* Posts by Mike 137

116 posts • joined 10 Sep 2009

UK.gov flings £30m at driverless car R'n'D, wants plebs to speek their branes

Mike 137

a real test please

Before we assume, as this consultation seems to do, that autonomous vehicles are "the way forward" and all we have to consider are a few procedural and regulatory issues, I'd like to see the following test performed at least once (preferably more than once):

take around 200 autonomous vehicles and set them off in the rush hour alongside other traffic down the six roads to enter the Hemel Hempstead Plough Roundabout (National Grid ref: TL0549706394) with the aim of crossing the roundabout and exiting on various different roads. Then see what happens.

This roundabout consists of six mini-roundabouts surrounding a bidirectional central roundabout, and is quite a challenge for human drivers when it's busy. Any fool computer can drive down a motorway in steady traffic, but this would test its capacities realistically.

0
0

Google aims to train two million Indian Android devs by 2018

Mike 137

The Way Forward

Embrace Zombie - the new innovative development framework that allows you to generate terabytes of code without thinking at all. We plan to train 10 million Zombie developers worldwide by this time next year.

Oooops - too late, we already have them...

3
0

UK.gov's hated Care.data project binned

Mike 137

prohibiting medical records sharing

Here is a sample standard letter for restriction of medical records sharing, created when this scheme was first proposed. It might still be of use.

"I absolutely prohibit in perpetuity any sharing of my medical records with any person, other legal entity or agency, except in the specific cases of [1] access to my records with my explicit consent or exclusively for therapeutic purposes in support of treatment of a medical condition with which I present or [2] where required without the option by statute or order of the Court.

For avoidance of doubt, this prohibition applies to any current or proposed scheme of medical records sharing envisaged or planned at the date of this letter and equally to any plan or scheme of medical records sharing to be conceived, invented or proposed at any time in the future."

0
0

Mind the GaaP: UK.gov needs to get a grip on digital

Mike 137

Charity begins at home?

"The paper concludes that a new approach is needed where policy making should lead technology; not vice versa." - from an organisation promoting this concept in an online paper entitled "Fulltext.pdf"

1
0

Professor slams digital efforts of 'website-obsessed' government

Mike 137

"doing things wronger"

Might "doing things wronger" include posting a paper for download with a filename of Fulltext.pdf? Relying on the file path to define the nature of the document seems very similar to the sort of thing that is being castigated. Minor example maybe, but it highlights the fundamental problem - failure to think before acting.

0
0

Bees with numberplates will soon be buzzing around London. Why?

Mike 137

Fantastic project but...

Pity that the web site http://www.savelondonbees.co.uk/ is just a heap of JavaScript pointing to about 30 different subdomains.

Nobody with the slightest awareness of online security would go near this with JavaScript enabled, and it just doesn't work at all without.

The most fundamental principle of the world wide web from the very start was endpoint agnosticism - the ability of any browser to get to the content, independent of presentation. I have no objection to bells and whistles - provided they are optional and don't prevent basic access to the content.

Web developers who create sites like this do their clients a huge disservice - they deny the intelligent and informed access to the content.

4
0

Half of Brit small biz hit by cyber crime. 10% spend zilch on infosec

Mike 137

where's the link to the study?

it would be nice to be able to read the original

0
0

Digital adaption, you're doing it wrong. STEM education needs rethink

Mike 137

where are we?

It'd be really nice if the author were to mention what country he's talking about. I didn't realise this was about Oz until I saw the graph caption near the end. This is not by any means a unique instance.

1
0

True security means better response to hacks, not bigger walls to block hackers

Mike 137

three choices?

"You can prioritise blocking attacks.

You can develop processes that let you respond to attacks.

Or you can put most effort into cleaning up after an attack."

Put that way it sounds really stupid - they are not mutually exclusive. You need to do all three in just proportion all the time. Getting the balance right is the key to success, and it may not be a static balance - the priorities can change depending on what's happening right now, so you need to be continuously attuned to the threat space. Ergo, being aware of the changing threat space is always your highest priority.

0
0

Defence in depth: Don't let your firm's security become a boondoggle

Mike 137

Infosec?

Nothing discussed here is really infosec - it's ITsec. ITsec is a small part (maybe 30%) of infosec. Conflating the two is the error that almost everyone makes and it results in a technocentric view that fails to deliver real security however much you spend. Infosec is about management of risk - ITsec is about choosing and deploying defensive technologies. Unless this is done with reference to business risk, it will be at best very expensive and at worst both very expensive and a failure.

0
0

When should you bin that old mainframe? Infrastructure 101

Mike 137

time dilation?

"24/7/365 support", Talk about over-working the team - 24 hours a day, seven days a week, 365 weeks a ... oh, hang on! Something's not quite right here. In the real support world, you provide either 24/365 or 24/7/52.

1
0

Terrified robots will take middle class jobs? Look in a mirror

Mike 137

rejects?

As always there has to be a happy medium (something nobody seems to have ever managed to achieve sustainably).

However, what has been happening for some time is that against an objective standard of best available performance, median performance has been declining so we're all becoming "rejects". Here, maybe, is a reason. Instead of, as in the past, creating technologies primarily to enhance innate capacities, for some time we've been creating them to supplant those capacities, so the innate capacities are allowed to atrophy. It's even beginning to show in the quality of the supplanting technologies, as people with atrophied capacities have entered the roles of creator, designer and QA inspector. Evidence of this is readily to hand - witness the appalling quality of software, even in mission- and life-critical systems.

1
0

Pay up, Lincolnshire, or your data gets it. Systems still down after ransomware hits

Mike 137

"... spread throughout its systems."

who's running a flat network then? I see this all the time - exclusive reliance on Active Directory for control over access to resources over an otherwise exhaustively interconnected user network. Apparently nobody's heard of network segregation.

0
0

Plusnet ignores GCHQ, spits out plaintext passwords to customers

Mike 137

"When a web site is able to 'remind' you of your password by emailing it back..."

"When a web site is able to 'remind' you of your password by emailing it back, that's a symptom of very poor security practices."

Ironically the Register did this the last time I forgot my password. I still have the email containing my password in clear in the body of the message.

0
0

Now VW air-pollution cheatware 'found in Audis and Porsches'

Mike 137

Vorsprung durch

Betrügerei?

0
0

Amazon Echo: We put Jeff Bezos' always-on microphone-speaker in a Reg family home

Mike 137

"And what resulted over time is this:"

"distrust turned to uncertainty; uncertainty to excitement; excitement to disappointment; disappointment to acceptance; acceptance to affection."

Exactly the process of hostage conversion - right up to Stockholm Syndrome

1
0

Minicab-hailing app Uber is lawful – UK High Court

Mike 137

Re: What am I missing

Actually, the distinction seems to be whether this device (the smart phone and/or app) is actually calculating the charge. It has been decided that it is only reporting the charge, which is calculated elsewhere - hence it's not a taximeter.

0
0

Revealed: Why Amazon, Netflix, Tinder, Airbnb and co plunged offline

Mike 137

"(AWS), which powers a good chunk of the internet"

No it doesn't - it serves a good chunk of the world wide web. The web is not the internet.

1
0

UK.gov creates £500K fund to help universities teach cyber skills

Mike 137

"Oh no it doesn't..." - "Behind you!"

"...Cyber Essentials – the UK government-backed scheme which protects businesses against the most common threats on the internet."

Cyber Essentials Basic just requires an attestation that specific minimal security technologies (e.g. antivirus and a firewall) and practices (e.g. patching) are in place - not even that they're actually working. Cyber Essentials Plus adds an annual one-off penetration test, which of course does not actually prove they are working properly, only that they haven't absolutely failed at the time of the test. Furthermore, the originators of Cyber Essentials explicitly limited its scope to the most elementary low grade threats, and even there it's only the equivalent of an MOT ("annual vehicle safety test" for those of you in foreign parts).

I actually recommended that the Cyber Essentials Basic attestation should include a CMM-based self-assessment of the level to which these minimal technologies and processes are managed, but the suggestion was ignored. Consequently Cyber Essentials does not really protect against much at all.

0
0

Hackers upload bot code to Imgur in 8Chan attack

Mike 137
FAIL

"...to hide malicious code in images..."

Really? It's often a good idea to read the original report before summarising it.

Actually, the malicious code is hidden in image LINKS.

The very first sentence of the original report states this clearly: "Yesterday a vulnerability was discovered that made it possible to inject malicious code into an image link on Imgur."

Come on Reg - you're not a red top!

1
0

Hackers use 'cartons' with 'sticks', may be foiled by 'watermelons'

Mike 137

there's just one tiny problem... (Edmund Blackadder)

'carton' (картон) doesn't mean carton (a box) in Russian - it means 'cardboard'.

0
0

Painfully insecure GDS spaffs £21,000 on online narcissism tool

Mike 137

Can anyone answer this?

Why could it be that two letters of mine this year relating to important issues, sent directly to the ministers responsible, have elicited zero response but the govt is dead keen to find out at our expense what some of us have tweeted about it?

0
0

Ford's 400,000-car recall could be the tip of an auto security iceberg

Mike 137

Re: OTA updates are NOT the solution

Tell all that to the guy who did the forensics in Bookout v. Toyota - several really basic systems design and programming errors. But we're not just blaming coders here, nor just the auto industry - there have recently been some quite spectacular aeronautical software design snafus.

The bottom line is that the whole software development process still fails to meet the standards expected of all other branches of engineering. And falling back on 'testing' is not an appropriate solution. We don't build bridges without doing the math and then just test them by running trucks across (we used to: there's a famous 19th century verse about Crystal Palace, London that goes "... the sappers and miners who marched and who ran ... To test the girders to Paxton's plan..." but we've advanced beyond that by now).

So the reality is that software engineering is not yet a mature enough discipline to apply with confidence to safety-critical systems. With luck and persistence it may become so, but presently it's too damned dangerous to trust your life to software.

1
0

Bank of England CIO: ‘Beware of the cloud, beware of vendors’

Mike 137

Responsibility?

"One of the purported benefits of public cloud is you no longer need to buy and maintain your own servers – they become the responsibility of somebody else."

Oh no they don't - they get to be _managed_ by somebody else, but the responsibility remains firmly in your corporate lap. That actually increases your exposure, as you can't control the screw-ups of your providers.

0
0

Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK

Mike 137

"no explanation has been provided"

The simplest one is that GDS has conclusively demonstrated via a succession of projects that they couldn't design their way out of a wet paper bag. Any other explanation needed?

1
0

British Library publishes Digital Magna Carta – written-by-web-vote because it's 2015

Mike 137

Re: Predictable but interesting - "today's kids are waking up"

but still clearly incapable of maintaining a coherent train of thought or coping with basic grammar:

"not sell our personal information and preferences for money, and will make it clearer if the company/website intends to do so."

0
0

LastPass got hacked: Change your master password NOW

Mike 137

"256 bit ... is beyond overkill"

Actually worse for you than that. For a collision-free hashing algorithm the safe limit is for the total length of the clear text to not exceed the length of the hash (in bits). If it does, there _will_ be (not just may be) collisions. So very long plaintexts (regardless of their make-up) actually make the attacker's job more rewarding, as brute forcing a given hash may yield more than one plaintext. Thus the attacker can potentially obtain more credentials from the same number of captured hashes.

However your '50% probability' depends on the hashing algorithm's transfer function having a uniform distribution. I'm not sure whether it does, but I'd be surprised if it did considering the principle of how it works.

0
0

Confusion reigns as Bundestag malware clean-up staggers on

Mike 137

Re: I'm sick and tired of hearing this excuse!

And that excuse too. "An attack in this class..." - what class? We don't seem to have any details yet, but as a security professional I'm regularly less than amazed when the latest "sophisticated attack" eventually turns out to have been a total push-over that circumvents deficient or degraded controls. Our biggest problem is that the "defenders" only defend reactively, but the attackers are proactive. If we managed our systems (and our business processes) robustly, a lot of these attacks would bounce off without doing much (or any) harm. But we just skirmish defensively in a guerrilla war in the enemy's territory, so we keep losing.

2
0

'Use 1 capital' password prompts make them too predictable – study

Mike 137

Nice research - obvious results

A nicely conducted piece of statistical research, telling us what we've actually known for years. The entire "character set + template" approach to authentication credential creation is well recognised by both experts in systems and psychologists to be flawed, but we're stuck with it because the people defining login requirements currently have no understanding of either.

The silliest recommendation after "character set + template" is the supposedly random character string. This is grounded in a misunderstanding (and misapplication) of Shannon entropy, and fundamentally fails because (even if generated by a true random process) no-one (OK, maybe one in a million) can remember it. It's actually impossible for a human to create because the mind can't wrap round true randomness - what looks like a "random string" to a human is usually biased to emphasise a small subset of the possible code space.

Even the random word sequence advocates ("horse staple ...") have it wrong. The essence of a robust authentication credential subsists in three requirements:

[1] it must be long enough to make brute forcing hard - the required length will change with time and the criticality of what is being protected;

[2] it must be memorable to its creator - so in principle it must mean something to him or her;

[3] it must not be readily guessable by anyone else - so a problem arises for folks who are not very original ;-)

Within the string space fulfilling these three requirements, the strongest strings against guessing attacks will be the ones that conform least well to a common template. So the best rule set will contain the fewest, simplest rules. Here's my take with commentary in square brackets:

"A logon credential [note that we intentionally don't say 'password'] is not to allow you access to our systems - it's to prevent anyone else gaining access by pretending to be you. It must therefore be easy for you to remember but difficult for anyone else to guess. To achieve this, here are some basic guidelines:

[1] think up a memorable but not well known phrase or sentence of at least four words totalling at least 15 characters [reasonable length at time of writing, but may need to increase]. This phrase should mean something to you to make it easy to remember, so be imaginative, consider using humour and/or your native language.

[2] certain obvious words are blocked and therefore cannot be used, including [e.g.] your user name, the company name or date words (month and day names) [but keep the excluded words list to a minimum to avoid user frustration].

[3] you may, but are not obliged to, separate the words in your phrase with non-alpha symbols."

Not the ultimate maybe, but probably a better start than the standard rules that render all words in any dictionary illegal (rather a challenge for a literate user) but permit 'Pa55w0rd!'. I've written about this elsewhere (http://intinfosec.com/library/policies/2011-Instant_Compliance_for_a_Grand.pdf)

0
0
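The three guidelines in the post above (a phrase of at least four words and 15 characters, a deliberately short blocked-word list, optional non-alpha separators) are concrete enough to be checked mechanically. The following is an added example written for this page, not code from the original post or from the linked paper. The minimum word and character counts, the use of the calendar module for date words, the sample phrases and the user name and company name passed in are all the editor's assumptions. It also implements the "character set + template" rule set the post criticises, purely so the two policies can be compared on the same inputs.

```python
"""Passphrase policy checker (added example, not from the original post).

Implements the post's three guidelines and, for contrast, the conventional
'upper + lower + digit + symbol, 8+ characters' template that accepts 'Pa55w0rd!'.
Thresholds, blocked-word sources and sample inputs are editor's assumptions.
"""
import calendar
import re

MIN_WORDS = 4    # guideline [1]: at least four words
MIN_CHARS = 15   # guideline [1]: "reasonable length at time of writing"

# Guideline [2]: keep the blocked list short. Month and day names (full and
# abbreviated) come from the calendar module; user name and company name are
# supplied by the caller rather than hard-coded here.
_DATE_WORDS = (
    {n.lower() for n in calendar.month_name if n}
    | {n.lower() for n in calendar.day_name}
    | {n.lower() for n in calendar.month_abbr if n}
    | {n.lower() for n in calendar.day_abbr}
)

# A "word" is a run of letters in any script (\w minus digits and underscore),
# so non-English phrases count and any non-alpha character acts as a separator.
_WORD_RE = re.compile(r"[^\W\d_]+")


def words_in(phrase: str) -> list[str]:
    """Split a phrase into words; guideline [3] allows separators such as '-' or '_',
    so 'my-cat_thinks' yields ['my', 'cat', 'thinks']."""
    return _WORD_RE.findall(phrase)


def check_phrase(phrase: str, username: str = "", company: str = "",
                 extra_blocked: tuple[str, ...] = ()) -> list[str]:
    """Return the list of guideline violations; an empty list means the phrase passes."""
    failures: list[str] = []
    words = words_in(phrase)
    if len(words) < MIN_WORDS:
        failures.append(f"need at least {MIN_WORDS} words, got {len(words)}")
    if len(phrase) < MIN_CHARS:
        failures.append(f"need at least {MIN_CHARS} characters, got {len(phrase)}")
    blocked = _DATE_WORDS | {w.lower() for w in (username, company, *extra_blocked) if w}
    hits = sorted({w for w in words if w.lower() in blocked})
    if hits:
        failures.append("blocked word(s): " + ", ".join(hits))
    return failures


def legacy_template_policy(pw: str) -> bool:
    """The 'character set + template' rule set the post objects to: 8+ characters
    containing an upper-case letter, a lower-case letter, a digit and a symbol.
    Included only to show what it lets through."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^\w\s]", pw) is not None
    )


if __name__ == "__main__":
    # Constructed sample inputs; 'mike137' and 'acme' stand in for a user name
    # and company name that a real deployment would take from its directory.
    samples = (
        "Pa55w0rd!",
        "my cat thinks she owns the sofa",
        "monday morning feels rather long",
        "acme rocks every single day",
        "mein Hund frisst Käse gerne",
    )
    for s in samples:
        print(f"{s!r}: template policy accepts={legacy_template_policy(s)}, "
              f"phrase policy failures={check_phrase(s, username='mike137', company='acme')}")
```

Run stand-alone, the script shows the point the post makes: 'Pa55w0rd!' satisfies the template policy but fails the phrase policy on both word count and length, while a seven-word sentence passes the phrase policy and fails the template one. Note that the blocked-word check reports matches in the case the user typed them, and that only the letters of a user name are ever compared, so a name such as 'mike137' blocks 'mike137' but not 'mike'; add the bare name to extra_blocked if that matters in your environment.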

Radio 4 and Dr K on programming languages: Full of Java Kool-Aid

Mike 137

Haskell v. thinking

The item on Haskell included mention of its use to create a statistical analysis tool for assessing drug rehab clients, during which 'Dr. K' made the statement that it was a surprising use of such a mathematically oriented language. I've seldom heard such a silly statement from a supposed expert - a mathematical approach is essential to solving statistical problems, so a mathematically oriented language would in principle be the ideal choice.

1
0

BBC gives naked computers to kids (hmm, code for something?)

Mike 137

Still too abstracted and complex to be really useful

This device (although less abstracted and obscure than the Raspberry Pi) is still too complex to really impart the fundamental concepts of computer technology. Kids would be vastly better served by a simple board carrying an 8-pin or 14 pin PIC, plus the device data sheet. The skills we are primarily short of (even among developers) are much nearer the metal than current programming practice encourages or imparts. A PIC solution would offer two key advantages: it would probably be cheaper, and the device architecture and instruction set are so simple that a child could grasp them in a few days, leading to basic understanding of machine architecture, Boolean logic and the electronics of interfacing, little or none of which is acquired by high level coding practice, particularly at school level.

0
0

Security vendor's blog post pinched to make HMRC phish look legit

Mike 137

Not unduly convincing

The offending phish email (on the netcraft site) is not actually very convincing. I'm not going into details as I don't want to assist the perps, but there are several tell-tale signs that anyone who was paying attention would immediately spot. If you're not paying that much attention you'd get stung by anything!

1
0

BBC: SOD the scientific consensus! Look OUT! MEGA TSUNAMI is coming

Mike 137

What's all the fuss about?

Auntie is never wrong - even about trivial things. There is one presenter of the morning shipping forecast (Louise Lear) who, whenever the same conditions pertain in both the Forth and Tyne regions, always merges them into the non-existent "Forthtyne" with the stress on Forth. I've complained to Auntie several times over a period of several years, and all the responses I've received have simply stated that I'm mistaken.

If Auntie can deny such simple checkable matters of fact, she can deny anything.

0
0

Swots explain how to swat CPU SNITCHES

Mike 137

"...these results confirm what programmers should already know..."

I wish I knew where these knowledgeable programmers are hiding. Most "programmers" I've met can't even create bug-free code using "flat pack assembly" dev tools.

7
0

ONE in A HUNDRED reported bugs exploited, says Cisco

Mike 137

"So in 90 per cent of IE transactions, there would be some level of insecurity"

The (obviously) prevalent idea that patched=secure is spherical and plural, and always has been. It makes no more sense than "what you don't know can't hurt you" - indeed it's grounded in that false premise.

It's about time we stopped relying on reactive fixes based on blacklisting and got round to creating some real resilience - starting with the ability to write software that isn't littered with exploitable bugs.

1
0

Definitions matter. For crying out loud, securobods, BE SPECIFIC – ENISA

Mike 137

where's the link?

It would have been generous to link to the report so we could read it for ourselves!

0
0

Sucker for punishment? Join Sony's security team

Mike 137

The obvious wrong answer

This is a classic example of the exact opposite of what is really needed. The prevalent technocentric approach to infosec has got us where we are, so doing more of it will not improve our state of security.

What is really needed (and in my experience as a security consultant is almost universally missing) is a robust security management framework consisting of [1] a strategy that defines the security priorities of the organisation in terms of risk, [2] tactics for addressing the priorities, and [3] operational processes that fulfil the requirements defined by the tactics and strategy. The framework essentially needs to include monitoring and feedback to ensure that [a] perceived risk continues to accurately represent reality as things change, [b] control objectives have a realistic chance of protecting against threats, and [c] controls that actually work.

Appointing techie "hackers" to oversee the security of a vast corporate (or indeed a government, as we seem to be doing here in the UK) is about as useful as appointing a bricklayer (however skilled) to oversee the building of a city.

We need to wake up to the reality that information security is primarily a problem of business process management. Yes - we can be attacked via technologies and we use technologies extensively to protect ourselves, but as in the case of JP Morgan http://www.theregister.co.uk/2014/12/23/jpmorgan_breach_probe_latest/ it's in BAU management that the weaknesses mostly manifest themselves.

1
0

Care.data's a good thing? Tell us WHY, thunders watchdog

Mike 137
Joke

on a lighter note...

"the much-scaled back pilot programme" - clearly an attempt by airlines to save on salaries by employing fish.

0
0

CAPTCHA rapture as 'thousands' affected by seven year-old bug

Mike 137

"That dodgy code was according to Google searches cited 322,300 times..."

Just highlights the level of competence of our web developer community - don't write code with care, copy and paste from demos without attention. Explains a lot about the deluge of breaches.

0
0

Cyber security: Do the experts need letters after their name?

Mike 137

when do these intellectuals get any time to actually do the work?

Accumulating these acronyms does not mean they're intellectuals (although being one is not necessarily a bad thing in a sphere where unconsidered rote learning and rule of thumb still dominate) - it means they've put up the money to take a bunch of computer marked multiple choice pub quizzes. Expertise cannot be evaluated that way, but it does free those who select practitioners from the burden of knowing the subject. It also creates multiple closed shop cliques that can capitalise on the "mysteries" of narrow subsets of infosec - witness PCI DSS, which is in reality little more than basic good practice in infrastructure security and information management - things you should be doing as a matter of course across your whole estate - but has spawned a huge and very lucrative specialist consultancy and conference industry.

BTW, I recently saw a UK advert for a PCI security contractor at 450 quid a day (that's over US$170k per year) that specified "at least two years IT security experience", and a recent survey of the security knowledge of software developers incidentally found that almost 50% of respondents in key fields including banking and systems software development had less than two years experience. It appears therefore that the pub quizzes are a fast track for the inexperienced into lucrative security-related roles where they can earn a lot while perpetuating the insecurity of our infrastructure.

0
0

Why did men evolve map-reading skills? They were PAID BY BONK - study

Mike 137
FAIL

evolved to ...?

'men have evolved a greater spatial ability to "benefit reproductively ...'

Supposing this is a direct quote, it's pretty sad that scientists (even if only anthropologists) continue to promulgate the fallacy that evolution is directed to defined purposes. If it's not a direct quote, shame on el Reg for doing likewise.

1
0

Vulnerable utilities, telcos, top of new Aussie natsec centre's to-do list

Mike 137

"40% unknown"

It says something about the threat intelligence service that (according to the graph in the image) it's failed to identify 40% of threat actors. Presumably the comment "Advanced Threat actors are getting smarter" is based on the assumption that the "unknown" 40% are smarter than the analysts.

0
0

Forget passwords, let's use SELFIES, says Obama's cyber tsar

Mike 137

strange reasoning

"We glue the wings on airplanes with Evo-Stik and they keep falling off, so let's abandon airplanes" - that's no sillier than this commonly repeated argument about passwords. We define them poorly and manage them worse (just for example, the last time I asked el Reg for a password refresh I was emailed my existing password in plain text), so they must be intrinsically crap.

They don't have to be, were we to get our act together, but we're stuck in a sloppy mind set that will actually make any alternative authentication method pretty much equally open to abuse.

Those who implement password controls must stop thoughtlessly repeating mantras ("special symbols and squirrel noises") and take notice of a vast and growing body of rigorous scientific research on both the psychology and technologies of authentication and breaches. The problems are actually much simpler than we have been led to believe, but require more effort and imagination than we have brought to them so far to solve.

So no, passwords are not dead - they just need to be created and used intelligently with reference to the real world. Then they are just as good as any other authentication method in their own context.

1
0

Just when you thought you were alone in the bath: Hi-res mapping satellite ready for launch

Mike 137

Objects as small as 30cm

Is 30cm the resolution limit, the pixel size or the size of an arbitrary object that can be recognised in the image?

Resolution limit means the ability to resolve a pair of high contrast lines not less than that wide; pixel size is typically a quarter to a ninth of the area of the minimum resolvable dot. Neither means that objects of this size could be recognised from the images. I would guess that the size of a minimum recognisable object is more likely to be of the order of 1.5-3 metres.

0
0

'Things' on the Internet-of-things have 25 vulnerabilities apiece

Mike 137

Re: Use case?

"...I don't see it as any of my lightbulb's business if my electric car has paired with my washing machine..."

The light bulb, being quite bright, may be worried by the potential nature of the offspring...

2
0

Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees

Mike 137

Re: No Surprise

I spent a few years working on this (blind denoising of tree ring width series) in the '90s. The only moderately reliable first order separation was between signal components common to multiple concurrent series from a specific site and signals uniquely present in individual series. The assumption on which my work was based was that individual variation is less likely to be driven by a common influence, so removal of individual variation should leave a better approximation to the common signal indicating the common influence.

Admittedly this is a fairly loose argument, but my work did show fairly conclusively that high frequency components tend to be local to individual series and low frequency components have a better chance of being common to all the series. Unfortunately, the then (and I believe still) common practice of "detrending" by normalising each individual series to its own low frequency spline before any analysis tends to mask the lower frequency components that might be some of the most interesting in terms of climate change.

However tree rings are not alone in providing rather tenuous and noisy signals. All currently used climate proxies suffer from this, each in their own way, so using them has to be done with a great deal of caution.

6
0

NASA: ALIENS and NEW EARTHS will be ours inside 20 years

Mike 137

Fundamentally flawed thinking

"...the possibility we're no longer alone in the universe..."

reminiscent of Columbus "discovering" America - the native populations didn't even know it existed until he turned up and told them...

0
0

NSA man says agency can track you through POWER LINES

Mike 137

"...the secret signal sauce..."

"...the secret signal sauce that allowed location to be determined..."

An interesting culinary sidelight on what would otherwise seem to be a pure DSP problem.

1
0

Traffic lights, fridges and how they've all got it in for us

Mike 137

Re: No they haven't

The most serious culprit in all this is the EULA. As soon as you "license" rather than sell the product (or the software component of the product even if you just paid for the hardware) all the established legal protections relating to safety, functionality and even fitness for purpose suddenly cease to apply. Consequently there's absolutely no incentive to make the software secure or even robust against failure. In short - the EULA is a perfect get out clause and that's very unlikely to change due to the pressure of the vendor community on legislation.

It's ironic (and self-defeating) that you can, just for an obvious example, buy a car (a potentially lethal machine) the mechanics of which must meet increasingly stringent safety standards in order to prevent fatalities, but the software that controls many of its safety critical functions can be complete garbage and there's very little comeback. Indeed someone usually has to die before any action is taken, and even then there's financial penalty, but no guarantee the next piece of software will be any better.

If you aren't convinced yet, read http://www.safetyresearch.net/Library/Bookout_v_Toyota_Barr_REDACTED.pdf then extrapolate its findings to the entire hypothetical IoT. That's not unrealistic - the flaws Barr described are _seriously_ basic stuff - the kind of mistakes a student would be marked down for on any adequate programming course, and furthermore protecting the vendor's IP seems from that report to have taken precedence over the level of facilities provided to a court-appointed expert examiner. Does that not shout volumes about the way forward?

Then of course there's the rather funnier (in hindsight) incident of the Satanic Renault http://www.theregister.co.uk/2013/02/15/satanic_renault/

0
0

DARPA crazytech crew want to create HUMAN-FREE cyber defence systems

Mike 137

I have a dream...

How about spending all that money and ingenuity on teaching people to write code that isn't a bug-ridden load of excrement in the first place...

0
0
