Design is not a bug. Some things just aren’t designed to meet security goals. Telnet is plaintext; in most environments that’s a pretty big security issue. That’s not a bug in the code, it’s just not designed to protect the data from tampering, eavesdropping and hijacking. It just can’t operate any other way.
Configuration errors are security issues, but they are not bugs. Users can set things up insecurely.
Human beings present their own security issues, and they are definitely not bugs you can code away.
The biggest myth about software security is that it’s all just bugs. This leads to after-the-fact thinking (well, just patch it), and a huge blind spot to the fact that security isn’t something you can just build, it’s an entire process that goes way beyond just code.
I think this is mostly an issue of overloaded terms. There are security design considerations, and security issues. Telnet being plaintext is not a security issue for telnet, it's a security issue for those using telnet for something it's unsuited for. HTTP being unencrypted is not a security issue for the HTTP protocol, or an application that wants to support that (a browser), but it may be for an application that makes requests over HTTP instead of HTTPS when those requests require some level of privacy.
If an application has a design goal to be secure in some aspect, but the design they chose doesn't accomplish that, then the design itself is a bug and needs to be fixed (or they need to change their design goals). Buggy designs exist, they're the designs that don't fulfill the desired purpose.
All security issues in the context of a project which intends to provide security in that aspect are bugs.
Interestingly, a younger Donald Trump proposed a wealth tax back in 1999 (of 14.5% on $10M or more). But the 16th Amendment clearly says "income" tax. It doesn't say "wealth" or "assets" or "property", so any wealth tax without an amendment would fail on constitutional grounds.
Yes, I remember him proposing that; as I recall, the quid pro quo was a concomitant permanent abolition of the estate tax, which would have been a sweet deal for the Trump dynasty.
Note: I performed security audits of VHA facilities for a couple of years.
Unlike non-federal hospitals, this is due to jurisdiction. VHA Hospitals are federal land so local police departments wouldn't have any jurisdiction, and the federal government typically looks at its responsibility to enforce laws within the land it owns. Also, some VHA facilities are on large campuses in more rural/less urban areas, which affects the size of the police forces there.
The Fukushima accident had more to do with the culture in Japan than the industry globally[1]. The government and the regulator were basically in bed with TEPCO.
Do you think that this is somehow unique to Japan? How close do you think regulators and operators are in the US? Is there any industry that even remotely seems like it has a healthy relationship with its oversight bodies?
> Do you think that this is somehow unique to Japan? How close do you think regulators and operators are in the US? Is there any industry that even remotely seems like it has a healthy relationship with its oversight bodies?
Yes, and no. TEPCO, and The Nuclear Village are strong powerful entities and lobbyists in Japanese Society. But it was the 'Japanese' way of not asking the global community for help that ultimately ensured that the Abe Government and its subsequent action would take the act of secrecy in the face of one of Man's biggest ecological disasters.
Very, look at how much influence Edison and SONGS have over the Judicial system, and I will remind you San Onofre is home to some of the most expensive real estate in all of the US:
Perhaps, but business interests are always messy things within centralized governance models and I can go on my tirade for the imperative need for Anarcho-Capitalism, but to be honest if someone like Trump hasn't already made it clear to you that these imbeciles (they're all the same) in power will march us off to extinction for yourself, then my arguments will fall on deaf ears.
If the US inspections of offshore oil rigs are any indication of our lack of ability to fix things obviously broken, I can't imagine nuclear power plants would be any different, except the risk in a nuclear scenario would be amplified.
* Constructed by companies like Halliburton and Bechtel
* Operated by utilities like PG&E, collaborating with traders like Enron.
I don't know about you, but to me, the whole setup does not scream competence, good judgment, incorruptibility, and adherence to the highest ethical standards.
Indeed I am (that's why I wrote "like"), but they were the household name in the field. Frankly, I don't know who plays that role now, but how confident are you that they behave fundamentally different, as opposed to just not having been caught yet?
Depends on where you buy it. If the place didn't have a problem with criminals using burner phones, you would not have an ID requirement; otherwise they will make a copy of your ID before activating your pre-paid phone.
Different places have different problems enabled through different technologies or goods, therefore different regulations. The place is huge and divided into about 200 parcels, all with a different approach to handling issues; check it out here: https://www.google.com/maps
You don't build a city without some kind of central planning. Even in the total absence of zoning someone needs to build the infrastructure to link it all together. That is in large part why "just deregulate zoning" alone isn't an answer - cities in large part are in bureaucratic gridlock on developing infrastructure and wouldn't be able to supply new construction adequately. But as a society we simply cannot have private companies bulldozing blocks or razing roads to build rail or bike lanes.
Additionally in the same way public policy hinders development today it could be reversed to help development. Subsidizing density and mixed use would do a lot of good to jump start the much needed urbanization of most western populations.
> In a way, the world is lucky it happened there and not somewhere else.
It's a mixed bag; while that might be true, it's important also to remember that that kind of accident could have really only occurred in the USSR. Western countries simply couldn't muster the political support to build reactors with that lack of concern for safety, or those kinds of design flaws. The USSR? No problem.
Just wow to think they build power reactors without even a containment structure.
That is naive, the western countries had their share of failures. For example, the UK officials pushed hard on becoming part of the big boys club in 1950's and this resulted in relaxed safety and resulting disaster in Windscale. The politicians didn't care or know too much about safety even in this western country.
Windscale was bad but it was at least three orders of magnitude less severe than Chernobyl in terms of radiation release.
Cockcroft had also insisted that the chimneys at Windscale be fitted with expensive scrubbing equipment, which everyone thought was idiotic until the fire. Not exactly "relaxed safety" there.
One dude insisting on one safety measure being added to a catastrophically stupid and unsafe design, while being resisted by everyone else, is very much within the realm of “relaxed safety.” In fact, I’d say that’s a rather mild and understated way to describe it. “Utterly negligent on safety” would be more accurate.