Re: No, you don't wish you'd have bought it.
If you were into vintage PC gaming - why not just run DOS Shell?
I understand the indignation, but the cure doesn't seem workable.
First: companies never want employees to know what other employees make. This is counterproductive as it never helps the corporation - it only makes labor costs higher since no one ever advocated for a pay cut to decrease the average on "their side" - sex or whatever.
Second: Even if averages were the same, there would still be complaints about he/she being paid more than they're worth. Publishing averages forces companies to have to answer difficult, if not impossible, questions on why anyone is below average. It also introduces a mechanistic quality to pay - much like past Japanese salaryman views on "lifetime earnings". Is this really beneficial, especially given that nobody has lifetime employment?
Third: I am fascinated to see how this dynamic plays out, should these precedents get set. Male/female must have the same averages. What about married/single? gay/straight? female gay vs. male gay? Hispanic straight male vs. Asian trans-sexual (to) female?
What if one high paying member of a given demographic quits, and drops the average of that demographic significantly - should someone else be bumped up to compensate?
Could be a great jobs program for Maths PhDs to try and balance all of the demographics into a "fair" average.
Equitable pay is absolutely a problem, but I really don't see how focusing on averages helps.
$24m wasn't carried on the phone. The phone was the 2nd factor in multi-factor authentication. SIM clone, then "forgot password" and reset.
Or in other words, the real world of password attack.
Cell-phone-based 2nd factor is convenient, but cell phones are really, really easy to attack. This "gang" used a particularly high-effort one; in reality you just need to find an appropriate cell phone store location with a manager who needs money fast...3 or 4 digit payments to these low-paid people go a long way...
Yes, but the comment doesn't go far enough.
This fellow isn't very smart, because white collar crime in the form of market rigging, front running, and other bankster tactics would yield millions in his own pocket rather than just millions of damages and tens of thousands in pocket.
My view is this is more an attempt at setting a precedent than "getting" Mondelez.
The cyber insurance sector has had an overall 60% loss ratio (% of premiums paid out to claims) for many years - NotPetya *might* significantly shift this for the industry overall, but definitely would shift this for Zurich in particular. Individual insurance orgs in cyber insurance have loss ratios ranging from 0% to 150%+.
The litigation does, however, guarantee to shift the actual balance sheet hit out at least a year or two, possibly more. Tactically this is probably worthwhile (from Zurich's perspective) in its own right...
There was a report out of Verizon at the 2016 Black Hat: roughly 1/4 of users surveyed clicked on everything regardless of training, background, whatever.
Likely these people are the ones glued to their phones/computers, obsessively grinding through every email and social media message.
1/4 don't click on anything - the paranoid/security types.
The middle 1/2 can be educated but would still be fooled by attacks like the one noted in the article.
I would be less surprised that attackers are not top tier. The airlines, just like the banks, insurance companies, utilities and whatnot, are all running 40+ year old hardware underneath the tangle of glittery modern add-ons.
The likelihood that these rats' nests of 4 decades of IT upgrades are secure is zero.
Sadly, wrong. Windows has more vulnerabilities than Linux, true, but the highly effective SMB attackers aren't using "spray and pray", they're doing targeted intrusions, then recon, then ransomware as the final monetization step.
In this respect, Linux is no better than Windows because neither is really the issue. It is routers, firewalls, phishing emails, poor passwords, etc which are used.
Cyber security today is simply not meant for SMBs. If you have a $10M budget or more and have reasonable execution capability, you can have a fairly decent cyber security setup in the sense of preventing attacks.
However, cyber security in a more holistic sense isn't about preventing attacks. It is about preventing attacks from destroying your business.
Backups are fine from a business recovery perspective - but that assumes that the business can withstand a 1 or 2 week recovery cycle. Many cannot.
What every SMB truly must address is business continuity: what must be done in order to ensure that the business will survive if it is attacked by ransomware? By DDoS?
The tools to mitigate these impacts are *not* actually prevention of attack, rather they need to be resilience focused.
Similarly, what is the impact on the business from a whaling expedition? an HR PII theft? A data or IP theft?
The answers to these scenarios are mostly process. Two factor authentication as in calling to confirm whenever a new payee is requested. Never sending more than XX records of HR data unless independently confirmed by 2 or 3 real people in authority. Not putting all your data/IP in one spot, and locking away portions that aren't actually used frequently to specifically be hard to access.
I don't disagree there is at least some militancy among bike riders in SF, but lane reductions aren't just for bike lanes.
There are many bus only lanes now, at least in downtown SF.
However, my view is that a big part of the congestion is due to construction and events. There are now 2 events / 2 weeks a year where a key road in downtown is completely blocked off for the Salesforce and Oracle conferences. Both events also deploy masses of private buses to ship conventioneers around to the many venues being used to wine and dine them.
Ultimately, many people aren't going to use public transit unless forced to. The only way to fix the congestion problem is going to be big city congestion pricing as seen in Singapore, London and other places.
Actually, I would point out that few taxis circle the roads looking for passengers. In real life, they get routed to some, but many hang out in hotel or other major venue taxi lines.
TNCs, on the other hand, are *always* forced to travel to the passenger. I would not be surprised at all if TNCs travel 0.5 to 1 mile per mile of passenger transported - in other words, miles driven per passenger mile delivered is low.
This is very much a structural difference vs. private cars, and is likely a significant difference vs. taxis because taxis can pick up anyone they see.
The problem with UEBA is context.
In particular, baselining assumes that bad behavior is outside the baseline behavior set - in reality, bad behavior is context dependent. A sales person copying a customer list into their phone is not a bad behavior...unless he's quitting the next day.
There's also the issue of alternate data capture. The ignorant crims today will try to copy into USB hard drives in one go; the smart ones will space copying out. Particularly sensitive data - just take a phone snap. etc etc.
Yes and no.
I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.
I very much doubt pen-testers were ever allowed to touch the ATM backbone. A penetration which compromises functionality - even for a short period of time - would immediately result in people getting fired.
Always important to keep in mind that residency in Japan, even "fluency" in the language, does not equate to either understanding the culture or being an integral part of it.
One example: Most of the foreign men who have learned to function in Japanese talk like gay men or women.
It is because the Japanese language is highly contextual: tone and words used are different between a man to woman vs. woman to man, as well as different from boss to subordinate, parent to child, etc.
Teaching Japanese to foreigners is also an extremely low status occupation - which is why the vast majority of such teachers are women.
Last fact: the vast majority of foreigners in Japan are men.
So, Japanese women teaching the Japanese language to classes composed almost exclusively of men. The men learn tone and word choice from the women.
I have friends who have been in Japan for 20 years - and no Japanese ever told them of their Japanese language equivalent of a lisp - another cultural thing to keep in mind. Foreigners are such unreliable, unspeakable barbarians that pretty much anything is expected from them except "proper" behavior.
Given that cryptocurrency wallets are open to all to view - only the most idiotic physical attackers would not check the wallet's contents.
A physical attacker going after a cryptocurrency wallet is almost certainly knowledgeable about what he's going after.
The 2 codes presume an attacker who is randomly selecting victims *and* just barely cognizant of cryptocurrencies and technology. Or in other words, a straw man attacker.
I will also add that cryptocurrency wallets are delightful from a physical attacker point of view in that they combine the hostage and the ransom all in one. No more messy negotiating with 3rd parties.
I would be very nervous if I held any significant amount of cryptocurrency in a nation with kidnapping for profit...
The issue is that attackers don't have to have admin access to attack, they just need to have access to something running on the same physical machine.
Do the HR and payroll people have the same security practices and standards as the R & D folk?
Worse, a lot of companies use cloud - there can be literally dozens of different companies running on a given big iron.
Very short-sighted to just talk about single specific big iron installs.
I'm all for educating developers more, but it is naive to think that education is the way to fix the problem.
The real issue is that security thinking is dramatically different than coding.
There are people who like to focus on all the ways that code can be broken, and there are other people who like to think of all the ways code can be used to implement some capability.
It isn't clear at all to me that both can be done, well, by one person - much less as an industry practice across tens and hundreds of thousands of developers.
The Cyber Independent Testing Lab with its UL-type approach probably has the right of it - flagging the most common coding conventions that are vulnerable, but it is far from clear that significant progress can be standardized at beyond their approach.
In the meantime, UL itself is getting into the game with a "standards-based" approach. Ugh?
The major platform owners - "Don't be evil" and Z - get about half the revenue of the digital advertising market.
Procter and Gamble cut their $1.2B-ish ad budget by $200M - and saw no change in results at all. This gives a real world idea of just how much fraud there is.
Overall, digital advertising is a shade under $400B. A Procter and Gamble percentage of fraud would mean $65B in advertising fraud. It is probable that the actual fraud is higher.
Why would the platform owners want to stop this?
Concurrent sentences aren't automatic.
Furthermore, the additional charges are added later to keep you in the s**thole jail for months and years, until the general crappiness of living there makes even innocent people plead out, which in turn pumps up the prosecutor's track record for when he goes for a judgeship.
Haven't read much history, have you? Armies "foraging" off the countryside. The menfolk getting conscripted on the spot. The women being forced to serve other ways. Then there's Genghis Khan in the central Eurasian plains, Magdeburg and the rest of the Reformation and Counter Reformation wars, Romans salting the ruins of Carthage... I'm seeing a pattern and it isn't the one you're espousing.
Nice try but a fail.
The entire US' energy consumption for computing was calculated by the NREL back in 2001: http://www2.lbl.gov/Science-Articles/Archive/net-energy-studies.html
To put it in terms of the article - which is presumably GW per hour - total computing and networking electricity consumption in the US in 2001 (peak of the Internet 1.0 bubble) was ~2 percent or ~8.4 GW per hour rate.
Or put another way: Bitcoin electricity consumption today uses 30% as much juice as the entire US computing and networking infrastructure in 2001 - the peak of Internet Bubble 1.0. The US consumes about 1/4.5 of the overall world's electricity; if the computing percentage is equivalent worldwide (which it is not clearly either higher or lower), then bitcoin alone is consuming 6.7% as much as the entire world's computing and network electricity usage. This is ludicrously high.
While internet usage has increased since then, as has computing, efficiency has also increased - so it is unclear if the overall US computing consumption number has increased or decreased. Certainly overall US electricity consumption has not changed much since 2001 (3,9__ TWh in 2001 vs. 4,0__ TWh today).
I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.
The individual who has bad credit is highly incentivized to kill all such data, for example.
And if you say that this can be compensated for - it can, but the cost is treating all people with little or no credit history as bad credit. This penalizes those who legitimately are just starting their financial histories (usually young people).
The management of fraud and other criminal activity is another legitimate use case although personally I think credit ratings enable far more than disable. Many of the more sophisticated criminals know very well how to jack up credit ratings artificially.
I am curious, however, as to what other people's experiences with "4-9s, 5-9s, or 6-9s" guarantees or past uptime have been.
From what I have personally seen as well as what is seen publicly, these numbers are backed neither by real guarantees (i.e. cash put forward to compensate for failure to deliver) nor by reality (all sorts of games played to manipulate results).
One easy example is the Dyn attack. Any company using AWS in the East Coast for that period could not possibly have had 5-9s uptime that year, and that outage is hardly the only one by AWS.
Smaller outages occur all the time as well - from local power outages to a backhoe taking down a fiber optic line - stuff happens.
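As an added illustration of the arithmetic behind those "N nines" claims (example code, not from the original comment or from any provider), this computes how much annual downtime each availability level actually tolerates and checks a constructed set of outages against it; the outage durations are sample values, not the real Dyn or AWS incident figures.

```python
# Added example: what "4-9s / 5-9s / 6-9s" really permit per year, and how a
# handful of outages eats that budget. Outage durations below are constructed
# sample values, not measurements from any real incident.
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample year: one multi-hour upstream outage plus two short blips.
SAMPLE_OUTAGES_SECONDS = [4 * 3600, 600, 600]


def downtime_budget_seconds(nines: int, period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Maximum downtime per period that still satisfies N-nines availability.

    5 nines = 99.999% available = 0.001% unavailable = ~315 s (5.26 min) a year.
    """
    return period_seconds * 10 ** -nines


def availability(outage_seconds, period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Fraction of the period the service was up, given a list of outage durations."""
    return 1 - sum(outage_seconds) / period_seconds


def nines_achieved(outage_seconds, max_nines: int = 9) -> int:
    """Largest N such that the period's total downtime fits inside the N-nines budget."""
    total = sum(outage_seconds)
    n = 0
    while n < max_nines and total <= downtime_budget_seconds(n + 1):
        n += 1
    return n


def budget_table(levels=(3, 4, 5, 6)) -> dict:
    """Per-year downtime budget in minutes for each requested number of nines."""
    return {n: downtime_budget_seconds(n) / 60 for n in levels}


if __name__ == "__main__":
    for n, minutes in budget_table().items():
        print(f"{n}-9s allows {minutes:8.2f} minutes of downtime per year")
    print(f"Sample year availability: {availability(SAMPLE_OUTAGES_SECONDS):.5%}")
    print(f"Sample year achieved:     {nines_achieved(SAMPLE_OUTAGES_SECONDS)} nines")
```

A single four-hour outage alone blows through the 5-9s budget roughly 45 times over, which is the point the comment makes about that year.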
Berkshire Hathaway/Buffett/Munger doesn't invest the same way as even your typical hedge fund manager.
For one thing, they are using free money. Unlike just about every other non-government in the world, BRK is investing free money via the enormous float from their insurance operations.
And also unlike just about every other non-government in the world, BRK's only objective is return *of* investment first, followed by return *on* investment.
Since they don't have a time limit (i.e. annual returns to compare to other hedge fund/mutual fund/whatever managers), they invest for 20+ year time frames. Nobody else does that.
Combine enormous scale with enormous time frames, and you get a fundamentally different investment framework. Kudos to them for executing very well, since other insurance companies are not able to generate even 1/4 the annual returns regardless of time frame.
Really easy? How is that?
You can't see the laser beam in the air unless there is a lot of dust.
If you're the one being blinded/hit, you also can't see the source.
So how exactly is it easy to see the attacker, particularly if they are 2 miles away?
What about if they are 1.9 miles away - the difference in angle is 18 degrees - you can see the difference from a point (laser head on)?
If the pilots are being blinded - who exactly is attributing the source? It isn't like you can follow a laser on radar, and the blinded pilot can hardly be the one.
Also, if we're talking about a couple of miles away, we're talking some serious targeting capabilities. I'm not at all sure any normal weapon system is so accurate as to place a beam on a pilot's face while landing, from 2 miles away. Atmospheric conditions alone would introduce a lot of error.
Lastly, the attribution is strangely lacking detail. There is mention of anti-drone systems, but there would be more than just lasers - there would be radar. Are the lasers detection devices or attack devices? Are they radar guided or human directed?
All in all, a very poorly sourced and written story.
It isn't clear that "upgrades" are that easy. For example: if the XP machine is the interface to a 10 year old MID (medical imaging device, i.e. X ray, CAT Scan, MRI), the XP machine may be literally the only way to access data coming out of the MID.
Upgrading it might even require a recertification of the MID under US Food and Drug Administration rules.
A couple of interesting anecdotes about the unusual legal status of the French and Dutch sides of Saint Martin:
1) Thieves on one side can flee to the other. It isn't far and there is no border at all other than flags on the side of the road.
2) Immigration is different: some nationalities can fly into the Dutch side without a visa but not the French side. Found this out the hard way, as a person I was traveling with was informed they were on the French side illegally - excursions to Antigua require a passport and constitute an international border crossing.
The Dutch side is ridiculously expensive, food wise, the French side is amazingly cheap especially vs. the Caribbean in general.
Frankly, this focus on the poor quality of the lane markings is severely misplaced.
Yes, in the ideal world, the markings - lane and otherwise - would be prominent and fresh.
However, in the real world, this is rarely the case.
The real question is: how many non-"Autopilot" drivers have crashed into this poorly marked barrier?
If that number is zero, or even crashes but with zero deaths, this underscores the fundamental dangers of "automated driving" whether Level 2, 3 or 4. If humans aren't running into these barriers, then partial or full automation shouldn't be either - and if they are, they should be severely regulated and/or banned.
Remember we aren't even talking about enemy action. If morons with laser pointers are blinding aircraft pilots, I can only imagine the "fun" with lidar spoofers or (in)appropriately placed markers/signs.
The commentariat has so far failed to mention the well documented, top level collusion between titans of the tech industry to depress worker wages through non-compete agreements.
Isn't this indication that the playing field is far from fair?
Sure, there are overpaid, underdelivering people of older age - but there are also overpaid, underdelivering people of younger age as well. Those who have inside connections or play the political game will often "overperform".
The real issue is whether labor is getting a fair shake in the overall corporate pie.
Focusing on the absolute value received is, frankly, a fool's game because the other side doesn't play it.
Don't get me wrong - the management is far from always predatory. I've gone unpaid for many, many months while my employees have not - in order to get my business on a proper footing.
This doesn't occur in large enterprises though.
At least some part of the problem is poor methodology.
If you don't verify that the criminal can decrypt, then paying the ransom is stupid.
A likely additional factor is RaaS: Ransomware As A Service.
While there isn't honor among thieves necessarily, the reality is that a paid ransom that doesn't yield a return means people will stop paying the ransoms quite quickly.
There is therefore a very clear incentive for a ransomware creator to maintain "brand".
However, with RaaS, the attacker isn't the creator of the ransomware. They therefore don't care about the "brand" since it impacts them much less, especially if the commission structure is one where the attacker pays the commission to receive the decrypt key from the ransomware creator.
Lastly, there were a series of high profile attacks last year where the ability to decrypt was either nonexistent to start with or was compromised by LE and/or poor ransomware design. NotPetya and Wannacry, for example.
Lastly, the dynamic of survey respondents also certainly skewed results. Much as negative reactions are far more common in feedback, so too would unrewarded ransoms likely have far higher response rates.
The study is interesting but far from definitive.
Biting the hand that feeds IT © 1998–2019