Re: Windows vs Linux
I keep saying: Linux has been around and proliferated successfully enough to become a target. It's no longer just a patch Tuesday World.
330 posts • joined 1 Feb 2015
Yes, and the Earth is clearly flat.
I fear this disease will spread, as it is clearly contagious.
There's just something about secret bureaucracies that just has the weird putrid smell. And, it seems to be there throughout most of the Anglosphere. They cannot claim to serve the people if they have no accountability that the people can trust. The courts are supposed to provide that. Here in the states, we get to have secret courts, as if we actually trust that. I'm really sad to hear that in the U.K. there would even be the consideration of no court involvement whatsoever. It's just the same putrid bureaucratic disease everywhere.
Fair enough. It's not as if they can't tell what country you're coming from. It's not as if computing standards have only recently been addressing internationalization. Seriously, this is easily fixable, so what's Google's problem? Why the hell are they taking so long to fix this? Oh right; too big for their britches.
"...Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions..."
"Hard-coded" is bad enough, but I've seen too many really lame security questions--with topics that some people chat about on social media--seriously, and that crap has to stop.
And, it can be done by way of the registry. I... just... don't... know... what else to say.
Oh, just that use of the word "bulk" creeps me out.
Given that passive reconnaissance has been the first step since the beginning, this should be no surprise. If anything, buying data from legitimate services has been around for longer than we can know.
Yes, we might hope that these services vet their customers, but why would they care? Yet, even if they were willing, crims are in the business of shrouding themselves, and there's little hope of guaranteeing that this practice would never happen.
"...for the ethically challenged..."
I knew a guy who was truly ethically challenged. He would out-and-out say that it would be perfectly fine if certain things were not revealed. He used to do one of those infomercials selling money-making schemes. He'd rent business jets and present them as his own in his infomercial, along with other shady claims. And yes, he went to jail. And no, no one in my family who knew him is in touch with him, as it's all just too damn disgusting.
It's not about whether you can or cannot be a broker of sorts; it's about misrepresentation and fraud. What you sell must be what you claim it to be (or at least sufficiently to stand up in court); and if you're going to omit certain facts, you better be very careful what facts you omit. I am not a lawyer, but some of you might want to get educated on some of this stuff before the law comes knocking on your door.
That would be a topic for a statistical study. But, using it or not, it's exactly the kind of thing that would be on by default--something that too many users wouldn't even know to turn off.
And then, none of this is shocking. When this thing was created, it was a given that automatic configuration is a chicken-or-egg problem that requires too much broadcasting of "please come and be my mommy and tell me who to be." So, there is no surprise that any technology along these lines is rife with vulnerabilities.
I'd like to blame all this on the nature of consumer technology, but it happens there's a protocol (name escapes me at the moment) for administering servers in enterprise environments that's just as bad or even worse. Security will never be easy, and we need to be wary of those offering shortcuts, which was in fact a topic of discussion when UPnP was created. So, this counts as a "we told you so." Hah!
This kind of thing is covered in annual training, and agencies are required to have such training--at least where I work. Just think; there are places where private information of celebrities and government officials can be looked up. Not only must there be training, but these things need monitoring and enforcement. I guess there are areas where these regulations need to be fortified just a bit.
This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the States, I imagine this won't happen overnight.
Insert usual rant about this phrase here. Do they realize this is coming to mean the opposite of what it should?
"Someone once asked me why were some connectors denoted "male" or "female""
I do wonder about how this came to be the dominant language, given that the terms "plug" and "socket" go back at least as far. And, while I'm not the biggest proponent of political correctness, I am concerned that with the proliferation of technology, this will come to affect children at younger and younger ages. "Mommy, why is this thing that I stick into that thing called male and that other one female?"
Hmm... Let's see. If there is no hope of ever prosecuting a target, then there's no hope of ever bringing a target to court. And, if there's no hope of ever bringing a target to court, then why bother with any manner of court order? I guess that's one reason that warfare and policing aren't conducted the same way.
And, the nationality of that author... Could that be saying something about his prescience?
Anyway, good point on the throwing stones stuff and such. This has become a global issue, and we need to be vigilant about reining in those that say our governments need more powers to be, um, more vigilant. These things have to balance out, but they'll quickly get out of balance if we don't continually insist on balance.
"...the key to one room, not the 'master key of the hotel'"
Um, who's going to manage the keys? Is this going to be some kind of key escrow? Do they not understand that anybody can generate a key independent of such nanny-state management?
Clearly, these things are going to end up in the outlawing of various forms of encryption--along with any methods to hide it.
And, they'll also end up having to outlaw cryptographic research that isn't government sanctioned. Imagine having to get a license to learn.
"its not node.js specific."
Oh, I wholeheartedly agree. And, that makes more work for those of us who have to work as gatekeepers. But, rest assured; we're keeping an eye out for these things.
It's NPM repos again. Anybody keeping track? Anybody got a fix? Sorry Node.js devs. I like Node.js too, but there's got to be room for improvement.
"Just like what you get with Linux."
Linux is not a service. You don't sign up for it, and you don't send your data through somebody else's server in order to use Linux.
(@MMR, voted you up, but I just had to go and at least explain the key difference, in case others don't get it.)
How the hell... URL parameters... validation... you gotta be kidding me... oh screw it.
Enforcement of laws against stupidity. Yeah, if you've got people's data and you don't even use minimally reasonable security practices, smack upside the head. 'Nuff said.
"Yes, I am expecting my downvote counter to go through the roof."
Not so much. At the time of this comment, you're up 8 and down 0.
The simple fact is that they'd eventually come after Linux. It was inevitable. But, notice it was more about badly administered boxes than Linux itself.
"...on a domain owned by her and husband Jared Kushner."
Um, ownership does not equate to administration thereof, because you just know that that domain wasn't set up by them directly (or at least it would be shocking if it were).
Given the impulsive nature of the way email and such are used, I'm wondering if something preemptive can be done about these things. It brings to mind some ideas that are a little out there, but I think that a survey of what private services our public officials--and their spouses--use would be worth a study of some kind, at least a journalistic one.
"...but moved everyone except the original sender to Bcc"
Ohhhhhh, I definitely want a button for that.
I'd make one--if only VBA were not one of the most horrendously dangerous features of Outlook (and Word, and Excel, and...).
BTW, voted up this entire chain of comments. Email interfaces need to be designed for safety and not enable, even foster, impulsively dangerous behavior. I'm sure many of us have fallen into a pitfall at one time or another despite reasonable levels of vigilance--the very reason I'm so pissed off that UI designers need some training in social engineering. Imagine how dangerous it is for those with no restraint whatsoever.
I'm glad that I have the option to have private tabs and such; but just because I do security work around HTTP, I much prefer completely different browsers--each with its own script-restricting addon, cookie-restricting addon (including Flash cookies), and tracking-control addons (Ghostery and Privacy Badger).
Besides, there's a difference between paranoia as an affliction and paranoia as a hobby. I'm thinking of getting a really fine tin-foil fedora.
That was worth half a chuckle, but it's at least nice to know that Amazon knows how to use BCC--given that others have caused damage by not using CC instead of BCC.
"...facing a dual threat of more aggressive overseas hackers and a lack of funding for cyber defences."
O.K. everybody. It seems we're finally getting through. Don't back off; shout even louder.
First, I'm definitely on board with the points about WiFi, and I definitely go in and disable that nonsense right away.
But, however minimal, most of these things do include some means of limiting incoming connections, at least as far as what ports are open (I did say minimal), and some allow filtering for outgoing connections--not that the average home user would ever bother with managing outgoing filtering. Still, I wouldn't regard one of these little boxes as being on par with an enterprise-grade firewall--along with what can be done with filtering rules that are properly managed.
O.K. so I'm being a bit pedantic. But, just like there are different grades of locks, some of which can be picked with a bump key and some can't, there are different grades of firewalls. I think maybe we need some new terminology--as if we don't already have enough of that.
"...easy to manage clients" seems to be something that could be interpreted in dystopian terms. I'm pretty sure I don't want Comcast to manage me, either directly or through my devices--power user or not. And, what they do manage, I want to know about so that I can deal with it accordingly.
Someone needs to come up with a special font that guarantees that all characters appear distinct, and mail programs and browsers need to guarantee that only this font can be used to display URLs (or at least not be altered by the email formatting).
Um, there are business procedures for these things. And, when forwarding a suspected infected email to an infosec analyst, you do it as an attachment, right?
Maybe someday, I'll share my Vim syntax highlighting for email headers, because it's just fascinating to see how far a serious phishing campaign will go to make an email look as if it's coming from inside your own business, which can involve a pair of malicious MTAs and a malicious DNS server to spoof your company's domain name in the email headers. I've seen just this sort of thing singled out by Proofpoint mail filtering.
But, if you're afraid of opening an email in your mail program, then get a new mail program. Just don't click any damn links, and make sure your email program doesn't display remote images. And, if you're in an enterprise environment, I would hope the relevant mail settings are already correctly set by GPO. Here, we even have a report phishing button in the Outlook ribbon, and it just makes everything so much nicer.
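As an added example (not code from the comment above, nor from The Register or Proofpoint), here is a small Python check in the spirit of reading email headers by eye: it parses a constructed raw message, walks the Received: chain back to the hop where the message first entered the mail path, and flags a message whose From: claims the company's own domain while that earliest hop arrived from a host outside the company's MTAs, or whose Return-Path points elsewhere. The company domain, the trusted MTA host names, and both sample messages are made-up assumptions for the demonstration.

```python
import email
import email.utils
import re
from email import policy

# Assumed (hypothetical) company domain and the reverse-DNS names of the MTAs
# that legitimately inject its mail; a real check would load these from config.
INTERNAL_DOMAIN = "example-corp.test"
TRUSTED_MTA_HOSTS = {"mx1.example-corp.test", "mail.example-corp.test"}

# Received: header shape "from <HELO name> (<reverse DNS> [<ip>])". The HELO
# name is whatever the sending host claimed; the parenthesised part is what the
# receiving MTA actually observed, which is why the two are compared separately.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
)

# Constructed sample: From: claims the company domain and the sender even used
# the company's MTA name in HELO, but the observed host and Return-Path are not
# the company's. Headers are listed newest hop first, as MTAs prepend them.
SPOOFED_RAW = """Received: from mx1.example-corp.test (mx1.example-corp.test [192.0.2.10])
 by inbox.example-corp.test with ESMTP; Tue, 1 May 2018 10:01:02 +0000
Received: from mail.example-corp.test (smtp-relay.lookalike-example.test [198.51.100.7])
 by mx1.example-corp.test with ESMTP; Tue, 1 May 2018 10:01:01 +0000
Return-Path: <billing@lookalike-example.test>
From: "Accounts Payable" <ap@example-corp.test>
To: staff@example-corp.test
Subject: Invoice attached

Please see attached.
"""

# Constructed sample of genuine internal mail for contrast.
LEGIT_RAW = """Received: from mail.example-corp.test (mail.example-corp.test [192.0.2.5])
 by inbox.example-corp.test with ESMTP; Tue, 1 May 2018 09:00:00 +0000
Return-Path: <ap@example-corp.test>
From: "Accounts Payable" <ap@example-corp.test>
To: staff@example-corp.test
Subject: Expense policy reminder

See the intranet page.
"""


def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if none."""
    _, addr = email.utils.parseaddr(str(addr_header))
    return addr.rpartition("@")[2].lower()


def parse_hops(msg):
    """Return Received: hops in header order (newest first) as dicts."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"] or "", "ip": m["ip"]})
    return hops


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no issue."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"] or "")
    if from_dom != INTERNAL_DOMAIN:
        return findings  # only messages claiming to be internal are checked here

    rp_dom = domain_of(msg["Return-Path"] or "")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    hops = parse_hops(msg)
    if hops:
        first = hops[-1]  # the bottom-most Received: is where the message entered
        if first["rdns"] not in TRUSTED_MTA_HOSTS:
            findings.append(
                f"From claims {from_dom} but earliest hop came from "
                f"{first['rdns'] or first['ip']} (HELO said {first['helo']})"
            )
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, analyse(raw) or ["no findings"])
```

The check deliberately trusts only the parenthesised reverse-DNS name recorded by the receiving MTA, never the HELO string, since the HELO is the part a sender controls; a production version would also feed the earliest external IP into SPF and DMARC evaluation rather than relying on a static host list.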
Computer scientists are supposed to be good with numbers, and they're supposed to know how the numbers for this sort of thing relate.
Yet, it's true that the numbers for chess are constants, while the numbers for hackers are constantly changing. I suppose you'd have to create categories to pigeonhole things into to get the numbers to map.
I like the way the EFF's Privacy Badger does this, and I use it in concert with Ghostery. They make a good team.
Oh, the typos. Was it really that weighty an issue?
As long as it's opt in; otherwise, it wouldn't be a charity. Imagine if a government decided to do such a thing as a kind of tax but kept it secret.
Anyway, stealing from a charity, particularly one involving children, is just perverse.
Yes; and if you'd logged in, you could have used this fine icon--which I've been aching to use for such a long time.
"It appears even politicians down under are moronic."
I think there's a personality type in the DSM for that. Politics obligates politicians to forfeit all reason other than that which is associated with political interests.
@AndyS, I thought "Create more velocity in our revenue attainment" meant "make money faster"; but hey, close enough. Yeah, I heard talk like this just last night on NPR, talking about Amazon's explosive growth and why they totally overwhelmed Seattle. And anyway, that's the problem with business speak; it seems intent on bamboozling investors with a severe lack of clarity, or at least the novice investors who would be much better served with plain language.
Anyway, I like the other points, so voted up.
"First they came for our metadata, then they came for our encrypted communications, then they came for...... us."
First it happened in one country. Then it happened in their neighbor's country. Then it happened in the entire Anglosphere. Then there was no more free world.
"Those who would give up essential Liberty, to purchase a little temporary Safety..." -- Ah, you know the quote.
But, what is it these who argue for more safety and security think they are doing? Are they just overzealous? Are they trying to get more bang for their budgetary buck? Or, are they just asshole authoritarians pretending to serve the people? Perhaps it's a mix of these, but I fear those who are so bought into the bullshit that they have no concept of balance.
One day there will be no more vulnerabilities -- and then Hell will freeze over. But, they've been asked just to try a little harder for way too damn long. Maybe they'd try a little harder--to get Hell to freeze over--if they were subjected to a bit of Hell fire.
"...and aren't likely to see any significant damages when you win..."
Well, I think many would agree that increasing the degree of punishment is a much more significant issue than any political orientation (as this question of leaving it up to class-action suits seems to be about). Get something together that actually effects major positive change--and can't be blocked by monopolistic, plutocratic, big-corporation lobbyists (Monsanto), and I could give a flying f**k what political orientation it comes from--um, short of fascism, communism, or some other extremist perspective.
O365 uses the same business model as all the other cloud services, which is to get you to sign up for as many of their services as possible--regardless of whether they would all be acceptable for a particular customer's security needs, such as the remote desktop features of many meeting and communication apps. And, once a customer has been strong-armed into allowing something dangerous, there's no way to control it. So, whatever anybody says about being able to secure cloud services, these big cloud-service bundles are more in the interest of Microsoft and other cloud-service providers that want to stop selling software and move everybody to a forced subscription model than in the interest of the very variable security needs of individual enterprises.
(BTW, SME also stands for "subject matter expert". After all, we are now in an age when acronym collisions are inevitable.)
I expect a major factor in this is that it depends very much on the willingness of leadership to hire the right kind of infrastructure support and then actually listen when they point out the weaknesses--because when the CEO of a major national retail chain is said to have replied to warnings with "we sell hammers", then there is a faction in the corporate culture that is really doing leadership wrong. Yeah, those of us in the trenches are really never going to forget that one.
Last time I tried running VirtualBox, there were compatibility issues. Having not revisited it, I'm wondering what progress has been made since. Not being a fan of monopolies and monopolistic corporate behavior, I'd really like to hear that there are more healthy products of this sort, ones with a future, ones able to dislodge themselves from the likes of Oracle (@DJV, voted up).
BTW, I was fine with Oracle when they were just Oracle. But, these "portfolio" companies appear to, shall I say, dilute the focus of their workforce and thus the quality of their products. Yes, they get more customers with a portfolio of products, but those customers eventually end up with lesser quality products. I fear it's not a healthy aspect of the market.
"User Training and Education"
Sadly, vigilance is not innate to the human condition, and social engineering seeks out the lazy and impulsive. So, yes (voted up), and do the homework to get a really good training program.
I've seen IT security outsourced because a CIO didn't like the infosec team's complaining that certain PCI DSS security controls were missing or inadequate. That was a place that was too small to have a CISO, so the infosec team didn't have the clout to establish and enforce reasonable policy.
I've also witnessed an IT manager bargaining with and browbeating PCI auditors, which I suspect is common--as under PCI there is a conflict of interest created by the requirement that a company gets to choose who they pay to audit them. And, if infosec is under the IT department, you can expect to see the infosec team seriously hamstrung by conflicting expenditure choices. So, hierarchy is also important.
I personally am predicting that the insurance industry will eventually have a role in this, as insurance companies would surely have an interest in the selection of auditors for the companies they insure--and thus also have an interest in whether the infosec team has the clout needed to do their job. Unfortunately, it will take time and many successful class-action lawsuits before we'll see this.
I once got to see a call center using a "predictive" dialing system. That was in the late '80s. Yeah, this crap has been around that long. Call center workers sit in front of a terminal with a headset on. Information on the person being called is pulled up in front of them automatically. The computer predicts when the current call will end--and starts dialing the next call with the objective of having the call center worker talking to the next party before they have a chance to take a breath. That way the call center can pound out the calls like a machine gun.
I've seen a number of call centers, political, corporate, non-profit; they're all very depressing places.
Well, they are used for political campaigns, often called robo-callers. Yet, some would think that's just another way to extract money from the populace.
I know that's a typo (yeah, and we know that's supposed to be that nauseating public relations B.S.), but somebody seriously should make them cry.
@Dabooka, "You've really never heard of Cathay Pacific?"
I'm afraid so. But, then I avoid flying like the plague and will make every effort to take the train in business class instead. Yes, cramped seating is harder to take for some, and I'm one of them (hsperson.com).
Biting the hand that feeds IT © 1998–2018