Posts by Mike 137

3455 publicly visible posts • joined 10 Sep 2009

Infosec teams must be allowed to fail, argues Gartner

Mike 137 Silver badge

"The pair recommended extensive rehearsal for recoveries"

I remember once when supposedly in charge of infosec for an international corporation, reporting problems with their incident response planning. Not least, the only testing they performed was to have an annual session with the executive led by an outsider consultant who talked them through an elementary scenario (on the occasion in question -- evacuating the HQ and continuing office work if a wartime UXB had been discovered nearby), all from the comfort of the boardroom. I suggested that there should be unannounced live exercises and that confusion should be intentionally injected into the scenario to simulate real conditions. They rejected both, on the grounds that they would be 'unpopular' with staff. There were numerous other deficiencies with their incident response, but they were essentially moot given the total unpreparedness of the organisation to respond with any semblance of speed or focus to anything they hadn't already anticipated (and they hadn't anticipated anything close to the realities of actual incidents).

The last mile's at risk in our hostile environment. Let’s go the extra mile to fix it

Mike 137 Silver badge

"Stop putting cabling in easy to reach, easy to breach ducting"

A neighbour here in the UK has FTTP. The fibre emerges from the ground at the edge of the footpath and lies along the surface of their paved forecourt alongside a party wall for some four meters before rising in a loose loop about 30 cm into an equipment box of some sort on the house wall. None of this is trunked and there's a lot of slack in the run, so quite apart from vandalism it's highly likely to get snagged and broken accidentally. Seems to me it would have been so easy to bury a conduit and feed the fibre through it.

In the rush to build AI apps, please, please don't leave security behind

Mike 137 Silver badge

"They'll solve an interesting mathematical problem using software and then they'll deploy it and that's it. It's not pen tested, there's no AI red teaming, risk assessments, or a secure development lifecycle."

So much like any other dev project these days really. The fact that it's an "AI" project is really irrelevant to the problem. Stated simply -- there hasn't been a mainstream OS or major application in the entire history of microcomputing that's been fully freed of hazardous vulnerabilities before it's been superseded by the next version, which has repeated the same disastrous cycle from scratch.

That's the real problem we still have to fix, regardless of what ultimate purpose the OS or application is intended for.

Bernie Sanders clocks in with 4-day workweek bill thanks to AI and productivity tech

Mike 137 Silver badge

"American workers are over 400 percent more productive than they were in the 1940s"

Oh hell -- is that four times or five times as productive? The prevalence of using percentages instead of multiples both forces us to do rapid mental arithmetic and results in ambiguities of this kind. But I suppose it sounds much more impressive to say "1000 per cent" than "ten times", or even "200 per cent" rather than "double".

Forget TikTok – Chinese spies want to steal IP by backdooring digital locks

Mike 137 Silver badge

Re: Too much tech?

"You have to wonder whether the old mechanical locks were better at least in this respect"

I was a witness once when a manufacturer's tech opened a safe when a business folded. He made two measurements on the front of the door, drilled one 6 mm or so hole, pushed a piece of stiff wire in and the door opened. This was a commercial grade safe by a reputable manufacturer, not a consumer contraption.

Cop shop rapped for 'completely avoidable' web form blunder

Mike 137 Silver badge

Why on Earth?

"ensure there are no unintended consequences"

It's much more basic than that. Why was internal access to the data expected to be via the public portal? Surely it's a fundamental that internal and external access are segregated? Or are we once again falling foul of the output of web devs who understand nothing about even basic security? I suspect that the general misunderstanding of "agile" has a lot to do with it, as it's commonly interpreted as "tinker without planning" so nobody actually designs anything -- they just implement on the fly until it "works" and release it.

Record breach of French government exposes up to 43 million people's data

Mike 137 Silver badge

Re: This clearly breaks GDPR

"I cannot think of a single reason why you'd need information going back 20 years"

E.g. pension entitlements, disability claim histories, marriage and birth records ...

Mike 137 Silver badge

Re: Any public cloud is safer

"Why is big cloud safer? Because it has concentrated the best cyber-security experts from all over the World"

But if, as frequently happens, the adversary penetrates your cloud instance via your own endpoints, none of that ostensible super-security of the cloud means diddly. This is a seriously common error -- to assume that because the provider's infrastructure is well protected against attacks on that infrastructure (and it usually is), your security can rely on that as your 'security'. If someone successfully masquerades as one of your employees, they can do whatever that employee is allowed to do with your data (and in fact, probably more in most cases).

Mike 137 Silver badge

Not again ...

Adversaries masquerading as another government department is an interesting departure, but (as usual) what we haven't been told is what the primary vector was -- e.g. how did they get into the position to be able to masquerade?

I'm becoming convinced that most of these massive breaches are actually pretty trivial to initiate, which reflects badly on the general infosec stance of the victims. We urgently need to beef up our pre-emptive defences, as opposed to continuing in the reactive mode in which infosec still largely seems to be stuck.

Voyager 1 starts making sense again after months of babble

Mike 137 Silver badge

Re: Just a thought

"With so many people in parallel tinkering, someone must come up with the answer fairly soon"

The million monkeys and Shakespeare? The big problem is knowing when you have the right answer so you can stop, and that takes the expertise (genius, or whatever) that's intrinsically missing from a crowd source, as it's an individual capacity.

Mike 137 Silver badge

(Sighs)

They just don't build kit to those standards any more.

International effort to disrupt cybercrime moves into operational phase

Mike 137 Silver badge

Re: "brought cybercrime to the forefront of discussion among CEOs and boards of directors"

"probably have some impact"

Ignoring for now the illegality of that proposal, it probably wouldn't work anyway as a deterrent for a couple of reasons. First, the adversary has for a long time been organised hierarchically, just like any other corporation, and it's in general only the grunts at the bottom (who do the actual cracking) that are exposed to consequences. Plus, even where a 'leader' is arrested, there's always someone else to take their place. Second, draconian and brutal punishments have historically never deterred crime (and there's plenty of precedent to prove that).

Mike 137 Silver badge

"brought cybercrime to the forefront of discussion among CEOs and boards of directors"

What hasn't joined 'discussion' yet at that 'forefront' is the Board's recognition that, without application of substantial resources most organisations remain wide open to even quite trivial attacks. The myth of the "sophisticated adversary" is for most victims, just that -- a myth.

Until infosec is properly funded and fully integrated into the corporate risk strategy, there's little point in focusing on the perps. Until then, what's needed is recognition of, and response to, the fact of being still a soft target.

Interestingly, the new version of the NIST Cybersecurity Framework, released on Feb 26th, is the first version to incorporate a governance function. Since the framework was first released in 2014, it's only taken a decade for this to register as necessary. This does typify the fundamental problem, doesn't it.

Developers beware, Microsoft's domain shakeup is coming soon

Mike 137 Silver badge

What would be really nice ...

would be if they'd consolidate all the domains used for "update" and "telemetry" into a single one I could block at the firewall.

Rancher faces prison for trying to breed absolute unit of a sheep

Mike 137 Silver badge

Re: Who pays for that?

But now in 'Great' Britain kids are doing it just for kicks. Brave new world.

Mike 137 Silver badge

"captive hunting operations – aka shooting sheep in a barrel"

I remember an account of a German "boar hunt" from around 1910. The boars were released into a long wire mesh tunnel from which they couldn't escape and the "hunters" took pot shots at them as they ran down it. If they got to the end of the tunnel alive, they were put back into it again. Aren't humans nice!

Poking holes in Google tech bagged bug hunters $10M

Mike 137 Silver badge

Alternatively

In one year: Google --> "$10 million to 632 bug hunters"; Microsoft --> "$13.8 million to 345 researchers". So that's $15.8k each at Goo, $40k each at M$.

They could with that expenditure have easily paid the salaries of a sufficient number of in house staff doing debugging, considering that in house staff wouldn't be paid on the same notional "one bug each" model. However, farming out quality control seems to be the norm now, apparently regardless of cost effectiveness -- yet another example of how IT and common sense continue to diverge.

Microsoft forges One Teams App To Rule Them All

Mike 137 Silver badge

[Teams] version capable of simultaneously logging in to multiple personae

What a wonderful way to support leakage of confidential information! Split tunnelling was bad enough, but this really takes the biscuit. I get the impression that M$ has for quite some time thought of itself as a glorified toy shop rather than a creator of robust business tools. And these are the guys who presume to remotely manage our "security".

Oh look, cracking down on Big Tech works. Brave, Firefox, Vivaldi surge on iOS

Mike 137 Silver badge

"make their websites dependant on Google's proprietary features"

Cui bono?

Somewhere along the line, web devs seem to have forgotten what they're doing all this dev for. When I taught web development (admittedly many years back) the first thing I said to the class was "remember, you're not developing this site for your client -- you're developing it for your client's customers. If you forget that and limit access by your design your client will lose business". That followed directly from the principle of client agnosticism enunciated by Tim Berners-Lee on 'day one' of the web. Now, unless you're using the recommended browser (brand and often even version) you're locked out of many sites, so they do indeed lose business.

Microsoft Copilot for Security prepares for April liftoff

Mike 137 Silver badge

Or possibly "my career"?

"I do believe this is going to be the most consequential technology of my lifetime" says Vasu Jakkal (quite by chance of course, corporate vice president of security, compliance, identity, and management at Microsoft)

Mike 137 Silver badge

Copilot for Security, Jakkal said, is "designed to help customers and users defend at machine speed"

Rong with a capital R [it's recursive ;-) ]

If at all, that should not be "defend ..." but "respond at machine speed". Real defence starts way before any attack unless you're operating purely reactively. And if you are, you'll lose however fast you try to respond, 'coz you'll be wide open fragile. In infosec there are no substitutes for forethought and preparation.

Nvidia rival Cerebras says it's revived Moore's Law with third-gen waferscale chips

Mike 137 Silver badge

An unanswered question

"The 4 trillion transistor part is fabbed on TSMC's 5nm process and is imprinted with 900,000 cores and 44GB of SRAM"

That's an awful large target for production flaws. I wonder what the yield will be.

UK council yanks IT systems and phone lines offline following cyber ambush

Mike 137 Silver badge

Re: "Until people who click the links are fired, this will continue to happen"

"Just how hard is it to train people to hover the mouse over an email address or link to read the actual address/link behind the screen image one"

The hard part is instilling the understanding that allows folks to decide reliably whether the actual target is malicious or not, particularly in this age of contaminated legitimate sites, internationalised domain names, URL shorteners and incomprehensible hash parameters. Even we infosec bods would have a hard time doing this reliably at sight.

In any case, as it's perfectly possible to apply tech controls to this problem (e.g. cloud based security proxies have existed for ages) why should the inevitably non-expert user (who has a quite different full time job to do anyway) be expected to be the front line defender? Solely, I think, because many IT folks despise users as "stupid" and therefore fair game, whereas in reality they're just inadequately informed (and it's in reality impracticable to inform them sufficiently). The really stupid element here is the refusal to address the problem with appropriate controls.

Mike 137 Silver badge

"Until people who click the links are fired, this will continue to happen"

Or, preferably, technological means are employed to prevent malicious links being active before they get presented to users, who cannot reasonably be expected to discriminate between legitimate and malicious links on sight.

Quite apart from which, punitive regimes such as dismissal for mistakes don't prevent accidents of this kind happening, as the next person appointed is just as likely to make a similar mistake if left unaided by proper controls. The culture of fear such regimes generate also results in people who make mistakes concealing them, which helps nobody.

Mike 137 Silver badge

"Cyberattacks happen a lot, they happen to councils a lot,"

' "Cyberattacks happen a lot, they happen to councils a lot," said Eerke Boiten, professor of cybersecurity at De Montfort University Leicester '

One has to ask whether councils are specifically targeted in advance, or whether they're simply in general so vulnerable that they fall victim by chance. Neither the victims nor the perps will ever disclose this or they'd lose face, but a combination of the recognised poverty of most UK councils (making them a poor target of choice) and my experience of local authority IT suggests that these are mostly opportunistic successes (just as the UK NHS wasn't specifically targeted by NotPetya -- it was just wide open and so fell victim).

The end of classic Outlook for Windows is coming. Are you ready?

Mike 137 Silver badge

Re: Rebranded Mail & Calendar

"not really standalone as it runs on top of the Edge Webview runtime"

The browser is the new OS -- one more step towards the dumb terminal connecting to the M$ "mainframe" (for a regular fee, of course).

Mike 137 Silver badge

Re: I need classic outlook

Re: POP3 "at least your email doesn't disappear from the server the moment you retrieve it"

It doesn't have to as POP3 has no hand in this -- it's down to settings on your email client, which either does or does not send a delete command after retrieving the email. It's perfectly possible to retrieve over POP3 and still leave all emails on the server if your email client allows this.
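The client-side choice the comment describes, as an added illustration (not the commenter's code or any real mail client): a minimal in-memory POP3 server state machine plus a simulated client fetch cycle, showing that RETR never removes mail and that only DELE followed by QUIT does. The mailbox contents, user name and password are constructed placeholders.

```python
"""Minimal in-memory POP3 (RFC 1939) server state machine, no sockets.

Added illustration, not code from the comment or from any mail client.
It models just enough of the protocol to show that retrieval (RETR) never
removes a message; mail disappears only when the client sends DELE and then
QUIT, because POP3 commits deletions in the UPDATE state at QUIT.
"""

# Constructed sample maildrop (two tiny RFC 822 style messages).
CONSTRUCTED_MAILBOX = [
    "From: alice@example.test\r\nSubject: one\r\n\r\nfirst message\r\n",
    "From: bob@example.test\r\nSubject: two\r\n\r\nsecond message\r\n",
]

DEMO_USER = "demo"                # placeholder credentials, not real ones
DEMO_PASSWORD = "placeholder-pw"


class Pop3Server:
    """One maildrop, one session. States follow RFC 1939 section 3."""

    def __init__(self, messages):
        self.mailbox = list(messages)   # what persists on the server
        self.state = "AUTHORIZATION"
        self.pending_user = None
        self.marked = set()             # message numbers marked by DELE

    def handle(self, line):
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.state == "AUTHORIZATION":
            return self._authorize(verb, arg)
        if self.state == "TRANSACTION":
            return self._transact(verb, arg)
        return "-ERR session already closed"

    def _authorize(self, verb, arg):
        if verb == "USER":
            self.pending_user = arg
            return "+OK"
        if verb == "PASS":
            if self.pending_user == DEMO_USER and arg == DEMO_PASSWORD:
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            return "-ERR invalid credentials"
        if verb == "QUIT":
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR not authenticated"

    def _live_numbers(self):
        return [n for n in range(1, len(self.mailbox) + 1) if n not in self.marked]

    def _transact(self, verb, arg):
        live = self._live_numbers()
        if verb == "STAT":
            return f"+OK {len(live)} {sum(len(self.mailbox[n - 1]) for n in live)}"
        if verb in ("RETR", "DELE"):
            if not arg.isdigit() or int(arg) not in live:
                return "-ERR no such message"
            n = int(arg)
            if verb == "RETR":
                # Multi-line reply; lines starting with "." are byte-stuffed.
                body = self.mailbox[n - 1].replace("\r\n.", "\r\n..")
                return f"+OK {len(body)} octets\r\n{body}.\r\n"
            self.marked.add(n)          # only marked: nothing is removed yet
            return f"+OK message {n} deleted"
        if verb == "RSET":
            self.marked.clear()
            return "+OK"
        if verb == "QUIT":
            # UPDATE state: this is the only point where mail actually goes.
            self.mailbox = [m for i, m in enumerate(self.mailbox, 1)
                            if i not in self.marked]
            self.marked.clear()
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR unknown command"


def retrieve_all(mailbox, delete_after_download, send_quit=True):
    """Simulate a mail client's fetch cycle and report what is left behind.

    delete_after_download is the client setting the comment refers to:
      True  -> client sends DELE after each RETR (mail vanishes from server)
      False -> client never sends DELE (mail stays on the server)
    send_quit=False models a client that drops the connection before QUIT,
    so anything marked by DELE is never committed.
    """
    server = Pop3Server(mailbox)
    commands = [f"USER {DEMO_USER}", f"PASS {DEMO_PASSWORD}", "STAT"]
    for n in range(1, len(mailbox) + 1):
        commands.append(f"RETR {n}")
        if delete_after_download:
            commands.append(f"DELE {n}")
    if send_quit:
        commands.append("QUIT")
    replies = [server.handle(c) for c in commands]
    downloaded = sum(1 for r in replies if r.startswith("+OK") and "octets" in r)
    return {"downloaded": downloaded, "remaining": len(server.mailbox)}


if __name__ == "__main__":
    print("leave on server:", retrieve_all(CONSTRUCTED_MAILBOX, False))
    print("delete after download:", retrieve_all(CONSTRUCTED_MAILBOX, True))
    print("DELE but no QUIT:", retrieve_all(CONSTRUCTED_MAILBOX, True, send_quit=False))
```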

Can AI shorten PC replacement cycles? Dell seems to think so

Mike 137 Silver badge

"shorten PC replacement cycles"

The last bloody thing we want (to keep forking out on new kit).

The entire industry seems to have forgotten what IT is actually for (to perform tasks and run businesses painlessly and cost effectively). Forced obsolescence serves nobody except vendors. It's close to a protection racket -- "replace/pay up or you'll be unsupported" (meaning of course no more than that the vendor will stop fixing its cock-ups, or worse -- "you need to upgrade [whatever] to continue using our service", which, from the user perspective, performs exactly as before but demands the new tech to operate).

Microsoft calls AI privacy complaint 'doomsday hyperbole'

Mike 137 Silver badge

Re: GDPR

"are they obliged under GDPR to tell me what is included in the ChatGPT data sets"

Unfortunately, even under the GDPR, Article 14.5(b) allows that if the effort to provide you with the information is 'disproportionate' or its provision 'is likely to render impossible or seriously impair the achievement of the objectives of that processing' they can refuse.

Fun, isn't it!

Mike 137 Silver badge

Re: the only way...

"Unless you run your own server and set your own terms about who can access it there has never been any expectation of privacy here"

That depends on your definition of 'privacy'. If you define it merely as 'confidentiality' your argument stands. However, at least in Europe, privacy is defined as data subjects' right to control over who does what with their data. That right specifically exists even where the data in question has been posted in a public space, just as copyright does.

Cisco is a fashion retailer now, with a spring collection to prove it

Mike 137 Silver badge

Re: What's trending

Some years back I ordered a flight case, and when it arrived it had the vendor's name silk screened in huge red letters across its lid. I contacted the CEO and suggested that if he wanted me to advertise his firm he should pay me royalties, as my flight cases should advertise (if anything at all) my enterprise, not his. His response was "you must be joking" to which I replied "no I'm not. You just lost a customer". And he did. Fortunately a well chosen solvent dissolved the ink.

Attacks on UK fiber networks mount: Operators beg govt to step in

Mike 137 Silver badge

Root cause

This has been going on for years already. I know of a major incident of this kind from the early 2000s -- it just seems to be accelerating. The underlying problem is the accessibility of the ducts (and indeed ancillary equipment). We haven't ever designed the infrastructure for physical resilience, and continue not to do so as it's 'upgraded'. This has to change as electronic comms is critical national infrastructure.

Network Rail steps back from geofencing over safety fears

Mike 137 Silver badge

Re: because...

I remember a conference presentation a few years back of a cunning smart card based system for ensuring that tower crane operators could only operate cranes within parameters defined by their level of training and certification. The idea was that the operator's card, once inserted into the crane's console, would limit the extent of its operation. At question time, I asked whether there was any mechanism for ensuring that someone could not use another (potentially better qualified) operator's card. Silence ensued, then the speaker suggested that this was down to site wardens to check when workers reported on site. Incomplete solutions like this abound in the race to automate.

How do you lot feel about Pay or say OK to ads model, asks ICO

Mike 137 Silver badge

"Anyone that only uses social media to advertise their job openings is not worth applying to"

Individual agents of several otherwise entirely reputable agencies frequently refuse to interact with candidates (i.e. go silent) unless they can do it on linkedin. Agencies love these asocial media platforms because it eliminates the need to contact candidates individually until a decision has been made. After all, what's wanted is least effort for the commission, which is essentially the same motivation in principle that drives folks to post their content on goooooooogle's Blogger.com instead of setting up their own blog independently, and the same motivation that makes Blogger the place to go to view a blog rather than taking the trouble to search for an independent one. All round, it's unwillingness to make more than a minimal effort for the reward (an intrinsic and perfectly understandable human characteristic).

Mike 137 Silver badge

"To blindly say "Pay or Ok" should be banned is ridiculous"

The site gets paid anyway, whenever someone clicks on an ad. Apparently, they also want to be paid whether you intend to or not. Does this suggest that the site revenue from ads is no longer sufficient? And might this further suggest that the "targeted advert" con is becoming threadbare? There have been quite a few rigorous studies suggesting that the primary beneficiaries of targeted advert broking are the brokers, not the advertisers, the platforms or the users, and this is supported by a lot of anecdote about the uselessness of the ads that turn up ("just bought a bed, so I'm inundated with bed adverts" etc.).

Mike 137 Silver badge

Re: Sir Humphrey wrote the survey

@Mark #255 Thanks for letting us know. I suspected as much but it's good to be informed that it's probably a waste of time.

Up to last year, free form submissions on such issues were invited, but this seems to be changing, finally confirming that the decisions have effectively already been made. That said, having submitted extensively as a data protection professional to successive consultations on data protection over several years right up to Parliamentary committee level, I can categorically state that there's zero evidence that any of my comments or suggestions have ever been considered. So it probably doesn't really matter how responses are invited as they're destined to be ignored anyway.

Data subject rights are obviously considered a drag on business, so they must be eviscerated while maintaining a facade of 'taking them seriously' and doing the minimum to keep the EU satisfied.

Mike 137 Silver badge

"The proposed DPDI bill already aims to nobble cookie banners"

The DPDI Bill aims to nobble practically every data subject protection except those relating to direct material losses resulting from data breaches. It remains to be seen whether the result will pass European scrutiny for "adequacy" but it's very likely that will be a political decision. The fundamental that the GDPR is human rights law, not just data law has proved so inconvenient to big business that almost everyone has been bending over backwards to circumvent its provisions ever since 2018.

Oh, and by the way, the GDPR is silent on 'cookie banners' (and indeed on 'cookies'). The relevant UK legislation is the Privacy and Electronic Communications (EC Directive) Regulations 2003, implementing European Directive 2002/58/EC. It relates to cookies and other tracking devices (a fact that's usually ignored) but 'cookie banners' are purely an invention of those attempting to circumvent the legislation, in that, as implemented, they're the most annoying possible way to 'seek consent', in the obvious hope that most folks will just click through.

Mike 137 Silver badge

Success story?

"We have seen an almost 80% success rate in effecting change from the 53 organisations we wrote to last year"

One a week contacted, with one fifth failing to co-operate. Well done, seeing that almost every commercial web site (pretty much regardless of scale) abuses user privacy, not only specifically by cookies but by scripted snooping tools that are typically not affected by "cookie banner" choices.

What's needed is a statutory opt in policy. It's really disappointing that this hasn't yet registered, despite Ofcom establishing in 2019 that "[...] only 15% of respondents were happy for online companies to collect and use their data to show more relevant adverts or information. Further, research conducted by Ofcom, the ICO and Which? all showed that the more consumers understood about how targeted advertising works, the more concerned they became about it, and began to feel less in control of their data and that, in addition, consumers can become less willing to receive personalised advertising" *

I suspect there are too many powerful vested interests for statutory opt in to be implemented. However it remains to be seen whether the targeted advert bubble will burst at some point. There are numerous studies indicating that user profile-based targeting doesn't really work for either web users or sellers, the primary beneficiaries being the brokers. It's, with luck, just a matter of time before this becomes sufficiently known to drive reversion to page content oriented advertising (which does work and avoids the 'need' for user profiling).

* Competition & Markets Authority Online platforms and digital advertising Market study interim report 2019


AI models show racial bias based on written dialect, researchers find

Mike 137 Silver badge

Not at all surprising really

If a human were able to review the entire training data set they would probably find that such biases are deeply embedded in it. Our individual limits on how much information we can absorb causes us to miss just how revolting much of the "information" in the public space really is, and when we come across an example by accident, most of us dismiss it because we have a moral faculty. But the LLM hasn't got one, so it can't discriminate between the decent and the indecent. It sucks it all up regardless and spews it back. The only solution is human review of the entire training data before exposing the LLM to it, but it seems we're too late for that.

British Library pushes the cloud button, says legacy IT estate cause of hefty rebuild

Mike 137 Silver badge

Re: Somebody else's computer

"when one of the 'cloud' providers gets taken out"

More likely, the cloud client gets taken out via a wide open browser on its user base (actually, very likely indeed -- remember "somebody clicked on a link"?). The general assumption that the cloud is "more secure" is a gross misunderstanding. The cloud provider's infrastructure may be well secured, but a client's security effectively remains its own responsibility. There may be some support tools to help, but they (and other controls) have to be deployed with understanding to achieve adequate security. The big snag is that once you've sacked your IT staff because you've gone into the cloud, you've got nobody left who can optimise those controls. (Yes, that's an extreme scenario, but it does exemplify a real trend).

An engine that can conjure thrust from thin air? We speak to the designer

Mike 137 Silver badge

Full marks to the US of A

"I heard about air-breathing plasma engines, it sounds really cool, interesting, and something that could be potentially novel. So [my PhD advisor] said: Why don't you do this as a project? So for the last five to six years, this has been my PhD topic"

Choose your own research topic and take six years? Here in the UK PhDs are three years unless you over run, which is just about time to bone up on the subject, make a small contribution and write up. Furthermore, pretty much every PhD research topic is pre-defined for you -- usually your supervisor's pet topic or the one they landed a grant for. So essentially a PhD bursary is a cut price Research Assistant post, as the monthly bursary is typically half the pay of an RA. I sometimes wish I'd gone to the US.

You got legal trouble? Better call SauLM-7B

Mike 137 Silver badge

"serious legal advice you can actually use and rely on via AI"

The fundamental problem is that, as the AI doesn't actually understand anything, the only way to determine with confidence that the 'advice' it emits can be relied on is to ask a lawyer.

What makes a good lawyer is exactly that understanding, which is why in most jurisdictions judges are promoted from among the pool of most experienced lawyers. The current round of crude obvious 'hallucinations' doesn't even come close to the subtle kind of errors that could jeopardise or demolish cases if the automaton were relied on without human validation, and by the time a case goes to court it's too late to rectify its errors.

IBM lifts lid on latest bid to halt mainframe skill slips

Mike 137 Silver badge

Re: RE: Mainframe Skills Council

"You started pushing your skilled techs out BEFORE YOU REPLACED THEM"

The concept is that "technology moves really fast" so if it's more than a couple of years old it's "legacy" and irrelevant. Consequently, skills are considered to need constant "updating" (which is quite possibly why, incidentally, software needs constant updating). There are no such things as first principles or theory -- it's all about hands on practice. Funnily enough, this mindset was what primarily destroyed the Soviet industrial base. They sacked (or in that case shot) practically all the experienced engineers and managers and replaced them with others who had zero experience.

Mike 137 Silver badge

Re: Ironic

"if companies valued their over 50's workforce they might stick around for a bit longer"

but unfortunately, they cost more per capita than new youngsters, particularly if they've been on the staff for any significant time (accrued pensions etc.). As everyone is now merely a "human resource", related overheads "must be minimised".

IAB Europe's ad consent popups pose privacy problem

Mike 137 Silver badge

But here in Blighty ...

'either a "mortal wound" for online ad tracking, or a welcome clarification'

The current proposal in the UK (the Data Protection and Digital Information Bill) is to scrap the need to obtain consent, so apparently the problem is quite easy to "solve".

AI mishaps are surging – and now they're being tracked like software bugs

Mike 137 Silver badge

Maybe

@HuBo It would seem that Incident 69 ("when Lal reached behind the machine to dislodge a piece of metal stuck in the machine") is a typical human error industrial accident that could have happened without any actual AI involved. There have been numerous similar accidents relating to non-"intelligent" telefactor and programmed robots (and indeed entirely "unintelligent" machine tools) over the years. I accept that "AI" introduces an element of uncertainty into the equation, but there's nevertheless a danger of ascribing causality to it just because it's present.

This is not a defence of "AI" - it's an appeal for clarity in determining root causes in order that the record doesn't get contaminated.

Boeing paper trail goes cold over door plug blowout

Mike 137 Silver badge

Re: That one weird trick...

"It is possible that the team that needed to get at the bungled rivets in the door frame didn't consider that they were doing anything other than opening a door"

A very likely scenario, and a very common occurrence. I remember once when on a change control committee, challenging a "simple firewall rule change" that was about to be fast tracked without further investigation, to find that it was to allow a new POS terminal to be installed without reference to the existing scope under PCI-DSS (which would have rendered the organisation non-compliant). Nobody on the committee had considered the questions "what is this for and does it have any wider implications?"

Bank's struggle to replace Atos threw system back to dark ages

Mike 137 Silver badge

Planning (what's that?)

'since the three winning bidders had developed their plans in isolation, they "now need to be integrated." '

Sorry to use technical jargon, but what a cock-eyed way to manage a critical highly complex project. It reminds me of the case of the frigate HMS Belfast, where parts and systems made by different contractors didn't even fit physically -- notably, high pressure piping had to be hammered into alignment before it would connect up. At that time a naval expert expressed concern about whether the induced stresses would cause the piping to fail in heavy seas, let alone the shocks of combat.

But the wheel obviously just goes round and round and nobody learns from past mistakes. What we need to inject into the process is some real engineering expertise, which is primarily a discipline based on forethought.

Belgian ale legend Duvel's brewery borked as ransomware halts production

Mike 137 Silver badge

Re: A new 'zero day'?

@cyberdemon Sorry, that was actually an (obviously inadequate) attempt at a joke. However "... because they may have shut their whole network down to stop any further intrusion" once again suggests that network segregation is a concept of the past. The vast majority of serious intrusions have been achieved due to appallingly inadequate network security -- no "sophisticated attack" needed. We must start making systems genuinely resilient as opposed to just assuming that once inside the perimeter the attacker has free rein.

HP print rental service seeks more users to become subscription addicts

Mike 137 Silver badge

Re: A fool and his money

"If they put the prices up, I can leave"

At an additional cost of (apparently) $270.

Our newest printer is a 5 year old OKI laser that does everything we need. Over that time, the total cost of ownership has probably been much lower than that of any of these fancy subscription plans for a similar period. Not for nothing does HP state "we have given a significant shift of our business to a subscription model. We have more than 13 million subscribers now, and these are people that pay us every month to print." and "it's great for us because it's more margin per customer.". So they admit it's costing you more, and the touted 'convenience' is just no longer needing to remember to re-order paper and toner or ink. Quite apart from which, we choose our paper carefully as paper is not just 'paper' -- quality varies, as does the type of paper stock needed for different applications. I don't want HP or anyone else deciding these things on our behalf.

However, squeezing the customer till the wallet leaks seems to be the general trend in IT now -- this is just one more example.