* Posts by Mike 137

3942 publicly visible posts • joined 10 Sep 2009

Home Office staff still leaning on 25-year-old asylum case management system

Mike 137 Silver badge

Sadly, not unique

A few years back, on a contract with an NHS trust, I found a hospital admissions system running on two separate computers (side by side under the same desk) that required the users to shuffle their chairs back and forth between two screens. I suggested (as a minimum) a KVM switch, but IT support hadn't heard of such a device. The problem is often not so much "legacy" as "inadequate".

UK watchdog urged to probe GDPR failures in Home Office eVisa rollout

Mike 137 Silver badge

Lousy engineering 101

"Because the scheme is digital-only, there is no physical document to fall back on when errors occur"

This idiotic lack of resilience has become the order of the day. In the name of "progress" we're rendering ourselves ever more open to accidents by eliminating independent backups for almost all our critical services.

Space-power startup claims it can beam energy to solar farms

Mike 137 Silver badge

"There are problems with Overview's design"

There are problems with any design -- at least one of them fundamental. Don't step into the beam unless you want to be fried.

Microsoft research shows chatbots seeping into everyday life

Mike 137 Silver badge

It's worse than you thought

"The idea of a user turning to Copilot, or any chatbot, for "existential clarity" is vaguely disturbing"

Or rather, dead scary, I'd say. Not only is replacing human empathy with the output of a mindless machine a very bad idea, but supporting (nay, definitely driving) a culture in which folks are so deeply worried all the time that they have to ask existential questions at 2AM undermines human resilience. Once that's lost, we're just puppets in the dirty hands of the technocracy.

Porsche panic in Russia as pricey status symbols forget how to car

Mike 137 Silver badge

"The cybersecurity of our vehicles is a central concern for Porsche"

If it wasn't an effin smart phone on wheels you wouldn't have to worry. My almost entirely* mechanical Volvo is 30 years old today, running perfectly, and has never been broken into or "hacked".

* it does have an electronic engine management system

Congress quietly strips right-to-repair provisions from US military spending bill

Mike 137 Silver badge

Re: as long as the word lobbying exists

"ultimately both sides will end up being owned by the same giant corporation and there will be no more wars"

Oh yes there will, and they'll last longer. Supplying both sides is both twice as profitable and can be good insurance ("hedging one's bets"). And it works -- there are plenty of precedents going back to ancient Greece.

Crisis in Icebergen: How NATO crafts stories to sharpen cyber skills

Mike 137 Silver badge

Re: RPG

Good role-play at fire fighting, yes. But fire fighting is far from enough. What's apparently (and almost certainly) missing is modelling the prior state of the victim. So they should also be role-playing the risk management and the operational process space that precede the attack. Just for example, the infamous and costly Equifax breach (2017) was primarily due, not to the cunning of an adversary, but, having been alerted to the vulnerability and provided with a fix, because they didn't have an adequate inventory so they couldn't find the server to patch it.

In a consulting career of several decades I've hardly ever found an organisation that was demonstrably robust against the unexpected. Even where "risk management" has been undertaken, it's typically been [a] conducted in a silo (usually by the Board) detached from operational realities and [b] limited to a predefined list of assumed risks that they're able to think up in their armchairs. Hardly anyone accepts that effective risk management is a continuous dynamic activity involving all echelons of the organisation, backed by effective monitoring, excellent communications, current intelligence and the combined expertise of not a few departments.

Galactic Brain space datacenter coming in 2027, pledges startup Aetherflux

Mike 137 Silver badge

Re: WHY????

"Because of the gullible investors"

Well, the proposer did found Robin Hood after all -- should have told us something.

Vibe coding will deliver a wonderful proliferation of personalized software

Mike 137 Silver badge

"good enough to do things well"

"it's already “good enough” to display all the examples from my 1995 book on VRML, and other bits of content I found online"

reminds me of the numerous occasions I've reported to some web dev that their offering crashes, and got the reply "well, it works for me"

Whitehall rejects £1.8B digital ID price tag – but won't say what it will cost

Mike 137 Silver badge

Re: checking validity for employment

"Working should no longer be a right but a privilege"

No, working will be an obligation but you must have a smart phone to be able to fulfil your obligation to the state. Anyone who can't afford or use one will be written off as a non-person.

Mike 137 Silver badge
Stop

As expected - mission creep already

"Inclusion of this age group could also support children's online safety by supporting age verification for online services in line with the Online Safety Act 2023."

Now is the time to ask loudly where mission creep will stop (and how many people will be excluded from key services/entitlements just because they don't have or can't use a "smart" phone). Write to your MP.

UK finally vows to look at 35-year-old Computer Misuse Act

Mike 137 Silver badge

"I personally do not understand why this is a problem for security researchers"

(1)A person is guilty of an offence if—

(a)he does any unauthorised act in relation to a computer;

(b)at the time when he does the act he knows that it is unauthorised

The problem arises where a legitimate researcher wants to investigate e.g. a critical vulnerability in the public interest but the software vendor/host refuses to respond or co-operate. This is much more common than many believe as "reputation" typically takes precedence over protecting the public.

When the CMA was being drafted I suggested that a defence could be reasonable documented and certified attempts to obtain consent before proceeding, but this didn't get into the bill.

Latest Windows 11 updates may break the OS's most basic bits

Mike 137 Silver badge

"Well, it compiles!"

The worst is that this quote doesn't complete the concept -- the second half is "let's get it out the door before it breaks".

Lawyer's 6-year-old son uses AI to build copyright infringement generator

Mike 137 Silver badge

"Fair use"

"they all allow that, as far as I know"

Not necessarily. For example, many book publishers in UK and some other English speaking jurisdictions expressly prohibit the act of reproducing their published content by any means (irrespective of whether it's for personal use or republishing). One of the complications is that there can be other IP rights in addition to copyright.

Soup king Campbell’s parts ways with IT VP after ‘3D-printed chicken’ remarks

Mike 137 Silver badge

Re: I have one question

"how on Earth do you get to VP status in a company if you don't believe in its products ?"

"VP" is an honorific title, really signifying "top donkey", particularly in the IT arena, where the buck tries to stop first whenever there's an incident. It has been noted in the past that the average life of a CISO is 2.5 years (i.e. until the first data breach). And it's interesting that IT "directors" don't often have a seat on the board.

FCC sounds alarm after emergency tones turned into potty-mouthed radio takeover

Mike 137 Silver badge

"best practices" ????

● promptly patching and updating firmware

● replacing default passwords with strong alternatives (and rotating them periodically)

● putting EAS and other critical audio gear behind firewalls or VPN-protected networks

● restricting remote management to authorized devices

● systematically auditing logs for suspicious access attempts

Assuredly, the assumption that these are "best practices" is a prime source of our abysmal level of cybersecurity. They're the absolute minimum basics.

Mobile industry warns patchwork cyber regs are driving up costs

Mike 137 Silver badge

enforced through engagement

There's another, more effective, form of engagement -- offering expert assistance and support, preferably prior to rather than merely after incidents (and this is not a "carrot"). Not only are "cyber regs" currently a patchwork -- standards are too. And both almost entirely ignore the non-"cyber" elements of protection, not least realistic business risk assessment and the influence of psychology on both the guides and guided on the victim side.

One-fifth of the jobs at your company could disappear as AI automation takes off

Mike 137 Silver badge
FAIL

Old McDonald had a server farm

AI, AI -- Oh!

"Roles centered on routine analysis, [...] transactional support"

Both of these roles only work in the real world if they're capable of effectively identifying and addressing unexpected edge cases -- the very thing that the LLM is incapable of as it operates on statistical probabilities, and edge cases by definition have low probability.

Calls grow for inquiry into UK data watchdog after MoD leak

Mike 137 Silver badge

The entire DP regulatory system is toothless

"insisting that cooperation, guidance, and "proportionate" responses achieve better long-term compliance than headline-grabbing penalties"

The expression "headline-grabbing penalties" clearly indicates that the ICO doesn't have a clue about what minimises data breaches. And whether 'cooperation, guidance, and "proportionate" responses' deliver useful results depends entirely on the definition of those terms and their applicability to individual cases. (BTW it's revealing that the word proportionate is double quoted, as if it's not to be taken seriously.)

Via submissions to several govt. consultations on data protection over the years I have repeatedly suggested that a more effective response would be in three phases: an enforced independent audit of the breach, a set of mandatory remediation actions and an independent post-implementation audit to confirm they were in place and working -- all at the breaching organisation's expense. This would be vastly more effective than fines, which to many organisations are just a cost of doing business (and against which they may even be insured).

So far my suggestion has apparently fallen on deaf ears and the ICO has increasingly ignored pretty much all but high profile data breaches that gain mainstream media attention, even where (in my direct professional experience) the implications of apparently minor infractions have had potentially far reaching consequences. This (underlined by the expression "headline-grabbing penalties") leads me to the (possibly uncharitable but inescapable) impression that the ICO might be at least as concerned about enhancing its public image as it is about fulfilling its ostensible role in protecting the public (a well recognised stage in organisational decline).

For reference: I am a 40-odd year veteran in information management with professional involvement in data protection since the 1984 Act

Bossware booms as bots determine whether you're doing a good job

Mike 137 Silver badge

Re: Auto-micromanagement

"The best manager is conspicuous ONLY in his/her absence."

Actually, the best manager is one who assists and facilitates your activities so you both get the best possible results. I've had two such in my whole 40-odd year career. My worst had a black Darth Vader high back chair and a stock phrase "bring me solutions, not issues".

Vibe coding: What is it good for? Absolutely nothing (Sorry, Linus)

Mike 137 Silver badge

still only "coding"

The fundamental problem here (one of the key errors that underpin the supposed charms of using "AI" here) is that coding is not programming. The most important element of programming is the design of appropriate and reliable algorithms for solving the problem in hand. Coding is merely the penultimate stage of realising those algorithms in a way the machine can exercise. The final stage is, of course, testing, and I fail to see how it's realistically practical (or indeed even always possible) to test code that nobody has an insight into because it was churned out by a bot that has no concept of what the code is for in the real world.

The other chief error (the concept that once the tools are smart enough nobody needs to understand what they're doing any more) is a growing general cultural problem that we allow to take firm root at our peril.

Don't spill your guts to your chatbot friend - it'll hoover up that info for training

Mike 137 Silver badge

Re: The only killer app for AI is not a commercial one.

"The only realistic use is by governments as a system of universal surveillance"

No, the primary use is to further elevate the egos of the small (thank the Maker!) population of Cracked Coders who think they are entitled to rule the world despite never being able to write code that doesn't need a constant stream of repairs for its entire operational life.

Mike 137 Silver badge

LLM builders can exploit users’ conversations for further training and commercial benefit

And bears shit in the woods. What did you expect?

UK minister ducks cost questions on nationwide digital ID scheme

Mike 137 Silver badge

UK minister ducks

Oh, that explains why they'll quack on regardless of practicality or adverse side effects.

But seriously, it's happened before. The myth that "everyone has a smartphone" will become the fact that "you can't get a job or see your doctor unless you have a smartphone". So we write off maybe 20% of the population?

Magician forgets password to his own hand after RFID chip implant

Mike 137 Silver badge

"Not everything on the World Wide Web is forever"

Practically nothing on the WWW is for more than a decade or so -- mostly not as long as that. As we "digitise" everything with wild abandon we're creating a dark age for those who look back in a couple of centuries (or maybe less).

Software engineer reveals the dirty little secret about AI coding assistants: They don't save much time

Mike 137 Silver badge

Re: "Tales from the pit"

"... being good at maths has absolutely no relationship to being a good coder"

Depends what you mean by "being good at maths". Most math teachers (and consequently their students, graduates and the public at large) believe being good at maths means being able to manipulate symbols and calculate swiftly. In reality, the mathematical mode of thought is grounded in ability to model the world and its processes logically and reasonably accurately -- the essence of good programming (as opposed to mere "coding"). See W.W. Sawyer, Mathematician's Delight (many reprints since 1945) and Junaid Mubeen, Mathematical Intelligence, Profile Books 2022 [ISBN 978 1 78816 683 6].

Mike 137 Silver badge

Simulacra of support

"the associated application can be overwritten by "user preference," such as "Open with" overrides in Windows Explorer. [..] The AI gave no hint at these wrinkles"

"The AI pointed out the "ScriptErrorsSuppressed" property of the control, which resolved my problems. This is the simple type of contained question at which AI shines."

Since the "AI" literally hasn't a clue what it's talking about but merely depends on statistics about what token should follow what, all this means that in the first case the question has not been asked enough times in those terms to generate a sufficiently significant probabilistic chain, and in the second case this requirement has been fulfilled. The bot knows nothing about the matter of these (or any other) questions -- it literally hasn't a clue conceptually about what you're asking. It doesn't deal in concepts -- it's the embodiment of the "Chinese Room", the capacity of which was to fool the observer, not render valuable guidance.

It's a massive indictment of declining human mental capacities that we have to keep re-iterating this basic truth -- and as we're cattle prodded into using such "AI" more and more there's a serious danger of us becoming dumber than the machines.

Now you can share your AI delusions with Group ChatGPT

Mike 137 Silver badge

Re: No difference....

"So, it's not gonna be much different with AI content"

Except that the chatbot provider gets access to all your human-generated comment to "improve" the bot (as usual, this is not for your benefit but for theirs). Goodbye commercial confidentiality.

Coders paired with bot buddies work fast, but take too many shortcuts

Mike 137 Silver badge

Expertise?

AI assistants were good at reminding humans of key details, "such as committing database changes, that might otherwise be overlooked."

Overlooking such basics says much more about the skills and attention capacity (or lack thereof) of the practitioner than it does about the utility of "AI". I never cease to be amazed by the shallowness of many of the questions on sites such as SO -- they lead me to believe that the software development profession is to a great extent populated with mere 'coders' who are novices at programming (two very different skills).

YouTube's AI moderator pulls Windows 11 workaround videos, calls them dangerous

Mike 137 Silver badge

Another workaround

If you have something important to say, host it on your own web site and get lots of folks to link back to it (the old way the web worked before Grungle took it over). Relying on third parties with unchallengeable "moderation" will always fail you if you're saying something that might annoy the moguls.

Brit boffins teach fusion plasma some manners with 3D magnetic field

Mike 137 Silver badge

Re: Cynicism is easy

"this sounds like a big step forward"

Yes, another of the sort of major breakthroughs that have made Culham highly reputed for half a century or more. It remains to be seen whether its move into "AI" will maintain that reputation.

SpaceX is behind schedule, so NASA will open Artemis III contract to competition

Mike 137 Silver badge

Just like the Orangeman

Elon Musk, the boss of SpaceX, fired back: "SpaceX is moving like lightning compared to the rest of the space industry. Moreover, Starship will end up doing the whole Moon mission. Mark my words."

"Never apologise, mister. It's a sign of weakness" [1]

[1] John Wayne in "She wore a yellow ribbon"

Aid groups use AI-generated ‘poverty porn’ to juice fundraising efforts

Mike 137 Silver badge

Right on the nail

"the organisation forms a life of its own that's only vaguely aligned with what its donors might think it does"

Not so long ago I applied for a senior post at a charity officially dedicated to alleviating world poverty, but withdrew my application when the JD came back headed "[charity name] is a feminist organisation". What that had to do with alleviating world poverty was not made clear.

AWS admits more bits of its cloud broke as it recovered from DynamoDB debacle

Mike 137 Silver badge

"a rouge state"

If it's a rouge state they're probably pink envelopes.

Windows 11 update knocks out USB mice, keyboards in recovery mode

Mike 137 Silver badge

Re: The question is...

Hey! I didn't realise it had reached alpha -- (I thought they were still "designing" it)

Lloyds Banking Group claims Microsoft Copilot saves staff 46 minutes a day

Mike 137 Silver badge

"undertaking due diligence"

Lovely cliché that - "due diligence", but almost universally misunderstood. "Due" in this case means "appropriate and sufficient", so if you palm the decision making off on a machine, your "diligence" is by definition not due, as that would require you to assess the situation, think out what is required to manage it and take responsibility for the outcomes, whether good or bad.

However, I'm not surprised at banks cutting corners like this -- it's not for nothing that the collective noun for them is "wunch".

Major AWS outage across US-East region breaks half the internet

Mike 137 Silver badge

Re: Too much in us-east-1

"There's really no excuse for British companies to be reliant on that region in most cases"

An analysis on the BBC lunchtime news suggested that a technical sub-component (e.g. DNS) based in US-east-1 may be used by the hosting services based in UK/EU. So the customer is not either directly or knowingly using US-based services at any level.

A simple AI prompt saved a developer from this job interview scam

Mike 137 Silver badge

Errrrrr...

developers are the "ideal victims" because their machines "contain the keys to the kingdom: production credentials, crypto wallets, client data."

All that on the one machine and single account you use for job applications?

Having worked extensively online almost since the web went public (35 years+, ouch!), I've always kept a "dirty machine" for such tasks, with nothing but the basics on it and with a clean backup image that can be used to rebuild it from scratch if it gets contaminated.

In my infosec consulting experience, the key reason most organisations (and folks) get "hacked" is that they have no real proactive defences in place (you need more than a few appliances -- you need forethought, current information about threats and the willingness to make the necessary constant effort).

The real insight behind measuring Copilot usage is Microsoft's desperation

Mike 137 Silver badge

Highly refreshing

Nice article Rupert. It's delightful to read objective analysis in this bullshit-driven arena.

Turns out the end of Windows 10 is good for something: The PC refresh cycle

Mike 137 Silver badge

Amazing, really...

It always strikes me as amazing (being maybe a little sarcastic here) that, as soon as the next version of an OS or application is launched (or at least once "support" for its predecessor ceases), that predecessor suddenly becomes lethal. The reality of course is that [a] it's always been lethal and [b] its successor is also lethal (needing constant repairs for its entire operational life). I think it's safe to assert that there's never been an OS or mainstream application to date that has been fully fixed before it went obsolete, because software development is still crap in engineering terms.

Boris Johnson confesses: He's fallen for ChatGPT

Mike 137 Silver badge

"A perfect match!"

but what about the offspring?

Feeling lonely? Microsoft Copilot can now listen to your every word, watch your screen

Mike 137 Silver badge

Re: Snoopers charter

"... Panoptikon concept was developed for prisoners"

Exactly! Once they've got you by the balls they can twist as hard as they like.

How chatbots are coaching vulnerable users into crisis

Mike 137 Silver badge

"That's partly because many of these models are sycophantic, telling users what they want to hear"

So we're just dealing with automated con men really. The automation makes them more accessible and potentially more persistent, but the technique is as old as the hills -- find an insecure person and flatter their self-image till they accept anything you say. The real underlying problem is the proportion of the population that's so insecure these days that they can be caught by the scam. That's largely down to education systems that just stuff folks with facts rather than cultivating their ability to exercise attention, perception and judgement. As Dirty Harry said "a man's gotta know his limitations" -- if one does one's less likely to be fooled into fantasies like believing you've discovered a new branch of math without any training in math.

Mike 137 Silver badge

"it had passed the Turing test"

The two problems with the Turing test are:

1. It was a thought experiment only, not intended to be used as a validator;

2. "Passing" or "failing" it depends at least 50% (probably a lot more) on the perceptual capacities and relevant knowledge of the observer, rather than on the performance of the machine. It's therefore got about the same level of absolute validity as Trump's assertions about his intelligence.

Bank of England smells hint of dotcom bubble 2.0 in AI froth

Mike 137 Silver badge

Re: For some applications, hallucinations don't actually affect existing quality

That's coz the references were created after the conclusions, (not the conclusions based on the references). This is now a standard approach used by undergraduates who don't like reading papers, so it's possible that the report was written by an intern.

Mike 137 Silver badge

"AI" is not one thing

There are now many genuine and useful AI tools (advanced descendants of what used to be called 'expert systems') but they're all one-trick horses, each dedicated to solving one specific problem. There's no such thing as generalised AI and LLMs don't really have any kind of intelligence anyway (they're just glorified statistical auto-complete engines with huge data sets to draw on) but they're purported by their promoters to have "generalised intelligence" in that you can ask them any question and get a banal answer to it (whether nonsense or not). This is promotional bullshit, not reality -- indeed it's an open question whether LLMs can legitimately be classed as AI at all. So either the bubble will burst or the market will eventually lose interest after it's been well fleeced.

Lowercase leaving you cold? Introducing Retrocide

Mike 137 Silver badge

Priorities

""It seems like quite a nice font," he said"

Ultimately, subjective aesthetics should be subordinate to legibility. The job of a typeface is to convey information without imposing strain on the reader. Designers could do worse for a start than take a few lessons from the illustrious Betty Binns (Better Type, Watson-Guptill, New York 1989).

AI pricing is currently in a state of ‘pandemonium’ says Gartner

Mike 137 Silver badge

Well...

"Adobe’s AI legalese initially required its customers to assume responsibility for copyright infringements caused by its software and services."

"Occasionally, vendors revisit those multipliers and increase the quantity of credits required to use their services"

"Other vendors require customers to pre-pay for “tokens”, but don’t explain that the cost of inputting a token [...] is much less than the cost of tokens their services create when responding to prompts"

It seems that, in what has long been a saturated market, IT as a whole has become merely a domain of dirty tricks to extract revenue. "AI" is just the latest example.

Everyone needs an AI phone. No, don't hang up, it's true

Mike 137 Silver badge

In the words of the late great Douglas Adams

"your plastic pal who's fun to be with"

Bring your own brain? Why local LLMs are taking off

Mike 137 Silver badge

Pardon?

"Larger models will always be more generally intelligent," agrees Perez

No they're not. As no LLM is in any way intelligent even using the most liberal definition of the word, "more" and "generally" here are pure bullshit. Stringing tokens together in statistically probable sequences is not intelligence. It doesn't even need intelligence -- just the ability to count and a lot of data to work on.