Posts by Doctor Syntax

16427 posts • joined 16 Jun 2014

HMRC IT boss quit £185k job for more cash

Doctor Syntax Silver badge

Re: Golden Handcuffs ??

"no competition clauses to avoid anyone jumping ship to other companies competing in the same space"

Governments tend to treat taxation as a monopoly*. There are no companies competing with HMRC, at least not within the UK.

*Note that they don't achieve this when it comes to taxation of multi-national companies.

Good luck securing 'things' when users assume 'stuff just works'

Doctor Syntax Silver badge

Re: How about what BT/VM do?

"Plus it doesn't help if the manufacturer is on razor-thin margins such that 2-3 cents per devices pivots it into unprofitable."

Which is why some of us keep saying the solution is to make such security provisions mandatory. You want to sell your stuff here? This is what you have to do.

To some extent it levels the playing field - those costs are common to all products. And for manufacturers who can't afford that, maybe they're best kept out of the market. If they were selling cars would you consider it acceptable to omit brakes to enable them to compete on price?

Doctor Syntax Silver badge

Re: "Nice to Have"

"if the standard involves effort (sliding the bolt on the door)"

Too late, there's probably a patent on that.

Internet of S**t things claims another scalp: DNS DDoS smashes StarHub

Doctor Syntax Silver badge

Re: sanitise customer kit

Percussive sanitisation.

Data ethics in IoT? Pff, you and your silly notions of privacy

Doctor Syntax Silver badge

Some people made their own decisions.

"not quite on the topic of “data ethics” the audience was led to believe. Some got up and left."

Cyber-crooks menacing hospitals are put under the microscope

Doctor Syntax Silver badge

Bingo

“Gaining the upper hand in cybersecurity requires a rejection of conventional paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information, industry players must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.”

Microsoft: We're hiking UK cloud prices 22%. Stop whining – it's the Brexit

Doctor Syntax Silver badge

Re: UK is doomed!!!

"And who needs Microsoft?"

Those who've already been sucked into Azure? Note how those who are more strongly locked in get a steeper price rise than those who might find it easier to move to Linux. Nevertheless this is still slicing the salami rather thickly.

Doctor Syntax Silver badge

"Another US conglomerate decides to hike its prices and everyone immediately blames the brexit voters, looking for a scapegoat."

Well, the article clearly says that it's currency related. If we're not to see this as Brexit related should we start referring to the sudden-but-entirely-coincidental-devaluation-of-the-pound?

Today the web was broken by countless hacked devices – your 60-second summary

Doctor Syntax Silver badge

"The devices come from China and are imported direct. Who gives a damn?"

Market traders if they're importing them when Trading Standards come calling.

ISPs when they're exposed to fines for routing non-compliant stuff. As I said in another post, there are multiple points to apply pressure to make stuff unsaleable.

Doctor Syntax Silver badge

Re: persuading

"it's not Happy Panda's problem, it's ours."

It's theirs if they can't sell their stuff. Containers full of instant land-fill being turned away at the docks? The message will get through PDQ.

Doctor Syntax Silver badge

"Finally - as to the suggestion of arresting USERS because they have insecure IoT kit - that's stupid, there is no way that could ever be proposed to be added to law"

That depends on how bad the problem becomes. There are several points to apply pressure.

One is the market place via the types of regulation and certification that are in place already for electrical safety etc. It gives Trading Standards or the like the means to deal with vendors in the country and for customs to turn away incoming shipments. There's absolutely nothing novel in principle about this, it's just that govts. need to be kicked into motion to get a round tuit.

Another is the ISPs and through them the users. They can be required to put it into T&Cs that non-compliant kit can't be exposed on the net, either outside of firewalls or via UPnP.

Finally, after due warning, the users themselves: if they insist on connecting stuff it can be made an offence. In practice, of course, the ISP would almost certainly deal with it by cutting off the customer but having the illegality as back-up to deal with awkward customers.

All this combined would make non-compliant stuff unsaleable. That would lean on the manufacturers more effectively than trying to negotiate international standards.

That leaves countries that are reluctant to get round to doing such things. "Nice internet connection you have there. Shame if it got disconnected for an hour or two now and again. Or a day or two."

Doctor Syntax Silver badge

Re: The blacklist of things

"Then what happens when innocent users SUE for the collateral damage of them not being able to go on the Internet for no fault of their own?"

What happens? The ISPs learn the advantage of making sure it doesn't happen again. Or, to put it another way, they learn the cost of not having made sure it couldn't happen in the first place.

As per another of your posts, we're dealing with Stupid here so we need to take actions that don't depend on Stupid understanding things.

Doctor Syntax Silver badge

Re: Today the web was broken ...

"Believe me, it's only going to get worse"...

...before it gets better.

Doctor Syntax Silver badge

Re: Capt. Hindsight

"As long as you are happy to pay manufacturer to have support team that will be resetting these passwords 24/7. Are you ?"

The user sets those. The default password is on the label. You reset it to get that and you then have to set a new password before you can get it online.

You, the user, lost the label? Sorry, can't help you, we don't have a record of it.* You'll have to buy a new one. Please look after that better.

* That prevents anyone ringing up trying to get the default password if it transpires the pile of crap device can be reset remotely.
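An added example of the first-boot flow described in this post (my own illustration, not the original poster's and not any vendor's firmware): each unit gets its own random default password at manufacture, the device holds only a salted hash of it, and the remote-facing admin service refuses to start until that default has been replaced. A factory reset puts the label password back into force and closes the service again. The class, the PBKDF2 parameters and the minimum length are assumptions chosen for the example.

```python
"""
Added example (not from the thread): a first-boot credential gate.
The Device class, PBKDF2_ROUNDS and MIN_PASSWORD_LEN are assumptions
for illustration, not any manufacturer's code.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: any modern password-KDF setting would do
MIN_PASSWORD_LEN = 12     # assumption: illustrative minimum for the replacement


def make_label_password(nbytes=6):
    """Per-unit random default, generated on the production line and printed
    on the label. The factory keeps no copy; only the hash lives in the unit."""
    return secrets.token_hex(nbytes)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Device:
    """First-boot state machine: label password -> forced change -> services."""

    def __init__(self, label_password):
        # Hash of the label password, kept so a factory reset can restore it.
        self._label_salt, self._label_digest = hash_password(label_password)
        self.factory_reset()

    def factory_reset(self):
        """Back to as-shipped: label password valid again, nothing exposed."""
        self.salt, self.digest = self._label_salt, self._label_digest
        self.setup_done = False      # True once the default has been replaced
        self.remote_admin = False    # the WAN-side admin/telnet equivalent
        self.authenticated = False

    def _matches(self, password, salt, digest):
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def login(self, password):
        """Local login; succeeds with the label password only until it is replaced."""
        self.authenticated = self._matches(password, self.salt, self.digest)
        return self.authenticated

    def set_password(self, new_password):
        """Only an authenticated session may change it, and the new value must
        be long enough and different from the label password."""
        if not self.authenticated:
            raise PermissionError("log in first")
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        if self._matches(new_password, self._label_salt, self._label_digest):
            raise ValueError("new password must differ from the label password")
        self.salt, self.digest = hash_password(new_password)
        self.setup_done = True

    def enable_remote_admin(self):
        """Refuses while the label default is still the live credential."""
        if not self.setup_done:
            raise PermissionError("replace the default password before exposing this")
        self.remote_admin = True
        return True


if __name__ == "__main__":
    label = make_label_password()
    print("label password:", label)
    unit = Device(label)
    unit.login(label)
    unit.set_password("correct-horse-battery")
    print("remote admin enabled:", unit.enable_remote_admin())
```

The gate is the `setup_done` flag: nothing network-facing consults the password store directly, it only asks whether the default has been replaced, so a unit that has been reset by whatever means drops straight back to the closed state.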

Doctor Syntax Silver badge

"DNS resolution is needed for a lot more than just the URL you typed into the browser or clicked in Google. Each of the secondary domains that site calls have to be resolved too, and there can be dozens of them on a fairly typical site on the internet."

To say nothing of the tertiary and quaternary domains. OTOH if this forced sites to serve all their own crap this could be seen as a useful by-product
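As an added example of the point made in the quoted comment above (mine, not the commenters'): a small resource walker that takes one HTML page and lists every hostname a browser would have to resolve to render it, split into the site's own hosts and third-party ones. The page markup is constructed for the example, and the tag/attribute table and the "last two labels" domain grouping are assumptions; a real inventory would use the public suffix list.

```python
"""
Added example (not from the thread): enumerate the DNS lookups one page
needs. SAMPLE_HTML is constructed; FETCH_ATTRS and registrable_domain()
are simplifying assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes whose value the browser fetches (hence resolves).
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}
# <link> only fetches for some rel values; canonical/alternate do not.
LINK_RELS_THAT_FETCH = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of everything the page loads."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS_THAT_FETCH:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # urljoin resolves relative and scheme-relative ("//cdn/...") refs.
                self.urls.append(urljoin(self.base_url, value.strip()))


def registrable_domain(host):
    """Crude site grouping: last two labels (assumption; use the PSL for real)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def hosts_to_resolve(page_url, html):
    """Return (first_party_hosts, third_party_hosts), each sorted."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    page_site = registrable_domain(page_host)
    hosts = {page_host}
    for url in collector.urls:
        parts = urlsplit(url)
        # data: and javascript: URLs need no lookup.
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname)
    first = sorted(h for h in hosts if registrable_domain(h) == page_site)
    third = sorted(h for h in hosts if registrable_domain(h) != page_site)
    return first, third


# Constructed page for the example (".test" is a reserved TLD).
SAMPLE_PAGE_URL = "https://www.example-news.test/story/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example-news.test/story/123">
<script src="https://cdn.example-news.test/app.js"></script>
<script src="//analytics.tracker-one.test/collect.js"></script>
<script src="https://ads.adnet-two.test/tag.js"></script>
</head><body>
<img src="https://images.example-news.test/hero.jpg">
<img src="https://static.adnet-two.test/banner.png">
<iframe src="https://widgets.social-three.test/embed"></iframe>
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""

if __name__ == "__main__":
    first, third = hosts_to_resolve(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("first party:", first)
    print("third party:", third)
    print("lookups needed:", len(first) + len(third))
```

Seven lookups for one typed URL, four of them to domains the site owner does not control; any of those resolvers or authoritative servers being down or slow shows up as the page hanging. Resources loaded by those scripts at runtime would add more that static parsing cannot see.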

Doctor Syntax Silver badge

"The problem as ever will be no company having the balls to do this."

Turn that one round. As one of Nixon's henchmen said, when you have them by the balls their hearts and minds will follow.

Require them to do this.

Doctor Syntax Silver badge

Re: Home Router Traffic

"Also, to all the standards-talkers, persuade China first, discuss afterwards."

No, require stuff legally on sale and/or in use to meet standards and China will be persuaded.

Doctor Syntax Silver badge

Re: Standards Bodies need notice

"There is solution but it's not even remotely close to what you're rallying for."

I haven't seen you suggest it.

Doctor Syntax Silver badge

Re: Standards Bodies need notice

"Do you really want to live in communist utopia where government can control which device you can use to connect to Internet ?"

I didn't see that being suggested. It's not a matter of controlling which device, it's a matter of controlling the safety standards they meet. They'll already be subject to all sorts of safety requirements. For instance the telecoms network operators will already have specs as to what can be connected to ensure it doesn't put harmful voltages on the line or draw excess current. Or are your telecoms providers communist-run?

Doctor Syntax Silver badge

Re: Standards Bodies need notice

"I just wonder if you notice subtle difference between $30K car and $50 electronic device and how differently both industries regulated."

Your $50 electronic device should already be regulated as regards electrical safety.

Doctor Syntax Silver badge

Re: Maybe..

"This is obvious clickbait, it suggests all IOT devices are vulnerable, but the reality is, its a single manufacturer (XiongMai Technologies) that had a default password and login."

The answer lies somewhere in between. It might be a single manufacturer in this case and not everything is necessarily vulnerable but there have been enough reports of routers with telnet ports open on the internet side etc. You don't need to look back very far in el Reg to pick up these.

Doctor Syntax Silver badge

Re: Maybe..

"mostly the same stands for their customers."

It's the customer end that you start with. Does the kit meet UL/CE standards? If not then it becomes illegal to put it on the 'net in the relevant country or, even better, it becomes illegal for the ISPs to route it. It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit.

The manufacturers will get the message without direct action - they want to sell stuff, they meet the standards.

Make no mistake, something will be done, the only questions are what and when.

Doctor Syntax Silver badge

Re: Maybe..

"Problem is proving that the USERS/Owners suffered at all."

No. It's the suffering that users/owners are causing to others that's the problem.

Doctor Syntax Silver badge

Re: Maybe..

"Another fine law to make criminals out of ordinary people."

Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are.

Doctor Syntax Silver badge

Re: Maybe..

The "TPTB" would not take the action you require simply because Twitter and Netflix were down for a while.

Can't Netflix and Twitter afford to buy a few politicians do any lobbying?

Doctor Syntax Silver badge

Re: Maybe..

"I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering."

I think a few large corporations being exposed to risk like this will be able to apply as much emotional pressure as is needed to produce results.

Doctor Syntax Silver badge

Re: A few points

"CE-marking and US equivalents are good for purchasers to aspire to buying, but faced with a choice between high-price or low-price, with the difference in features being purely a few regulatory stickers affixed to the casing, which one will the purchaser end up buying?"

The alternative should be between the device being legally offered for sale or not. That doesn't provide the buyer with much of a quandary. If he buys from Del-boy he risks the device being forfeit, and maybe a fine.

Doctor Syntax Silver badge

"Brick the devices and watch US and European companies go bust very quickly as consumers just stop buying devices with internet connections that can use their subscription services."

As per my comment above, apply a bit of Darwinian selection. Make it worth while to ship secure stuff. Having sold/issued to the subscriber a steaming pile of ordure isn't an excuse for losing business, it's just a reason.

In established fields it simply wouldn't be allowed to sell a dangerous design of electrical equipment or vehicle. If it later transpires that something wasn't fit then the vendor will be expected to recall it for remediation; that option should be available to vendors of insecure IoT devices. If the vendor simply goes bust or the customer refuses to accept the recall then there has to be a mechanism for ensuring it's not exposed on the 'net.

If you want an alternative analogy, consider a contagious disease - of humans or animals. If the disease is sufficiently dangerous TPTB usually have sufficient powers to ensure that humans are isolated and animals destroyed. It's draconian but essential for the wider community.

Doctor Syntax Silver badge

Re: Too simple solution?

"You have to take Stupid into consideration."

Stupid is the problem. If the punter is too stupid it has to be their problem rather than someone else's. I'm a biologist by training. I see no problem in applying Darwinian selection to the IoT.

How about "Here's your device, there's the password. We have no copy of it. Looking after it is your responsibility."

Doctor Syntax Silver badge

Re: no internet

"in which case you'll NEXT be hearing from my attorney."

In which case we'll produce stills from the camera as evidence.

If you expose a camera on the web it's hard to deny that it's there.

Doctor Syntax Silver badge

Re: Maybe..

'As for "illegal".. that part would be ignored as any fines will be relatively miniscule and that's only if a law can get past the corporate lobbyists.'

Fines can be whatever legislation and the courts make them. There's also the possibility of raising sanctions against ISPs who continue to permit their customers to continue to use such devices.

As to lobbying, recent events have resulted in some large corporations having incentives to lobby for action.

In general history shows that eventually potentially bad stuff does get regulated but unfortunately governments traditionally don't operate at internet speed.

Doctor Syntax Silver badge

Re: Standards Bodies need notice

"Perhaps it's time those bodies also include network safety standards being met? Companies need to be held to a high standard on these things, and they're clearly not."

Agreed. This is something I've been saying for some time. Also it should be added to CE requirements in Europe.

The trouble is the existing deployed fleet. Those need to be fixed or taken off-line if they're not fixable.

Doctor Syntax Silver badge

Maybe..

..just maybe this will finally spur TPTB into taking some action.

For a start oblige the manufacturers of IoTs to stop selling vulnerable devices until they're fixed.

At the same time, put out a recall for all those currently installed to be upgraded - or do over the net upgrades if for kit that supports that.

And then make it illegal to run a vulnerable device if it's connected to the net.

The second item might well cost vendors more than the profit they made in the first place - good, it's time vendors were exposed to the costs of cutting corners.

Hapless Network Rail contractors KO broadband in Uxbridge

Doctor Syntax Silver badge

Re: 6 days to fix?

"Virgin (I hate them) only took 2 days after some numpty with a JCB pulled out all the Portsmouth feeds a few years ago....."

Was that adjacent to a railway line?

Doctor Syntax Silver badge

Re: Enquiring minds and all that?

"Oh believe me, some people think councils are responsible for absolutely everything."

Our local council seems to avoid responsibility for as much as it can except for the PC bits or those which get column inches for the leaders, even if they're not part of the council's remit.

Verizon: Data center sale going nicely. Yahoo! bid? Not so much

Doctor Syntax Silver badge

Just knock off the bn from the end of the figure.

What will happen when I'm too old to push? (buttons, that is)

Doctor Syntax Silver badge

Re: Holiday season

'Quick piece of advice - never look up how the YEAR was "established"'

There's also years BP (before present) in radiocarbon dating, "present" being taken as 1950. We used to round dates to the nearest 5 years but I never took into account the absence of year 0, partly because it would have looked odd to have nice round numbers in the BP version but not in the BC and it didn't really matter until one result came out at 1950 BP. Thanks to the link I now know it wasn't a bug, I was just anticipating ISO 8601.

Doctor Syntax Silver badge

"An adjustable spanner and a hammer."

Or just one very heavy adjustable spanner.

DNS devastation: Top websites whacked offline as Dyn dies again

Doctor Syntax Silver badge

Re: ENOUGH!

"ISPs and network operators being compelled to police their own user base for illicit traffic on pain of having some of their service access cut off which means, by implication, they have to police their users the same way."

If a large enough number of devices are involved the illicit traffic from any one device might not be easily discoverable. A better variation would be policing their user base for vulnerable internet-exposed devices. Where the device is an ISP-supplied router this would have the immediate effect of requiring the ISPs to be more careful in deciding what kit they supply.

Doctor Syntax Silver badge

Re: ENOUGH!

"Does this include the countless people / businesses / etc who cut every possible corner to produce cheap IoT style gadgets because they dont really give a toss about how they could be misused?"

Yes. With extreme prejudice.

Doctor Syntax Silver badge

"If *you* are an attack target, it is *your* infrastructure that is going to be targeted,"

For some values of "you". If "you" means the US internet business community then DNS is part of that infrastructure and, from what's happened, appears to be a single point of failure for quite a large portion of "you".

Judge nailed for trying to bribe Fed with fizzy water (aka Bud Light)

Doctor Syntax Silver badge

Presumably both suspected the other of corruption and were attempting that well-known procedure of US law enforcement, entrapment. At least that will be the case by the time of the appeal.

Lessons from the Mini: Before revamping or rebooting anything, please read this

Doctor Syntax Silver badge

I don't know if it's true but I read somewhere that the reason for the external seams on the original mini was to enable the panels to be held together by mole grips whilst they were being spot welded.

Doctor Syntax Silver badge

Re: you must be joking.

"Proper minis today are the ... Ford Ka"

Never been inside one but from the external appearance I'd guess they fail to meet the Issigonis principle of maximising internal space for a given footprint and height. They look as if the design objective was to minimise it.

Doctor Syntax Silver badge

"Not true, my first car was a 1964 mini and the sliding windows DID overlap. I don't miss them."

But in that case you had door pockets. When they changed to the wind-up windows almost all the internal storage was gone.

Dirty COW explained: Get a moooo-ve on and patch Linux root hole

Doctor Syntax Silver badge

Re: Utterly inexcusable...

"I already saw a fix fly by in the Debian updates"

Not only that but it wasn't rolled up into a big batch combined with a whole lot of other half-explained stuff; it downloaded quickly, was applied quickly and was one of only very few to actually need a reboot.

Doctor Syntax Silver badge

Re: There will always be another bug..

"It is really not fair to blame the final users."

However, for the stuff that's actually in operations and exposed to the net the users are likely to be the only ones who can actually take action, especially if the only possible action is to disconnect it.

Doctor Syntax Silver badge

Re: Utterly inexcusable...

"Your risk comes from your own staff" who can be pwned with a spear-phished email.

Despite best efforts, fewer and fewer women are working in tech

Doctor Syntax Silver badge

Re: Yup, women are smarter.

"in 74 - but this was around the time that industry experts were saying things like 'there will only ever be a need for 4 computers on the planet' and suchlike"

I stand by my statement that it seems acceptable for people in tech to not know history. Without checking the exact date I think you're about a quarter of a century out.

Doctor Syntax Silver badge

Re: Yup, women are smarter.

When I see those statements I usually point out that "people over 50" (as of today) invented computers.

That's well over 50 given that I'm in my 70s and the first generation stuff is only marginally younger than me.

Biting the hand that feeds IT © 1998–2019