Shame on you El Reg
clickbait title -boring report
144 posts • joined 10 Sep 2009
See "The Machine Stops" - E. M. Forster 1909/1928
A well-established principle - see Logan's Run
One UI to rule them all;
One UI to blind them.
One UI to thwart them all
And to the blue screen bind them.
Nice to see from the above comments that not everyone still subscribes to the "must be supported" - i.e. "we must be allowed to continuously tamper with your computer to apply often broken fixes to our crap code" bullshit.
How about us insisting the vendors get it right before release?
And BTW, how about vendors (including Mozilla) recognising that business users need long term stable systems?
Unfortunately this fashion for making even static pages into 'web apps' is essentially born of crashing ignorance. For example, I found today an online shop which declared that in the interest of security "our shopping cart runs entirely on the client, so there's no server to hack". Where do they think the shopping cart code resides at rest? What happens if that repository is contaminated by malicious actors?
Until software development has been raised to at least the minimum standard of a professional engineering discipline we remain at the mercy of fools and ignoramuses. Dunning and Kruger rule!
you can't rescind, remove or ignore it, as it has never really existed in the first place. Moore made a thought experiment suggestion in the context of much wider and more interesting matters, and as usual everyone jumped on the bit they fancied, canonised it and continues to worry it to death. Reminds me of the Monty Python sketch where the broadcast interviewer of a successful composer wants to discuss nothing except how many sheds he has in his garden.
Never ascribe to malice what can be simply explained by stupidity. I am convinced that there is no evil intent to control the masses here - just complete lack of understanding (of the entire societal condition - not just of encryption). They think they understand a 'problem' which is in reality merely a symptom of a massive cluster of social failures, and genuinely believe they can fix it piecemeal - and governments never last long enough to find out they were wrong. Witness the progressive dismantling of our education system by successions of 'bright ideas'.
'The best way to acquire a programming skill - by "skill" I mean a working understanding of a framework, a language or ... a "paradigm"'
These are coding skills, not programming skills. They merely represent the technicianship aspects of programming. Relying on technicianship alone is equivalent to having your new commercial premises designed by bricklayers rather than architects and civil engineers.
What we currently suffer from (in respect of functionality, performance and security) is software bricklayers being in full command. What we need to cultivate is programming as an engineering discipline which is conceptual and based on established fundamental principles, of which coding is a necessary but potentially small part. If that were achieved, we might be supplied with software that did not need a torrent of bug fixes, would be less OS and upgrade dependent and did not take seconds to launch dialogs.
Only in the sense that the Vikings 'converted' people - "convert or die now".
Win 10 is now pretty much all you can get on new equipment, so it's not actually a case of 'conversion' but compulsion.
Everything from MS after Win 7 has been crap if you're trying to do real work on your computer. They seem to view the market as exclusively made up of media consumers, but some of us have to create the media in the first place, and for that we need simple, intuitive, configurable and customisable tools with presentation that complies with the well established principles of good human-machine interface design so we can get on with the job rather than fighting with the tools. Instead we get the opposite in every material respect. The rot started with the Ribbon and fixed colour scheme options in Office - suddenly, your familiar and preferred system presentation was ignored by Office because nanny knew better, and "where the hell is that menu item?" - and it's gone on from there.
Shortly we will be sold nothing but dumb terminals controlled entirely from Redmond, and every day they will look and work differently than the day before because some juvenile smartass in the US has had a 'bright idea'. And let's not even start talking about software quality...
Encryption may indeed be used by terrorists. However they have also been known to wear underpants, and underpants have been actively used in at least one attempted terrorist attack. Please consider making the wearing of underpants illegal. That should significantly reduce the threat of terrorism.
not quite as dark as other methods though. Twenty years ago I briefly worked on an attempt to use evoked potentials (brain waves) to do the same thing. I never found out whether the team as a whole finally 'succeeded' in their own terms, but the principle was fundamentally flawed due to individual variation masking the common factor of interest. However that didn't deter them from the apparent ultimate objective of a diagnostic helmet with two lights on it - green for sane and red for mad.
We're still waiting for a link to the report so we can find out what it really says. Leyden seems to habitually fail to link to the reports he quotes, which is not very helpful. I emailed the Register requesting this at 07:01 today but not a squeak out of them so far.
It is not.
The Internet is the physical infrastructure - the international network of networks of routers, switches and server racks, and it is entirely neutral (except insofar as it carries the bulk of the world's financial transactions without us noticing). The World Wide Web is what we (and they) are talking about here.
It pays to get your ideas right and use the correct words in expressing them.
While I can not disagree with the tweet by Jim Killock (the 'security expert' referred to) as a statement of fact, I must point out that he is not actually a security expert, but a privacy and open source activist.
There are numerous much more important issues at stake if we're contemplating backdoors in encrypted services than whether you can break end to end encryption if you have control of one of the end points (frankly that's a bit obvious).
Speaking as a security expert of some 20 years standing, I find that real security experts currently have too little voice in the media and activists and journalists too much (even when they happen to be right). The outcome, as in this case, is a superficialising of the issues that misleads and debases the public debate.
It's wider than that - it's businesses that process the personal data of EU citizens (anywhere).
an interesting offence in US law: the act of killing something that has no distinguishing attributes.
It would be rather nice if occasionally we could keep on topic. I can't find a single mention above of the important matter that was the subject of the item - the potential effect on EU/US personal data transfers.
However this seems to be increasingly the case - almost every piece in the Register is becoming a mere trigger for personal rants and strained attempts to be 'comic'.
Readily misled moorings for boats?
'variance' does not mean 'variability'.
the new fivers are already developing permanent sharp creases, as the material seems to be unable to relax after being folded. This could well shorten their effective life. Also, more than one shopkeeper and a bank teller have all told me they're difficult to count quickly because they don't pick up on the fingers like paper.
All he needs now is a fluffy white cat and a volcano to live in
"While biometrics are just another kind of shared secret,..."
Oh no they're not. Any biometric can only serve as only an identifier, not an authenticator. An identifier is permitted to be public (e.g. your name); an authenticator must be private to the legitimate parties (a shared secret).
Two fundamental and essential characteristics of an authenticator are that it can be changed and revoked. As a biometric can not be changed or revoked, and can in many cases not be private (e.g. fingerprints and DNA are left behind everywhere you go) it cannot legitimately be used as an authenticator.
It would be so nice if this basic principle would finally sink in...
"...over a quarter (26 per cent) believed the data encrypted wasn’t valuable or confidential, and hence was not worth paying for."
Why keep it then? If it isn't an asset it's automatically a liability.
You're right there's no simplistic explanation, but this 2008 paper provides some very interesting insights.
Where does this "ram packed" and "rammed" come from? The train would have been rammed if another train had run into it. This train was just jam packed.
So once again, as almost everywhere we have pseudo-education: folks just off crash courses passing on what they think they remember to those who cannot judge. But I forgot - Teaching is the real skill, subjects are just bags of facts. I obviously wasted decades studying systems engineering.
As a matter of fact I may have, given the culture. I have taught in various regions here in Blighty, and on every occasion bar one I have been handed a "Tutor Pack" containing everything necessary for the course - including crib sheets of acceptable answers to all the test questions. Almost anyone could "deliver" a course from that, without any subject matter expertise. Indeed one of my students complimented me on my ability to answer his questions, stating that my predecessor always reached for and thumbed through the text book when asked anything.
So our problem is not the quality or content of this or that syllabus - they are merely symptoms of shatteringly low expectations of both students and teachers. While we continue to impart very little, very little will result. This may explain to some extent the already abysmal and declining quality of engineering products - particularly in the software driven space. As long ago as the 1920s Owen Barfield coined the term "dashboard knowledge" for the capacity to do things by manipulating knobs and levers without any understanding of how they work, and this is what is primarily being "taught" - "How-tos" rather than the understanding of principles. This directly contributed to the Chernobyl nuclear incident, and is clearly implicated in a huge and proliferating number of broken systems from office software that needs monthly repairs to hackable "internet things" and military drones that think they've landed when they're still in the air.
"using Windows when they can -- most of the holes have been discovered" - if that's the case why do we still have monthly Update Tuesdays? Some of the holes have been discovered, but it's unreasonable to assume "most" as we just can't tell how many more there are. There's never been an OS or a major application from any vendor that has ceased to need patching before it was superseded by a "new version".
Before we assume, as this consultation seems to do, that autonomous vehicles are "the way forward" and all we have to consider are a few procedural and regulatory issues, I'd like to see the following test performed at least once (preferably more than once):
take around 200 autonomous vehicles and set them off in the rush hour alongside other traffic down the six roads to enter the Hemel Hempstead Plough Roundabout (National Grid ref: TL0549706394) with the aim of crossing the roundabout and exiting on various different roads. Then see what happens.
This roundabout consists of six mini-roundabouts surrounding a bidirectional central roundabout, and is quite a challenge for human drivers when it's busy. Any fool computer can drive down a motorway in steady traffic, but this would test its capacities realistically.
Embrace Zombie - the new innovative development framework that allows you to generate terabytes of code without thinking at all. We plan to train 10 million Zombie developers worldwide by this time next year.
Oooops - too late, we already have them...
Here is a sample standard letter for restriction of medical records sharing, created when this scheme was first proposed. It might still be of use.
"I absolutely prohibit in perpetuity any sharing of my medical records with any person, other legal entity or agency, except in the specific cases of access to my records with my explicit consent or exclusively for therapeutic purposes in support of treatment of a medical condition with which I present or where required without the option by statute or order of the Court.
For avoidance of doubt, this prohibition applies to any current or proposed scheme of medical records sharing envisaged or planned at the date of this letter and equally to any plan or scheme of medical records sharing to be conceived, invented or proposed at any time in the future."
"The paper concludes that a new approach is needed where policy making should lead technology; not vice versa." - from an organisation promoting this concept in an online paper entitled "Fulltext.pdf"
Might "doing things wronger" include posting a paper for download with a filename of Fulltext.pdf? Relying on the file path to define the nature of the document seems very similar to the sort of thing that is being castigated. Minor example maybe, but it highlights the fundamental problem - failure to think before acting.
The most fundamental principle of the world wide web from the very start was endpoint agnosticism - the ability of any browser to get to the content, independent of presentation. I have no objection to bells and whistles - provided they are optional and don't prevent basic access to the content.
Web developers who create sites like this do their clients a huge disservice - they deny the intelligent and informed access to the content.
it would be nice to be able to read the original
It'd be really nice if the author were to mention what country he's talking about. I didn't realise this was about Oz until I saw the graph caption near the end. This is not by any means a unique instance.
"You can prioritise blocking attacks.
You can develop processes that let you respond to attacks.
Or you can put most effort into cleaning up after an attack."
Put that way it sounds really stupid - they are not mutually exclusive. You need to do all three in just proportion all the time. Getting the balance right is the key to success, and it may not be a static balance - the priorities can change depending on what's happening right now, so you need to be continuously attuned to the threat space. Ergo, being aware of the changing threat space is always your highest priority.
Nothing discussed here is really infosec - it's ITsec. ITsec is a small part (maybe 30%) of infosec. Conflating the two is the error that almost everyone makes and it results in a technocentric view that fails to deliver real security however much you spend. Infosec is about management of risk - ITsec is about choosing and deploying defensive technologies. Unless this is done with reference to business risk, it will be at best very expensive and at worst both very expensive and a failure.
"24/7/365 support", Talk about over-working the team - 24 hours a day, seven days a week, 365 weeks a ... oh, hang on! Something's not quite right here. In the real support world, you provide either 24/365 or 24/7/52.
As always there has to be a happy medium (something nobody seems to have ever managed to achieve sustainably).
However, what has been happening for some time is that against an objective standard of best available performance, median performance has been declining so we're all becoming "rejects". Here, maybe, is a reason. Instead of, as in the past, creating technologies primarily to enhance innate capacities, for some time we've been creating them to supplant those capacities, so the innate capacities are allowed to atrophy. It's even beginning to show in the quality of the supplanting technologies, as people with atrophied capacities have entered the roles of creator, designer and QA inspector. Evidence of this is readily to hand - witness the appalling quality of software, even in mission- and life-critical systems.
who's running a flat network then? I see this all the time - exclusive reliance on Active Directory for control over access to resources over an otherwise exhaustively interconnected user network. Apparently nobody's heard of network segregation.
"When a web site is able to 'remind' you of your password by emailing it back, that's a symptom of very poor security practices."
Ironically the Register did this the last time I forgot my password. I still have the email containing my password in clear in the body of the message.
"distrust turned to uncertainty; uncertainty to excitement; excitement to disappointment; disappointment to acceptance; acceptance to affection."
Exactly the process of hostage conversion - right up to Stockholm Syndrome
Actually, the distinction seems to be whether this device (the smart phone and/or app) is actually calculating the charge. It has been decided that it is only reporting the charge, which is calculated elsewhere - hence it's not a taximeter.
No it doesn't - it serves a good chunk of the world wide web. The web is not the internet.
"...Cyber Essentials – the UK government-backed scheme which protects businesses against the most common threats on the internet."
Cyber Essentials Basic just requires an attestation that specific minimal security technologies (e.g. antivirus and a firewall) and practices (e.g. patching) are in place - not even that they're actually working. Cyber Essentials Plus adds an annual one-off penetration test, which of course does not actually prove they are working properly, only that they haven't absolutely failed at the time of the test. Furthermore, the originators of Cyber Essentials explicitly limited its scope to the most elementary low grade threats, and even there it's only the equivalent of an MOT ("annual vehicle safety test" for those of you in foreign parts).
I actually recommended that the Cyber Essentials Basic attestation should include a CMM-based self-assessment of the level to which these minimal technologies and processes are managed, but the suggestion was ignored. Consequently Cyber Essentials does not really protect against much at all.
Really? It's often a good idea to read the original report before summarising it.
Actually, the malicious code is hidden in image LINKS.
The very first sentence of the original report states this clearly: "Yesterday a vulnerability was discovered that made it possible to inject malicious code into an image link on Imgur."
Come on Reg - you're not a red top!
'carton' (картон) doesn't mean carton (a box) in Russian - it means 'cardboard'.
Why could it be that two letters of mine this year relating to important issues, sent directly to the ministers responsible, have elicited zero response but the govt is dead keen to find out at our expense what some of us have tweeted about it?
Biting the hand that feeds IT © 1998–2017