Posts by David Tonhofer

First poster gets it wrong

> This is the main problem of security through obfuscation.. as there are no external checks for security, security tend to be sloppy at best.

Possibly, but not necessarily. Of course, "roll your own cryptosystem" is to be avoided as a sign of the typical cowboy coder stance.

> If you start shouting "open source" as a mantra, please consider that if everyone knows what you are doing, someone will eventually crack your public system, and chances are he won't tell you....

Possibly, but not necessarily. If everyone knows that I keep my rare pr0n in bank safe 12 at location X, there will still be nobody who can get at it.

> So companies should probably use public and secure algorithms and then, not tell anyone witch ones they are using. That is secure... but illegal (as you must say you are using XXX open source code..)

It's not "illegal", it's breach of contract. And then again, you may just add "contains OpenSSL code licensed by the Apache software foundation", which is sufficient.

The larger problem being of course, that your _code_ is the LEAST problematic aspect of keeping your system secure (how do you "crack" my AES implementation? fat chance here),.

@Joe K

"instead of making sure the device is bugfree and finalised (like EVERY other pre-flash device)"

That's because these "devices" where basically a couple of mechanical widgets and some wire, encased in bakelite.

Every other device since then has neither been bugfree nor finalised.

"make the ROM a flash chip. Morons."

The only moron is you. Hopefully you are not a hired engineer.

Your license, should you accept it....

Ok, new levels of randomness from the Internet. Whatever.

But the title of this little Reg' Article is wrong as this is not "Open Source" at all. Let's check the somewhat "papal" definition at http://www.opensource.org/docs/osd. It says:

5. No Discrimination Against Persons or Groups: The license must not discriminate against any person or group of persons.

And there you go.

Absolutely something for "semi-coherent computing"

...hopefully

Urrrr....context, pretty please?

And we cite: "...the report notes while the majority see the benefits, concerns over data security and governance could slow the progress of Web 2.0 development in enterprises"

"I see the benefits" is probably related to the beloved "I have a vision" and the less eloquent "Mmm... mushrooms!", often heard in a strategic meeting or some other dark place in the middle of the night.

Please do say: What exactly _are_ those apparently self-evident benefits? What exactly _is_ that Web 2.0? We demand to know!

@B stands for Basic.

"And lets not forget neither Java or the bastard rip off javascript are noted for their speed"

Yes, yes. Java != Javascript, like, totally. Discussions about the speed of Java have passed their "best before" date so long ago that they redshifted right out of anyone's event horizon who actually cares. Really, I would rather you discussed the politics of Cromwell.

Did I forget something?

Oh yeah, I like Perl.

So say we all.

...the "sweary recluse" is really the dog's bollocks. I want to see that kind of stuff in IEEE Software!!

@The Future

"Removing people is the best way to reduce IT costs and making it possible for people to create their own apps is the best way to do this."

But it's simply not going to happen. Parametrization - yes. Creating apps - no. The last 30 years have conclusively shown that the complexity of the application does not go away if a new development tool comes along. Trained people may be able to develop faster but untrained ones will still be unable to develop.

Remember those ads in the 80's mags? "Mr. [mgt guy] has gone Code Free with his new [some tool]. He swears he will never go back."

Mr. [mgt guy] was part of the problem.

@Steve Keller

Well said sir, but please note that the "network administrator" is NOT, repeat NOT the company security officer!

"There are no standards for real security of data"

Of course there are. Lots. And Lots. And Lots. From high-level recommendations like ISO-17799 or those here: http://csrc.nist.gov/publications/PubsSPs.html down to detailed in-company program instructions.

"..because all they understand is computer security and not physical security and it takes an understanding of both to provide effective security."

I agree with the integration work at least. Said glibly, the problem is management who things that "they" are able to implement good company-wide security as "they" got rid of the worm that came in on the notebook last week. Wrong, wrong, wrong. Anyway, the point is - companies need personnel that is dedicated to the task of security while still being integrated in the day-to-day work to be able to make well-informed implementation decisions. They need to know about networking. They need to know about what's around networking. They need management support. And they need time.

But suddenly -- economics! It is very difficult to bill for such "additional" services - exploitation costs become too high, time for the project is too short, the learing curve too steep, management is either dismissive or becomes catatonic as security hoovers up a squalid percentage of the fixed-cost contract :-( At the end of the day, your identity information may not prove to be that important, really. :-((

"Perhaps that's why I'm on a computer security forum trying to learn but i rarely if ever see a computer security person on a physical security forum"

I don't know about that. One person hanging on a security forum does not a one-way knowledge transfer make.

And yeah, those guys goofed up when not encrypting the tapes. Maybe they wanted to do it "soon" and it's been on the to-do list for ages? I know the problem. (but I managed to encrypt our tapes with the underhand trick of 'unpaid sunday work')

Ok, I'm off, gotta check the servers.

What SHOULD Microsoft have done?

... JUST ... DIE .... ALREADY ...

(makes swinging motions with a flamethrower)

@Get your facts straight

> including dropping boxes in front of a ship.

OH NOES! FREE TRAINING! IRAN IS DANGEROUS!!! THINK WHAT THEY COULD DO WITH NUKES!!!

Seriously, here's an excellent complement to the above article:

http://www.military.com/opinion/0,15202,159657,00.html

It says:

-- And when I say "speedboat," folks, I'm not talking about a small frigate, or even something the size of PT 109. I'm talking about the kind of boat you see on American lakes every summer pulling sunburned water skiers around. These Iranian boats are typically armed with a single high caliber machine gun, which is, to put it placidly, a darn sight less weaponry than U.S. combatant ships carry. It sounds to me like the "white box-like objects" the speedboats dropped into the water were Little Rascals technology simulations of mines, painted a bright color for the express purpose of ensuring the Americans saw them and steered around them.

"Dr Paul Reiter"

"In truth, the principal determinants of transmission of malaria and many other mosquito-borne diseases are politics, economics and human activities."

Oh shit! A self-evident truth at six o'clock!

Come clear, AC - you just wanted to reaffirm your manly stance against Climate Change, right?

DO WANT

...the audio of the pro-Exchange maniacal rant.

Oh my..

And this from the country where a few milligram of mercury let loose on the Unsuspecting Children(tm) can lead to a class action lawsuit. Did lawyers lobby for this too or what?

Note that this saves a bit more than 1/1000th of the annual US CO_2 emission; but are have the production of the light bulbs and the production of the production lines of the light bulbs been accounted for?

LOL WUT?

This is politicis (thus a he said/she said thing), but it can be saved by numbers! Do we have numbers? We need numbers!!!