Isn't the core issue here that Apple had been offered a company-specific tax scheme which was not the same as most Ireland-based companies had applied to them? My understanding is that the rules are that tax should be consistent within a country.
...although it would really help if you could leave your home address as the scene of the crime! Thanks muchly, FBI
A brief reading of the history of cryptography shows that this statement/assumption has been made many times over the years - generally it's been found to be incorrect (and often also subject to side channel attacks in the implementations). Just because there aren't currently articulated attacks doesn't mean they don't/won't exist.
Re: real challenges still facing human civilisation – regulatory compliance.
so says someone who clearly has never read a regulatory requirement - while there are some areas of compliance which are very clear cut, there is a lot of it which is littered with principle statements and words like "appropriate".
by way of example can I direct you to SYSC 13.7 "Systems and Processes"
and in particular 13.7.5 which deals with IT systems.
I doubt machine learning can deal with those high level requirements that I just referenced, but even at the specific end (e.g. required disclosures for retail sales) it would be extremely hard to write a general case ruleset in a traditional linear logic fashion.
Quite... having failed to detonate successfully around 70 years ago and then being submerged in salt water and silt for the intervening period you'd expect a successful explosion now to be well within their original design parameters.
Are you sure it's not a stottie?
Re: Smells of...
well no... to do insider trading you have to be an "insider", i.e. privy to knowledge only held within the organisation. From a regulatory perspective this is an outsider having done some research and understanding more about the company than it knew itself.
This would be insider trading if the research had been performed in house or if the results had been made known to SJ and then one of their management team acted on it.
From a legal perspective this is much closer to "we've looked at firm X and discovered that they have missed out applying for key business licences in half of the countries they operate in"
Re: I've just installed Cyanogenmod 12
I'm not sure if it's a Cyanogen OS thing or a WileyFox thing, but when I took my Swift up to Marshmallow (6.0.1) the device started crashing during audio playback and needed a factory reset (still on 6.0.1) to resolve. It's fine again now, but that does hint at some quality control issues there.
Other than that really happy with the handset - albeit that the GPS isn't great and really struggles if there isn't a mobile signal to assist the location services.
As someone currently holding a CISO title, I have huge sympathy with the CEOs in this report. But the thing is, for most companies their security problems are something they have built for themselves in terms of internal systems architecture, politics and processes. They aren't objecting to the requirement or desired outcomes, just the method of delivery.
A more fundamental issue is that you can't "do" security - it may seem trivial but security as a word is an adjective not a verb. You can be secure, you can feel secure, but you can't do secure; it just doesn't make sense. Also from a branding perspective, security isn't a very engaging word; assurance, trust or resilience are much better topics to discuss with someone.
People holding any form of security title should really be concerned with one or more of the following: identifying risk, defining good practice, measuring actual practice against standards and finally breach monitoring and incident management.
The risk management piece is the central one from a senior stakeholder perspective. A lot of the friction comes down to the fact that most security professionals instinctively have a low risk appetite while most CEOs have a moderate to high appetite; but also a lot of security people simply don't understand the risks inherent in other areas of the business, which is what a CEO will compare a security risk against. A good security person can explain the risk without overplaying it and allow reasonable decisions to be made; an excellent security person will find ways to move security forward.
Firewall and similar roles admins are to my mind an element of infrastructure and the career path for people in that space will be dictated by infrastructure and network management trends.
I have to confess to being a bit skeptical regarding immersive VR films as an art medium (and I use that term in the broad Hollywood sense). So much of how we currently make films is predicated on being able to control the framing - which essentially is a refinement of plays which operate on a stage. As a medium that's existed for thousands of years and I don't see that form of presentation disappearing as a result of this medium.
I absolutely get the idea of VR for gaming, remote drone control/medical robots, live streaming of events (especially sports - e.g. in cockpit formula 1 feeds), possibly nature documentaries or basically any other medium where the wearer wants to exhibit control over how they are viewing something and probably have some ability to move through a scene.
I also accept that there will probably be some films made in an immersive VR sense - but I do suspect they are going to be very much a minority and probably feel somewhat Blair Witch.
Re: I saw one of these proposals recently
There are a range of options on the market, some of which are very low cost (i.e. premium in the £400 type range) which unsurprisingly provide a fairly low level of cover and are essentially a take it or leave it option which would cover the early stage incident response costs.
Once you get into the higher cost options with cover in the £X million range then the premiums get larger and some negotiation over policy wording isn't unheard of (this is also where the improvement program requirements tend to kick in).
Having recently moved to commuting by train, the free access to pickup services (e.g. Doddle) at my local station does matter to me and is included in Prime. The next day bit is nice, but if I'm honest it probably generates more impulse purchases.
Amazon prime video?
The main gap on my Roku stick is that there isn't an option to play Amazon video, just a big wall of silence on why and when (if ever). I'm much more interested in that vs a hardware bump. The sell is content independence and it's a big gap.
Re: more to this than meets the eye
It looks like a phone that's been put together using the cheapest good commodity parts (including OS) and then given a decent brand design. Everything about this phone screams that it's been taken from a parts bucket.
While some people might think the above is a criticism, it's absolutely not meant that way; putting together a good usable system from cheap reliable parts is a skill.
More to the point, Cyanogen is essentially Android plus some features; the vast majority of people are still going to use it with gmail, google play, etc... I seriously doubt that Google cares how many people use this particular fork as from their perspective it's really just the same as any hardware or network based skin.
Surely it's less effort just to use the list published? People trying this sort of fraud are looking to turn a profit so will be trying to minimize effort (unless there is a good reason to believe that additional effort will increase profit).
Re: “is not funny or clever for people from other parties to try to cheat their way into our system”
It's an odd position; surely the whole point of allowing people to "affiliate" for the purpose of the contest is to add in the views which are non-core in order to broaden party appeal - it's not as if the Labour party itself is particularly coherent at the moment, so I do wonder what set of views are being used as a filter. It just seems so utterly logically inconsistent.
Completely agree here - I have an original Moto G and it's on 5.0.2; I've had a couple of Samsung "Flagship" devices (original Galaxy S and Note 10.1) that had a single update but then just dropped off the support schedule.
I'm looking for a new handset in a couple of months, quite tempted by the Moto X Play which looks like it might be worth the relatively limited uplift from the new G (and still keeps the clean Android install)
Re: A simple patch
there is pretty much no correlation between salary and access to data in my experience, there are lots of relatively low paid call center workers with access to "sensitive" data sets.
This question is very much a "rational choice" model of offending and the main factor which would influence behavior (beyond personal ethics) will be the expectation of monitoring.
Unless the sum of money is large enough to be prepared to lose the job and go to jail, it's the likelihood of getting caught which will be dominant. I'd say £50k is probably getting to that level for a lot of call center people (2-3 times gross salary).
For a lot of organisations it's the people who'd do it for free to make a moral point that could be more scary (e.g. Snowden).
It depends very much on what you want to claim... I'm currently 39 and holding onto "mid 30s" until my birthday. As far as I'm concerned mid life can be interpreted as anything between birth and death.
Re: I'll go with Wernher von Braun there.
Given that anyone else would just ditch the booster (and presumably SpaceX are costing/charging on that basis) it's not an overly big deal if they keep having these problems for a while.
Also, given it's a drone barge there isn't any life at risk here - and I'd assume the barge is a relatively low cost item in the context of a launch.
It's not as if their business model requires them to get this stage working in the next couple of attempts - it's just that if they do, suddenly they can charge a lot less or make a lot more profit.
Naturally it'll be massively cool when it does eventually work, but realistically if it takes them another 20 attempts it's probably not financially a big deal as they are already delivering the primary mission.
Re: comments like this...
Wow.... I've never met a business at scale which could give a complete list of systems it relies upon; a network device centered view is vastly more narrow than what you need to consider.
What about developers that reuse a single database server for multiple instances? (that ought to go through change control but might not) What about if they reuse a single database for multiple apps segregated by a table naming convention...
Let's assume you get on top of the "server" type systems - what about the "applications" built in Excel, or Access (you are kidding yourself if you think you don't have any in your business - almost certainly within the Finance team).
What about the cloud solutions which business teams have a tendency to buy via expenses (or use the free versions to avoid that control) - what about the cloud solutions provided by business partners?
None of the above is theoretical; I've seen all of those as real world examples - people just want to get their job done and if they think that the central IT options don't fit or are too slow they will go and find their own workaround.
You might want to read up on tax treaties; the US FATCA legislation means that the UK is already committed to reporting on any US relevant tax data in a format requested by the US.
From a legal perspective companies within the UK are required to report these transactions to HMRC who then provides them to the US IRS.
My guess is that from a national security point of view tax data just isn't that important (note that the article talked about information classified as OFFICIAL which I believe is the lowest level of government data - see https://www.gov.uk/government/publications/government-security-classifications)
(I was in the room btw so this is first hand opinion and not based on the article)
It was a little odd given the audience... you are presenting to a room full of infosec professionals either in management or vendors, but essentially everyone was in the industry.
It wasn't particularly linear, seemed to repeat quite a lot and could essentially be boiled down to "security is important, and don't trust corporations or governments". I don't disagree with any of that, but I don't think it added very much to the understanding that was in the room already - I can't say I left feeling that there was anything new that I ought to be considering.
It would have been a pretty good awareness raising type speech for a room full of non-tech business managers
There was also a chunk of time where he talked about his new business ventures which included something he referred to as social encryption and an app to monitor fetal heartbeats... eclectic to say the least.
Re: "and they're losing faith.'
Ok so I've used the majority of the software you mention (both the commercial and FOSS elements) (minus the CAD/3D stuff - I tried playing with that once and decided I simply didn't have the mind set for it).
Something I find that is often missed in these conversations is skills/training and consistency. FOSS projects are much better than the 1990's and early 2000's but they still generally lag behind; moreover, because they tend to have smaller user bases the availability of training (as opposed to online learning materials) is much more limited.
A phrase that I heard once is that an amateur practices until they get it right, a professional practices until they don't get it wrong (ok big generalisation as I know that pro/amateur is about being paid and that there are big skills variances on both sides - but in aggregate people being paid tend to be better than people just doing stuff for fun).
Basically what I'm saying is that the FOSS solutions are good, and certainly helpful for home users who want to stay on the right side of licencing. But the dominant commercial products tend to stay that way and to produce more consistent and better quality output for a whole load of reasons which are much more about users than about products.
Re: OK... teased us with the scenario and methods..
The article slipped in without emphasising application white listing as a necessary adjunct to patching (which is much harder at enterprise scale than patching outside of locked down call centre type environments).
For most organisations patching is a horrendous activity; in order of difficulty:
a) understanding what applications you have installed
b) understanding what applications are actually run (or are a dependency)
c) understanding what patches are available
d) understanding which you can apply without breaking compatibility
e) distributing patches
f) tracking when patches have actually applied
Then trying to do all of that on a regular cycle, for end user devices (i.e. off network and powered down regularly) when it's going to be looked at as pure cost and inconvenience by the business.
It's worthy of proper discussion.
Re: OK... teased us with the scenario and methods..
Yep - something of a content free article there.
I didn't do anything special - it just popped up a couple of weeks back (and then wouldn't shut up about it until I did the update). Have you tried a manual check for updates when on WiFi?
I have a mk1 Moto G on Tesco and it got Lollipop about a month ago. Still a perfectly usable phone and does everything I want - maybe the occasional bit of lag but nothing to get stressed over.
I'm a little disappointed by the latest upgrade to be honest; I had been hoping for 2GB of RAM and 16GB of storage, at which point I'd probably have got one. As it is I don't see this as much of an improvement over what I've got, which as I say is working perfectly well.
I very nearly put some cash into this as I'd love a laser trigger but at the time I couldn't quite justify it (right now I'd still buy the product if it was made as per original specs)
I think the main problem here is how they originally represented the project - it was definitely presented in the early stages as a product which essentially just needed funding for a production run. When I read their original pitch I expected product to ship within a few months of funding.
I struggle to know how seriously to take this...
As I read this, it can be summed up as:
a) Project went badly off tracks - was reset in 2013
b) Project has now slipped 6m on revised timeline (which for Gov projects is barely anything)
c) Project is at the end of pilot stage and about to start rollout
Criticism being levelled:
a) costs are justified by future benefits
b) extrapolation of current pilot claimant count leads to long timescales
Now I'm not an idiot, I don't believe any gov IT project is going to be running smoothly and it's always going to cost more than budgeted - but seriously these criticisms seem ridiculous. All projects are justified by future benefits and all phased implementations start with small user numbers and then aim to snowball into greater volume.
Re: Obsolete for whom?
Think authentication rather than privacy
Don't think this is such a big issue for website certificates either, as under current CA arrangements it's really very easy to get your own root CA if you have some cash to splash, in which case you can issue new certs for any website you want to impersonate.
Plus for serious players (APT types) they probably can compromise the client devices of people they are interested in and then HTTPS is utterly irrelevant.
What this is more significant for is if you are using PKI based signing by a fixed key for any kind of validation - that is a big deal. That's software components (think MS root keys), financial transactions, etc... there is a lot of "infrastructure" that this would completely wreck.
Re: IT and Banks
Ulster Bank owned by RBS, outsourced IT operations to RBS - that's a pretty common arrangement.
You could equally take the view that if you're a smallish business owned by a big business it would be bonkers *not* to use their presumed greater capability to operate your IT.
From a strict regulatory point of view Ulster Bank's board and approved persons would need to assure themselves that the service was appropriate and therefore could in theory say no, but in practice it's very hard to say no to a parent company which wants to consolidate costs across a group and has the compelling argument that they already do the job on a bigger scale.
Or I could work through a proper 3 month introduction to accounting course to understand financial reporting in detail... And yes there are lots of firms which publish non-GAAP numbers with some common conventions in certain industry segments.
It can be useful year on year for a given firm, provided the policy is reasonable and consistent.
What you absolutely mustn't do however is treat non-GAAP as if it's a single category, which your comment implies. GAAP for all its faults is at least an external standard.
As a selected industry though, are you really wanting to use banks as an example of why it's OK to pick your own financial reporting standard? (A better example is genuine property management firms where the difference can be whether you treat a property as inventory for sale or not; inventory under GAAP gets marked at cost while investments get marked to market, but again the policy differs between firms.)
I guess my question here is why does a firm that's essentially a standard manufacturer need to deviate from standard accounting? (Cool product yes, but from a company perspective it's still a company that makes physical things.) What is it in their business model which makes GAAP conventions not suitable for them when in summary they ought to be a very standard business just with a cool product?
For example why do they have a non-GAAP revenue that's higher than GAAP? The article talks about excluding interest and stock costs , but neither of those should impact revenue
Just as a note, GAAP stands for "Generally Accepted Accounting Principles" so non-GAAP means a model the company selected itself which shows the results they want. It's not necessarily wrong but it's certainly a significant difference.
Two sets of GAAP accounts should be reasonably comparable at least line by line (although there can still be some big differences in accounting policies especially relating to inventory and depreciation, so the overall P&L or balance sheet figures may differ substantially), but non-GAAP figures are generally only comparable with the company itself year on year assuming no changes to accounting policy.
A less charitable view is that non-GAAP figures are the PR release numbers.
There was some good research a few years ago which found that "balanced" reporting was more likely to leave people without an opinion while more partisan reporting led to readers considering the issue more deeply and either actively agreeing or disagreeing with the piece.
Re: But against the backdrop of your British readership...
Even making a basic black powder isn't that hard (although it is potentially quite dangerous, especially if you start wanting to grind it for a faster burn).
That said, even in the UK if you really want to buy a gun outside of the normal checks I suspect it's not ridiculously hard - just very illegal.
Re: For the price of a night out
That's odd - I've had a Moto G for a year and am completely happy with the performance
Re: Absence of evidence = evidence of deletion?
The standard is reasonable doubt for a jury
In fairness, the article did say that when the house was raided they found him looking at the site! Lack of one particular piece of evidence within the context of a wider set of evidence isn't a water tight defence.
Total lack of images being found on the PC when you are known to have viewed the content at least once is arguably pretty damning - especially if the prosecutor can point to a known secure deletion utility (not sure if that's the case in this one).
Having done a number of IT investigations over the years, gaps or missing information can be pretty damn suspicious within a wider pattern of evidence. It's certainly not supportive of a casual / accidental viewing of a couple of images.
I have a number of Goth friends - several of which I think would dearly love to have a 3d print of their own skull on the mantelpiece.
Re: It's less about utility...
For presentations, fidelity needs to be 100% - but as others have said there can be issues between versions of powerpoint (and in some cases between the media codecs for embedded video). Frankly for anything more than simple slides at present I only want to use the laptop I authored the presentation on.
Stock splits have nothing at all to do with the rate of growth of a share, their sole purpose is to put the share value at a level where smaller investors can afford to buy a minimum block. In theory a stock split or consolidation should have no impact at all on overall company value (although if you allow more small investors to purchase you may push up demand slightly and therefore slightly increase your overall market cap).
Re: ICO ?
Oh god I've got my compliance geek on here:
a) FCA/PRA (who replaced the FSA) would not have jurisdiction over a travel agent as they are financial services regulators - with the exception that the FCA might have jurisdiction in relation to a credit licence, but that wouldn't be relevant in this case.
b) as others have said, PCI-DSS is a card scheme standard so any fines for non-compliance with that would typically be issued via the merchants acquiring bank.
c) and this actually bugs me a *LOT*, under the DPA financial records are not considered sensitive personal data (this designation being reserved for medical history, political affiliations, union membership and sexual orientation) - as a release from the ICO they really shouldn't be using that phrase incorrectly.
d) I also find it slightly odd that the FCA state that there was no fraud as a result; that would be extremely hard to demonstrate and from what I understand it tends to be done by statistical analysis at the card issuers/schemes to identify spikes in fraud where clusters of card numbers all made purchases via a particular merchant within a particular window. The fact that nobody might have felt sure enough to state that there was fraud to the ICO has almost no value here.
Re: Will he really make a huge profit though?
Kickstarter isn't what I'd call an investment - it's a funding platform where people donate to enable a project to proceed. Typically for larger donations they get something back, but for the low level donations this may simply be their name listed on a website.
If one of these projects suddenly becomes a multi-billion dollar success, then the original people who funded it don't get a large return.
At most this is an "investment" in the same way that an ebay purchase is.
There are true investment type sites for start-ups, but they are high risk and require a lot more than a couple of £/$ to participate.
The alleged damage that this sort of thing causes doesn't lead to an immediate terror attack - what it would do is get some intelligence sources killed as their identity gets leaked, it damages diplomatic relations, etc... this damages the infrastructure used by an intelligence service so that it's not as effective in the future.
This doesn't translate into "we can directly trace attack X back to the disclosure of this information", you'd never be absolutely certain that you'd have caught it anyway. Plus you'd probably not want to disclose the change in capability if you could prove it.
I personally think that you can choose to argue somewhere on the scale of:
(*) the damage is a good thing as all intelligence services are evil
(*) that its a bad thing which is justified because intelligence is getting too invasive
(*) the damage is a bad thing which isn't justified as security is worth any price.
But I don't think you can argue that it causes no damage at all - after all wasn't the whole point of the disclosure to make some level of impact.
fair point re "low income" - what I actually meant was not on banker salaries.
One of the arguments I've seen which I have quite a bit of sympathy with relates to the surge pricing in Uber (which incidentally I've never used) - i.e. if you want a taxi when it's raining it's likely to cost more, and a *lot* more in more extreme events.
This does mean that should the Uber model cause normal taxis to be a non-viable business then there could be real issues with getting access to transport for those on low incomes at those times. Ultimately that's a social policy question.
Re: Sigh ...
It's not so much shoulder surfing as Trojan software which is the threat; if I have a Trojan installed on your PC (probably including a browser plug in) that can identify target bank sites and then capture both key strokes and a screenshot of the login page, then at least with the partial characters the attacker needs to observe a number of attempts before they can guarantee access.
I did think it should be filed under rise of the machines in boot notes
Re: I thought this was about Carmack
There is a big difference between IP and code. While cut and paste code is always going to constitute IP theft, it is possible to infringe IP while writing completely new code.
By the time I was in York (mid 90's) Netrek was the game