should be in the large print on any product that you are purchasing. It falls right into the sort of embedded capability that the Snowden leaks revealed and really begs the question as to who is funding this.
Would be really interesting to see an analysis of what it can potentially do.
Your slip is showing...
Well your age anyway :-)
No progress then....
The German magazine c'T demonstrated the same thing in 2002 (an English translation of the report is not hard to find with Google).
Money, Money, Money!
The price of software is based on what the market will bear. Different segments of the market will bear different prices - e.g. consumer -v- corporate - and have different buying patterns - eg. single unit -v- volume.
Problem: How to extract maximum revenue across the entire market?
Answer: Pitch different 'versions' with different prices at each identified segment of the market with careful feature selection to minimise uptake of lower priced versions in segments targeted for higher priced versions.
"... the most CISC ever..."
Actually the VAXen were microprogrammed beasts and at the core you had a RISC processor. You could, at one time, buy some software from DEC to roll your own microcode. So instead of having all these macros in RISC assembler to perform common operations they just appeared as part of the micro-coded instruction set.
Are they fit for any purpose?
A sequence diagram usually only represents one path, out of many, through a use case. They don't handle exceptions very well and they don't handle message content particularly well.
All of this is evident in the examples given.
Why not use BPMN - Activity diagrams ++ - instead?
- Crawling from the Wreckage Want a more fuel efficient car? Then redesign it – here's how
- Apple SILENCES Bose, YANKS headphones from stores
- Flesh-flapping, image-zapping app Snapchat NOW ad-wrapped
- Vid NASA eyeballs SOLAR HEAT BOMBS, MINI-TORNADOES and NANOFLARES on Sun
- TV Review Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots