
Besides lsof and netstat?


Can you expand on this? Do they package those and use them with chrome? How are they using them?


I simply meant that if you monitor a given application using on-system network tools, you quickly get an accurate idea of what/who that application talks to. And browsers are super-chatty to all sorts of destinations that are not immediately apparent to an end user who is just clicking around the web.


If every car in your neighborhood that gets broken into is manufactured by a single manufacturer, it is in your interest to ask why that is, and perhaps to consider that fact when shopping for a new car.


That does happen though. Cars worth more are stolen while cars worth less are not.

The common factor there isn’t that 40 year old hatchbacks have better security. It’s that the risk vs reward isn’t there compared to the brand new luxury cars with higher resale value on the black market.

This isn’t something I’ve just made up either. This is what the police told us when my neighbour’s Merc was stolen while my Skoda, which was accidentally left unlocked, was not.

Thieves target the expensive cars because they’re worth more. It’s really that simple.


> Thieves target the expensive cars because they’re worth more. It’s really that simple.

They don't target the expensive cars. The most stolen cars in the US are cheap Hyundais and Kias. Before they claimed the top spot on the list of cars taken most often, the winner was pickup trucks and old Toyotas.

Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.


> They don't target the expensive cars.

US != everywhere.

They do target expensive cars in other countries.

As I said earlier, I have firsthand experience of this being the case.

> Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.

You’re just proving my point here though. Thieves target cars that have the highest resale value.

Whether that’s as a whole, or for parts where the supply chain for genuine parts has become extremely expensive.

Organised crime happens for money.

Yeah, there will be a subsection of society that steals cars for shits and giggles. But those also aren’t the sort of motives for hackers who’d go after Microsoft SharePoint. So if we are to compare like-for-like, then you have to discuss organised crime rather than bored teenagers.

———

By the way, I love how your username is accidentally appropriate for this conversation :D


If every car in your neighborhood that gets broken into is manufactured by Ford, but some people keep saying that their sneakers never get broken into, why don't you just walk everywhere, also they've never driven a car and don't really believe anyone else drives a car and keep implying it's just a status symbol...

and then they say "okay what if we consider everyone's sneakers all together, and how rarely they get stolen compared to cars" as if they've come up with a sensible comparison in complexity...

and then someone suggests "RedHat Linux" as an alternative to your car. Apparently they don't know what section of the world a car fits into, to suggest an alternative - but they're still convinced that you don't need a car and they are genuinely puzzled why more people aren't using "RedHat Linux" instead of cars...

... also only Ford make cars and the only real alternative is something completely different and then pay consultants to customise it and retrain your entire workforce at great cost and upheaval for little to no return, except hoping for an increase in security but not being able to prove same, or even clearly nail down what that means precisely.


One should be wary of anyone selling you a solution to your problems they know nothing about. Naturally, the only way to be entirely secure is to shut down all the applications and decommission all the computers, a solution which the business side tends to find unreasonable. Thus the tender balance between business needs and business risk emerges as the deciding principle.

But the numbers are the numbers in heterogenous environments, regarding security problems by platform. And if it rains perpetual Windows-based incidents on your security staff, and you don't consider the numbers when evaluating what you will and will not do, compute/services-wise, then you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely.


> "a solution which the business side tends to finds unreasonable"

Isn't it odd that "unreasonable" solutions keep being suggested in threads started by people who first push Linux, and second ask what the thing even does anyway.

> "Thus the tender balance between business needs and business risk emerges as the deciding principle."

There is no tender balance and this is nothing like the deciding principle, and again it's illustrative that in a world where big organizations turn to poor quality software with poor UX for reasons like "nobody got fired for buying IBM" and "I look good on the Gartner report" and "the vendor will bend over backwards to make our auditors and legal team approve it" that Linux people go for the only thing they have going and try to suggest it's the most important thing, even though it's demonstrably an afterthought or a never-thought.

> "you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely."

And you see this happening for literally 30 years and the "whatever cost" being written off as a business expense that has never changed anything, but you still call it "the deciding principle" when the evidence shows that the decision makers barely consider this at all?


Whoops. I used hyperbole, and it went undetected. Here: s/the deciding factor/a deciding factor/g. We're good now.


So now you've changed your position, what happens to your original claim "If every car in your neighborhood that gets broken into is manufactured by a single manufacturer, it is in your interest to ask why that is, and perhaps to consider that fact when shopping for a new car."

Why would that need to be said at all, if businesses are using security as A [prominent] deciding factor already?

My reply "businesses are visibly not using it as a deciding factor" still seems correct.


We're still good now.


Very curious. Just based on the incidents we see, and analyze over time, almost all of them are compromised Windows systems. When I say "almost", I'll provide these stats: ~4500 Windows incidents over 5 years, vs. two Linux incidents.

Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves.

To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"


Regarding "the DNS record they had you add to begin with is still there", it generally isn't. Part of the automation process for certbot using the DNS-01 challenge is the removal of the DNS record, following successful validation of said record. In any complex DNS environment, leaving TXT records around just increases the debris.


It's the Let's Encrypt people who make certbot, so that's just an implementation detail, and the premise here anyway is that you would be doing it manually (once) because the inconvenience to be avoided is when certbot can't update the DNS records automatically.


No, it's not the LetsEncrypt people who make certbot. Certbot is an EFF project, managed by separate people. Additionally, most of the DNS implementations will require the use of a specific plug-in/library for your selected DNS platform, and those, also, are developed separately.


Let's Encrypt was an EFF project to begin with. They're still the same people.

The DNS plugins only matter if you're trying to automate updating the DNS entry. The whole point is that you could have certbot spit out a DNS TXT record for the user to manually add to their DNS once, e.g. which contains the public key fingerprint of the certificate they want Let's Encrypt to renew on an ongoing basis, and then certbot would be able to renew the certificate as long as the DNS record remains in place.


No, LetsEncrypt was not an EFF project to begin with. Look, it works how it's documented to work. If you wish it worked some other way, to solve your particular suggested workflow, you're likely free to fork it and make it work that way.

Good luck.


This is compounded by their propensity to rename everything at periodic intervals.


For the Microsoft.com domain, proper, there seem to be no existing CAA rules, allowing each and every CA on earth to issue certificates based on whatever criteria the CA requires. What could possibly go wrong with that approach?
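To make the consequence of a missing CAA RRset concrete, here is an added example (not part of the original comment) of the RFC 8659 check a CA performs before issuing. It goes slightly beyond the comment by also covering wildcard names and the critical flag; the zone contents and CA names are constructed and do not reflect any real DNS data.

```python
# Constructed sample data: owner name -> list of (flags, tag, value) CAA records.
SAMPLE_CAA = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "ca-one.example"),
                         (0, "issuewild", "ca-two.example")],
}


def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root and return the first
    non-empty CAA RRset, or None if no ancestor publishes one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return None


def may_issue(ca_domain, name, zone):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if rrset is None:
        return True, "no CAA records: any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    # Flag bit 0x80 marks a property the CA must understand to proceed.
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False, "unknown critical property"
    by_tag = {}
    for _, tag, value in rrset:
        # Keep only the issuer domain name, dropping any ";param=value" part.
        issuer = value.split(";")[0].strip().lower()
        by_tag.setdefault(tag.lower(), []).append(issuer)
    # issuewild, when present, replaces issue for wildcard names.
    use_wild = wildcard and "issuewild" in by_tag
    issuers = by_tag.get("issuewild") if use_wild else by_tag.get("issue")
    if issuers is None:
        return True, "RRset has no issuance-restricting property"
    if ca_domain.lower() in issuers:
        return True, "CA is authorized"
    return False, "CA not in authorized set"
```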


The article contains solid advice that certainly transcends coding, alone; in my free time, I try to essentially "find work". Sometimes that work consists of writing software to solve weird little home "problems" that may or may not be actual problems. Sometimes that means building something as a joke, just for fun. Sometimes that work consists of over-engineering a water heater box-turned-space shuttle for my daughter. Or recording my dog's wheezing and turning it into "classic industrial" music. It all feeds the same internal need, though; to learn, to build, and to produce something, rather than to passively consume other people's products. It keeps my brain alive, and I find improved performance/innovation in other work-related projects, as a result of just staying active, mentally.


Curious if you've tried any "work" games. Factory building games (Factorio, Dyson Sphere Program, Satisfactory, Captain of Industry, etc.), programming games (Human Resource Machine, 7 Billion Humans, anything by Zachtronics), or colony sims (Rimworld, Oxygen Not Included, Banished)?


I have not. I'm afraid I am a gaming luddite, though for no particular reason other than having a lengthy list of mental "to-dos" in front of it.


And if you're the kind of person that travels in one of these, you likely also have a few additional vehicles in front of and behind your vehicle filled with highly-paid professionals ready and willing to carry you the last mile if your vehicle stops for any reason, to include mechanical failure.

The whole armored vehicle market is a relatively small one; it's interesting to learn that BMW is a direct participant; I previously had no idea. I foresee a lot of wasted time scouring eBay looking for a project my family will resent me for later in my immediate future!


I was surprised to not see IR beacons on LEO units. In military operations with air surveillance, individuals/vehicles often use IR flashing and IR reflection to mark themselves to air assets. If MPD has the money for 1) an air surveillance unit (this cost is not trivial; SFPD, for example, hasn't had their own aviation section in decades due to the cost), and 2) decent thermal optics on said surveillance unit, then it surprises me they don't spring for sub-$100 IR beacons to distinguish their own personnel from everyone else, and enable rudimentary "blue force tracking", as it were.


Agreed. I invariably lose hours to Folklore every time I end up there. I previously worked for an original Mac team engineer, and he had some fascinating stories, but Hertzfeld's writing allows me to revisit those and so many more tales from that period of Apple/Silicon Valley history, and all without annoying my former boss for more stories.

