* Posts by Edward Kenworthy

193 posts • joined 1 Oct 2008


'Dear diversity hire...' Amazon's weapons-grade fail in recruitment email to woman techie

Edward Kenworthy

A quote in the article:

"Loden said doing so feeds into the backlash against women in tech by those who feel female candidates are getting jobs solely because of gender. "That just makes everyone in the organization angry and encourages the perception that this is not a merit-based hire," she said."

So companies have to give female candidates jobs just because of their gender but you're not allowed to say it.

Slavery is Freedom, War is Peace, Ignorance is Strength!

1
0

Compsci degrees aren't returning on investment for coders – research

Edward Kenworthy

Re: Still seems worth it

@Cuddles

Even a 16 year ROI is pretty shitty.

And you forgot to take into account either interest -which is pretty high on student loans- or the three years of lost salary.

Let's call that another £60K and now you're looking at closer to 40 years to even break even.

That's a truly dreadful ROI.

And of course it assumes you graduate and get a job at all. Some won't.

5
2
Edward Kenworthy

About 30 years ago, when I was at Uni, roughly 25% of students got a 2:1 or first.

Today it's 75%.

2
0

UK PC prices have risen 30% in a year since the EU referendum

Edward Kenworthy

Silly Remoaner El Reg

Do you also refer to the referendum in 1975 to join the Common Market as the time "the majority of Brits (that voted) opted to join the Common Market"?

I would like to have said "when we voted to join the EU super state and be dictated to by some third rate politicians with delusions of grandeur" but of course that never happened.

Those that didn't vote literally do not count. They'd probably all have voted Brexit anyway because the Remainers are too clever to have not voted, am I right? ;)

1
6

Ethereum will have transaction chops of Visa in 'a couple of years', founder claims

Edward Kenworthy

$32M lost, $7 million lost. And that's just Ethereum

O'rly.

https://www.cryptocoinsnews.com/hackers-seize-32-million-in-parity-wallet-breach/

http://fortune.com/2017/07/18/ethereum-coindash-ico-hack/

And the currency is incredibly volatile and subject to manipulation, same as any crypto currency.

And their primary use seems to be to enable cybercriminals to monetise their exploits.

When government finally wakes up they'll ban crypto currency trading.

1
0

Crypto-busters reverse nearly 320 MEELLION hashed passwords

Edward Kenworthy

@EnviableOne

> Firstly no one puts upper limits on the number of characters, just lower ones

Yeah actually they do. Several sites I use, that really should know better, absolutely do put upper limits. Which is really stupid.

> Secondly length trumps complexity significantly:

Length is one aspect of complexity, so that statement makes little sense. And in any case it will be hashed.

fwq1sAs is FAR better than Password123, despite the latter being longer.

Complex and unique is what you want.

> 10 upper and lowercase letters (52^10) is stronger cryptographically than

I don't think you understand what 'cryptographically' means. All that using upper and lowercase means is that there are more possible passwords.

Unfortunately password dictionaries are far more sophisticated than you seem to think they are and 56^10 is only double 26^10 which is insignificant.

> Thirdly, re hashing a hash, is exactly what hashes do. but collisions won't happen more frequently as you need to do the same work to the plaintext to get the cryptext

As he said, if that really had any value the authors of the SHA-2 hash family would have already done it.

> Fourthly and fifthly, ideally salt should be the full key space combined, so the combination of user specific and global should be that size. Using any pre known value is risky as the attacker may find this, the recommended method is random salts, (but you need to verify your entropy source)

That's just wrong.

A salt isn't an encryption key. It doesn't need to be secret, just unique. It's there solely to defeat *pre-computed* rainbow tables.

0
0
Edward Kenworthy

Yes, just yes.

> No. Just no.

Yes. Just yes.

> https://xkcd.com/936/

Randall is showing you how to create memorable complex passwords.

But in that he's also wrong: use a Password Manager to both remember and store randomly generated and unique passwords.

> http://www.telegraph.co.uk/technology/2017/08/08/man-wrote-password-bible-admits-advice-completely-wrong/

If you look at the examples in the article none are actually complex. Simple number-letter substitution doesn't make them complex.

The actual problem is having to remember many 'complex' passwords across multiple sites that they have to change every 30 days.

The result is users work around it by using the same password across multiple sites and simply incrementing a number on their essentially fixed password.

This means that if one site is compromised all the sites you use are: a breach late last year at Tesco was a result of attackers using usernames and passwords they stole from a completely different site to access customers' accounts at Tesco.

The correct answer is to use unique, which means randomly generated, and complex passwords *and to use a Password Manager*.

1
0
Edward Kenworthy

> Secondly, known dumb password check is good, but increased complexity is better e.g. mandating symbols.

Unique is even better. But that's trickier to enforce. It can be done -system generates the password- but most don't.

> Thirdly, re-hashing a hash isn't necessarily better - or the writers of SHA512 would have done it.

That was exactly what I thought, although I'd take it further: at best you're just wasting time. And it is a classic example of why you don't design your own crypto functions. You can actually inadvertently make it weaker. Consider a stupidly trivial example: XOR. Repeating it gets you back to your original clear text.

> Fourthly, user specific salting is great....if it includes internal values (account number etc.) - just adding the username to the front isn't going to help any.

Err hmm. Salts should be unique but they don't need to be secret: they're not encryption keys. Their sole purpose is to defeat precomputed rainbow tables.

1
0
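The point about salts made in this reply and the earlier one, as an added example that is not part of the original posts: a per-user random salt stored in the clear next to a PBKDF2 hash, plus a constructed wordlist showing why a table precomputed over bare SHA-256 matches unsalted records but finds nothing in salted ones. The function names, the record format and the iteration count are assumptions of the example, not anything the thread specifies.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative work factor for the example; pick per your own hardware budget.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The salt is random and unique per record and is stored in the clear,
    so it is not a secret: its job is only to make any table precomputed
    over bare passwords useless against this record.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored (public) salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different records, and both verify."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


def unsalted_sha256(password: str) -> str:
    """What an unsalted scheme would store: identical for every user of that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_table(wordlist) -> dict:
    """A (tiny, constructed) precomputed table: bare SHA-256 digest -> password."""
    return {unsalted_sha256(w): w for w in wordlist}


def recover_unsalted(stored_hex: str, table: dict) -> Optional[str]:
    """One dictionary lookup recovers an unsalted record if the word is in the table."""
    return table.get(stored_hex)


def lookup_salted(stored: str, table: dict) -> Optional[str]:
    """The same table against a salted record: the stored digest depends on the
    salt, so a table built over passwords alone never matches it."""
    return table.get(stored.split("$")[3])
```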
Edward Kenworthy

Re: Hashes

> Isn't that "fact" somewhat locale-dependent?

Yes. Everywhere (UK, Aus, Can, NZ) but the US we distinguish between the verb and the noun, in US English they use 'practice' for both.

0
0
Edward Kenworthy

Re: Don't use any hash

Hashing functions and KDFs are used for two quite different things.

You wouldn't use a KDF when creating a digital signature, storing a password or when creating a consistency checksum.

And in any case, a KDF is a hashing function: the clue was in the name of the competition.

0
0
Edward Kenworthy

I keep saying:

And what you keep saying isn't very helpful.

The problem is that most people, including you based on your post, don't understand how difficult it is to do crypto properly.

This isn't your fault, but more the fault of crypto library providers, whether in .Net or Java. They provide a seemingly random collection of functions that the developer has to string together in order to get what they actually needed. And the decisions on how to string them together, and even what to string together, takes a lot of knowledge and is prone to error.

For example use System.Random rather than System.Security.Cryptography.RandomNumberGenerator, perhaps because you don't understand the difference or just took Visual Studio's suggestion, and it doesn't matter what else you do, your crypto is borked.

1
0

Apache Struts you're stuffed: Vuln allows hackers to inject evil code into biz servers

Edward Kenworthy

> and I personally prefer rest webservices, you can implement them as you want, be it with struts2, spring, python, nodejs...

This is Struts 2 we're talking about, which has something of a history https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/ . The other frameworks you mention will all have vulnerabilities, the good guys just haven't found, fixed and published them (hopefully in that order) yet.

We have no idea whether the bad guys have found and are even currently exploiting them.

2
0

Dark web doesn't exist, says Tor's Dingledine. And folks use network for privacy, not crime

Edward Kenworthy

> I'm sorry; I didn't get that. Please say the reason for your call. You can say things like, "I have a question about my bill," or "I need technical support."

> "AGENT"

And your point was to show us you're bad at speech recognition?

0
1

Apple crumbles: Mac sales slump while Dell, HP Inc, Lenovo shift PCs

Edward Kenworthy

> Apple, how would it be to ship a little desktop build of desktop parts?

Why would they want to do that? Part of Apple's model is an OS they control running on hardware they control for an allegedly stable experience and mark up.

> Is everyone who wants this building a Hackintosh?

As they demonstrated by abandoning the real Mac Pro a few years ago, replacing it with an underwhelming designer dustbin, they're not targeting the kind of people who would build a Hackintosh.

0
0

May the excessive force be with you: Chap cuffed after Star Trek v Star Wars row turns bloody

Edward Kenworthy

Re: AH!! Sapphire and Steel!!

> Back to ST TNG, I always had big issues with the huge effing mistake in the opening Credits; they had the sunlight on the WRONG side Jupiter. Sun clearly on the left, right hand side of the Planet lit up.

Obviously the answer is time travel.

Clearly the Xindi went back in time and gave the solar system two suns for the duration of the title and then Captain Archer went back and fixed it.

1
0
Edward Kenworthy

Re: This is the correct order

Nice: it was getting a bit boring reading all those lists of the best sci fi, so you decided to list the worst.

Good job.

0
1
Edward Kenworthy

Re: I'm going Luddite and voting for Game of Thrones!

> I'm going Luddite and voting for Game of Thrones!

Not so much Luddite as Mr Irrelevant.

GoT is not Star Wars or Star Trek, it's not even Sci-Fi.

3
2
Edward Kenworthy

Re: No contest

> Sigh, I must be the only one who liked Caprica

Did you forget to tick 'Post Anonymously'?

5
1

Judge used personal email to send out details of sensitive case

Edward Kenworthy

> This article raises a number of concerns and questions. The fact that the article references sensitive personal data indicates that this judgment could be a family court judgment

No it doesn't. Sensitive Personal Information (SPI) also includes information relating to commission of a crime, medical data, sexuality, union membership etc.

So it could be any court.

4
1

Cheeky IT rival parks 'we're hiring' van outside 'vote Tory' firm Storm Technologies

Edward Kenworthy

> "VOTE CONSERVATIVE so I can pay you under £10 an hour and so I can pay even less tax while you all use food banks"

It's Labour, bizarrely, and the Lib Dems -not the Conservatives- that want to continue unlimited immigration in order to depress the wages of their Rumanian nannies, maids and prostitutes.

Oversupply of labour is exactly the reason employers can get away with paying less than a living wage.

1
12

Lloyds finally inks mega 10-year cloudy outsourcing deal with IBM

Edward Kenworthy

Apparently Lloyds don't think IT is part of their core business...

I guess modern banking doesn't rely 100% on the proper operation of their business and so can be outsourced... to the cloud...

1
0

IBM: ALL travel must be approved now, and shut up about the copter

Edward Kenworthy

Re: Investment

@Anonymous coward

> Have you seen an IBM car park lately?

Last time was about a year ago, IBM Warwick, and all of the cars were normal: no ranks of Ferraris, Bentleys, Porsches or even large Mercedes.

What's your point exactly?

0
0
Edward Kenworthy

Re: Effective use of time?

@Anonymous Coward

> They should also look up the term "opportunity cost"...

That's something they just don't get: they consider it a cost saving that they get expensive staff working for customers to do work that was previously done by cheap back office staff.

Presumably because they do it on time paid for by the customer...

0
0

First-day-on-the-job dev: I accidentally nuked production database, was instantly fired

Edward Kenworthy

@kirk_augustin@yahoo.com

> The purpose of making backups is not to hide them away in a cabinet, but to have those be the ones users are making changes to. Then at the end of each day the modifications are rolled up into the real database.

All you have done is redefined "backup" to "real database" and "real database" to backup.

The live production database is, by definition the one that's being used live and in production. The backup is by definition the one you update every night.

2
0
Edward Kenworthy

@Grunchy

> Firing the ignorant clumsy new guy who wrecks the whole operation seems wrong, but is it?

No, it is not.

You seem to be confused between 'wrong' and 'illegal'.

This was clearly wrong.

1
0
Edward Kenworthy

a) The developer should not have had access to production at all. Separation of Duties. Fundamental tenet of security. Enforced by network and host separation.

b) WTF was confidential material, DBA account details, doing in the developer's document in the first place?

c) No backups. W.T.F.

The CTO should have been marched out of the door.

The fired developer can undoubtedly claim unfair dismissal.

0
0

Hotel guest goes broke after booking software gremlin makes her pay for strangers' rooms

Edward Kenworthy

Re: never use a debit card for credit ?

@DougS

> I can't understand why anyone who has a credit card would choose to use a debit card. In what way is using a debit card ever better?

In the UK at least, there is often a % or fixed charge to use a credit card, but no charge for using a debit card.

1
0
Edward Kenworthy

Re: never use a debit card for credit ?

@Version 1.0

> Some people don't want to inadvertently get into debt... but that worked so well in this example didn't it?

So you're blaming the victim now.

Nice.

8
0
Edward Kenworthy

Re: One of my pet peeves

@BongoJoe

> is that when a company messes up and offers a refund it always seems to take longer coming back into the account then it does leaving.

Indeed.

My wife and I had our flight to Munich cancelled by LUFTHANSA whilst we were waiting to board, having spent two hours getting through check in and security...

It took three months and multiple 'phone calls to get them to refund us.

13
0

No H-1B visas? No problem, we'll offshore says Tech Mahindra

Edward Kenworthy

Re: Even a blind pig...

> I despise Trump, and all he stands for.

> However, he's right on this one,

So you don't despise all he stands for.

0
0
Edward Kenworthy

Re: Simple government response...

To all the unimaginative:

@James 51

> This one is so ill thought through it's hard to know where to start. Instead of having someone in the USA write the back end code for a webpage, it's written and hosted outside the US.

> How would that account for the cloud

and

@Brewster's Angle Grinder

> The first thing would be to determine whether duty was even due. Imagine a lengthy rulebook that determines whether a service is SAAS or something else

The service provider pays. How they charge the customer is up to them.

Wasn't that obvious? Clearly not to you...

@DavCrav

> OK. What if other countries do this?

You mean if American companies in India started off-shoring to America?

Hahahaha.

You didn't think that through, did you.

0
0
Edward Kenworthy

Simple government response...

Subject all code developed off shore to import and customs duties.

And this is on-shoring, not off-shoring.

> The European branch of my company is regularly receiving people who didn't win the US visa lottery.

That sounds more like on-shoring, and the obvious solution is for governments to ban the use of foreign staff.

The stupid argument that we need them because we have pensioners to pay or there's a supposed skills gap is just replacing a medium term problem with a permanent one.

5
3

The open source community is nasty and that's just the docs

Edward Kenworthy

I'm not surprised.

I used to contribute to JBoss and wrote the first guidance on how to use JAAS.

A couple of weeks later one of the other contributors, Scott somebodyorother, stole the whole of my guidance and included it in his guide, where it made up more than 50% of the content, without giving me any credit.

He repeatedly denied stealing it from me, until I pointed out that 'his' example code was not only identical to mine but contained the same errors as mine (and so weren't simply 'obvious' as he'd originally claimed).

At that point I concluded the JBOSS community was a toxic group of thieves and walked away.

It appears now that the problem is much, much wider.

22
0

At the feet of the Great Monad, or, How the functional programming craze plays out

Edward Kenworthy

Re: Sort in a functional language

> You know you can do recursion in almost all procedural and OO languages?

Inefficiently, yes, and with the danger of blowing the stack, yes.

2
4
Edward Kenworthy

@James 47

> So how exactly does one sort an array without a) mutating state, or b) running out of RAM?

Recursion + Tail call optimisation.

1
0

German court says 'Nein' on Facebook profile access request

Edward Kenworthy

Re: a solution @big_d

> The data protection law also covers WhatsApp, Instagram, Telegram and any other messaging service.

Data protection law only applies to the living.

"The definition of personal data is data relating to a living individual who can be identified"

4
1
Edward Kenworthy

Privacy? What nonsense.

Firstly, Facebook only respects its users privacy because it wants the sole rights to sell their information.

Secondly, the EU Data Protection law only respects the privacy of the living, so Facebook can't fall back on that one.

And thirdly: it was a child! Is it not obvious this is a wrong decision on both moral and legal grounds.

It just goes to show that most judges are indeed idiots.

4
4

Attempt at building kinder, gentler Reddit downvoted off the Web

Edward Kenworthy

Re: So basically an echo chamber of conformity.

So, basically reddit then.

5
0

Trump's cartoon comedy approach to running a country: 'One in, two out' rule for regulations

Edward Kenworthy

Politician Does What He Was Elected to Do! Shock!

It is amusing to read the (il)liberal (un)elite getting their frilly knickers in a twist because a politician said he was going to do it, got elected because he said he was going to do it, and then did it.

I can understand why all you Obama-bots (including, shame on you, El Reg) would get upset at that.

http://www.independent.co.uk/news/world/americas/obama-will-close-guantanamo-bay-1021731.html

5
17

When customers try to be programmers: 'I want this CHANGED TO A ZERO ASAP'

Edward Kenworthy

@Nick's story

The monkey looked the buzzard right dead in the eye and said

"Your story's so touching, but it sounds just like a lie"

0
0

Gremlins in the first six months? It's the seller's problem – EU court

Edward Kenworthy

Possibly more apt?

I would have gone with: "Hard pounding, gentlemen. Let's see who pounds the longest."

0
0

Plod IT spending fails to fall down the stairs as taxpayers cough £385m

Edward Kenworthy

Scotland is tiny

I think people tend to forget how tiny, in terms of population, Scotland actually is: 5.3M.

That's significantly less than the population of London alone, 8.6M, and just under 10% of England's population of 53M!

0
0


Biting the hand that feeds IT © 1998–2017