El Reg please note

You might like to take note of this yourselves, starting with your annoying grey bar...

file formats?

HTML is not a file format - it's a page description language.

magnify? Light

"...the gravity of foreground objects warps and magnifies the light from background objects"

How do you magnify light? Images can be magnified by deflecting light. Light can be amplified, diffused or concentrated, but magnified? Surely "magnified means "made bigger", which could only be accomplished by adding more photons from somewhere (thus effectively meaning the same as "amplified"). Or have I missed something?

Reasons

A huge amount of the comment here and elsewhere on this research anthropomorphises cats - accusing them of "murder", "torture" &c. &c. All this misses the point entirely. Cats are much more hard-wired than many of us would like to believe. They are to a large extent stimulus-driven automata, pre-programmed to pounce on small animals that move in their field of awareness.

That means it's the responsibility of the "owner" (although nobody really 'owns' a cat - it simply occupies a territory that you may also occupy) to minimise the damage a cat can do - particularly in densely populated urban environments. The simplest fix is a collar with a bell on it, but it has to be a sensible bell, not the tiny token gesture fitted as standard to most commercial cat collars.

A bell does not so much alert the prey as distract the cat by spoiling its stealth as it springs - provided the cat can hear the bell and it is fitted when the cat is young enough. If it works, operant conditioning eventually sets in, reducing the incidence of the predatory behaviour.

Nevertheless, the biggest problem for prey species is not the behaviour of the individual cat but excessive predator density. Where I live, nine or ten cats have "homes" within an area of one acre (18 residences). This is at least 20 times the natural predator density, and is only sustainable for the predators because the cats are artificially fed. It is however, completely unsustainable for many of the prey species.

important question

I wonder how many who have commented here have actually read the full paper. Minor point maybe, but...

not quite the right approach

Despite the prevalent myth of the Superhacker, there's plenty of solid evidence that most breaches are total pushovers. Just for example, Verizon's 2012 report (on 2011 data) concluded that 96% (4% more than the previous year) of attacks were "not highly difficult" and that "97% of breaches were avoidable through simple or intermediate controls".

So what we really need is not a few expensive cyber whiz kids on short term assignment for the duration of the London jamboree, but for ordinary IT staff at all levels to be competent in basic security housekeeping. It would be much safer and vastly more cost-effective, and would also release the real experts to protect us against the occasional attacks that are not so trivial.

However, it's not in the interest of the attackers, the defenders or indeed many security researchers to point out how easy cyber attacks currently are to accomplish, as they would all lose face (and, in many cases, huge revenue streams or big salaries). So we are kept in ignorance by an informal (and albeit uncomfortable) collaboration of deception on the part of pretty much all those who know the real situation. It would be incredibly difficult for government to justify proposed levels of expenditure on "cyber defence" if it was well known that the vast majority of their appallingly frequent security problems stem from the incompetence and slackness of the implementers and defenders of their systems. But we are up against a very determined adversary, so we have only one real choice - face facts or lose.

A-ha!!!!

Maybe this explains why so many web applications are security nightmares? See http://www.infosecurity-magazine.com/blog/2011/12/14/software-insecurity-thrives/474.aspx

It's a small single board computer - so?

I fail to see how this device will help many school kids get to real grips with microprocessor technologies. In the late '60s-early '80s we bought chips, obtained the support manuals, learned the device architectures and instruction sets and built ourselves (admittedly idiosyncratic and limited) microsystems from scratch, and we learned to do all this without formal instruction by trial and error. We could do this solely because the devices were simple and transparently documented.

This device, neat as it is, is extremely complex and non-transparent in terms of hardware and, by virtue of using a high level OS, presents to the user such an abstracted view of the machine that very little more can be learned than would be possible using a conventional PC running linux.

A much better starting point for imparting fundamental principles to school kids would be based on a simple device such as mid-range PIC (for which many affordable demonstrators are already available), coupled with programming in C and assembler. The essential task is not to take the current "hacker kids" to a higher level (they're already self-motivated enough) but to bring a basic understanding of systems principles to as wide a sector of the population as possible - so we must start simple. This offering sits half way home, rather than at the starting line.

trigger a risk?

"may in turn trigger a governance and compliance risk." How do you "trigger" something that's an intrinsic attribute of an object or process? "Incident" may be what is meant here. The word "risk" is so widely misused in the IT community I'm surprised it still means anything at all.

a teaspoon of vodka?

"1.3m litres" - did you mean "1.3M litres"? if so, you're only a factor of 10^7 out.

What happened to the "Right to a Private Life"?

This will brand recipients of social care as a card-holding sub-class. Has this been considered?

Which one per cent?

"...only going to be able to simulate about 1 per cent of the complexity inherent in the human brain"

So which one per cent are they going to choose? The classic error of artificial intelligence gurus that keeps the intelligence truly artificial is to consider the brain as a single entity with intellect as its prime purpose. The brain is actually an integrated assemblage of several organs - evolved independently and performing multiple separate functions (admittedly with many local overlaps). But fundamentally, as Robt. Ornstein pointed out some 30 years ago, the brain is a body controller. The rest is extra. So an arbitrary replica of one per cent of the number and interconnections of synapses in an average brain dedicated to intellectual processing is not a model of the brain - nor would a similar replica of 100% of the number be.

So this is all good fun, but really has nothing to do with a decent quality human brain. The Californian definition of artificial intelligence draws from the Californian definition of intelligence, and that of Southampton similarly - but they may not be identical, and neither may be all that representative of the real thing. Mr. Spock was a non-feasible fantasy too.

Plus, think of the energy consumption. I can work till lunchtime on a couple of slices of toast and some coffee. A million CPUs (even ARM CPUs) are going to clock up some serious electricity bills. Then you have maintenance - we'll be back to the reliability problems of the early vacuum tube computers. So why bother Steve?

Are these your only assets?

Not a bad notion - but it doesn't cover the whole ground by a long chalk. Your most important assets are your business information. These need to appear on the inventory too, otherwise you're just talking about empty boxes.

ISO 27001/2 requires you to identify your "most important information assets", but how can you do that unless you know about all of them? For much too long we have concentrated on the technologies at the expense of their business purpose. Information is what matters to your business - your IT is just a tool for making use of it.

A much more serious aspect of von Neumann Archtecture

A fundamental attribute of the von Neumann architecture this paper doesn't mention is that a common memory array contains both instruction codes and data. The decision as to whether a word fetched by the processor is to be interpreted as an instruction or as data depends entirely on the previous state of the machine - if the last fetch was the parameter of an instruction, this fetch is an instruction and so on. This represents a huge security vulnerability that has been systematically exploited in many ways for many years - "buffer overflow" and "stack overflow" attacks that cause maliciously injected data to be interpreted as machine instructions dominate the professional attack space. But even accidental loss of instruction pointer integrity can be extremely damaging - causing uncontrolled execution of arbitrary instructions, and it does happen, as in "hey, my machine locked up!".

The major contender architecture - Harvard - has separate instruction and data memories, and is widely used in industrial controllers, for the very reason that they have to be robust. Harvard architecture didn't take off in the office computer space due to the initial high cost of memory, but that's not been a major consideration for some time. I've been waiting for years for a Harvard architecture PC CPU, but in vain. Even a dual-stack operating system that segregated function call and return addresses from function parameters would be a huge step forward, even if it ran on a vN CPU. But nothing's being done. Instead we have numerous questionable sticking plasters such as random memory allocation, stack validation et al, which regularly prove their ineffectiveness due to the extent of the underlying festering wound - an almost unsecurable architecture. von Neumann was not considering security when he came up with his computing model.

backing up?

Some data is almost impossible for the average user to back up, thanks to the delightful MS Registry and the idiosyncracies of applications. For example, my ftp client must store site credentials somewhere (probably in the registry), but I've never been able to find them. A user space backup won't include this critical data. Oh for a return to .ini files - they were easy to manage and maintain.

Admin or not?

"With XP, you are running as administrator or you are not."

You're wrong there. You can run in general as a non-admin and choose to run any installed application with admin rights via the right click menu.

The real reasons behind this idiocy

It's easy to accuse people (particularly politicians) of evil motives, but the reality is much sadder than that. These idiotic attempts to centrally control and administer human relationships are invented with the best possible intentions by narrow minded inhuman zombies drawn from the same population as the rest of us.

We have a culture in which competition and aggressiveness dominate and are lauded - in which everyone is expected to exploit or be exploited (in many cases, both). As a result we have poor social cohesion (i.e. nobody much cares about anyone else) and trust is difficult to establish.

The optimum solution to this would be to encourage people to take responsibility for each other within the community (as indeed was done in the not too distant past). That would help people learn again to care and trust, but it's a slow process that takes much longer than the life of a government. It would also entail some dismantling of "consumer culture" that would be resisted hand over fist by the "marketplace". For proof, just look at the attitude of bankers to bonus limitation.

Because government always seeks "quick wins", the alternative that comes most readily to mind is to legislate for control. It doesn't achieve the ostensible objective, but that doesn't matter. It does achieve another objective - a sense of having taken decisive action.

The really sad part is that impersonal rule-based attempts at regulation of social and personal interactions (all the way from "political correctness" to this prospective debacle) undermine the opportunities of ordinary people to learn to fend for themselves by making sound individual judgements based on caring. Just as when pocket calculators became commonplace the skill of mental arithmetic was largely abandoned, people are already relying on database-derived rubber stamps of personal probity rather than paying attention and using their intuition to decide for themselves who is OK and who is creepy. This legislation will only exacerbate the trend.

To anticipate the counter-argument - yes, in the absence of the legislation there would be the occasional accident. That's very sad but unavoidable in life, and there's absolutely no warranty that in its presence their number will be fewer. The regulation of trust is itself no guarantee of safety. Quite the opposite - it will in the long term make people more vulnerable to the abuses it is attempting to control. The worst possible condition (to which we are being inexorably driven by increasing centralised rule-based administration of human relations) is to be physically alive and still at risk but emotionally dead, believing our safety lies in responding as automata to standard stimuli, whether commercial triggers to empty our wallets or social triggers to trust or not trust because a database entry tells us to. To quote Benjamin Franklin "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety and will lose both".

No surprise there

The fundamental problem is that the people defining "password strength" [1] can't do arithmetic and [2] are stuck in the past. They don't understand what contribution symbol space and field size actually make to the equation so they just go for what "looks complicated", and their assumptions about brute forcing are based on decades-old histories of offline cracking of UNIX password files, which is not the main current threat.

The two greatest single strength factors against brute force at a user interface are limited retries and backoff time. After that, non-obvious password choice (e.g. not "password"). I always recommend an acronym of a private but memorable phrase at least eight words long. The user doesn't have to remember a complex string of arbitrary characters (something our brains are generally bad at). Instead she remembers the phrase (something our brains are quite good at) and reconstructs the password each time she needs it by repeating the phrase to herself as she enters the password.

Assuming nothing but lower case letters, that yields roughly 2x10^11 (2 followed by eleven zeros) possible passwords, and the vast majority will not be dictionary words (unless you intentionally choose a phrase that has a dictionary word as an acronym). So let's arbitrarily and pessimistically throw away half of them to allow for bad choices. It's still 10^11. So statistically a brute forcer will need to make around 5x10^10 attempts. Limit the login interface to three failed attempts per, say, 15 minute interval or 12 per hour, and it will take about 490 thousand years on average to break in. By then you should have had some kind of admin alert from the system.

"IT Governance"

"IT Governance" is an unfortunate term - it presupposes that business process owners should actually be interested in the technologies for their own sake. They shouldn't be primarily interested in technologies - they should concentrate on making their business processes cheaper/faster/smoother/more robust. The technologies are just means to those ends.

What should matter to business is information, not technologies, so what we really need is Information Governance, not IT Governance. Concentrating on the "IT" causes the technologies to become both the driving force and the bone of contention while the business processes are often left to languish. There is indeed such a thing as "the Business" - we've just got into the habit of ignoring it in favour of a techie-led culture of change for the sake of change. The results are all around us - gross inefficiency, poor returns on IT investment and a landscape littered with failed IT projects.