Indeed. GIGO works even when unintentional.
The issue isn't brains.
US companies spend far more buying back their own stock than on R & D.
The next largest category is generally marketing.
This focus extends to employees: a young, cheap employee is far better than an older, expensive and not-puppy-like one. H1B is even better: should they become skilled, the poor sap is stuck in green card limbo for 7 years or more - a literal indentured servant.
Lastly, the notion that "training" is all that is needed is bollocks.
Society cannot survive with everyone being a coder any more than society can survive with everyone eating cake.
The real issue is whether all parts of functional society deserve a reasonable share of revenue as opposed to the 1%. As the inequality numbers clearly show, the battles of the past 2+ decades have clearly swung in the 1%'s favor.
I have no doubt the vulnerabilities noted exist, however, the connection between an XP terminal and the actual ship's controls and systems is far less clear to me.
The XP based PCs are no doubt used for communications, shipping orders, paperwork, entertainment and whatnot but that is a far cry from steering, ballast control and so forth.
And given the age of the PCs, it seems highly unlikely that the ships are networked such that such control capability is even possible.
Mischief, in this case, is largely a command and control type interference such as was seen with NotPetya damage.
Cities in Asia - Tokyo and others - have shown that public transportation, both rail and bus, can work just fine.
The issue is density. Cities with low density - the existence of public transport is irrelevant. Cities with high(er) density - insufficient coverage of public transport, poorly maintained/operated/designed public transport, etc will still yield poor transport scores.
Self driving autos don't fix anything. Beyond the orbiting to avoid parking, the real issue is that any form of shared vehicle paradigm requires more miles per passenger transport mile than personal car use.
Bicycles aren't really a solution either - at least in cities with cars. You either have lots of dead bicyclists, lots of slow bicyclists or you have really, really slow drives. The bicycles simply cannot operate in an environment optimized for car transport, for example, because their usual top speeds and acceleration profiles are significantly slower than autos. This disparity is also why so many bicyclists run red lights - they end up stopping almost every block because the cars will have gone (traffic lights synced for cars) or else simply run the lights, and a bicyclist has to spend sweat to get up to speed.
I understand the indignation, but the cure doesn't seem workable.
First: companies never want employees to know what other employees make. This is counterproductive as it never helps the corporation - it only makes labor costs higher since no one ever advocated for a pay cut to decrease the average on "their side" - sex or whatever.
Second: Even if averages were the same, there would still be complaints about he/she being paid more than they're worth. Publishing averages forces companies to have to answer difficult, if not impossible, questions on why anyone is below average. It also introduces a mechanistic quality to pay - much like past Japanese salaryman views on "lifetime earnings". Is this really beneficial, especially given that nobody has lifetime employment?
Third: I am fascinated to see how this dynamic plays out, should these precedents get set. Male/female must have the same averages. What about married/single? gay/straight? female gay vs. male gay? Hispanic straight male vs. Asian trans-sexual (to) female?
What if one high paying member of a given demographic quits, and drops the average of that demographic significantly - should someone else be bumped up to compensate?
Could be a great jobs program for Maths PhDs to try and balance all of the demographics into a "fair" average.
Equitable pay is absolutely a problem, but I really don't see how focusing on averages helps.
$24m wasn't carried on the phone. The phone was 2nd factor in multi-factor authentication. SIM clone then "forget password" and reset.
Or in other words, the real world of password attack.
Cell phone based 2nd factor is convenient but cell phones are really, really easy to attack. This "gang" used a particularly high effort one; in reality you just need to find an appropriate cell phone store location with a manager who needs money fast...3- or 4-digit payments to these low-paid people go a long way...
Yes, but the comment doesn't go far enough.
This fellow isn't very smart because white collar crime in the form of market rigging, front running, other bankster tactics would yield millions in his own pocket rather than just millions of damages and tens of thousands in pocket.
My view is this is more an attempt at setting a precedent than "getting" Mondelez.
The cyber insurance sector has had an overall 60% loss ratio (% of premiums paid out to claims) for many years - NotPetya *might* significantly shift this for the industry overall, but definitely would shift this for Zurich in particular. Individual insurance orgs in cyber insurance have loss ratios ranging from 0% to 150%+.
The litigation does, however, guarantee to shift the actual balance sheet hit out at least a year or two, possibly more. Tactically this is probably worthwhile (from Zurich's perspective) in its own right...
There was a report out of Verizon at the 2016 Black Hat: roughly 1/4 of users surveyed clicked on everything regardless of training, background whatever.
Likely these people are the ones glued to their phones/computers, obsessively grinding through every email and social media message.
1/4 don't click on anything - the paranoid/security types.
The middle 1/2 can be educated but would still be fooled by attacks like the one noted in the article.
I would be less surprised that attackers are not top tier. The airlines, just like the banks, insurance companies, utilities and whatnot all are running 40+ year old hardware underneath the tangle of glittery modern add-ons.
The likelihood that these rats' nests of 4 decades of IT upgrades are secure is zero.
Sadly, wrong. Windows has more vulnerabilities than Linux, true, but the highly effective SMB attackers aren't using "spray and pray", they're doing targeted intrusions, then recon, then ransomware as the final monetization step.
In this respect, Linux is no better than Windows because neither is really the issue. It is routers, firewalls, phishing emails, poor passwords, etc which are used.
Cyber security today is simply not meant for SMBs. If you have a $10M budget or more and have reasonable execution capability, you can have a fairly decent cyber security setup in the sense of preventing attacks.
However, cyber security in a more holistic sense isn't about preventing attacks. It is about preventing attacks from destroying your business.
Backups are fine from a business recovery perspective - but that assumes that the business can withstand a 1 or 2 week recovery cycle. Many cannot.
What every SMB truly must address is business continuity: what must be done in order to ensure that the business will survive if it is attacked by ransomware? By DDoS?
The tools to mitigate these impacts are *not* actually prevention of attack, rather they need to be resilience focused.
Similarly, what is the impact on the business from a whaling expedition? an HR PII theft? A data or IP theft?
The answers to these scenarios are mostly process. Two factor authentication as in calling to confirm whenever a new payee is requested. Never sending more than XX records of HR data unless independently confirmed by 2 or 3 real people in authority. Not putting all your data/IP in one spot, and locking away portions that aren't actually used frequently to specifically be hard to access.
I don't disagree there is at least some militancy among bike riders in SF, but lane reductions aren't just for bike lanes.
There are many bus only lanes now, at least in downtown SF.
However, my view is that a big part of the congestion is due to construction and events. There are now 2 events / 2 weeks a year where a key road in downtown is completely blocked off for the Salesforce and Oracle conferences. Both events also deploy masses of private buses to ship conventioneers around to the many venues being used to wine and dine them.
Ultimately, many people aren't going to use public transit unless forced to. The only way to fix the congestion problem is going to be big city congestion pricing as seen in Singapore, London and other places.
Actually, I would point out that few taxis circle the roads looking for passengers. In real life, they get routed to some, but many hang out in hotel or other major venue taxi lines.
TNCs, on the other hand, are *always* forced to travel to the passenger. I would not be surprised at all if TNCs travel 0.5 to 1 mile per mile of passenger transported - in other words, miles driven per passenger mile delivered is low.
This is very much a structural difference vs. private cars, and is likely a significant difference vs. taxis because taxis can pick up anyone they see.
The problem with UEBA is context.
In particular, baselining assumes that bad behavior is outside the baseline behavior set - in reality, bad behavior is context dependent. A sales person copying a customer list into their phone is not a bad behavior...unless he's quitting the next day.
There's also the issue of alternate data capture. The ignorant crims today will try to copy into USB hard drives in one go; the smart ones will space copying out. Particularly sensitive data - just take a phone snap. etc etc.
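The two gaps the comment above describes (behaviour that is only bad given HR context, and copying spread out to stay under a daily threshold) can be shown in a small detector. The following is an added example, not code from the original thread or from any UEBA product: it learns a per-user baseline of daily copies to removable media, then layers a departure-date context check and a trailing-window total on top of the usual z-score spike check. User names, dataset labels, the 30-day learning period and all volumes are constructed for the example.

```python
"""Context-aware UEBA toy detector (added example, not from the comments).

Constructed data throughout. It contrasts the baseline-only check the
comment criticises with two context checks: HR departure status and a
sliding-window total that catches copying spaced out over many days.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class CopyEvent:
    user: str
    day: date
    mb_copied: int   # megabytes written to removable media that day
    dataset: str     # constructed label, e.g. "customer_list"


def baseline(history):
    """Per-user (mean, population stdev) of daily copy volume."""
    per_user = defaultdict(list)
    for ev in history:
        per_user[ev.user].append(ev.mb_copied)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def detect(events, stats, departing, sensitive,
           z_threshold=3.0, window_days=7, window_multiple=2.0):
    """Return a set of (user, day, reason) alerts.

    reasons:
      "spike"      - single day more than z_threshold stdevs above the
                     user's own mean (what baseline-only UEBA does);
      "departing"  - any copy of a sensitive dataset by a user whose HR
                     record shows a pending departure, however small;
      "slow-drip"  - trailing-window total exceeds
                     window_multiple * mean * window_days, catching
                     copies that each stay under the spike threshold.
    Users with no baseline (e.g. new hires) only get the context check.
    """
    alerts = set()
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.day):
        by_user[ev.user].append(ev)
    for user, evs in by_user.items():
        mu, sigma = stats.get(user, (0.0, 0.0))
        for i, ev in enumerate(evs):
            if sigma > 0 and (ev.mb_copied - mu) / sigma > z_threshold:
                alerts.add((user, ev.day, "spike"))
            leaving = departing.get(user)
            if leaving is not None and ev.dataset in sensitive and ev.day <= leaving:
                alerts.add((user, ev.day, "departing"))
            start = ev.day - timedelta(days=window_days - 1)
            total = sum(e.mb_copied for e in evs[:i + 1] if e.day >= start)
            if mu > 0 and total > window_multiple * mu * window_days:
                alerts.add((user, ev.day, "slow-drip"))
    return alerts


# ---- constructed sample data -------------------------------------------
D0 = date(2019, 3, 1)


def day(k):
    """Calendar day k days after D0 (negative k = learning period)."""
    return D0 + timedelta(days=k)


def _history(user, pattern, days=30):
    """Learning period: 'pattern' repeated over the 30 days before D0."""
    return [CopyEvent(user, day(k - days), pattern[k % len(pattern)], "misc")
            for k in range(days)]


HISTORY = (_history("sales1", [9, 10, 11]) + _history("sales2", [9, 10, 11])
           + _history("eng1", [4, 5, 6]) + _history("eng2", [1, 5, 9]))

# Two sales people copy the same list on the same day; only one has resigned.
# eng1 does a one-shot 200 MB dump; eng2 drips 14 MB/day, under 3 sigma each day.
EVENTS = ([CopyEvent("sales1", D0, 10, "customer_list"),
           CopyEvent("sales2", D0, 10, "customer_list"),
           CopyEvent("eng1", D0, 200, "source_tree")]
          + [CopyEvent("eng2", day(k), 14, "source_tree") for k in range(7)])

DEPARTING = {"sales1": day(1)}   # constructed HR record: last day tomorrow
SENSITIVE = {"customer_list", "source_tree"}


def run():
    return detect(EVENTS, baseline(HISTORY), DEPARTING, SENSITIVE)


if __name__ == "__main__":
    for alert in sorted(run()):
        print(*alert)
```

Running it alerts on sales1 (same 10 MB copy as sales2, different context), on eng1's one-shot dump, and on eng2 from the sixth day of the drip onward, while sales2 and the first five drip days stay silent. The departure feed, the sensitive-dataset labels and the threshold constants are exactly the context a baseline-only tool lacks; in a real deployment they would come from HR and data-classification systems rather than being hard-coded.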
Yes and no.
I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.
I very much doubt pen-testers were ever allowed to touch the ATM backbone. A penetration which compromises functionality - even for a short period of time - would immediately result in people getting fired.
Always important to keep in mind that residency in Japan, even "fluency" in the language, does not equate to either understanding the culture or being an integral part of it.
One example: Most of the foreign men who have learned to function in Japanese talk like gay men or women.
It is because the Japanese language is highly contextual: tone and words used are different between a man to woman vs. woman to man, as well as different from boss to subordinate, parent to child, etc.
Teaching Japanese to foreigners is also an extremely low status occupation - which is why the vast majority of such teachers are women.
Last fact: the vast majority of foreigners in Japan are men.
So, Japanese women teaching the Japanese language to classes composed almost exclusively of men. The men learn tone and word choice from the women.
I have friends who have been in Japan for 20 years - and no Japanese ever told them of their Japanese language equivalent of a lisp - another cultural thing to keep in mind. Foreigners are such unreliable, unspeakable barbarians that pretty much anything is expected from them except "proper" behavior.
Given that cryptocurrency wallets are open to all to view - only the most idiotic physical attackers would not check the wallet's contents.
A physical attacker going after a cryptocurrency wallet is almost certainly knowledgeable about what he's going after.
The 2 codes presume an attacker who is randomly selecting victims *and* just barely cognizant of cryptocurrencies and technology. Or in other words, a straw man attacker.
I will also add that cryptocurrency wallets are delightful from a physical attacker point of view in that they combine the hostage and the ransom all in one. No more messy negotiating with 3rd parties.
I would be very nervous if I held any significant amount of cryptocurrency in a nation with kidnapping for profit...
The issue is that attackers don't have to have admin access to attack, they just need to have access to something running on the same physical machine.
Do the HR and payroll people have the same security practices and standards as the R & D folk?
Worse, a lot of companies use cloud - there can be literally dozens of different companies running on a given big iron.
Very short-sighted to just talk about single specific big iron installs.
I'm all for educating developers more, but it is naive to think that education is the way to fix the problem.
The real issue is that security thinking is dramatically different than coding.
There are people who like to focus on all the ways that code can be broken, and there are other people who like to think of all the ways code can be used to implement some capability.
It isn't clear at all to me that both can be done, well, by one person - much less as an industry practice across tens and hundreds of thousands of developers.
The Cyber Independent Testing Lab with its UL-type approach probably has the right of it - flagging the most common coding conventions that are vulnerable, but it is far from clear that significant progress can be standardized at beyond their approach.
In the meantime, UL itself is getting into the game with a "standards-based" approach. Ugh?
The major platform owners - "Don't be evil" and Z - get about half the revenue of the digital advertising market.
Procter & Gamble cut their $1.2B-ish ad budget by $200M - and saw no change in results at all. This gives a real world idea of just how much fraud there is.
Overall, digital advertising is a shade under $400B. A Procter & Gamble percentage of fraud would mean $65B in advertising fraud. It is probable that the actual fraud is higher.
Why would the platform owners want to stop this?
Concurrent sentences aren't automatic.
Furthermore, the additional charges are added later to keep you in the s**thole jail for months and years, until the general crappiness of living there makes even innocent people plead out, which in turn pumps up the prosecutor's track record for when he goes for judgeship.
Haven't read much history, have you? Armies "foraging" off the countryside. The menfolk getting conscripted on the spot. The women being forced to serve other ways. Then there's Genghis Khan in the central Eurasian plains, Magdeburg and the rest of the Reformation and Counter Reformation wars, Romans salting the ruins of Carthage... I'm seeing a pattern and it isn't the one you're espousing.
Nice try but a fail.
The entire US' energy consumption for computing was calculated by the NREL back in 2001: http://www2.lbl.gov/Science-Articles/Archive/net-energy-studies.html
To put in terms of the article - which is presumably GW per hour - total computing and networking electricity consumption in the US in 2001 (peak of the Internet 1.0 bubble) was ~2 percent or ~8.4 GW per hour rate.
Or put another way: Bitcoin electricity consumption today uses 30% as much juice as the entire US computing and networking infrastructure in 2001 - the peak of Internet Bubble 1.0. The US consumes about 1/4.5 of the overall world's electricity; if the computing percentage is equivalent worldwide (which it is not clearly either higher or lower), then bitcoin alone is consuming 6.7% as much as the entire world's computing and network electricity usage. This is ludicrously high.
While internet usage has increased since then as has computing, efficiency has also increased - so it is unclear if the overall US computing consumption number has increased or decreased. Certainly overall US electricity consumption has not changed much since 2001 (3,9__ TWh in 2001 vs. 4,0__ TWh today).
I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.
The individual who has bad credit is highly incentivized to kill all such data, for example.
And if you say that this can be compensated for - it can, but the cost is treating all people with little or no credit history as bad credit. This penalizes those who legitimately are just starting their financial histories (usually young people).
The management of fraud and other criminal activity is another legitimate use case although personally I think credit ratings enable far more than disable. Many of the more sophisticated criminals know very well how to jack up credit ratings artificially.
I am curious, however, as to what other people's experiences with "4-9s, 5-9s, or 6-9s" guarantees or past uptime have been.
From what I have personally seen as well as what is seen publicly, these numbers are neither backed by real guarantees (i.e. cash put forward to compensate for failure to deliver) nor by reality (all sorts of games played to manipulate results).
One easy example is the Dyn attack. Any company using AWS in the East Coast for that period could not possibly have had 5-9s uptime that year, and that outage is hardly the only one by AWS.
Smaller outages occur all the time as well - from local power outages to a backhoe taking down a fiber optic line - stuff happens.
Berkshire Hathaway/Buffett/Munger doesn't invest the same way as even your typical hedge fund manager.
For one thing, they are using free money. Unlike just about every other non-government in the world, BRK is investing free money via the enormous float from their insurance operations.
And also unlike just about every other non-government in the world, BRK's only objective is return *of* investment first, followed by return *on* investment.
Since they don't have a time limit (i.e. annual returns to compare to other hedge fund/mutual fund/whatever managers), they invest for 20+ year time frames. Nobody else does that.
Combine enormous scale with enormous time frames and you get a fundamentally different investment framework. Kudos to them for executing very well since other insurance companies are not able to generate even 1/4 the annual returns regardless of time frame.
Really easy? How is that?
You can't see the laser beam in the air unless there is a lot of dust.
If you're the one being blinded/hit, you also can't see the source.
So how exactly is it easy to see the attacker, particularly if they are 2 miles away?
What about if they are 1.9 miles away - the difference in angle is 18 degrees - you can see the difference from a point (laser head on)?