* Posts by Paul Johnson 1

48 posts • joined 14 Jun 2013

Our vulture listened to four hours of obtuse net neutrality legal blah-blah so you don't have to: Here's what's happening

Paul Johnson 1

Re: So where is Congress in all this?

Actually the UK also has regulations made by government departments. See for example http://www.legislation.gov.uk/uksi/1986/1078/introduction/made, which is the intro to the regulations for car construction. It says:

The Secretary of State for Transport (hereinafter referred to as “the Secretary of State”), in exercise of the powers conferred by sections 34(5), 40(1), (2) and (3) and 172 of the Road Traffic Act 1972 now vested in him(1) and of all other enabling powers, and after consultation with representative organisations in accordance with the provisions of section 199(2) of that Act, hereby makes the following Regulations:—

Suunto settles scary scuba screwup for $50m: 'Faulty' dive computer hardware and software put explorers in peril

Paul Johnson 1
Alert

Its not just dive computers

I once heard a very scary talk by a manufacturer of professional dive kit. He mentioned this kind of thing, but dive computers were actually one of the less scary parts.

The really scary stuff was rebreathers. These are bits of kit that take the air you breath out, scrub the CO2, add the oxygen back in, and let you breath it again. Advantages are much smaller tanks of compressed oxygen rather than air (8o% nitrogen), and no stream of noisy bubbles to scare the fish. The disadvantage is that if the oxygen replenishment fails you die before you realise there is anything amiss. One horror story among many: a device that reset itself to "off" when it got knocked.

Paul Johnson 1

Re: Isn't that what the watches with the numbered bezels are for?

No, these are not just watches. They have pressure sensors and they track your depth over time to compute how much air you have used (greater depth means more air usage) and nitrogen absorption in order to give you a decompression schedule. The algorithms are complicated and the results obviously safety-critical.

Windows 10 can carry on slurping even when you're sure you yelled STOP!

Paul Johnson 1
FAIL

Renaming doesn't fix the problem.

The GDPR is explicit about this: if the users consent is required for processing, then that consent has to be active and explicit. Setting the default to True and hiding it in an Options dialog doesn't count. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

What a meth: Woman held for 3 months after cops mistake candy floss for hard drugs

Paul Johnson 1

Taste test for drugs

Even American cops are not dumb enough to taste suspected drugs. https://tvtropes.org/pmwiki/pmwiki.php/Main/FingertipDrugAnalysis

Paul Johnson 1
Big Brother

Pretextual traffic stops

Unfortunately that is the law in the USA these days. https://www.themarshallproject.org/2015/08/03/how-the-supreme-court-made-it-legal-for-cops-to-pull-you-over-for-just-about-anything

Paul Johnson 1

Re: How many constitutional rights were violated ?

Unfortunately, probably not. The doctrine of qualified immunity (https://en.wikipedia.org/wiki/Qualified_immunity) says that the police could reasonably pull them over, and then notice that there was a bag on the floor which they might reasonably suspect contained drugs, and then arrest them on that suspicion. Everything that happened after that is just routine muddle. There *might* be a case for damages for the two weeks she was held after evidence was found that she was innocent, but I don't know enough about the law; it might have been her responsibility to file a writ of habeas corpus to get released.

So in short, tough luck.

Wombats literally sh!t bricks – and now boffins reckon they know how

Paul Johnson 1
Go

IgNobel prize incoming

Looks like this perfectly fits the IgNobel definition: first makes you laugh, then makes you think.

I find your lack of faith disturbing, IBM: Big Blue fires photon torpedo at Pentagon JEDI cloud contract

Paul Johnson 1
Alien

The Hitch in the Hikers Guide to the Galaxy

Of course we all know it was the Sirius Cybernetics Corporation attacking the Vogons.

Share and Enjoy!

UK.gov withdraws life support from flagship digital identity system

Paul Johnson 1
FAIL

It sucked lemons!

I tried to use this to get identified last year. You had a choice of four or five identification providers such as banks and the Royal Mail. Each would give you three or four questions to verify that you were you. The kicker was that if you got one answer wrong then you failed verification, and you weren't allowed to go round and try again with that provider. Obviously this was to prevent fraudsters from repeatedly guessing until they got a hit. However the banks only worked if you were an account holder, so most of them were out.

I started with the Royal Mail, but misremembered the year I moved in to my current house (getting the month right wasn't good enough!), so that failed. Then the only bank I had an account with simply wouldn't work and kept taking me back to a question I had already answered.

Python joins movement to dump 'offensive' master, slave terms

Paul Johnson 1

Re: All aboard the euphemism train!

"Shell shock" was based on the assumption that the problem was due to repeated loud bangs.

"Battle fatigue" was an inaccurate euphemism which suggests that it can only happen to soldiers in battle and not to e.g. civilian emergency responders. "Fatigue" also suggests that it will go away with a good night's sleep.

"Operational exhaustion" ditto.

"Post traumatic stress disorder" may be inelegant, but it is the only one in your list that is a precise description of the problem.

Paul Johnson 1

History of this terminology

The "master" and "slave" terminology goes back a lot further than RFCs. It was used to describe the operation of the Decca radio navigation beacons back in 1945.

https://en.wikipedia.org/wiki/Decca_Navigator_System

Creaky systems 'cost lives': Health secretary Matt Hancock pledges to solve NHS IT woes

Paul Johnson 1

How to solve this

The standard government approach to this kind of problem is to hire a big company, set a budget and delivery date, watch the delivery date come and go, throw more money at it in the hope of rescuing the sinking project, and finally publish a report saying that the project was doomed from the start by lack of good requirements. If we are really unlucky then the project will get as far as an attempted roll-out where the entire NHS switches over on D-Day, with total chaos when the IT goes TITSUP. We will never get a working IT system using this approach.

Instead the central government should set interoperability standards and then require IT suppliers to demonstrate actual interoperability with each other before giving them the green tick of approval. That way each hospital, GP surgery or NHS Trust can update its own computers in its own time, training staff and managing the transitions as they go, while still ensuring that the end result is a broader system that works. That is how the Internet was created, so we know that we can produce a planet-wide IT system like that.

Now you can tell someone to literally go f--k themselves over the internet: Remote-control mock-cock patent dies

Paul Johnson 1

Patent not patient

I read this as "patient dies" not "patent dies".

'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

Paul Johnson 1

Stingray list?

So if I'm understanding it correctly, these things are Stingrays or similar devices (https://en.wikipedia.org/wiki/Stingray_phone_tracker). The EFF has been trying to find out about police using these devices, as their ability to spy on individuals without a warrant is a matter of concern. https://www.eff.org/search/site/stingray

Oh my Tosh, it's only a 100TB small form-factor SSD, SK?

Paul Johnson 1

How many electrons per bit?

"Quad level" is a misnomer: with 4 bits per cell, that actually means 16 levels for the electronics to distinguish. So with 16 levels and the cells getting ever tinier, how many electrons does each cell store? Divide that by 16, and you know how many electrons are used to store each bit. Does anyone know what the number is?

IPv6: It's only NAT-ural that network nerds are dragging their feet...

Paul Johnson 1

Re: If past ipv6 articles are anything to go by...

Actually IPv6 will reduce router memory load. The IPv4 space is heavily fragmented. IPv6 will be much less fragmented, so routing tables will have much fewer entries.

The issue with bandwidth efficiency is not significant. While it is true that there are some tiny packets flying around (ssh sessions spring to mind, with each keypress generating two packets), they don't make a big dent in the overall bandwidth because once the bandwidth goes up the data can be chunked, and the high bandwidth applications like video streaming already use big packets anyway.

US taxman wants AI to do the security checks it seemingly can't do itself

Paul Johnson 1

I disagree: this is becoming routine and the IRS should be doing it as well.

Google for "AI fraud detection" and you get a lot of hits. Its becoming standard. See https://en.wikipedia.org/wiki/Data_analysis_techniques_for_fraud_detection for more details.

UK.gov outsourcers must prove their 'social value' to win contracts

Paul Johnson 1
Holmes

The reason why companies like Carillon and Capita exist is that getting a contract with the government, or indeed any large organisation, involves a certain amount of hoop-jumping. The Purchasing dept in any such organisation simply cannot be allowed to make it up as they go along, so they have rules and procedures for evaluating bids and choosing the winner. So far so logical.

However this means that the company most likely to win the business is the one that knows its way around the bid process of the customer, and has also previously spent time and money building a relationship with the people running the process. This doesn't mean anything corrupt; you just have someone visit the prospect with a Powerpoint deck and spend some time listening to the people who will make the decision. Then you can fine-tune your bid to address their personal concerns as well as the formal requirements.

Unfortunately the upshot of all this is that the winners are people who's core competence is generating winning bids, not doing the actual work.

This "social value" thing is just another of these hoops. It will turn into a section in the bid document which reports on the KPIs. The company will previously have considered what KPIs it should have in here, talked informally to customers about what they are looking for, and then put in place a process to generate auditable KPIs with the minimum cost. Nothing dishonest, just careful engineering. Meanwhile a company down the road that might actually do a better job and be more socially responsible doesn't get the job because they haven't previously put in place a process to identify, collect and collate the necessary data.

The harbingers of Doomwatch: Quist is quite the quasi-Quatermass

Paul Johnson 1

Sex and violence: the double standard

I wonder if the decision to show the firing squad was a deliberate "take that" to the Mary Whitehouse brigade: it contrasted the extreme violence we were allowed to see with the very mild sex that we were not.

UK gov grilled over massive exposure to struggling outsourcer Capita

Paul Johnson 1
Holmes

Core competence: getting contracts

The idea behind outsourcing something is that instead of a government department bumbling its way through, costing whatever it managed to spend, you get a specialist company doing it and bidding in a competitive marketplace to keep prices down and quality up.

This is a nice theory, but in practice it isn't working. When you look at companies like Capita, they are obviously not specialists in any of the things they get paid to do. What they are really specialists in is navigating the complex world of government procurement and jumping through all the hoops in the bid process. Since you need to be a big company to do this there aren't many of them around, so its not surprising that the same few names keep cropping up in government outsourcing contracts. Because there are so few there is no real pressure on prices, and quality is measured by short term numerical targets rather than long-term desirable outcomes, so the desirable outcomes tend not to happen either.

UK 'meltdown' bank TSB's owner: Our IT migration was a 'success'

Paul Johnson 1
FAIL

The operation was a success...

... but the patient died.

OK, this time it's for real: The last available IPv4 address block has gone

Paul Johnson 1
Facepalm

Its the business case, stupid.

Look at it from an ISPs point of view. Most of their customers have never heard of IPv6, and will require a lot of support and hand-holding as they learn the new system. All sorts of old and obsolete bits of kit will break. Some software won't work. Imagine explaining to Joe Homeworker that they need to tell their corporate IT to upgrade to IPv6 before they can start work again. There will have to be an IPv4 to IPv6 gateway for the foreseeable future, and that is going to be a big headache for all sorts of applications.

And from an ISPs point of view the current situation is actually very good for business. If you hold a block of IPv4 addresses then you own a valuable commodity. If nobody else can get them then this is a barrier to entry for competitors, which is something that all the business strategy books say is a very important thing to have. So the ISPs are highly disincentivized to migrate to IPv6.

Australian Feds cuff woman who used BTC to buy drugs on dark web

Paul Johnson 1

Re: Either that or

"here in the States, the cops have to be prepared to disclose exactly where and how they gathered evidence".

Unfortunately in the new world of "parallel construction" that is no longer the case. The DEA routinely arranges events such as traffic stops in order to create a version of the story that will pass legal muster.

https://en.wikipedia.org/wiki/Parallel_construction

Surprise UK raid of Cambridge Analytica delayed: Nobody expects the British information commissioner!

Paul Johnson 1

On the other hand...

Maybe they are trying to give CA enough rope. Its not enough just to delete a few files. As others have mentioned, they will have backups. They will also have email logs, and finally they have quite a few employees and ex-employees, one of whom is already a whistleblower who knows where the skeletons are.

If a company does something big then information about it gets scattered everywhere. So you deleted the main database. What about the scratch copy that someone made for testing purposes? What about the email with the link to the CSV files? Are you sure you got everything?

Of course given a few weeks and plenty of manpower CA could probably get most of it, but its still going to leave any number of holes. Prof Kogan has emails assuring him that it was all legal, but where are the copies of those emails on the CA servers? If the two sides don't match, its clear evidence of the destruction of evidence.

And destroying evidence is a crime (in the UK it comes under "perverting the course of justice"). Which means that any sensible employee at this point is either going to refuse point blank to delete stuff, or at least to demand instructions in writing. If the CA bosses don't have plenty of manpower then trying to delete a few bits of stuff ad-hoc is worse than doing nothing. And of course the senior CA people won't have read/write access to every employee mailbox. Yes, they could order the sysadmin to provide it, but see above about employees.

Ethics? Yeah, that's great, but do they scale?

Paul Johnson 1

Something like "fiduciary duty" for software engineers?

Some time ago I wrote a blog post (see link below) wondering if "fiduciary duty" would cover it. That is the kind of duty that lawyers owe clients and doctors owe patients; to act in their best interests and not take advantage of a position of trust. The consensus in the comments was that it didn't fit. However I still think that something like that is needed; software acts as a trusted agent for the end user, and should be designed to act in their best interests. Obviously you can only cover the end users as a class, and in the case of cloud software its a nice question whether the end user is the cloud company or their client (but perhaps the cloud company owes a duty to the client, so its transitive).

The key issue is that, whatever these duties are, they need to be legally enforced. The principles of the GDPR do actually go some way in this direction, but they don't fully embrace it. For instance, what about a program that ostensibly gives medical advice but actually steers the user towards a specific drug? (This is not hypothetical). This would be fine under the GDPR but is clearly not in the end user's best interests.

https://paulspontifications.blogspot.co.uk/2016/12/what-duties-to-software-developers-owe.html

Heathrow's air traffic radio set for shiny digital upgrade from Northrop

Paul Johnson 1

Re: Secure?

ATC still broadcasts in the clear on voice. This isn't because they haven't considered various forms of encryption, but any form of digital encryption or authentication means having absolutely reliable key distribution and revocation mechanisms across the entire world, including bits that aren't very sophisticated. The risks of doing this and getting it wrong are higher than the risks due to the current system.

Paul Johnson 1

Its actually for the airline to communicate with its aircraft. ATC don't use it.

Didn't install a safety-critical driverless car patch? Bye, insurance!

Paul Johnson 1

Separate safety updates from everything else.

All well and good, provided that the manufacturers are prohibited from tying safety critical updates to other things, like changing the way the user interface works, the features available in your car, and any other reason that someone might say "I like the car the way it is, thanks" instead of upgrading.

After we ran our article about the fate of .sk, the nation of Slovakia flew into a rage. And now, here's part two...

Paul Johnson 1

Stealing the meaning?

You complain about the hyperbolic use of the word "stolen", but then say that a political movement is hoping to "steal" seats from the mainstream parties.

So are you against hyperbola or not?

One-third of Brit IT projects on track to fail

Paul Johnson 1

Why I am always skeptical about surveys like this.

These are not the reasons why the projects failed, they are the reasons why project managers *said* they failed. I notice that 0% of the failures are attributed to "poor project management", and that 11% are attributed to "over-run budget", which is a symptom not a cause.

Its all very well attributing causes of failure after the fact, but nobody (AFAIK) has ever done the obvious experiment, which is to rate projects on attributes such as "clearly defined goals" and "right staff allocated to project" at the start, and then see if any of these things have predictive power. Until we do that the question "why do projects fail?" remains nothing more than folklore.

My fortnight eating Blighty's own human fart-powder

Paul Johnson 1

Re: Food is not only sustenance

For some yes, but there are a lot of people for whom cooking and eating is a joyless and solitary chore. If you live on your own then spending an hour or two every evening cooking, eating and cleaning gets old real fast.

Did EU ruling invalidate the UK's bonkers Snoopers' Charter?

Paul Johnson 1

Living under a permanent caution

You have the right to remain off the Internet, but if you do use the Internet, anything you do will be taken down and may be used in evidence against you.

Google turns on free public NTP servers that SMEAR TIME

Paul Johnson 1
FAIL

This is a bad idea. Google are free to use whatever system they like internally, but all public-facing NTP servers should agree. Google is deliberately making its servers give the wrong time for 20 hours. If someone uses a mix of Google and non-Google NTP servers for their time then the results will depend on which version of time is in the majority in their list.

Petulant Facebook claims it can't tell the difference between child abuse and war photography

Paul Johnson 1

Re: The Blurred Generation

Many children have good reason (e.g. mother hiding from violent father) not to have their faces shown on national TV. You *can* broadcast a child's face if you get parental permission. But unless there is good reason its easier just to blur them out.

Paul Johnson 1

The problem is libel

Facebook is caught in a double-bind here. They can see, just as well as anyone else, that this is an important historical image and that the nudity is unimportant compared to that. However that is an editorial decision. Once Facebook makes editorial decisions (as opposed to mindlessly enforcing blanket rules like "no nudity") it becomes liable for anything libelous posted on the site.

So then if you post something about Mr Warbucks that he doesn't like, he can tell his lawyer to threaten Facebook with a libel suit. Facebook can then do one of two things:

1: Hire a QC and spend a million pounds to defend your post, and risk many millions more if it turns out that you don't have the evidence to back up your claims.

2: Delete your post.

Be careful what you wish for; you might get it.

Paul Johnson 1

That is not the case. The law bans "indecent" images rather than nudity per se, and if the images are part of a collection then the collection must be considered as a whole. Context and prior history are very relevant.

Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

Paul Johnson 1

What happens if Muddy Waters turn out to have exaggerated the scope of the problem? If you boost a stock and sell at the top its called "pump and dump", and is illegal. What is the other way around called? "Short and Diss"? And would that be illegal?

Microsoft cancels Remain speech after death of Labour MP

Paul Johnson 1
Headmaster

Debrief.

Small point: you brief someone before the event, and debrief them afterwards.

Unless you mean something altogether different...

Computerised stock management? Nah, let’s use walkie-talkies

Paul Johnson 1

There are still a few traditional shoe shops who know how to handle unusual sizes and stock a wide range. If you are in the right area I'd recommend French's of Southampton, as that is where we go.

HaLow, is it me you're hacking for? Wi-Fi standard for IoT emitted

Paul Johnson 1

Only for the Americas

According to Wikipedia the 900MHz band is only for ITU Region 2, which means the Americas. Region 1 (Eurasia and Africa) have a 433MHz band, but the bandwidth available is only 1.74Mhz instead of 26, so many 900MHz applications aren't going to get the bandwidth they need there.

https://en.wikipedia.org/wiki/ISM_band

Software bug sets free thousands of US prisoners too early

Paul Johnson 1

How to miss the whole point of reforming prisoners

Quote: "The authorities are now trying to find prisoners who were let out early and will send them back to the cooler to finish off their time inside."

So lets say you did your time and you are trying to go straight. Despite all the usual problems with being an ex-convict, over the past year you've managed to land a minimum-wage job, rent a room somewhere cheap, and start trying to put some kind of order in your life.

And then the prison department decides to haul you back in for another 40 or 50 days. Its totally meaningless as far as punishment is concerned, but by the time you get back out your job and room have evaporated, and you are back to square one again.

Final countdown – NSA says it really will end blanket phone spying on US citizens this Sunday

Paul Johnson 1

Re: Same old program, different name.

Do you have any evidence about the CIA internship? The Wikipedia page lists his first jobs, and neither were with the CIA.

Paul Johnson 1

This won't change anything real

So the law says that the NSA now has to "ask" for the data, and it must be related to an investigation. But the easiest and cheapest way to implement this would be to create a database interface at the telephone company which can receive queries from the NSA. The NSA in turn promises only to send queries about things it is interested in, which is no problem because it already promises only to look at its mass data when it is interested in it.

So the only change is that the data is stored with the phone company instead of at the NSA.

GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'

Paul Johnson 1

So presumably the Great Firewall of China will soon be joined by Hadrian's Firewall.

Bitcoin can't be owned, says Japanese court, as Karpeles sweats in cell

Paul Johnson 1

What this really means

Talk about Japanese Whispers! This has been summarised, translated, interpreted; its a wonder there is anything left.

If a laundry went bust, it would owe money to its creditors and also would have a load of clothes that had been left for washing. The point of the "tangible asset" law is just that the clothes can be reclaimed by their individual owners, while any money goes into a common pot. So someone who has left a load of dirty laundry gets their clothes back, but the bank can't use the same logic to say "the money we lent them last week is ours, so we should get it back".

The court in this case has said that Bitcoins are more like money than clothes; the plaintiff in this case was arguing that he had deposited a load of Bitcoins at MtGox, so he should get those Bitcoins back, exactly like clothes left at a bankrupt laundry. The court has decided that Bitcoins are more like money than clothes, so his argument doesn't work. That is all.

Edward who? GCHQ boss dodges Snowden topic during last speech

Paul Johnson 1

Mission Shift

Note the mission shift here. GCHQ was originally created as a descendant of Bletchly Park, with the mission to eavsdrop on foreign nations that intended us harm (meaning Russia). Now its morphed into a part of the law enforcement system, but one that doesn't need warrants or articulable suspicion before hoovering up your private information and poking its nose in yor business.

Former QiComm CEO cleared in money-laundering case

Paul Johnson 1
Facepalm

So, high tech innovative successful business destroyed, bunch of people made redundant, and no recourse whatsoever. If that's justice, I'm a banana.

Biting the hand that feeds IT © 1998–2019