It's not hard, but...
...it does cost money. Twice the money, in fact, plus the design overhead.
1111 posts • joined 19 Aug 2008
Pun for my baby
And pun more for the road
(I'm so very, very sorry)
Allow me a shout out to the superb "The Life Scientific", presented by Jim Al-Khalili. Well worth seeking out on ListenAgain if you're overseas, have an interest in science and didn't know the programme existed.
Apart from the lack of a realistic mechanism that could "break up" any planet, let alone a large one, I've got one word for you: gravity. If you split the earth into, say, 500 equally sized lumps, they'd remain clumped together, hence you'd see a standard planetary transit light curve.
You're home by 18:00 and don't do out of hours reading? How do you keep up with threat intel, new vulns, new tools, changes in management frameworks, etc etc?
I do wonder whether any studies have ever been done to see whether mega bucks executives are worth the money compared to cheaper ones. I suspect not for obvious reasons.
Like these, the first three hits for "Harvard Business review directors remuneration"?
In my experience, having a CSO is a good proxy for being prepared to spend time and money on security. It certainly doesn't guarantee good security practices, but NOT having a CSO is IME usually a sign of an organisation that really doesn't get it.
I've always said that my three biggest allies for getting management to pay attention and then do things are:
1. Demanding customers
2. Demanding regulators
3. Well-resourced, skilled and motivated attackers.
...a timing edge no real trader can afford to buy
Sure you can. Just use the appropriate brokers. If their commissions made trading unaffordable, no-one would be doing it.
Alternative solution: stick orders in a queue for xx minutes before they are processed. Takes any speculation (automated or otherwise) out of the equation.
Merciful heavens... *covers eyes
Dear El Reg Editorial: I suspect there'd be a lot of interest in some interviews with tech people in financial services, especially when it comes to issues where tech and trading rulebooks, regulation etc cross over -- things like HFT -- and there's clearly a lot of misapprehension amongst the readership. How about it?
And it would not be possible if exchanges did not offer a wide range of bizarre trade types that act as the input to a "trading language" that HFTs can use to probe the exchange for who is buying and selling on a large scale without actually committing their own money.
Read this three times and I still don't understand what it means
This issue isn't trades, it's (supposedly) orders.
IDK about equities or other FICC instruments but I believe most forex trading venues have a minimum order size of at least $1m, more often $10m or more.
There is this thing called "price discovery". It's quite important.
Jibber-jabber as a service? WHERE DO I SIGN?!
...we even half-seriously considered releasing the source code ourselves – and when that idea was floated, and we realized there wouldn't be any fallout (other than a lot of code questions!), that's when we truly felt free."
Do I need to make any further comment? No, I don't think so.
Not this again... sigh.
How many people would have died had that money not been spent on their care instead?
Suppose one of them was a relative.
Add up the cost of delaying, IDK, say 10,000 ops a few days. Let's say there's a 1% mortality increase: that's £100m (by UK standard actuarial stats, as I remember it -- may be more nowadays.) Then the cost of, say, two days of overtime by the outsourced SPs and in-house IT, if there still are any. Assuming they get paid overtime -- and I don't know about anyone else, but in 21 years in IT and 11 employers, only one has paid IT or security droids overtime -- but this is the public sector, and they still have unions, so let's make a wild guess and say... 1.5m staff... say... 25,000 IT staff total, only half of whom will be junior enough to be dragged in at the weekend. Let's say they did 10h days over the weekend. 12,500 * 20h @ £40 = £10m. So, grand total: £110m.
On the other hand, three years of Windows licenses ... bulk discounts.. say £50 each * 500,000 machines = £25m. Some fraction of those machines will be too old to run W8 or 10; let's say half need forklift upgrades, at £500 each (including boxdropper pay): 250,000 * £500 = £125m.
So we're already at £150m without factoring in the cost of doing all the OTHER security things apart from "apply patches" (you'll recall there's a bit more to it than that, and if it's worth doing, it's worth doing properly, right?) and I'm certain if I thought about it there are many other costs I've neglected.
Now imagine you're running a hospital trust, on a fixed budget allocated by external forces out of your control. People are lined up on trolleys in the corridors, it's a 6h wait to be seen in A&E for everyone except stroke, heart attack or major trauma cases. Meanwhile you have 300 elderly people clogging wards because you can't discharge them because there's no social care available. Oh and you're short of your budgeted complement of nurses to the tune of 12%, and you're facing annual budget cuts of around 5% for the next five years. How would you feel about the suggestion that they spend £150m+ on replacing computers that, to your eyes, appear to be working just fine, just as they have for the last decade?
And that's more or less what happened: £1Bn was raided from the infrastructure and IT budget to pay for opex -- clinical staff, pharmaceuticals, keeping the lights on,
They've taken a decision that a couple of days without email (or completely down) once a decade is less expensive than hiring the number of sec analysts and managers needed to implement comprehensive best practices (not to mention the disruption and capex overhead caused by, say, forcing 2FA for desktop access.) All I can tell you is that they're rich and I'm not, so who's the smart guy here?
This is why "vulnerability management" is a thing. It's not rocket science, just slow, tedious, and moderately expensive.
It's the most trivial exploit imaginable, just send an empty password hash. Boom, you're ring -2.
The upshot of this is that if you were vulnerable to WannaCrypt last week then you've been owned by the NSA for years.
What utter, utter, bollocks. If you don't know what you're talking about, might I gently suggest avoiding commenting?
...will be interested
....puts forward the idea that each point in space is yo-yoing between expansion and contraction
Am I so very wrong for speculating about what would happen if those pulsations or oscillations could all be synchronised? It'd be the best bang since the big one!
They want the porn ban. They want ubiquitous surveillance. They want end-to-end encryption to be illegal and for all social media sites throughout the world to have to collect, check and store scans and pics of primary issue government photo ID (but only for British cits.)
They want the NHS privatised through the back door with a budget cut by ~5% a year for the next five years, they want 100,000 missing nurses, they want a 35% fall in export earnings, and above all they want the bloody immigrants (by which they mean black people) sent home.
They must want all these things, because they're about to vote for them in record numbers. They certainly don't want human rights, privacy, a penny on income tax to fund the NHS or dope legalisation.
Sorry, but I've reached the stage that only bitterness and cynicism keep me sane.
Send them where? Crapita, Fujitsu, Cap Gemini?
That's more or less how it's always been since 1947.
Bollocks. Sorry, but it is.
...is it always Friday?
And when will they let us work Wednesday to Sunday so we can rely on having a couple of days a week off?
Currently still sat at my desk when I was hoping to be away 30 mins ago (17:00), waiting to hear we're definitely OK...
Photo ID? What what what? They send someone round to check your face matches the picture you submit??
...parties can fall back on the DPA as GDPR will grant similar rights to organisations to store an individual’s data but not to process it any further.
In other words, "none at all", per the Fifth Principle?
There are far too many to keep track of.
I worked at a spam filtering place a while back; newsletter "spam" was a major problem, because our customers' end users would frequently report newsletters that they'd actually signed up to as spam. For obvious reasons the newsletter purveyors would be unimpressed to be blacklisted, whether by a single service provider or by lots of RBLs.
A solution was eventually decided on, but it's filed in the same place as the solution to the problem of the Lintilla clones.
...aaaaand the Deputy AG has threatened to resign unless the WH stops blaming him for it.
You were saying?
If it's partisan bullshit, why are former IC heads and GOP elders like Lindsay Graham and McCain saying it stinks to high heaven and calling for an independent prosecutor to be appointed immediately?
Fire isn't here yet, but it's in the post, I assure you.
Trump fired Comey, but read the BBC article about why: It wasn't Trump deciding to do so as much as agreeing to do so.
And if YOU read it again, you'll notice that that's the White House's version of events. I'd advise against taking what they say on trust as being self-evidently 100% accurate and truthful.
Comey submitted a request for increased resources for the Russia investigation last week to the same Deputy AG who supposedly decided to write Sessions and Trump a letter advising them to fire him (Comey). And we now know about the Grand Jury subpoenas too. They're going to be opened one day, and when they are...
Actually... as it happens... the Nixon Presidential Library had something to say about that.
It almost feels like a sort of slow motion coup-d'état.
To quote a fictional Secretary of Defense:
Errrrrrr... that's not... entirely.... true.
Note also that there was considerable speculation that the most likely source of the leak was lardarse himself.
Mildly surprised El Reg hasn't yet picked up on the aspect that saw the US press barred from (or rather, not invited into) the Oval Office for what they thought was the meeting with Russian FM, Sergei Lavrov. The WH staff only admitted one snapper, a Russian with a large kitbag of gear who they assumed was Lavrov's official snapper but surprise!!! turned out to be working for TASS. Well, I say "working for TASS" -- the pictures showed up there, anyway. So now we know what Trumpy looks like in the company of the hairy Ivans when he thinks no-one's watching...
Oh yeah, and Kislyak, the FSB station chief in Washington was also there. Though the WH absent-mindedly forgot to mention it in any official briefings or press releases... it was only the TASS pics that gave the game away.
It's a diabolically awful situation, but at the same time I can't help but feel some grudging respect for the apparently effortless way the Russians have run rings round the entire US electorate, establishment, and IC, and completely compromised the organs of government.
Amazing the way that American English has suddenly and spontaneously evolved slavic characteristics, isn't it?
Nothing was made up, just released what the DNC and Podesta actually talked about...
...and started as we know well back in 2016...
...it must be some sort of easter egg filter in El Reg's Perl codebase that kicks in whenever someone parrots the Kremlin line word for word:
The whole "Russian Influence" meme is nothing more than a desperate (and surprisingly successful with the entire MSM following their DNC paymasters' orders) attempt to deflect attention from the real scandal that needs a Grand Jury/Special Prosecutor - and that's to what extent was the Obama administration spying on the GOP and Trump campaigns.
Well done, Anonushka, extra cabbage soup ration for you tonight!
Or can we put a penny on income tax for leavers?
We are all leavers now. And the dawning understanding of what a bucket of smashed crabs the whole affair will be just might have something to do with the apparent coyness and reluctance of the Tories to include the same silly "no tax increases, guaranteed" manifesto commitment this time round. Instead they're blustering about being the party of lower taxes. They know perfectly well gov revenues will be falling fast at the same time as spending requirements are rapidly increasing, and as they've had this long term obsession with not running a budget deficit... there's only one way this is going to go.
Wasn't that an album track by The Fall?
Try to find one on hp.com, go, try ... tell me, I had a quick look, could not find one ...
I have a (real crap, ridiculously low-end and underpowered, but adequate for web and playing music and the odd bit of iPlayer) HP laptop that had Ubuntu pre-installed. Cost me less than £200 (I spent £30 maxing out the RAM, then discovered that installing it involved disassembling the entire machine - keyboard out, motherboard out -- it was emphatically NOT designed for post-sale upgrades).
Biggest problem is that external monitor support died after a major version upgrade and hasn't been fixed so far.
Ubuntu's site lists 140 HP models "certified" with Ubuntu: https://certification.ubuntu.com/certification/make/HP/
Here's HP's Linux stuff:
If you have a computer, of any form, and it has an operating system installed, you can guarantee that it has undiscovered bugs and vulnerabilities.
True, but there are bugs, and there are BUGS. I can't see Linus approving a kernel patch adding a JavaScript engine to the kernel, for instance.
Point of order, Chair: I'm in infosec and I can't afford a mortgage! (I live, or rather exist, in/near London. What's that message broadcast from the Event Horizon again?)
Worth pointing out that one of the recent Shadowbrokers dumps included docs showing CNE tools ported to every platform under the sun, including Free (at least) BSD. If they can target BSD, so can other threat actors -- the sort who are more likely to want to compromise an average Commentard's site than the NSA.
Delighted to find this is still online, 20 years after I raided it to customise the Windows startup / shutdown sounds...
Little known fact: Avon demonstrates what is, in effect, Ssh tunnelling via Orac (on what looks like a beach in Essex) to Zen on board the Liberator at the start of S3E1.
I would get out more, but I'm a sad bastard :)
So, could possibly be mounted in the axis of a naval vessel, the sort with the power already in place for rail guns?
Possibly (though I imagine operations consumes quite a bit of power) but why would you want to do that? Hard to imagine a less effective weapon than a few dozen protons, even if they *are* travelling at relativistic speeds. You wouldn't want to stick your head in the way, but it's not going to be any use as a weapon.
DNS is a fantastic method of moving information into and out of a compromised server because it bypasses ALL SECURITY on a network
...unless you're piping your DNS logs into a halfway decent SIEM backend datastore, of course. I've only seen that in really large enterprises though. Or doing https://uk.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152 . Or if the DNS traffic generation activity is picked up by whatever endpoint protection you have in place. Or if the malware that does it is spotted and blocked by traditional AV, or by next-gen pop-the-attachment-in-a-sandbox malware defence systems. And so on and so forth.
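As an added illustration of the "pipe your DNS logs somewhere and look at them" point above (example code, not from the post, the SANS paper or El Reg), here is a minimal length-and-entropy heuristic run over a few constructed DNS query log lines. The log line format, the thresholds and the two-label "base domain" rule are all assumptions chosen for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of DNS query log lines (assumed format: "<ts> <client> <qname> <qtype>").
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.5 www.example.com A
2017-05-12T09:00:02 10.0.0.5 mail.example.com MX
2017-05-12T09:00:03 10.0.0.7 cdn.example.org A
2017-05-12T09:00:04 10.0.0.9 3fa9c1e0b7d24af58c6e01.t.example.net TXT
2017-05-12T09:00:04 10.0.0.9 8b1d77e2a09f4c63de5b42.t.example.net TXT
2017-05-12T09:00:05 10.0.0.9 c04e6f9a2b81d57e3fa619.t.example.net TXT
2017-05-12T09:00:05 10.0.0.9 5d2a8e07f91c4b6ea3d0c8.t.example.net TXT
2017-05-12T09:00:06 10.0.0.9 e97b3c5f1a0d48e2b6c471.t.example.net TXT
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (\S+)$")  # ts, client, qname, qtype

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def base_domain(qname):
    """Naive registrable domain: last two labels (assumption; no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_tunneling(log_text, min_queries=5, min_prefix_len=20, min_entropy=3.0):
    """Return base domains whose distinct query names are numerous and whose leftmost
    labels average at least min_prefix_len chars and min_entropy bits/char (encoded-looking)."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines rather than crash the collector
        per_domain[base_domain(m.group(2))].add(m.group(2).lower())
    flagged = []
    for domain, names in per_domain.items():
        prefixes = [n.split(".")[0] for n in names]
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if len(names) >= min_queries and avg_len >= min_prefix_len and avg_ent >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(detect_tunneling(SAMPLE_LOG))  # ['example.net']
```

Real deployments would tune the thresholds per environment and whitelist legitimate high-volume, high-entropy domains (CDNs, anti-spam lookups) before alerting.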
Just so we're all clear on this: Russia hacked the French elections, US Republicans and Dems , and the EU referendum.
FTFY. No, don't ask for the evidence, as is typical in this country you won't be reading about most of it for another 29 years 3 months (God forbid the Mail / Express/ Telegraph readers should discover they were played like a fiddle by Vladimir!)
Biting the hand that feeds IT © 1998–2017