Sam Harris and Bruce Schneier Debate Airport Profiling | Samharris.org

It is still not clear to me what you actually recommend—nor is it clear why your views about profiling, if true, wouldn’t extend to all intelligence work, or even to immigration. Should we issue visas to people at random, or should we pay more attention to those applying from Yemen, Pakistan, and Somalia? For those seeking to immigrate from Canada, should we give more scrutiny to Arabs or to Inuit? I don’t see how you can pull the brakes once this train has left the station. The base rate of terrorism is low everywhere and on all occasions. And, yes, we have an ethical commitment to treating people fairly, wherever possible. But it seems to me that you have made far too much of these facts at the airport—and, given your reasoning, they should vitiate our commitment to targeted security on every other front. Rather than fly drones over Yemen, we should let them drift with the wind and rain down missiles at random.

I think this was a brilliant debate. I would have to fully parse Schneier's main points before I could truly know how strong they are, but have seen actual flaws in more than one of them. Sam's point, however, seems overwhelmingly strong but without a solid implementation route.

One thing is for certain: profiling combined with random screening is the best combination. The question is simply whether or not any profiling system can be implemented that will increase security more than it will cost (in various ways).

That wasn't answered here, but I think Harris definitely won the argument of whether profiling could help, while Schneier won the argument of it not being as simple as, "Look for Muslims."

Luckily for Sam, that wasn't his argument, although Schneier seems towards the end to wish it was.

HULK DDoS Tool

"Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. This can be optimized much much further, but as a proof of concept and generic guidance it does its job. As a guideline, the main concept of HULK is to generate Unique requests for each and every request generated, thus avoiding/bypassing caching engines and directly affecting the server’s load itself."

In order to confuse the target Web server as thoroughly as possible, Shteiman has included a number of different features in HULK, including the ability to hide the actual user agent and obfuscate the referrer for each request. In his own tests, Shteiman said that the attack tool had no trouble taking down a target server within a minute or so.

"Basically my test web server with 4GB of RAM running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host," he said.
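As an added example (not from the article quoted above or from the HULK tool itself), a defender-side detector for the traffic pattern the excerpt describes: one host sending many requests, each with a different User-Agent, Referer and cache-busting query string. The log format, the constructed sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: one host hitting "/" with a fresh query string, User-Agent and
# Referer on every request (the "unique request" pattern), plus one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2012:10:00:01 +0000] "GET /?zx1=a9f HTTP/1.1" 200 512 "http://search-a.example/?q=1" "UA-1/1.0"
203.0.113.7 - - [10/May/2012:10:00:01 +0000] "GET /?zx1=b77 HTTP/1.1" 200 512 "http://search-b.example/?q=2" "UA-2/1.0"
203.0.113.7 - - [10/May/2012:10:00:02 +0000] "GET /?zx1=c12 HTTP/1.1" 200 512 "http://search-c.example/?q=3" "UA-3/1.0"
203.0.113.7 - - [10/May/2012:10:00:02 +0000] "GET /?zx1=d40 HTTP/1.1" 200 512 "http://search-d.example/?q=4" "UA-4/1.0"
203.0.113.7 - - [10/May/2012:10:00:03 +0000] "GET /?zx1=e05 HTTP/1.1" 200 512 "http://search-e.example/?q=5" "UA-5/1.0"
198.51.100.2 - - [10/May/2012:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
198.51.100.2 - - [10/May/2012:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 1024 "http://www.example.test/index.html" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
198.51.100.2 - - [10/May/2012:10:00:06 +0000] "GET /logo.png HTTP/1.1" 200 4096 "http://www.example.test/index.html" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
"""

def parse_line(line):
    # Returns the log fields as a dict, or None for a line that does not match the format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def score_hosts(lines, min_requests=5, min_agents=3, min_referers=3, min_query_ratio=0.8):
    """Flag hosts whose traffic looks like a HULK-style flood: many requests, many distinct
    User-Agents and Referers, and nearly every request carrying a not-yet-seen query string
    (which is what defeats caches). Thresholds are illustrative; tune them to real traffic."""
    per_host = defaultdict(lambda: {"n": 0, "ua": set(), "ref": set(), "q": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole analysis
        h = per_host[rec["host"]]
        h["n"] += 1
        h["ua"].add(rec["ua"])
        h["ref"].add(rec["referer"])
        h["q"].add(urlsplit(rec["path"]).query)
    flagged = {}
    for host, h in per_host.items():
        if (h["n"] >= min_requests and len(h["ua"]) >= min_agents
                and len(h["ref"]) >= min_referers
                and len(h["q"]) / h["n"] >= min_query_ratio):
            flagged[host] = {"requests": h["n"], "user_agents": len(h["ua"]),
                             "referers": len(h["ref"]), "unique_queries": len(h["q"])}
    return flagged
```

On a real server the same counters would be kept per source over a sliding time window, since the distinguishing signal is the rate at which these distinct values appear, not their total.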

Microsoft Switching to CVRF For Security Bulletins

The framework has also recently received an update but, most important of all, has gained a very prominent backer: Microsoft.

"Even though many vendors have followed Microsoft’s lead in providing comprehensive security updates to customers, the formats vendors use vary. CVRF provides the entire industry with a way to share and present data in a coordinated and structured manner," stated Mike Reavey, Senior Director with Microsoft Security Response Center, and announced that Microsoft has presented the latest monthly security updates (released on May 8) in the CVRF format.

Extolling the virtues of the format, Reavey pointed out that even though home-computer users or small businesses haven't got much use for it, big businesses could do without continually “copying and pasting” Microsoft's security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list.

"For these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal," he wrote, and added that Microsoft's bulletins will continue to be issued also in the current format for those who don't require automation.
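An added example (not Microsoft's or ICASI's code) of the automation Reavey describes: pulling the bulletin ID, affected products, impact and fix links out of a CVRF 1.1 document so they need not be copied into a tracking system by hand. The namespace URIs are assumed to be the CVRF 1.1 schema ones; the document is constructed and every ID in it is a placeholder.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (assumed to be the ICASI schema URIs the bulletins use).
NS = {"cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
      "prod": "http://www.icasi.org/CVRF/schema/prod/1.1"}

# Constructed, heavily trimmed bulletin; every ID below is a placeholder, not a real advisory.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Placeholder Bulletin</DocumentTitle>
  <DocumentTracking><Identification><ID>MSYY-NNN</ID></Identification>
    <CurrentReleaseDate>2012-05-08T00:00:00</CurrentReleaseDate></DocumentTracking>
  <prod:ProductTree><prod:FullProductName ProductID="P1">Example OS, 32-bit</prod:FullProductName>
    <prod:FullProductName ProductID="P2">Example OS, 64-bit</prod:FullProductName>
    <prod:FullProductName ProductID="P3">Example Server</prod:FullProductName></prod:ProductTree>
  <vuln:Vulnerability Ordinal="1"><vuln:Title>Placeholder Vulnerability</vuln:Title><vuln:CVE>CVE-YYYY-NNNN</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P1</vuln:ProductID><vuln:ProductID>P2</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>P3</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Threats><vuln:Threat Type="Impact"><vuln:Description>Remote Code Execution</vuln:Description></vuln:Threat></vuln:Threats>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix"><vuln:Description>KBNNNNNNN</vuln:Description>
      <vuln:URL>https://example.test/kb/NNNNNNN</vuln:URL></vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>"""

def parse_cvrf(xml_text):
    """Return (bulletin_id, release_date, records): one record per Vulnerability with its
    CVE, title, impact, the products marked Known Affected, and the Vendor Fix URLs."""
    root = ET.fromstring(xml_text)
    bulletin_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS)
    released = root.findtext("cvrf:DocumentTracking/cvrf:CurrentReleaseDate", namespaces=NS)
    # ProductID -> name, so per-product statuses can be reported readably
    products = {p.get("ProductID"): p.text for p in root.iterfind(".//prod:FullProductName", NS)}
    records = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        affected = [products.get(pid.text, pid.text)
                    for st in v.iterfind("vuln:ProductStatuses/vuln:Status", NS)
                    if st.get("Type") == "Known Affected"  # skip "Known Not Affected" etc.
                    for pid in st.iterfind("vuln:ProductID", NS)]
        records.append({
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            "impact": v.findtext("vuln:Threats/vuln:Threat[@Type='Impact']/vuln:Description", namespaces=NS),
            "affected": affected,
            "fix_urls": [r.findtext("vuln:URL", namespaces=NS) for r in
                         v.iterfind("vuln:Remediations/vuln:Remediation[@Type='Vendor Fix']", NS)]})
    return bulletin_id, released, records
```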

Why So Many Climate Scientists Are Becoming More Vocal on Climate Change | ThinkProgress

Climate scientists have been consistently downplaying and underestimating the risks for three main reasons. First, their models tended to ignore the myriad amplifying carbon cycle feedbacks that we now know are kicking in (such as the defrosting tundra).

Second, they never imagined that the nations of the world would completely ignore their warnings, that we would knowingly choose catastrophe. So until recently they hardly ever seriously considered or modeled the do-nothing scenario, which is a tripling (820 ppm) or quadrupling (1100 ppm) of preindustrial levels of carbon dioxide over the next hundred years or so. In the last 2 or 3 years, however, the literature in this area has exploded and the picture it paints is not pretty (see “An Illustrated Guide to the Science of Global Warming Impacts: How We Know Inaction Is the Gravest Threat Humanity Faces”).

Third, as Blakemore (and others) have noted, the overwhelming majority of climate scientists are generally reticent and cautious in stating results — all the more so in this case out of the mistaken fear that an accurate diagnosis would somehow make action less likely. Yes, it’d be like a doctor telling a two-pack-a-day patient with early-stage emphysema that their cough is really not that big a deal, but would they please quit smoking anyway. We live in a world, however, where anyone who tries to explain what the science suggests is likely to happen if we keep doing nothing is attacked as an alarmist by conservatives, disinformers, and their enablers in the media.

BDD-Security and Resty-Burp

BDD-Security is a framework written in Java and based on JBehave and Selenium 2 (WebDriver) that uses predefined security tests and an integrated security scanner to perform automated security assessments of web applications.

Don't scanning tools already do that?

Partly. Scanning tools are good at finding certain types of vulnerabilities, such as injection vulnerabilities (Cross Site Scripting, SQL injection, etc.). But scanners don't understand the semantics of a web application. From a scanner's point of view E-bay.com and Citibank.com are the same thing: a series of HTTP requests with fields that can be scanned.

This means that purely automated scanning is a shallow form of security testing. In many cases the precise tests performed, and how they were performed, are hidden from the user. The result of the scan is a report that only contains vulnerabilities. You could think of a scanning tool as a Badness-ometer.

Manual application security assessments result in a much deeper form of testing, because humans understand context.

BDD and Resty-Burp are my new favorite scanning toys. Resty-Burp lets you control Burp scans through a REST API call. Sexy.

Sam Harris Owning Illogical Liberals

To see how the denial of the obvious has become a new article of faith for secular liberals, consider the response I received from Chris Stedman. In an article published in The Huffington Post, Stedman urged me to visit a mosque with him. This invitation was much celebrated online. Many people appear to believe that the remedy for my bigotry is for me to meet real Muslims—as though I have never met Muslims or doubted for a moment that most Muslims living in America are really nice people. This misses the point entirely.

Stedman’s article is worth reading. It is well written and earnest, and it reveals just how confused my fellow liberals are about Islam. Stedman is a gay, atheist, interfaith activist. As one person wrote on Twitter (@GadSaad)—“Wear a t-shirt stating ‘There is no God and I am Gay’ in Islamic countries and report back on your experiences.” This may seem like a cheap shot. It isn’t.

This is complete ownage. That being said, I think he may be wrong about the effectiveness of profiling, as Schneier successfully argues in his response to Sam. I'm not thoroughly convinced, but Bruce's argument sounds strong. In short, Sam would be right if it were effective, but if it's not then he's wrong.

Silicon Valley's View of Money

But here in one of the richest corners of the country, the tech elite display an ambivalent, sometimes contradictory approach to wealth. Money, as one scholar of the Valley described it, is treated as a measuring stick, gauging the power of the companies that entrepreneurs have built, rather than a thing to display.

“They use it as a way of keeping score — how disruptive can you be in reordering the market,” said Ted Zoller, a senior fellow at the Ewing Marion Kauffman Foundation and a scholar of entrepreneurship.

I definitely see this around here. It's not about the money you have, it's about what you've created--with money simply being the "currency" by which the disruption is measured.