Posts by yoganmahew

331 posts • joined 1 Apr 2014


At 900k lines of code, ONOS is getting heavy. Can it go on a diet?


Ditched for Kafka

Essentially he is saying ditch SDN for Kafka - have your semi-dumb controller (that only does network layer processing) talk to and from a Kafka cluster and make Kafka stream processes do the hard work. It turns out there's life in the OSI 7-layer model and specialised processing by layer is a good idea.

Aside from efficiency concerns, it would seem yet another point of failure is added on an already failure-ridden comms stack. Getting from front-end to back-end used to be straightforward to operate. Now layers and layers of SD firewalls and SD networks intervene. The idea that this can be E2E tested for all situations is no longer tenable.

'It's like they took a rug and covered it up': Flight booking web app used by scores of airlines still vuln to attack – claim


Re: GDPR much?

If they allow brute force (aren't checking for it), it supposes they aren't checking who is accessing their APIs. So they may have no idea whether it has been used...


A spokesdroid said:

"The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale.

"Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration"

IATA standards me hole.

There's nothing in IATA standards that says you have to spill unsolicited customer details (what other detail is being json'd out and just not displayed?).

The rest of the world's airlines will laugh Amadeus out of the room if they try and bring this up.

It sounds almost like some at Amadeus think API stands for api and not API ;)

(Advanced Passenger Information, security messages to states governed by IATA versus Application Programming Interface, a woefully inadequate way of outsourcing your security to the cheapest code chop-shop).

Once you get into the booking, you have access to all sorts of juicy personal data, some of it PII too, so it's not just GDPR for EU citizens that is in scope.

Begone, Demon Internet: Vodafone to shutter old-school pioneer ISP


Re: Wild West Days

And another beer from me!

Ah, Trumpet winsock, WinDis and poking around in .ini files. Kind of like Linux is today :/

You have deleted my usenet download history, right? Right??

Marriott: Good news. Hackers only took 383 million booking records ... and 5.3m unencrypted passport numbers


Friday night special...

Classy burying of bad news there Marriott; ticking all the boxes...

Boffins manage to keep graphene qubits 'quantum coherent' for all of 55... nanoseconds


This page is unintentionally left blank?

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage


Re: Their Site


"It could all get a bit messy if they go down the GDPR route."

Absolutely it could, it could end with TM being fined for sharing privileged information with unauthorised third parties. TM have stuck themselves into a choice of:

1. It was us, sorry guv, QC issue on adding scripts.

2. It was them, we sent them everyone's information and they unsurprisingly stole it, but we sent it, don't worry.

Actually, 2 breaks PCI and PII rules too, never mind GDPR. TM have managed the insecure trifecta; the trilogy of swillogy; the trio of wankio.

They say software will eat the world. Here are some software bugs that took a stab at it


Re: That's news

@david 12

Yeah, I don't think we as developers can just blame management. Those of us who have been around long enough have seen enough shit code, lazy coders, and people who should really have been doing something else. That's not to let management off the hook, they hired these people and keep them (because they're fast and cheap, presumably), but as a professional, a developer needs to stand up for their profession, not always blame its known inadequacies on someone else.

European fibre lobby calls for end to fake fibre broadband ads


Re: "Or, um, rather the 'lack' of significant cost :-)))"


"$100 for 1Gb? Quite pricey, even in Canadian dollars, in other parts of the world you can have it at half the price, or even less."


Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years


Re: Just wondering

"Hopefully it won't be too long before banking switches to using MFA with an one time pad App on peoples phones."

Ha! I'll see your one-time pad and raise you contactless.

Then I'll raise you signatures in the US...

Then I'll raise you adding the tip in after you've signed the bill...

IBM's Ginni Rometty snipes, er, someone for being irresponsible with data, haven't a clue who


"If law doesn't cover a particular topic adequately (not even devolving responsibility to, for example, a medical body), then the law should be updated."

Well, no, principles based law defines categories of misbehaviour; it doesn't detail every possible transgression. Principles based law is what is required here.

Oh and Mrs. Ginny, Facebook-> Cambridge Analytica WAS B2B, so I suggest that B2B is where the bigger danger lies - one company takes from the public, then sells to another business that misuses the data; your ill-aimed potshots at GDPR are ill-founded, it hits the responsibility mark reasonably well.

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)


Re: Javascript


"In this specific case, is it reasonable for a developer to anticipate the introduction of malware which leaks confidential keys to a thief, and test for it? Until the theft actually occurs, the app works perfectly in a normal testing scenario"

Well, a specific malware threat, maybe not reasonable to expect, but that unspecified malware can be introduced through a repo the developer has no control over? Absolutely reasonable. It has happened multiple times so it must now be considered a known risk and you should have mitigations in place.

That sphincter-flexing moment for devs when it's time to go live


Re: Experience is a harsh teacher

@Graham 2

"The challenge comes when *someone* (it doesn't matter who, but they often count beans for a living, decides that the carefully prepared plan "takes too long" and needs to be done in less time."

A secondary issue is that the 'plan' doesn't make economic sense if properly specified to the correct hardware/network/redundancy/DR/day-to-day debugging capability; the imaginary savings are much sweeter if they use imaginary numbers for capacity and support cost.

Imagine that!

Excuses, excuses: Furious MPs probe banking TITSUPs*


Re: Rare Events One And All (@ tfb)


"their infrastructure is a chaotic mass of history and complexity which they can't just do a clean-sheet reinvention of because no-one really knows how a lot of it works except that it does, and it is just really, really hard to predict what is going to go wrong as a result."

Going back to your original well made point - the thing is, we see from thebigG, MS, AWS etc. that their infrastructure is also a mess of complexity. I blame (as I suspect you do with pointing to the number of Linux kernel lines) the amount of code being written in ever lower cost, lower experience shops.

I work in an industry riddled with ancient technology beating up against new tech. I work in old tech and I'm distinctly unimpressed with the new. The chaps programming it care mostly about writing pretty code; they don't care to understand the business, they don't care whether it works or not, just that it is leading edge. Performance is always a hardware problem to them. The languages themselves are opaque and insecure by design. Each environment seems to be hand crafted to be different to every other environment that's gone before. Communications between systems is a black hole fiasco (I suspect the Barclays issue was MQ related, I too have seen rogue MQ messages block an entire network as they block every listener and no easy way to spot where the blockage is or where the bad packets are coming from).

And agile means there's no architecture, no low level technical direction. "As a user I want a banking mobile app that lets me check my account balance". Architecture seems to be limited to specifying components as if bricks, mortar, wood, nails are all you need to design a house. "As a user I want a shelter that keeps me warm in the winter" - welcome to your brick oven; no windows...

A 5G day may come when the courage of cable and DSL fails ... but it is not this day


Re: Cost

Unless my sums are wrong, two-forty knicker a year is a score a month. That appears to be less than the cheapest fivegee whiffy at twenty-two a month?

What's big, blue, and short on Intel? The supercomputer world's podium: USA tops Top500 with IBM Power9


It takes a lot of horses to make weather this bad.

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months


Re: Flight Pattern


Nope, the hardware is new.

The software, that's different, it's old in some cases. Very old.

Perhaps that you can't use the correct term identifies your experience and capabilities in this matter.

But, the old software is also not designed to be accessed in bulk, so the chances of old software being used to access it are close to zero. The newer software? That stores bulk copies of DBs in SQL-readable format? So once you're in, you have access to everything?

Yeah, keep kidding yourself it's legacy software that's the issue and nothing to do with modern systems, modern architectures, open system, open protocol, open access.

McAfee says cloud security not as bad as we feared… it's much worse



"The recommendations for companies are fairly straightforward: McAfee says companies should NOT USE THE CLOUD!"

Run for your lives, we're all doomed.

Memo to Microsoft: Windows 10 is broken, and the fixes can't wait


Re: "Office was always far more reliable"


True, but for sheer bloody-mindedness, the refusal of o365 apps to move a cursor, respond to a click, or accept typed input through a human interface device takes the biscuit. o365 has to be the worst version of an office application for actual working since, hmmm, DW370...

That syncing feeling when you realise you may be telling Google more than you thought


Re: "yo FYI you're currently logged in to Gmail"


Mr. Yo?

Ah, I see...

Herr Yo!

How an augmented reality tourist guide tried to break my balls


Re: Almost SNCF but not quite

@We have come a hell of a long way.

Yes! It no longer makes a noise!

Cisco loses focus over TelePresence blurry videoconferencing bug


Potato quality

of desktop sharing on webex can't be so easily blamed on someone else, eh Cisco?

British Airways hack: Infosec experts finger third-party scripts on payment pages


Re: BA - Oh the irony

@Yet Another

My, my, the virgins seem not to like your comment much! ;-)

Microsoft sharpens its claws to cut Outlook UI excess, snip Ribbon


Re: Desktop UI please

Or have the UI's as skins - one for mobile, one for desktop (and a separate one for touch? Does anyone actually use touch on their laptops?).

The mobile app is already different enough that it bears little resemblance to the desktop one and is really only useful for the most basic of functions.

Go Pester someone else: TSB ditches CEO over bank's IT meltdown


Re: Dreaming

@Pete 2

"This is always going to be a problem for banking systems since they are so completely interconnected. I assume that is one reason why they have so much otherwise obsolete systems and software - nobody has the foggiest idea how it works and they are all too scared to try and change it!"

Yes, but:

1. The failures are not in the external interfaces to other banks. They are between the bank and itself. This should be entirely predictable.

2. This is a new system! They should know exactly how it works! And it's no dinosaur legacy uptime monster with five nines reliability. It's the cloud mate, where 4 hour scheduled outages each month are required?! What happened to "no planned downtime"? When did that die as a thing? What about five nines? 4 hours a month is 99.45%, even with rounding that's not three nines... Is this really what we have to look forward to? My fridge is going to be down for a minimum of 4 hours a month, but the outage may extend until Tuesday?

Game over, machines: Humans defeat OpenAI bots once again at video games Olympics


If the AI is not learning itself from its defeat, then surely it is programmed intelligence rather than artificial?

Everyone screams patch ASAP – but it takes most organizations a month to update their networks


Re: and in big End of town


Absolutely! Change approval is the homeplace of charlatans and idiots with a god complex. The poor techie has to fill in the PIR and the RCA and be subject to enhanced scrutiny for every other change for the next month. CI/CD is a dream of children along with pink fluffy unicorns. For most of us, change is hell. Putting in somebody else's change is inhabiting somebody else's hell.


"A server outage due to a patch is easier to explain than a data breach lawsuit..."

Unfortunately it isn't. A patch is a change, and failed changes, particularly those that cause customer impact are ITSM black-death.

Customer: "Why weren't we told you were going to patch?"

Us: "We patch every night and have told you so"

Cust: "Why didn't you give us the opportunity to test?"

Us: "Because we waited weeks the last time, and you still didn't do any testing that we could observe, other than asking us to switch if off one night"

Cust: "Why don't you use something secure?"

Me: "You don't like our mainframe and demand something shinier"

Cust: "Why didn't you tell us this change would break our geegaw?"

Us: "!@##$%$#"

London's Gatwick Airport flies back to the future as screens fail


Re: "no redundancy in the internet link"


"Did they really need someone else's computer"

No, but, generally you stick the flight information data on a server somewhere so you can access it from multiple sources. Of course, if you build that as PUBSUB and there was a local server serving coax to the airport... (why coax? Coax can be fixed by anyone with pliers and a piece of tape... Bring back coax!).

It's a bit weird, that they are having problems still suggests it's not just a fibre cut?


Re: "no redundancy in the internet link"


"It's an Arrivals and Departures system. The data grows stale in no more than a couple of minutes. A local cache doesn't really help. "

Not really, the scheduled departure and arrival times are well known days in advance. The gates are usually well known, but at least could be manually updated (so at least people stand a chance of finding their gate). The amount of data that transmits by FLIFO for FIDS updates is vanishingly small, being essentially designed in the 1960s. Never mind LTE, you could run it on dial-up...


Re: "no redundancy in the internet link"

Outages happen. The question for me is why there was no local cache? It would have grown stale over time, but a well installed local cache with a GUI for updates could put everything into manual mode with zero impact.

Is this the Internet of Tripe future? One failing link and your IoT belt unbuckles and your trousers fall down exposing your single-point-of-failure-arse?

Second-hand connected car data drama could be a GDPR minefield


Uxbridge English Dictionary

Paramount = where you hang your parachutist after you've shot them

Or "couldn't give a stuff while there's money to be made doing lowest cost development where they'll just do what the spec said, and the spec said nothing about security"

The ICO or Advertising Standards should start looking at the product specifications for anything like this and see if security is mentioned at all and levy fines accordingly.

Holy ship! UK shipping biz Clarksons blames megahack on single point of pwnage


Re: Copies

The whole response publication is idiocy. One isolated account = they only used one account, the information was loose on the intranet and once you could log on to the VPN you could get any of it.

Immediately = After six months (May to November)

As above, the whole "stole the data", "got the copy back" lark.

I wouldn't trust them to float a boat, never mind run an IT system.

Oh wait...

edit: I see AB Hands made the same points! Sorry!

UK cyber security boffins dispense Ubuntu 18.04 wisdom


Re: Good idea.

Really? You'd put passwords in a script? Where do you store it, GIT?

(Genuine question, mainframe chap here; the idea of anyone outside the console having rights to install software is bizarre to me in a server environment).

IBM Watson dishes out 'dodgy cancer advice', Google Translate isn't better than humans yet, and other AI tidbits


Re: Don't worry IBM!

IBM, reclaiming POS for IT from cash registers since Ginni.


You're half right I suspect, "improve outcomes" is marketing speak for cheaper... improve bonus outcome.

Another German state plans switch back from Linux to Windows


Re: Surprise may be coming

Indeed, the cloudy o365 is far inferior to vanilla desktop versions for 90+% of the average workday. For all the talk, the truth is that most of the day is not spent collaborating, it's spent working, and response time, and the consequent flow interruption of lag, is the biggest irritant.

Sysadmin sank IBM mainframe by going one VM too deep



@VTAM (I'm sure I've just blocked a virtual route doing that)

"Not a shining example of software technology from that era."

You say that, but it would work on the end of a dodgy copper wire that SITA would string on trees in the arse end of nowhere. At least until the wire got nicked for the copper.

California lawmakers: We swear on our avocados we'll pass 'strongest net neutrality protections' in America



Things that make you go hmmm: Do crypto key servers violate GDPR?


Required for processing

The permanent nature of the keystore (the immutable nature of it) is required for the secure processing of the cryptographic services. Erm, that's all the justification needed... Next!

Who fancies a six-core, 128GB RAM, 8TB NVMe … laptop?


Re: What does it run?

Will it run W10 basic edition without hanging?

The jury is still out...

Startup bank Monzo: We warned Ticketmaster months ago of site fraud


Re: If Stupidity Were a Crime

I'm not sure Ticketmaster are a startup...

Mrs. YM was hacked following a Ticketmaster transaction, like many others reporting in the original thread. I'm sure those banks are capable of seeing Ticketmaster as the common factor and reporting it to them. I suspect there's a cosiness of relationship involved in bad publicity, but that other banks will come forward.

I also suspect that the reason for Ticketmaster's complacency is that they had another leak, one they quietly fixed (perhaps back-office personnel based?) and finding one bomb left them complacent as to the presence of another.

... you're right, though, Ticketmaster are clearly incompetent.

Europe's scheme to build exascale capability on homegrown hardware is ludicrous fantasy


Re: I beg to differ



How long did it take China to go from a standing start?

Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malware


Even if you never checked it (we don't), you got hacked.


Re: Coincidence?

Me too! This is from Ireland buying ticketmaster UK tickets.

And quite a panic'd affair it was too since the tickets require the original purchase card to accompany them.

Some questions too other than the above about what were Ticketmaster storing - what were they sending to the chatbot company? Everything? There's nothing that you agree to to have your details sent to a third party.

GDPR's first test case?

Test Systems Better, IBM tells UK IT meltdown bank TSB


@Martin M

"The only difference is you’re doing it just in time rather than all up front."

No, you're cramming it into a sprint having played ludicrous poker to come up with a number in story points which doesn't mean hours but you have to fit the right number of story points into a sprint that is set at 2 weeks because that's what the guys at corporate do when they put out the company website and they're really efficient and it hardly ever breaks.

The practice of agile (and scrum) is a fiasco. It is far, far, worse than everything else that has gone before it. It is being used to control, to artificially measure (velocity is all that matters apparently), and to fire people.

As you say, pick the project. The reality in a large organisation is "do agile for everything, that's the company operating model, if you're not with the team, you're a loose cannon".


Re: Vapourware

@Martin M

Stories are not functional specifications.

Show and tell to "real users" - you mean customers? Really?

Some products are not suited to agile. Anything that can't be developed by a single thing that does it all, it sometimes looks like, but that may just be my own poor experience of it.

To me, regardless of the method, inexperienced/badly led/poorly trained/poorly tested cannot be saved by process and this dive to lower common denominator code monkeys is bad news for all involved.

EU negotiator: Crucial data adequacy deal will wait until UK hands in homework


I believe the bananananana was just for scale...

What can you do when the pup of programming becomes the black dog of burnout? Dude, leave


When you're 50 and overspecialised, moving on isn't as easy as it used to be.

A question for the panel, what do you do when Devops and Agile are the cause of menial, not the solution to it?

"Write these stories for work you know how to do"

"Make sure you update them every day"

"Arbitrarily split your work up so it fits into two week sprints because children can only concentrate on writing rubbish for two weeks"

"Be permanently on call forever since you're the system owner"

"Work in a large company where you have no control over the tools you use"

Actually, you can boil most of it down to - working in a large company = burnout.

Unbreakable smart lock devastated to discover screwdrivers exist


Re: Yeah - but if I am a "common criminal" I'll definitely find another non-indiegogo to pawn

"WTF is an "attack dog"?"

It's one that's been fed 100 hash and has lost the plot.

Comcast's mega-outage 'solution'... Have you tried turning your router off and on again?


Re: Mama Said:


