* Posts by Mike 137

3789 publicly visible posts • joined 10 Sep 2009

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Mike 137 Silver badge

Re: Less is more -- not!

".. you end up with even dumber people in the populace over time."

And the real joke is that each successive generation of 'smart' people is drawn from an increasingly dumb population.

This might explain some of the problem, but as is frequently demonstrated in both physics and biology, everything that persists is ultimately self limiting, and if it's not it doesn't persist, so maybe there's still hope for the future.

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

Mike 137 Silver badge

It's not 'theft'

To steal (i.e. to commit theft) in English law is to 'permanently deprive' the victim of what is stolen. Unless the data were deleted at source by the perps after they got hold of it, it's exfiltration not theft. If the perps go on to take funds using the exfiltrated card data that will be theft.

It liiives! Sorta. Gentle azure glow of Windows XP clocked in Tesco's self-checkouts, no less

Mike 137 Silver badge

Oh the joys of 'updates'

"... April 2016 when Redmond finally stopped issuing patches for XP Embedded SP3 ..."

which really means no more than that fourteen years down the line they finally gave up trying to get it right.

Self-driving cars will be safe, we're testing them in a massive AI Sim

Mike 137 Silver badge

Re: Does it include

also the random interaction of ultimately dozens plus of lidars, radars and whatever pinging away independently. There's either going to be a huge bandwidth need or we're going to get interference, and that could do a lot of interesting things to the vehicle's appreciation of what's happening round it.

So far we seem only to have run these vehicles individually one at a time among dumb vehicles. Put a hundred or so 'autonomous' cars on the six roads leading into the Plough roundabout in Hemel Hempstead UK among conventional traffic in the rush hour and let's see the outcome.

Mike 137 Silver badge

Re: Evidence?

If you want evidence of what is required for confidence in this technology being safe, see the US Consumer Watchdog report. I quote: 'Google/Waymo claims that its computer-controlled vehicles have logged 300 years of human driving experience. But the testing that would be required in order to match the safety tolerance of commercial airplanes is estimated at over one hundred millennia. A lower level of safety – “a level of 80 percent confidence that the robotic vehicle is 90 percent safer than human drivers on the road,” would still require 11 billion miles of testing (or about 5,000 years), according to researchers at the University of Michigan'.

Boffins build the smallest transistor, controlled by an atom

Mike 137 Silver badge

The REAL real challenge

"The real challenge to making them applicable in the real world lies in the scaling up the manufacturing process."

The real challenge will actually be maintaining predictable behaviour in the face of the incredible amount of interference now present pretty much everywhere on Earth. Any control system that operates at the quantum scale intrinsically has very little if any noise immunity, so its reliable operation is problematic in real-world environments.

Some years back researchers (at Cambridge if I remember correctly) demonstrated a transistor that could be switched by a single electron. The essential question of course would be "which electron - the one we provided, or a randomly passing one?"

Drama as boffins claim to reach the Holy Grail of superconductivity

Mike 137 Silver badge

Sources (yet again el Reg)

Both links to arXiv point to the same comment by Skinner but there's no link to the original paper. Surely we have the right to read the original ourselves?

Almost 1 in 3 Brits think they lack computer skills to do their jobs well

Mike 137 Silver badge

Could you link to the report please?

Without a link to the actual report this is mere hearsay.

Certain Reg reporters habitually fail to link to primary sources - this really must change. If the primary source is not available publicly, it would be courteous to indicate this; otherwise it should always be linked to.

This is much more important than the page layout redesign.

Oi, clickbait cop bot, jam this in your neural net: Hot new AI threatens to DESTROY web journos

Mike 137 Silver badge

"Artificial intelligent software"

as opposed, I presume, to real intelligent software.

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

Mike 137 Silver badge

Franz Kafka Motors PLC

So it's perfectly normal, and indeed necessary, for your car to have an online account to which it posts all sorts of stuff - "Facebook for vehicles"?

The big question is not how to manage this, but why it's the case at all. As the lawyers say: “Cui bono?” - who gains from it? What possible benefit could there be to the owner of a car to have its journeys tracked, its air conditioning adjusted and its doors unlocked via the internet?

I run a very reliable car old enough to have none of this computerised junk on board. I seem to be able to do everything I need with it, and there's no need to worry about its previous owners.

Sorry, Neil Armstrong. Boffins say you may not have been first life-form to set foot on the Moon

Mike 137 Silver badge

Re: Bacteria are not space aliens

"No-one ever wrote a Sci-fi film where the humans leave earth in a huge ship, spending decades in 'stasis' to reach another solar system and find some microbes."

Actually I wrote a short story along these lines a few decades back, but you're right in a way - it wasn't exactly a blockbuster.

Techie sues ex-bosses, claims their AI avatar tech was faked – and he was allegedly beaten up after crying foul

Mike 137 Silver badge

Clarification needed!

"In a court document filed in the Los Angeles County Superior Court, in the US, Iman Sadeghi, accused his former employer Pinscreen of submitting bogus images and results to SIGGRAPH, a computer graphics conference, and lied to investors."

Does this statement allege Pinscreen lied to investors (whereupon it should read 'and of lying...') or does it allege Sadeghi lied to investors (which is what the current text literally means)?

Submarine cables at risk from sea water, boffins warn. Wait, what?

Mike 137 Silver badge

"the optical strands themselves can be impacted"

Impacted means compressed by an impact or blow. Apparently this is not the effect noted, so maybe "affected" would be a better choice.

The general term 'impact' has unfortunately become a universal and often highly imprecise replacement for a range of specific and precise words indicating effects. The result is loss of real meaning.

In a case such as this it matters, as the real effects appear to be corrosion-related and due to water permeability of the fibres, neither of which have anything at all to do with impacts.

You wanna be an alpha... tester of The Register's redesign? Step this way

Mike 137 Silver badge

"Hidden cookie"?

Perhaps the Register would like to explain "hidden cookie" and its full implications?

Mike 137 Silver badge

Re: Again?

"information your browser supplied, so hardly personal info"

It doesn't matter where it came from. If it's collected by the Register and is capable of identifying a living person (on its own or in conjunction with other information the Register holds) it is definitely personal data under the GDPR.

And note that even a dynamic IP address can be personal data (Patrick Breyer v. Bundesrepublik Deutschland C‑582/14 2016).

Privacy Shield under pressure as lawyers back MEPs' call for suspension

Mike 137 Silver badge

Re: Toothless Tiger

The Facebook fine was imposed under DPA 1998 due to the timing of the action, and £500k was then the maximum possible. Under GDPR/UK DPA 2018 we now have up to 4% of gross annual turnover as maximum. That might make a difference in any subsequent action.

Mike 137 Silver badge

Sources?

Is a TWEET really the sole evidence of this?

How about providing a link to an authoritative source for something with such far-reaching implications?

Euro privacy watchdog raises eyebrows at mulled EU copyright law

Mike 137 Silver badge

Re: Copyright Law aka protect Mickey Mouse Law

Copyright was actually (in the 18th century) originally intended to prevent flawed copies of works spoiling the reputation of the originator. The composer Handel was one of the early promoters of the principle, due to publishers making faulty copies of his music scores for sale with his name on them but without his approval.

Thus the "copy right" was (on similar lines to GDPR in respect of personal data processing) intended to give the author control over the copying of his or her work, not to prevent copying. Indeed, that period in music, one of the most fertile and imaginative for hundreds of years, was grounded in composers using other composers' ideas and even borrowing passages from their works. What they weren't allowed to do was copy each other's scores verbatim in entirety without permission, and particularly to ascribe such copies to the original author.

Money reared its ugly head later when it became possible to make a profit by restricting access to works in the name of 'copyright'. The freedoms to extend and assign copyright clinched the position that led to where we are now - thousands of good artistic works locked up in vaults in perpetuity because their copyright has run out, so there's no money to be extracted for their release, and (as many excellent rock bands found out) mandatory assignation of their copyright to producers who subsequently make all the money out of it.

Over the last few decades the entire regime of intellectual property protection, which evolved rationally as a progressive scale between short term strong protection (e.g. patents) at one end and long term light protection (e.g. copyright) at the other, has been perverted by greedy magnates into an arbitrary jumble of increasingly strong protection of increasing duration with ever greater penalties attached for ever more trivial acts counting as infringement.

This proposed law would not solve that problem, but promises to give interested and unaccountable third parties the right to exercise a power that should be solely vested in the legislature. Furthermore, just as now our web searches do not return an objective selection of published pages but instead what Google thinks we should want to see, based on what Google thinks we meant by our search terms, if this law were to come to pass, media providers would have the opportunity by virtue of the lack of transparency of their 'automation' to limit our choices in media consumption.

Were copyright to return to its original principle of being cause for civil, not criminal, action, the problem of 'piracy' could be controlled by any media rights owner determined enough to monitor usage and take action, but criminalising an act and then appointing non-judicial interested parties to police it is tantamount to legalising vigilantism, and more importantly, is unlikely to work as anticipated without significant adverse side effects.

'Coding' cockup blamed for NHS cough-up of confidential info against patients' wishes

Mike 137 Silver badge

Re: The Online Opt-Out Does Not Work Either

It is unconstitutional and very possibly unlawful to provide only a single means of opting out, particularly an online means in the light of the govt's arrant incompetence at delivery.

However, you can send the following form letter to your GP and it should prove binding:

-----------------------------------------------------------------------

[to practice administrator]

I absolutely prohibit in perpetuity any sharing of my medical records with any person, legal entity or agency, except in the specific cases of [1] access to my records with my explicit consent or directly in my immediate vital interest if I am on the specific occasion unable to give consent, and exclusively for therapeutic purposes in support of treatment of a medical condition with which I present or [2] where required without the option by statute or order of the Court.

For avoidance of doubt, this prohibition applies to any current or proposed scheme of medical records sharing envisaged or planned at the date of this letter and equally to any plan or scheme of medical records sharing to be conceived, invented or proposed at any time in the future.

I request that your surgery take whatever necessary steps to ensure that this prohibition is properly registered with the relevant parties to ensure it is honoured, and that you inform me of the action you have taken and its result.

-------------------------------------------------------------------------

UK.gov is not being advised by Google. Repeat. It is not being advised by Google

Mike 137 Silver badge

"leading Google's project to build software more powerful than the human brain"

Software more powerful than the human brain from a development culture responsible for the torrent of bugs in Android? I suppose it depends whose brain they're thinking of...

Google weeps as its home state of California passes its own GDPR

Mike 137 Silver badge

Re: Zuck on that Bitch!

"getting a remedy against such cases might be hard if they have no presence in the EU"

If they process the personal data of 'data subjects who are in the Union' and are 'a controller or processor not established in the Union' (GDPR Article 3(2)) they are obliged to designate a representative in the EU (Article 27(1)) and declare the representative's contact details (Articles 13(1(a)), 14(1(a))).

However the interpretation of the term 'in the Union' under Article 3 (and elsewhere) remains to be fully established by precedent.

-----------------------------------------

I'd be fascinated to know why this post got a down vote!

UK Minister of Fun Matt Hancock opens London infosec upstart creche

Mike 137 Silver badge

When, Oh When??

When will everyone at last stop confusing information with IT? Information security is not primarily a technology issue - it's about business process management. IT security is just a small part of that. If you're in doubt about this, just take a moment to review the UK Information Commissioner's action reports. A very high percentage of personal data breaches have nothing at all to do with IT - they typically range from sending a steel filing cabinet full of medical records to a scrap merchant to a barrister leaving their client's file on the bar in a pub, or a member of Parliament dumping constituents' letters in a waste bin in a park. Even a stolen laptop is not primarily a technological security issue - what matters is what information is stored on it.

Until the quality of business process management (whether related to IT or not) is taken seriously, no amount of technology will 'solve' the parlous state of information security, and this was recognised by the Article 29 Working Committee that created GDPR. However, in my experience the majority of businesses have handed GDPR compliance either to the IT department or their lawyers to create a documentation set for 'nominal compliance', rather than reviewing what they actually do with the relevant information in the course of day to day business. Which of course means that in reality they're not compliant at all.

You ultimately get the security you work for, but it's not a good starting point to mis-describe the problem you're trying to fix. IT security is technological. Information security is much wider and includes business process management, and it's still anybody's guess what the blazes 'cyber security' is.

'Facebook takes data from my phone – but I don't have an account!'

Mike 137 Silver badge

"We're all for regular security updates,"

Why not instead be for vendors not handing us a pile of sh...?

The position that it's OK to supply a grossly faulty product and then spend its entire operational life tinkering with it to fix those faults would not pass muster in any branch of real engineering, from house building to aerospace.

Unfortunately, since software is now increasingly incorporated into almost everything, other products previously based on real engineering (including aerospace) are being dragged down to a common abysmal standard. This is not just an inconvenience or an annoyance - it's becoming downright dangerous.

We should not be for "regular security updates" - we should be for getting it not so grotesquely wrong in the first place.

UK.gov's use of black box algorithms to decide stuff needs watching

Mike 137 Silver badge

Re: They missed out profit

Part 2, Chapter 2, section 16 of the UK Data Protection Act 2018 - "Power to make further exemptions etc by regulations" - in principle allows ministers to create any exemptions they like "for the performance of a task in the public interest or in the exercise of official authority".

Consequently, government is practically speaking allowed to do anything it likes with our personal data by invoking these purposes (particularly the latter purpose), and such regulations are not subject to the full Parliamentary scrutiny that would be applied to primary legislation.

This is interesting (and disquieting), since the fundamental origin of data protection law was Article 12 of the 1948 Universal Declaration of Human Rights, which declaration was specifically defined to protect the public from governments. Unfortunately, as generally adopted into laws, the right to privacy is not one of the absolute rights.

Long live democracy!

HMRC opens consultation to crack down on off-payroll working in private sector

Mike 137 Silver badge

Foot, aim, fire!

It should be noted that shooting oneself in the foot was originally not an accident but intentional - it was a self-inflicted injury in order to escape the trenches in 1914-18.

Privacy group asks UK politicos to pinky swear not to use personal data for electioneering

Mike 137 Silver badge

Re: Good luck on targeting me

What you lament is not a new problem. See G K Chesterton's essay "The Voter and the Two Voices" published in "A Miscellany of Men", Methuen, 1912.

When pestered by canvassers I typically resort to quoting Shakespeare: "A plague on both your houses. They have made worm's meat of me." (Mercutio, Romeo and Juliet Act 1 scene 3). That usually causes them to leave without further ado, and I don't think that response would be an unduly useful data point in their voter statistics.

Hey cool, you went serverless. Now you just have to worry about all those stale functions

Mike 137 Silver badge

The one little thing that's been forgotten

There's one little thing that's been forgotten in all this - THE USER!

This cunning plan makes the user's browser almost impossible to secure, as there may be dozens (in one recent case I counted: 30) untrusted sources of fragments, every one of which is essential to the service and none of which can be verified as clean and legitimate. That's simply taking the target off the provider's back and pinning it firmly to the bum of the customer (sorry - punter).

Until we culturally return to the concept that service provision is for the benefit of the user of the service, we're going to go on passing the buck downstream, as nobody gives a 'fetid dingo's goolies'.

I generally refer to this as the sodumate society (say it slowly).

How many ways can a PDF mess up your PC? 47 in this Adobe update alone

Mike 137 Silver badge

Anything new here?

13 use-after-free

7 heap overflow

1 double free

1 out-of-bounds write

1 type confusion

1 untrusted pointer dereference

All of these are machine level coding errors most of us have been making for at least 40 years. We should ask ourselves urgently why we're still so incompetent at coding before someone else demands that answer. Or is everyone so tolerant already of the garbage we call software that no-one will ever ask?

Brit healthcare system inks Windows 10 install pact with Microsoft

Mike 137 Silver badge

Let's not forget

Let's not forget that every 'previous' version of Windows is retired while still littered with exploitable vulnerabilities. This does not inspire confidence in its successor.

What is really needed by business is not a constant torrent of fixes for elementary coding errors for the life of the product, but software that is reasonably securely engineered to start with.

You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

Mike 137 Silver badge

Mens Rea

Unfortunately this appears from the article to be a strict liability offence, whereupon mens rea is not necessary. It's a pity, but strict liability is becoming increasingly common. I guess it saves the courts money and time.

B-Ark passengers to control most IT spend from 2019 onwards

Mike 137 Silver badge

Is Sharwood being sufficiently analytical here?

I suspect that the real distinction is not between IT folks that are omniscient and business folks that are dumb but between informed and uninformed folks, and it is probable that uninformed folks exist in both camps.

The fundamental problem as I have observed it over some 30 years is that there is increasing impatience with [a] formal process; [b] the design stage between concept and implementation. Add to this the poor level and quality of communication skills commonly exhibited by both business and technical folks and the result is often as described here.

While it is valid never to ascribe to malice what is adequately explained by stupidity, it is equally valid never to ascribe to stupidity what is adequately explained by ignorance - and each of us is inevitably ignorant of some part of any complex problem. That's why good communication and collaboration are necessary to arrive at a workable solution. However there's an absolute barrier to adequate delivery that commonly rears its head - contempt for the "other side", and there are clear indications of it from both sides in this article and this thread. Avoid it - it will ruin everyone's chances of success.

Boffins pull off quantum leap in true random number generation

Mike 137 Silver badge

Sounds a bit complicated.

Jolly good stuff but maybe a bit complicated.

Must be 40 years ago that we were using a noisy diode to generate a signal that could be converted into a random bit stream, from which we could peel off arbitrary numbers - total cost in modern terms about five quid. The randomness of that bit stream was driven by the uncertainty of the drift of electrons across the diode junction, which is quite adequate for most purposes.

BTW there's no such thing as a random number. Randomness is a property of series or sequences (and possibly sets) not of individual entities. It describes the independence of entities with respect to each other - which is why I refer above to arbitrary numbers.

Brain monitor had remote code execution and DoS flaw

Mike 137 Silver badge

Re: All code is written by offshore idiots to the lowest price

Believe me, by no means all the idiots are off shore.

Mike 137 Silver badge

"... heavily sub-optimal ..."

Bad?

We put Huawei's P20 triple-lens snapper through its paces

Mike 137 Silver badge

Re: Please, I don't want your cool hack

"...for a chartered engineer you display astonishing ignorance"

Thank you. I am always delighted by polite discourse.

"A registered design is a purely aesthetic matter"

Strangely enough, that was what I meant.

Nuff said?

Mike 137 Silver badge

Re: Please, I don't want your cool hack

"Engineers like to do clever hacks and show them off..."

Not at all. Speaking as a Chartered Engineer, real engineers attempt to fulfil societal needs by creating products that are robust, cost effective and maximally simple to use.

In an age when any guy who services your boiler is called an "engineer" and software developers and "UX" (funny, not to say illiterate, way to spell 'experience') "designers" are entirely self-taught it's not surprising that impractical nonsense is the output - "garbage in - garbage out".

The problem is so engrained that the European authority for design registration officially considers "design" to be a purely aesthetic phenomenon, whereas in reality the design stage of engineering is the crucial process of converting a concept into a usable product.

Let's go to Mars, dude: Euro space parachute passes maiden test

Mike 137 Silver badge

"ExoMars 2020, which compromises an orbiter and a rover..."

"ExoMars 2020, which compromises an orbiter and a rover, is slated to launch on a Russian Proton rocket in 2020, with the rover due to arrive on the surface in March 2021."

It's unlikely to arrive any time if it's compromised. Maybe he means "consists of"?

Whois? More like WHOWAS: Domain database on verge of collapse over EU privacy

Mike 137 Silver badge

Re: It's about time someone actually read the GDPR

"Name

Address

Phone number

Email

...which are all forms of personally identifiable or 'sensitive' information"

No they are not - please read the GDPR. The sensitive information categories (as set out in Article 9) are:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic data, biometric data for the purpose of uniquely identifying a natural person

data concerning health

data concerning a natural person's sex life or sexual orientation.

The data categories you list are merely "personal data" under GDPR.

Article 9 para. 2(g) provides for the public interest basis and purpose I referred to in my original post.

And in answer to "Why does a registrar need to publish them to the world?" - it's quite simple. It must be possible to hold anyone publishing anything on the web accountable for the lawfulness and propriety of what they publish, just as it is for publishers in paper print. The web as a medium does not confer (and should not confer) any special exemption.

Given the extent of web publishing, the proportion of cases where release of the publisher's identity might lead to harm is vanishingly small, and could be handled by registrars via an exception process. As a general principle, the motives of any publisher who wants to avoid being held accountable need to be shown to be legitimate (as for example in the case of "whistle blowing" for which there are provisions already on most statute books).

I might conceptually favour reversal of the current "opt out" for demonstrably private registrants so a private registrant's details would be concealed from public view unless they specifically requested disclosure (in line with the "opt in" for consent under GDPR). However that would put a burden on registrars both to establish the validity of the asserted "private registrant" status in order to control fraudulent registrations (which are a recognised problem already) and to establish a mechanism whereby legitimate requests for disclosure could be complied with in aid of registrant accountability.

BTW there's nothing to prevent anyone setting up a PO Box and/or a non-geographical phone number and quoting these in their registration. The critical point is that, directly or indirectly but reliably, the registrant of a web site must be contactable for legitimate purposes.

Mike 137 Silver badge

It's about time someone actually read the GDPR

I have spent more almost two years now supporting the efforts of businesses towards GDPR compliance and have found that almost everyone has their head in the sand - if not somewhere less salubrious. It's a pity that a body as ubiquitously necessary as ICANN seems to have done what almost everyone else has - NOT READ THE REGULATION!!

Apart from the 'sensitive' categories of personal data (which I should hope are irrelevant to WHOIS) GDPR prohibits no processing. What it requires is that processing is justified by one of a set of alternative lawful bases and a specified legitimate business purpose.

It should not be beyond the brains of anyone in business to select an appropriate basis from the list and specify a legitimate purpose for any fair and necessary processing. I suggest to ICANN that the "public Interest" basis and "in order to facilitate the registration of domain names and assure the accountability of registrants" might be worth considering. It might just be that simple!

All the kerfuffle and confusion about GDPR in the corporate sphere arises from not having done the necessary basic homework about what the regulation actually demands, but, two months from going live, it may be a bit late to start.

UK.gov's Brexiteers warned not to push for divergence on data protection laws

Mike 137 Silver badge

"... to reflect the UK’s exceptionally high standards of data protection..."

quite the reverse apparently - see:

http://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html

What's GDPR? Survey suggests smaller firms living under rocks as EU privacy regs loom

Mike 137 Silver badge

Strange that nobody's mentioned...

Strange that nobody's mentioned the UK Data Protection Bill currently before Parliament. When we leave the EU (nominally March 2019) this will become the legislative basis for personal data processing in the UK.

Equally odd that, 19 months into the two years granted to prepare for GDPR compliance, businesses of all scales are still wondering how to get started (with exactly five months left in which to act).

Why bother cracking PCs? Spot o' malware on PLCs... Done. Industrial control network pwned

Mike 137 Silver badge

airgapped?

"infecting USB drives or laptops of third-party contractors who connect directly to the network for maintenance purposes." What a strange definition of 'airgapped'.

Big biz: Algorithms are too complicated, but also too easy to game, to open the black box

Mike 137 Silver badge

"How do you stop bad actors gaming your algorithm?"

Speak to Equity - they should have some influence at least. When I hear the phrase 'bad actor' I immediately think of John Wayne.

Don't shame idiots about their idiotically weak passwords

Mike 137 Silver badge

"If your password is brute-forceable, you shouldn't be using it."

Any password can be brute forced given the time and effort required. This is a completely incorrect way of thinking. All reports of 'weak' passwords obtained by brute forcing have been based on offline attacks on password databases. So what's the root problem here? That the password database got exfiltrated. It's both unreasonable and impractical to make the end user responsible for the entirety of password protection including the security of the authentication server.

Most users aren't idiots when creating passwords - they're actually extremely clever, but at solving their own problem, not yours. You give them a set of complicated rules they have to remember despite only using it four times a year; they have to think up a new password without writing it down and can't see it when they type it in (even for the first time). Then they have to remember it for a minimum of 24 hours before using it again. That's the problem you give the user, and they solve it very well - Companyname123 or Pa55w0rd!

BTW there is a huge amount of solid academic research into the psychology and practicality of password use, but of course nobody in IT has read it - or indeed ever heard of it. They just make up arbitrary rules for someone else to follow, based on unconsidered mantras.

Birds are pecking apart Australia's national broadband network

Mike 137 Silver badge

Shame on you El Reg

clickbait title - boring report

Canucks have beef with Soylent as to whether or not it's a real meal deal

Mike 137 Silver badge

Re: Mystifying...

See "The Machine Stops" - E. M. Forster 1909/1928

UK's NHS to pilot 'Airbnb'-style care service in homeowners' spare rooms

Mike 137 Silver badge

Re: Something needs to be done

A well-established principle - see Logan's Run

Forget One Windows, Microsoft says it's time to modernize your apps

Mike 137 Silver badge

One UI to rule them all;

One UI to blind them.

One UI to thwart them all

And to the blue screen bind them.

Mozilla extends, and ends, Firefox support for Windows XP and Vista

Mike 137 Silver badge

Nice to see...

Nice to see from the above comments that not everyone still subscribes to the "must be supported" - i.e. "we must be allowed to continuously tamper with your computer to apply often broken fixes to our crap code" bullshit.

How about us insisting the vendors get it right before release?

And BTW, how about vendors (including Mozilla) recognising that business users need long term stable systems?