Posts by Mike 137

Open shared infrastructures are ...

Open. This is inevitable, so open shared infrastructures should not be used where their openness can lead to hazard. I would have thought this was blindingly obvious. Not for nothing was frequency hopping point to point radio invented and widely used for secure communications before the "smart phone" took over the planet.

jailed under 'soft violence' laws

Apparently only hard violence is acceptable.

Change one word for reality

"It is completely predictable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,"

The Russians have been messing with our (and many other nations') social, scientific, economic and political life for over 200 years. We should expect that as it's part of the culture.

Full circle?

In the mid-eighties I worked on a project called HOTOL - a planned stratosphere capable aircraft that could operate as a jet at normal altitudes or a sort of super speed rocketty thing in a high altitude rarefied atmosphere. Lovely notion, but sadly, it never got off the ground.

So much for 'umbrella' services

HMRC should take note, as contractor tax fraud is clearly not always conducted by the contractors. I guess nothing will change their position though as it's never been based on evidence.

Actually...

Actually it's a myth that cockroaches can survive nuclear radiation. They're protein based just like other organisms and the proteins get scrambled just like eggs. What is true is that any cockroaches that succeed in surviving (by e.g. being protected in basements &c.) will swiftly take over as [a] they're scavengers and there'll be a lot to scavenge and [b] they breed "like flies".

For want of a nail (thermal cutout actually)

"While there was code preventing the printer head from exceeding 261°C (501.8°F), Coalfire claimed it was able to bypass it"

Relying on a software controlled thermostat alone seems fragile. When I was designing and building high temperature equipment, we always built in at least one bimetallic thermal cut-out so everything would shut down before anything caught fire. They cost no more than a couple of dollars in one-off quantities (much less in bulk). Obviously the makers didn't think of this.

<sarc>Nice precise guidance</sarc>

"... If it's likely that there will be a risk then you must notify the ICO ..."

What a muddle! Of course there's always a risk - the real question is what the level of risk is. And of course likelihood is one of the two parameters of risk - the other being consequence, so "likelihood of risk" is both specious and tautological.

Official guidance should be neither, so why does the guidance not say something like "if there is a high likelihood of significant harm to the rights and freedoms of data subjects..."?

Maybe because the use of the term "risk" in the vernacular has always been utterly sloppy and even risk professionals in general don't seem to use a consistent definition of it. It's about time we did.

No surprise there

I remember a public presentation by a well known data protection consultant, who said "your privacy policy is PR". And so it seems for almost every Europe relevant privacy policy we've examined in the course of a couple of years of research. Less than 0.5% have been even broadly compliant with the GDPR and literally only a couple have essentially been fully compliant.

strange notion?

It's a weird notion that an algorithm is something [a] conceptually new, [b] necessarily complicated, and [c] impossible to explain.

Every single piece of code ever written is a realisation of some algorithm (even Turing's machine). The fundamental question is whether the algorithm is understandable. if not, it's a bad one. Implementing things you don't understand is dangerous.

Suing the wrong party

"The pair sued Google to prevent online searches that included their names from displaying links to the article and images."

It would be more effective and rational to sue the host of the relevant article in order to get it taken down. The GDPR "right to be forgotten" (Article 17) is legitimately exercised against the Data Controller, and it is highly questionable whether Google is the Data Controller in such cases as this, as it's the content that is being objected to, not the listing per se.

Article 17.2 states:"Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller,[...] shall take reasonable steps, [...] to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data."

This effectively means that the party that might be expected approach Google to remove the listing is not the Data Subject but the host of the disputed content pursuant to the exercise of the Data Subject's right under Article 17. In any case, if the content were taken down, Google's listing would probably quite soon get purged by its bots failing to find it any more.

Questionable statistics?

I'm always very dubious about these statistical reports drawn from unavoidably self-selected sources. For validity, it should be qualified by "among those submitting to github or posting on stack overflow...". Both represent a very small sample of the entire population of software development, quite apart from which the two are not comparable. Github primarily represents professional grade open source development, but stack overflow is primarily populated by often quite elementary questions from relatively inexperienced coders, and answers thereto from similar responders. There is of course also the question of the development target. Online and cloud development is typically performed using different languages than native application development. The first four entries in this list strongly suggest a web development bias.

A parallel survey of languages used internally by closed source development houses for mainstream products would be an interesting comparison.

The RFC 2616 GET (anything you want) method

The use of GET without sanitisation, validation or authentication is so appallingly common that this is just another example. Brilliant that it's being prosecuted though even if only at state level. Interesting that it's under "cybersecurty" and not "data protection" or "privacy". Maybe we in the UK would do well to follow this lead, seeing how toothless our data protection regulation seems to be (and it can only get worse from 2021 on).

"This is a beta service for [their security] products"

Two points:

[1] a beta security service operating live?

[2] just shows what we all guessed - security appliance software development is as sloppy as it is for everything else.

So much for "cyber security".

"must now get the permission of your telco or postal service"

I wonder how hard that will be - most likely "roll over and hand over"

"Ethos Capital refused to divulge who all the directors of those companies actually were"

Only in the USA could this be taken as a normal state of affairs. In most countries there are laws mandating disclosure of directorships. Yes, there's a lot of fiddling (witness some of the more interesting entries in the UK companies register), but the principle stands and mostly works.

Interestingly ...

The only place you can download this report from seems to be goooooogledocs, which requires you to run a shitload of potentially snoopy javascript in order to get at it.

I wonder why this report is not available from the parliamentary web site via a simple hyperlink. Might they be trying to discourage security conscious members of the public from reading it? Or are the brains just turned off as usual?

The real problem

The way .uk domains are sold to third parties is not the real problem. That is trade mark infringement. A domain name that replicates a trade mark should not be saleable by any means to anyone except the trade mark holder. And that should not apply solely to registered trade marks, but should also apply to unregistered trade marks that have become established by use. The new TLD will in most cases not differentiate sufficiently to eliminate the public confusion wrt a trade mark, so any such conflicting domain names should be available exclusively to the trade mark holder. Sorry about the loss of revenue, but for Nominet to aid and abet trade mark infringement can only bring it further into disrepute, and ultimately might land it in the dock if right were right. Unfortunately it doesn't seem to be when there are bucks to grab.

"it must still pay maintenance fees to Capita for the upkeep of the software"

"Upkeep"? You mean "so they might finally get it working properly"?

I'm still amazed everyone just accepts that software will always be delivered in a crap state and require constant fixing until it goes obsolete. Try the same with real estate and see what reaction you get.

An excellent move

Something we could well adopt here in Blighty, but it should go even further. Even trade supplier of goods price at several grand commonly present a photo of the item discreetly labelled "for illustration only" or in one notable case "representative or range" where the "range" encompasses devices with a five to one price range. At the low end we get statements such as "goods supplied may not always match description/illustration".

This used to be called buying a pig in a poke and it was in the past considered fraudulent to try selling like that. Now it's the norm.

"they're merely resting, pining for the planet's lava fjords"

but are they blue?

Patents are a complete mess worldwide, so ...

This may not make much difference to the actual protection afforded intellectual property as for international protection you have to take out patents in so many countries anyway and the rules are multifarious. The US tops the bill though as first filing allows patenting of a competitor's unpatented product even if it's already on sale, and most patents seem to be granted without much scrutiny. There seems to be a general assumption that post-grant litigation will sort out any resulting mess. Of course it can, but only if the offended litigant can afford to pursue it. Oh the joys of unregulated markets.

Unfortunate but not unexpected

This is not specific to IPv4 addresses. Whenever there's a slackening off of governance there are opportunities for fraud, and such opportunities are soon spotted and exploited by opportunist fraudsters. Where's the surprise in that?

"prepared to take over at any momen"

A complete failure to understand human psychology. Reaction time is many times longer when task switching, so a "driver" using Tesla "autopilot" is never going to be prepared to take over - they're always going to be unprepared.

Observant!

'"This suggests that the ICO is being selective about its enforcement targets," said Richard Breavington'

You don't need a law degree to spot this. However a basic principle has escaped everyone concerned. If you don't nip abuses in the bud they become ingrained and accepted as normal practice. As data protection consultants, since the GDPR came into force we've only found a couple of privacy "policies" that actually comply with the law. Indeed, the last time I looked, the ICO's own template "policy" for SMEs didn't. It requires all the statutory information, but not in a manner that allows the data subject to exercise their rights (which is what "transparency" actually means).

Fascinating

Also one hell of a piece of engineering! On the radio news this morning they were talking about temperatures of hundreds of degrees on the heat shield through which this telescope peeks.

"... the standard contractual clauses remain a valid tool ..."

"The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries."

Which is jolly funny as it was pointed out a couple of years back that the standard contractual clauses don't entirely comply with the GDPR. Not really surprising as they were defined in 2001, 2004 and 2010.

The UK ICO wasn't interested when we pointed this out either. Yet another example of "compliance" in quotes?

A question

Question: when does "national security" precipitate international insecurity?

Answer: as soon as you remove the oversight.

To quote Geoffrey Pelt (The Hunt for Red October) "wars have begun that way..."

Questions

Given 2 TB of RAM, wonder how long it will take for software bloat to eat up this performance.

It also seems to me as an engineer that 2 TB of RAM is a huge target for transient bit errors, so I wonder what the long run time reliability will be.