* Posts by mutin

60 posts • joined 21 Jul 2017


Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft

mutin

speculation without knowledge is BS

It would be good to read some comments concerning the technical details of this article, or MS info, or Iran's hacking in general. However, ALL went to whistling rather than moving: political speculations without any real ground. Iran will not help in political games either President Trump or the Democrats. Both are enemies to Iran. So, the hacking was not about US politics, President Trump, or stupid attempts to hurt the President basically over nothing. So, the article's speculation is pure BS and most of the comments as well. The real purpose was either money or information. The same as China, N. Korea and others alike.

mutin

Re: Iran...

Well, I would suggest being more specific when blaming the US for throwing somebody in jail. Ever come to the US and gotten behind bars?

Today's Resident Evil: Ransomware crooks think local, not global, prey on schools, towns, libraries, courts, cities...

mutin

Re: Insurance

Update and maintenance is not enough simply because AV SW effectiveness is about 80%. Or 90% backwards. Attacks are usually targeted and based on social engineering. Statistically, around 3% of those receiving spam email tend to open the malware file, attachment, picture etc. The backup is in 90% of cases untested and fails to work when needed. And in fact, backup and restore is a very complex service and requires high-level IT professionals to implement. I doubt that the "cloud" could help in such cases as well. That is the statistical reality of security life. So, let's save some money and pay. After all, miscreants do also need to get a reasonable quality of life and put a lot of effort into their business :)

Tech lobbyists turn on Trump over Mexican tariffs, then quickly try to smooth the waters

mutin

Trump is right

All is very simple. Only people who do not know the situation on the US borders are joking around. I've seen how guys come in truckloads and the useless attempts of police to catch them. That is in Arizona. Each person illegally coming costs us money. Stopping them will reduce the waste of our taxes. That is not about liberty or whatever human rights. Did you like crowds coming from the Middle East for a better life in the EU in millions? More likely you do not. Trump talks about money. Mexico cannot stop it? Ridiculous! They definitely can but just do not want such a headache. Then pay for your inactivity. That is the same story as narco-traffic. It cannot be stopped by one country. That requires mutual efforts.

Banhammer Republic: Trump declares national emergency, starts ball rolling to boot Huawei out of ALL US networks

mutin

Re: "Unacceptable risk", eh? - let me guess

All is very simple. Politics. It is good manners in the EU to hate the US. Media and politicians work hard for that. Simply because the US finally wants equality in paying for mutual defense. And avoiding deals with such countries as Iran, China and Russia. Not the first time in human history. The US was for some time outside of European politics and that started WW2. Finally the US spent enormous resources to get Germany and its allies down. So, the EU wants to be very friendly with the trio of VERY Democratic countries. Fine. But do not ask the US to help again if you get in a problem.

Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation

mutin

Re: Now, for the last act ... - a lot of SecPro needed

Hey, the FBI etc. need more than ten thousand security professionals. The gap will not be filled in the near future. So, considering his status as a convert to "white", he more likely will get an offer. He definitely got some credentials to ask for good pay. That may already be a part of his plea.

MIT USA VP: ZTE? OMG, WTF! GTFO

mutin

Of course, #1 is China, the second is Russia, and the Saudis are attributed to aftershock. But the problem is that the university, as well as CalTech and others, is full of Chinese students. Would be nice to know the percentage of China-funded students in each of the Ivy League. That is much more risk than any ZTE or Huawei. Americans cannot pay MIT's astronomical number of $70K/year. Plus, US basic school education cannot compete with Chinese. Guys there are drilled and grilled while at school. Within 10 or 15 years China will not need to spy on US technology anymore.

Click here to see the New Zealand livestream mass-murder vid! This is the internet Facebook, YouTube, Twitter built!

mutin

Re: Murder and rape are ALWAYS illegal

I agree, there is a lot of crap in the world now. However, I would suggest opening your eyes and recalling that politically based terrorism has existed for almost 200 years. Saying that murder is ... there is no word for how bad it is, but saying that is too simple. The last case in question was a political murder. I see it as much in response to Jihad around the world. How many people consider Jihad and the mass murder caused by it as a completely appropriate thing? Hundreds of millions? So far in this world cruelty sooner or later gets the same in response. Unfortunately, being cruel is human nature. By Sigmund Freud, aggression is human beings' basic instinct. Say thanks to whoever created us.

mutin

murder is illegal?

Well, yet another incorrect reply. Murder and rape are not ALWAYS illegal in SOME Islamic countries. Sharia law permits SOME cases. As far as I've seen in the news over the last forty years.

NASA's crap infosec could be 'significant threat' to space ops

mutin

Re: apparently too small of a budget

Seriously, when moving federal systems into the cloud Obama was promising to save money on that. Of course, such moves never save money. The Fed budget for information systems did not decrease, of course. Curious people can either read my article on that matter (cloud, politics, money) on www.rubos.com or check themselves. The Fed budget is public info and easy to check. It has a special part for fed IT. So, do not worry. They have plenty of money to waste. Sorry, to move into the big pockets of IT giants. And into "Cloud First".

mutin

Obama, Kundra, cloud and continuing failing

A failed audit is not a surprise. That crap started when Obama came in and, with new Federal CIO Kundra (now in SalesForce), originated the Cloud First program without, of course, any NIST guidance existing, and their heads also lacking any knowledge. NASA was chosen first to begin with. And of course, it failed its first implementation audit. Since then it has continued as it started in the Obama era. No security actually. Even having inconsistent papers ... Where is the expected cloud security, which should (?) be better than local enterprise-based?

Frankly, I doubt that many of US government agencies have adequate security either local or cloud.

Many thanks to black hats who somehow appreciate space business and not touching poor buddy.

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

mutin

Re: Virtual Machines? If the hypervisor is malicious?

One reminder: Intel had a BMC-embedded hidden hypervisor back in 2008 - 2009. That is, all from top to bottom is at somebody's will. Do you think they stopped that? I doubt it.

mutin

any good news on Intel future

Intel definitely has a problem as a company. It is actually not a CPU maker but is trying to do almost everything in the IT market place. Including security. The problem has been known since the 20th century when automobile conveyor manufacturing was invented. It ended up building huge factories which finally were not manageable. Simply because of the size. There is a limit of manageability. Intel, in general, reached such a limit. And the problem is not only in such an architecture vulnerability. It has an overall problem with new ideas, new research and implementation of new technologies.

The new CEO is not a technical guy. The typical monstrous Intel response to failing research is building a huge research center in India. Is that the place to find new technology ideas and well-educated researchers? I doubt it. With all due respect to India and its culture, it is not the place known for modern technical research and availability of brains for it. One may find millions of freshly baked software coders (who are also far off from skilled professionals) but technology research requires a completely different technology culture and hundreds of years of its development.

Who will stand up for European democracy? Us! says US software giant Microsoft

mutin

what?

What service? Informing of attacks and helping (!) to resolve them? Redmond? Unless they collect info from other reputable sources, that will be just crap. Or have they figured out how to index and search the Dark Web?

Fun never ends!

Germany tells America to verpissen off over Huawei 5G cyber-Sicherheitsbedenken

mutin

They gonna say Ooops! right?

What do people usually say when they find out they've been pwned? Oops ... we do not believe it!

With all of China's great reputation for hacking and stealing secrets, what else is needed to stay away from them handling your major resources?

Maybe some influx of Chinese immigrants to keep Merkel happy?

Only plebs use Office 2019 over Office 365, says Microsoft's weird new ad campaign

mutin

Re: Without the hype, how the ad would really have gone...

There is yet another option: LibreOffice freeware. Supports all platforms, great to replace MS Office.

mutin

Yah, but people who want good, smart and free software (thanks for keeping it up) use LibreOffice. Compatible and very open to users. Actually, there is no need for any M$-related Office software anymore as LibreOffice exists. I usually give a small donation. We need to support our free world.

Another Apple engineer cuffed over alleged self-driving car data theft: FBI swoop on bod as he boards plane to China

mutin

security is not chinesity

I wonder about the stupidity of both guys caught by Apple security; see the article for how that happened. China is known very much for stealing secrets. So, why hire a guy with a certainly weak background (dad in China, i.e. the family is there) for the secret project when there was already the same kind of case?

Do not tell me about EOE when we see in US East Coast IT departments 100% guys from India. So, just avoid hiring guys with a questionable background. Or do we not have enough American citizens to do coding? Then why? Would it be better to educate guys here for free than exporting potential spies?

I also see a very bad security level at the Apple secret facility: a guy was able to copy from the network (!) to his personal storage (!). Why do they permit storing secret files on personal computers? Does the Apple network not work?

It seems to me that Apple fits the case of "security by obscurity". They are building a Maginot Line to defend while not-so-stupid guys can always go around it.

Romford Station, smile! You're in London cops' final facial recog 'trial'

mutin

so many concerns - about what?

I'm not in London, I'm in THE US. And frankly, I do not understand people's concern. Maybe with the exception of wasting tax money. All your faces are in ID/passport etc. systems. All your faces have been captured on various security cameras, recorded and saved and kept for a long time. So, what is your "privacy" concern over guys playing with a hi-tech toy with a low level of success? Liberty and overall liberals' politically motivated speculations when nothing wrong happened and will not? Anybody detained, behind bars?

As I always said being a CISSP: do not expect any privacy when you are in public space, do not use the Internet if you worry about your freedom rights, do not encrypt email as it is useless. Only people who have something to hide should worry about stupid hi-tech toys. Ask the guys for your picture and have fun!

The BMC in OpenBMC stands for 'Burglarize My Computer' – thanks to irritating security flaw

mutin

old news is sometimes not bad news

BMC actually is not "baseband management controller" but Baseboard Management Controller. And alterations of the management system in BMC flash memory have a long and great story. You guys can take a look back at 2008 when a Russian guy found a hidden hypervisor in Intel motherboards. If you do not read Russian, see the site www.rubos.com for both Russian and English. The people who think it is minor stuff can possibly change their mindset. See also articles on malicious hypervisors there. Have fun!

Another inconsistency in this article is that to change management software one needs root access. Actually not. Root is about the "ring-0" level. And root belongs to the OS. System management software is ring -2 and that is two levels down from root. It is really funny that people do not know that such embedded software CANNOT be identified from OS level using any currently available security means. Sorry, it is ring -2.

German cybersecurity chief: Anyone have any evidence of Huawei naughtiness?

mutin

components of critical infrastructure

Technically speaking, Huawei equipment installed in a country's Internet infrastructure seems to be controlled by local specialists and not by guys from China. Not entirely correct. The updates for Huawei equipment will come from China. It means the UK guys are wasting time checking the code. They are checking the "public" version. An update to a new "private" version may easily bring as many backdoors as the Chinese government wants.

People who did not read about world and particularly Chinese history do not understand the Chinese mindset. For the last 5000 years it was a country of slaves; I would use "robots" as it is much closer. It was always the upper, not even class but a group of governing people. Not the Emperor but his closest circle always ruled the country. Nothing changed. The CH government, while presenting as "modern communists", is actually the same junta as before. 5000 years back. And the current purpose is to dominate the world. They have 1,500,000,000 people, they have a lot of cash, and they sent millions of young people to study in the best Western universities. US universities of the best quality are occupied by Chinese. The idea is very simple: we have money, we have the #1 industry, we want to be the technical and thus real leader of the world. The problem still exists: by genes, Chinese guys cannot think free as the Western race. China still needs inventions, trade secrets, in general, ideas. Millions of slaves can do manufacturing but cannot do ideas. So, millions of youngsters in the US and other Western countries is the attempt to create a class of Western-thinking technology leaders.

Until they overcome their nature, they will need backdoors and other hacks in Chinese-made equipment.

mutin

Re: Evidence? You want evidence?

You are right. But people on this list have no clue about China, Russia, etc. They live by "all people united". Left or liberal, they follow the song "Imagine all the people...". Any company in China, by definition, is under government control. If the CH government wants Huawei to implant a back door, the company will.

Guys, take some time to read about the history of communist countries, the USSR and China (which had been created with the USSR's direct help). China was 5000 years back an empire, and it is an empire governed by modified communists. The entire world of capitalism helped to grow it into a technically modern country. That changed nothing in the CH junta mindset. They want to be #1 and control you guys. You think about the US as if it is an "empire". Not really. Simply, the US is the state trying to protect you from such things as 1,500,000,000 robots controlled by a dozen maniacs.

Fix your ignorance, read books (put down your mobile sucker for a couple of years) and you will find out that things are much, much more complex than you can imagine. And travel to CH to see things for yourself.

Super Micro says audit found no trace of Chinese spy chips on its boards

mutin

Has anybody seen such a report or knows the company name? So, what are we discussing? The word of the SM CEO? Do you trust such a word saying nothing more than Bloomberg? Come on!

mutin

Re: Get your tin-foil hats ready...

You write: "I would have expected Bloomberg to have produced some physical evidence - even a single demonstrably hacked motherboard"

So, do you really expect that such evidence can be found? All that was altered has been destroyed. It was not in Apple's or Amazon's or Super Micro's interest to keep any evidence for investigation.

mutin

It is really funny: has anybody tried to follow the link in the article likely pointing to a report from an independent company? It goes to the Super Micro site saying that there was a company and a report. Super Micro DOES NOT provide a link or a document or disclose the name of the company. So, what are you talking about? What has SM proved if we cannot see it published?

Nobody mentioned in the original article really wants an INDEPENDENT PUBLIC investigation. It is all cover-up. Too much money and reputation, i.e. money, involved.

So far Super Micro does bla-bla-bla and there is no proof that Bloomberg was incorrect.

Renegade 3D-printing gunsmith Cody Wilson on the run in Taipei from child sex allegations

mutin

won't help

Good point but it will not help. Even if the site he probably used says "Click that you are at least 17/18", it is the person's responsibility to somehow figure out the age. Otherwise it is his/her fault. Like not knowing the law ...

Whatever he is and whatever he did, it is a really bad situation when US agencies are against you. Options are really limited.

Linux kernel's Torvalds: 'I am truly sorry' for my 'unprofessional' rants, I need a break to get help

mutin

Re: That's right Linux community... bend over...

My finding after a lot of thinking and re-thinking is: the underlying basic human instinct is not Aggression but Ignorance. How is it related to the matter in question? Ignorance in code development triggers Linus' aggression. Simple as that. No need to consult any doctor or analyst. But he definitely needs some rest. Better where there are no people but sharks. Easier to deal with.

mutin

Re: That's right Linux community... bend over...

Agree. There are A LOT OF MEANS of checking code before sending it as a patch. So, sending crap is simply ignorance and a waste of other people's valuable time. Read this humor/anecdote below:

A doctor looks at a contractor's head in the emergency room covered with blood. Doctor: What happened, man? Contractor: Well, John dropped his hammer on my head from the roof. Doctor: What did you say? Contractor: I said: You are not entirely right, John!

Do we expect Torvalds' comment on crap like that? As the center point of a HUGE development effort, how much crap does he get for each release?

Mr. Torvalds, you do not need help. You were 90% right. Maybe you've been a bit over. But I would not blame a person who gets a dozen hammers on his head daily!

Microsoft accidentally let encrypted Windows 10 out into the world

mutin

Re: Does anybody here remember...

There are no fanatics. Either idiots or Redmond C-team on the pay.

xNIX platforms proved much, much better in everything. I bet M$ will slide into a Linux-based system after W10 like Mac OS is based on BSD. W10 and other server versions cannot be better because they reached the summit entropy point. After that is simple chaos and system degradation. That is what we see in failing patches and updates. After 25 years of attempts to make such a process stable.

After 25 years of dominating the IT OS market, Redmond crap is going to die as an OS. 25 years wasted and thousands of strokes and heart attacks.

I remember the W95 presentation and advertising clip. Completely stupid and idiotic. With Bill of Redmond as the star. Behaving correspondingly. That was the label for all Windows OS versions I have used since then.

Everyone screams patch ASAP – but it takes most organizations a month to update their networks

mutin

Patching? Actually it should be a Vulnerability Management cycle

Auto patching systems may fail. I've seen that. In particular, funny (sorry) was that I explained to the IT director that vulnerability scanning is the standard way to check if patching works. He was not an idiot but ... So, when they hired an IT boss on top of him and we resumed scanning, we found that 30% of computers were not patched while the system reported they were. Then a virus outbreak happened on top of multiple vulnerabilities.

So, the patching we discuss here IS NOT THE GOAL. It should always be Vulnerability Scanning after.

Is it possible to do within a month? Very hard. Almost impossible considering complex IT systems. The only success story was when I did VM for a Navy installation of 4,000 computers ten years back. Somehow the IT guys managed to patch and I was able to do my scanning. Since then I see only sad stories.

The chaotic result of what we have now was created by IT giants rushing for profit no matter what.

They created the environment of an "IT jungle" where we, the food for predators, and them, aka "hackers", will coexist forever. The only way to limit your risks is to limit your Internet connections. Pack your bag, forget your computer and go South. Bingo.
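One way to run the check the post above describes (scan after patching and compare against what the patch system claims), as an added example that is not part of the original post or of any product's code: it reads a constructed patch-console export and a constructed authenticated-scan export, with hypothetical hostnames and placeholder patch IDs (`KB-EXAMPLE-*`), and lists the hosts the console calls patched that the scanner still finds missing, keeping them apart from hosts the scanner never reached, where an absent finding proves nothing.

```python
"""Reconcile what a patch-management console claims against what an
authenticated vulnerability scan actually finds.

Added example, not code from the original post. All inputs are constructed:
hostnames, patch IDs (KB-EXAMPLE-*) and the two CSV layouts are hypothetical
stand-ins for a real console export and a real scanner export.
"""
import csv
import io
from collections import defaultdict

# Constructed console export: one row per (host, patch), as the console reports it.
PATCH_REPORT_CSV = """host,patch_id,status
ws-001,KB-EXAMPLE-001,installed
ws-001,KB-EXAMPLE-002,installed
ws-002,KB-EXAMPLE-001,installed
ws-002,KB-EXAMPLE-002,installed
ws-003,KB-EXAMPLE-001,installed
ws-003,KB-EXAMPLE-002,failed
ws-004,KB-EXAMPLE-001,installed
ws-004,KB-EXAMPLE-002,installed
ws-005,KB-EXAMPLE-001,installed
ws-005,KB-EXAMPLE-002,installed
"""

# Constructed scanner export: one row per patch the authenticated scan still sees missing.
SCAN_FINDINGS_CSV = """host,missing_patch,severity
ws-002,KB-EXAMPLE-002,high
ws-003,KB-EXAMPLE-002,high
ws-004,KB-EXAMPLE-001,critical
ws-004,KB-EXAMPLE-002,high
"""

# Constructed list of hosts the scanner actually reached; ws-005 was never scanned.
SCANNED_HOSTS = {"ws-001", "ws-002", "ws-003", "ws-004"}


def load_patch_report(csv_text):
    """Return {host: {patch_id: status}} from the console export."""
    report = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[row["host"].strip()][row["patch_id"].strip()] = row["status"].strip().lower()
    return report


def load_scan_missing(csv_text):
    """Return {host: set(patch_ids)} that the scanner still reports as missing."""
    missing = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        missing[row["host"].strip()].add(row["missing_patch"].strip())
    return missing


def reconcile(patch_csv=PATCH_REPORT_CSV, scan_csv=SCAN_FINDINGS_CSV, scanned=SCANNED_HOSTS):
    """Per host, the patches the console calls 'installed' that the scanner still finds missing.

    Only hosts the scanner actually reached are judged: no finding on an
    unscanned host is no evidence either way.
    """
    report = load_patch_report(patch_csv)
    missing = load_scan_missing(scan_csv)
    disagreements = {}
    for host, patches in report.items():
        if host not in scanned:
            continue
        claimed = {pid for pid, status in patches.items() if status == "installed"}
        conflict = claimed & missing.get(host, set())
        if conflict:
            disagreements[host] = conflict
    return disagreements


def unverified_hosts(patch_csv=PATCH_REPORT_CSV, scanned=SCANNED_HOSTS):
    """Hosts the console reports on that the scanner never reached (console word only)."""
    return set(load_patch_report(patch_csv)) - set(scanned)


def false_patched_ratio(patch_csv=PATCH_REPORT_CSV, scan_csv=SCAN_FINDINGS_CSV, scanned=SCANNED_HOSTS):
    """Share of scanned hosts the console calls fully patched that the scanner contradicts."""
    report = load_patch_report(patch_csv)
    fully_patched_claims = {
        host for host, patches in report.items()
        if host in scanned and all(s == "installed" for s in patches.values())
    }
    contradicted = set(reconcile(patch_csv, scan_csv, scanned)) & fully_patched_claims
    return len(contradicted) / len(fully_patched_claims) if fully_patched_claims else 0.0


if __name__ == "__main__":
    for host, patches in sorted(reconcile().items()):
        print(f"{host}: console says installed, scanner says missing: {sorted(patches)}")
    print("never scanned (console word only):", sorted(unverified_hosts()))
    print(f"false 'fully patched' claims among scanned hosts: {false_patched_ratio():.0%}")
```

With the constructed data the console calls four hosts fully patched; of the three the scanner reached, two are contradicted, and ws-005 is reported separately as unverified rather than counted as clean. Feeding real exports in requires only matching the column names, and keeping the scanned-host list as a separate input is what stops "the scanner found nothing" from being mistaken for "the scanner confirmed it".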

Can we talk about the little backdoors in data center servers, please?

mutin

Re: If an attacker has freedom of movement on your management network

This vector has been known publicly since 2011 when a Russian scientist published a paper (originally in Russian) that Intel motherboards' BMCs have a malicious hypervisor embedded. Plus, guys at Michigan University had research on that matter published in 2012. So, for all about that see our papers and presentations on www.rubos.com

Sorry, too much to repeat all that we published. Enjoy the NEWS of 2011 - 2012 at the Rubos, Inc. site!

mutin

Really OLD NEWS at RedHat

Well, there has been University of Michigan research around 2012 about problems with system management software, and a Russian scientist found a spyware hypervisor in Intel motherboards' BMC around 2008, and we talked about all this stuff twice at DeepSec 2014 and 2016... So, why is it NEWS? People, search the Inet for news and read what was published. Well, see all related research and presentations at www.rubos.com

Enjoy the article about the malicious hypervisor embedded in Intel motherboards in English. Nobody knows that Intel has spyware in its management software, or at least had?

Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

mutin

yet another good news about Kaspersky

So, the guys want to be in the bad news again. They created a buzz after being caught collecting and sending user info to the Russian FSB, and following the US government embargo on its use. That damaged the reputation and others are following the US government, or at least thinking about it. Instead of paying something even if not legally obligated, they want the K-name to be in discussion again. However, the IT/Security world is not Hollywood. Bad reputation is a really bad thing.

I would suggest researchers sell Kaspersky-related bugs on the open market as the K-guys are really cheap and in bad shape financially. Or their PR is as stupid as it gets.

Oracle's JEDI mine trick: IT giant sticks a bomb under Pentagon's $10bn single-vendor cloud plan

mutin

Money goes where people retire

I understand Oracle's concern. A piece of a big pie is worth trying for.

I'm impressed that the Pentagon is going to trust the cloud while it has been proved that clouds are less secure than traditional local enterprise infrastructure.

However, the story's background is different from the public one. Such huge money usually appears on the play table when one of a few high-ranking generals is going to retire. Somehow it happens that they finally end up in companies which were awarded contracts. After a few months of legally required waiting period.

I've seen myself such a story when the US Navy decided to build the useless Navy Marine Corps Intranet and a few billion went into IT companies. Participating admirals finally moved into IT company chairs.

The same happened with Vivek Kundra who was Obama's federal CIO and ended up in Salesforce which got 50 million. After hiding in a Harvard hole for six months.

On Kaspersky’s 'transparency tour' the truth was clear as mud

mutin

Re: But...

Well, two important topics are forgotten:

- Kaspersky himself had and has friends in the FSB. It means he will do what they ask for

- They did not promise to stop sending information from user computers to Kaspersky data center(s), which, wherever it/they is/are or will be, will send info to Moscow. Where it will be available to Mr. K's FSB friends. The same way they grabbed NSA info from the stupid NSA contractor facing bars. Running on government computers they will collect confidential info and send it ... I really do not care about my "personal" info. I simply know that "privacy" is good to believe in but does not exist anymore. But I think any government info should not be widely available. Mr K lovers can download and use Kaspersky company software.

As soon as the company moves its headquarters to the EU, and development as well, and Mr K steps down, the problem will dissolve. But that won't happen simply because they use the company as an FSB helper.

Kaspersky Lab's move from Russia to Switzerland fails to save it from Dutch oven

mutin

Re: FUD...

You people are so naive! Not actually understanding any aspect of security, business and the Russian government's FSB/KGB. First of all, The Lab is not moving its headquarters from Russia nor its SW development. Kaspersky himself was educated at the KGB academy, while not in field operations but computer security. He had and has connections in the FSB. Moreover, personal friends. Do you think having a data center in Switzerland will prevent silently dumping user data to the RF FSB? Until the Putin = FSB couple exists do not even think of using ANY computer product Made In RF. Read more about USSR and then Russian activities to spread their ideology and influence around the globe. And think about whether you can trust Lenovo notebooks with China-made firmware. Same stuff as Kaspersky.

Boffins urge Google to drop military deal after Googlers storm out over AI-based super-drones

mutin

Re: The choices

I agree. As Dr. Freud once, a while ago, mentioned, the basic human instinct is "aggression". However, my ten cents to psychology: the basic instinct is "ignorance" and its child is "aggression". We ignore almost everything and will be aggressive until the end of this civilization. The arms race will never stop while humanoids exist on this planet. So, activists against the war and warfare may need to wait until the next civilization comes in ... After all, there are still 1.5 billion commies on this planet (as the result of ignorance) and such states as Russia and China will use AI in any form to get a warfare advantage. Open your eyes and see the imperfect world you live in.

mutin

Re: how much collateral damage will you stomach?

So what? Stop using cars, which kill much more often?

Good news: AI could solve the pension crisis – by triggering a nuclear apocalypse by 2040

mutin

Not an interesting story at all

It boils down to this: all the so-named experts know basically nothing of what they are talking about and, plus, did not try to do any estimate on any matter. For instance, the status of WOMD in 2040 when nuclear powers such as the US and Russia rush into a small-caliber arms race. What about computer power and the capability of whatever the military wants to simulate? What exactly can AI do and what can it not concerning complex scenarios? Basically, it is bla-bla-bla research with a simple outcome: something may happen in 2040. Well, why 2040 and not 2030 or 2050? The guys seem set to retire in a different world in 2040, by their estimate, and thus nobody will blame them for screwed predictions.

Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year

mutin

The World is still bigger than EU

Let the EU do its own domains and the rest of the world will stick with the US. So far only EU rulers objected to the current system on the grounds of its own regulation. So, keep your regulation for yourself (EU) and do not disturb other people who are OK with the current system.

mutin

You simply do not understand how EU stuff works

One cannot overcome a few people who think they are smart but were not smart enough to understand how what they invented will work. I mean GDPR and the EU Commission. EU Commies are sitting on their chairs and feeling they are gods on Olympus. They expect everybody across the EU and around the world will become compliant. Did they issue any recommendations on how to do that in the form of a framework? No, they did not. But I DID. In 2012 when it was the draft. It is a very complex implementation and 99% still have no clue that it is not about security controls but mostly about privacy controls. Very different story.

So, shortly: one story is to write the regulation. A completely different story is to implement it. Guys, please come down to us from your EU Olympus and explain how to implement what you've invented.

We're Putin our foot down! DHS, FBI blame Russia for ongoing infrastructure hacks

mutin

Re: Russia hacking us?

Wrong. Stuxnet is not about Russia at all. And the first link is speculation. The most important: Russians NEVER officially claimed that they found US activity on their infrastructure.

mutin

Re: Russia hacking us?

AFAIC Russians never claimed US attacks against their power infrastructure. I'm sure we have the tool for that but it has not been used so far. See our MH research on www.rubos.com

OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

mutin

Re: Found this explanation (Fake company, fake claims?)

By the link that is ALL fake. We will see what AMD will find. While Israel does not permit extradition of its citizens, AMD still can sue the guys. Let's get some popcorn and patiently wait for the dust to settle.

mutin

Good Pirates???

That is a shame!!! Not AMD, because bugs are bugs and there is a process to fix them. At the company's expense. What CTS-Labs did was "good piracy" and my suggestion is to do what normal people do with ANY pirate: hang them! They are not about security, they are about money and getting it in the most dirty way. In InfoSec terms. I would suggest NOT dealing with the company, otherwise one day your own hands will get dirty as well. Or they trade you for yet more money.

But they are not only greedy but also stupid! They expected AMD stocks to react to their "news". Well, the case of Meltdown etc. shows that the reaction is minimal if at all. Investors use different criteria and judge by different information.

Frankly, I've been in InfoSec since 2003 and do not remember such misconduct in a vulnerability announcement. Maybe they need PR themselves? But that is not about Information Security. That works in Hollywood.

Audit finds Department of Homeland Security's security is insecure

mutin

No leadership - no security.

I commented on a few posts. Now here are my 10 cents.

There was never a time when US government agencies had good security. Maybe the CIA and NSA. But others, including DoD, are affected by internal politics. IT never wanted independent security management. However, a CIO will never be a good CSO, and first of all because there is ONE budget for everything. Only at the end of 2016 did OMB get a Director of Security, which still reports to the Federal CIO. The worst case was Obama's ruling. His first CIO nearly escaped jail right at the beginning of his job. But having absolutely no knowledge or experience in security, this guy Vivek Kundra initiated, with Obama's blessing, the federal "Cloud First" program. He had no clue about cloud security, NIST had no related documents and neither did anybody in the government, but they started, and started with moving NASA into the "cloud". NASA got an OIG assessment in the same way as DHS and found a disastrous situation.

So, what should we expect from the US government concerning security when they do not have an independent leader even in perspective? A couple of years ago the US government estimated that they need 30,000 REAL security professionals. Where could they get them? Inside DC borders? There are no security pros living in DC ... Come and see.

mutin

Re: Shrug

We simply do not have complete information concerning the audit. They may have audited just a part of the entire department.

Concerning the number: the US government rule is "fix ALL new vulnerabilities within a month or less and report ALL which cannot be fixed". So, it should be "0" by US government rules. Also please consider who lives within DC and works for the government. Got it? People with adequate security experience do not exist within DC borders. The government a couple of years back estimated that it needs 30,000 security professionals.

mutin

Re: Not impressive. But then again if you're a sysadmin how would *your* company fare?

You are right. Chaos is the security status, including the US. I worked for a company which required HIPAA compliance. They never were, despite my best efforts. They reported to DHHS that they were compliant every year, basically giving false statements. The best compliance level was when I finally left: around 15%. The reason: I was the only one who understood what security means, and was reporting to a long line of IT management. They simply ignored whatever I said or did exactly what I recommended not to do.

mutin

Re: When the fox runs the hen house

Not exactly right. I worked for the US government for a total of around 7 years starting around 2003. And it was ALWAYS like that. The most devastating for security were Obama's initiatives. First: misunderstanding that InfoSec is not IT. In general the government does not have a separate line of security management reporting to an upper manager. For instance, for a long time there was the Federal CIO position and there was NO position of a security manager. At the end of 2016 (!) they finally got something like a Director but reporting to the Federal CIO. It means security does not have its own budget and does not hire by its own understanding of who they need.

You get a criminal record! And you get a criminal record! Peach state goes bananas with expanded anti-hack law

mutin

As stupid as it gets

Just to add my ten cents to the public opinion that the proposed law is completely stupid and the result of incompetence. As a CISSP and PhD I can say that people are right. It is a stupid law. My POV is that it will not improve security at all. The State of Georgia Cyber Security Task Force (I do not think it exists) will not be able to identify who exactly is trying to access a computer residing in this state. The FBI will not. They are not stupid enough to help this state in such useless activity. Needless to say that the most serious penetrations that happened came from spam. Wanna try to catch spammers? You'll get a bot probably sitting in one of the G-senators' computers. Then jail this guy who actually was voting for this fake law.


Biting the hand that feeds IT © 1998–2020