"Any parent should know that a three-year-old's reach is much bigger than you'd think..."
It might be much bigger than you'd think. I think bigger.
16426 posts • joined 16 Jun 2014
"what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking"
There's a simple answer to that. DON'T DO IT.
Apart from any immediate security issues there's the longer term one. If email purports to come from one organisation but actually comes from another you're training recipients to blindly trust that it is what it purports to be. In short, you're training them to be phished.
We really need to have signing as a required part of the email protocols. No wonder email isn't secure.
"and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer."
It must be a bad argument! The consequence would be anybody who feels they really must have access to them will photocopy them and then there'll be uncontrolled copies around the place. Uncontrolled because there'll be a ban on copying them so all the copies will be sub rosa.
"Is the recipient authorised to receive it?"
It goes far beyond that. Once it's gone it's out of your control. The recipient may be authorised to receive it but how do you know they won't: show it to colleagues who aren't? Print it out and leave it lying about? Keep it on a laptop left lying on the back seat of a car in central London?
This doesn't just apply to email. On my last permie job the vendors of a new warehouse management system said they would need access to the network and it was decided to simply hand them some 2FA device. So the whole company network was now accessible to whoever had this device and the relevant instructions - which were probably written on a label tied to it - and completely beyond our control. I left before the whole thing had gone live so never found out how it turned out.
And, in my opinion, if it's humorous enough (a user once reported the loss of his expensive pager to my team as “We think my three-year-old put it either in the bin or down the bog”) then that's fair game.
No it isn't. Any parent should be aware of keeping important stuff out of a three-year-old's reach.
It seems all too likely that if Nest/Revolv get away with this one others will try it too. Once the money's been taken all those customers are just so many nuisances.
Alternatively you might wonder if Revolv's intended product was the users. If that was the case then it might indicate that the market for that product wasn't sufficient to make the business viable. That might suggest that other businesses run on those lines could be in trouble too.
I can only respond to this from my own experience which, admittedly, is now many years ago and from before the privatisation of the old Forensic Science Service:
"Yes, that's the scientific method. Police method is one of the following:
1) Look for something to prove what we've already decided. Ignore anything else."
Evidence was usually collected by SOCO trained by us or by the police surgeon as appropriate and occasionally by a scene visit from the lab. It was then examined along exactly the lines I laid out which I can summarise as: "This appears to support the allegation. Let me try to disprove it".
"2) Find a likely suspect, beat them round the head until they confess to whatever you want."
If this was alleged scene investigation would be by a forensic scientist from the lab, not by SOCO.
From experience I can tell you it's a complete pain searching for possible splashes of blood on the walls of a cell treated with anti-graffiti paint which consists of flecks of different colours.
Bear in mind that allegations are made by people with something to gain. I had one instance where it was alleged a suspect had been hit with a brush handle so hard it broke and, indeed, a broken brush handle was produced in evidence. Direct experiment showed that however hard one hit a pig carcase a similar handle couldn't be broken but if the end hit a floor or wall it would break. Nevertheless the end of the broken handle had fibres which matched clothing from the complainant. The complaint was exaggerated but it seemed likely that the complainant had been poked with the broken shaft. I don't know what the outcome was but in the past there'd been 2 or 3 junior detectives whose names I didn't know hanging about on the fringes of investigations in that division and who I never saw after that.
My experience was that the senior levels of the force wouldn't tolerate that sort of behaviour whether as a point of principle or from a practical point of view in that it could lead to a case being lost in court if it even got that far. One consequence was the introduction of CCTV in interview rooms.
Self harm by prisoners in cells was one problem. And I'm quite convinced that police cells are not the right place to house comatose drunks; there's not enough resources to monitor them continually and so they're at risk of choking to death on their own vomit. I don't know what the solution is there because A&E certainly won't want them.
Let's go back to basics and remember the scientific method. You have a hypothesis (there's been a crime and chummy committed it). You then test the hypothesis based on evidence that you've obtained (crime scene investigation), specifically you try to see if the evidence can disprove the hypothesis. The more the hypothesis can withstand efforts to disprove it the more it can be relied on. Clearly the evidence used to test the hypothesis should not include the evidence that led you to formulate it.
Some sorts of evidence are better than others in this respect. Take the ABO blood group system. AB, as far as I can remember, is found in 10% of the population (A, B & O are present in greater percentages). So if there was an AB blood stain recovered from the scene and thought to be from the culprit 10% of innocent people would match it. This means that ABO on its own isn't a very discriminating test (in pre-DNA days ABO was combined with blood enzyme polymorphisms).
At present DNA is the form of evidence that has the best discriminating power. It is, therefore, not a good idea to use DNA to form your hypothesis as to who might be guilty unless you have to; it means you have to look for other, less discriminatory lines of evidence to test it. If I were a juror and it became clear that a DNA database had been used to identify a suspect I'd look to the rest of the case as the sole probative evidence.
Apart from discriminating power there are two other things that matter in forensic science.
One is sensitivity - how small a sample can give you results. This matters because the material from a scene or exhibit is often no more than a trace. DNA is very sensitive.
The other is contamination. It's no use spending time examining material unless it's relevant to the crime. In this respect sensitivity works against you. If the method is sensitive it's more likely to pick up contaminants. This is why DNA as a source of a hypothesis should be supported by other evidence.
BTW the contents of your vacuum cleaner will approach 100% contamination and should be discounted entirely.
"If there's a bypass that will grant access to data without entering the passcode, then the encryption isn't as strong as it's claimed to be, is it?"
There's a difference between the strength of encryption - algorithms & key lengths - and the effectiveness of its deployment.
The more directly a system is aimed at consumers the more likely it is that deployment will be tailored to the convenience of the user rather than the inconvenience of the attacker.
"Not because it's an evil conspiracy, but because it doesn't contain a demos. There is no homogenous electorate, and so even if the European Parliament did have proper power, it still wouldn't work that well."
Even worse. Since the UK vote in the '70s all the treaty revisions have gone through virtually on the nod. Hardly any country has been given the chance to hold a referendum on what were, in fact, constitutional changes. And what happened when Ireland was given a chance to vote on the Lisbon treaty was hardly a ringing endorsement on the role of democracy in the EU. Referenda should have been held to endorse or otherwise the treaty revisions. The new treaties might have been different if the negotiators had been aware that they'd have had to face their electorates.
On the whole I'm in favour of staying in the EU but it has built up a huge democratic deficit over the years and I wouldn't be surprised if "leave" were to win.
"Yeah, the EU is great at caring for the populace! It must have just been a mistake when they deliberately crippled the Greek economy last year, in order to screw them down in some particularly unpleasant negotiations, plunging the country back into recession. Funny definition of caring..."
An unfortunate but inevitable consequence of suspending disbelief to admit Greece to the Eurozone in the first place. Disbelief can be suspended - reality is a different matter.
I'm not against the idea of a core without extensions but it would have to be smaller than the present core, not bigger. It would have to be small enough to be safe - i.e. a remote display platform, not a remote execution platform and web sites need to adapt.
However the original concept of the web is now so seriously broken that I can't see how it can be fixed. Any browser attempting to go back to an intrinsically safe core would break so many sites it would be rejected by users. The browser authors should have said "no" when the first requests to subvert the original concept came in and they should have kept saying "no".
1. Was this disclosed to the extension authors with sufficient time for them to produce fixes? If not it's an irresponsible disclosure.
2. Is this a vulnerability which can be exploited by simply browsing a malicious site or does the user have to be tricked into doing something active?
3. If the latter what should we avoid?
And today we learned that massivelySerial hasn't realised that ABP has a facility to turn off whitelisting.
I looked at uBlock. It blocked more than ads. Specifically it was blocking the videos of weather forecasts on the Beeb's site. It was removed forthwith & ABP was back with whitelisting turned off.
"I haven't heard of NoScript before, yet it has 2.5 million users? A quick search says it's in the Tor browser bundle, so they will be Tor users."
Where did you search? If you use your browser's search for extensions options you should find it there. Tor might bundle it but lots of us use it without using Tor. I'm surprised the count is as low as 2.5 million. You seem to have much to learn.
"If they need Windows, why would they not want the updates?"
You've never heard of an update (for any OS) breaking things?
You've never heard of people holding back applying updates until they're reassured by the absence of bad reports? In the new world of W10 you only have a limited option to do this. The rest of the users are sent out across open country to discover the hard way whether there's a minefield there or not.
"I remember speaking to a corporate IT at a bank a few years ago. He told me that Windows 7 was the last they expected to provide and support with a shift to BYOD by 2018."
Which bank? I want to avoid them. As a freelancer I could provide my own kit but in a security-conscious client it wouldn't be allowed. I'd have hoped banks would fall into that category.
'Let me see. My private/BYOD "Notebook" is a Lenovo Helix (A-series). If I put a Linux on it I will lose:
+ Use of the WACOM hardware (Linux drivers are "early beta" IF they exist for the chosen Distri)'
Wacom tablet works just fine for me on Debian Wheezy/LTS.
"From an engineering point of view it's efficient to move as much of the processing as possible to purpose-built servers that can serve many clients as possible, rather than each customer having to have a standalone computer at their house which would need to be automatically patched etc."
The web works on the opposite principle by having the customer provide a remote execution platform, with all its attendant risks, rather than a remote display platform. Two examples of doing it wrong even if the wrong things are the exact opposites of each other.
"FreeBSD is seriously lacking in desktop support... PC-BSD is trying to bridge the gap"
I haven't cut over to FreeBSD as yet because I've a few things to check out first & other stuff keeps getting in the way whilst Debian LTS is able to keep a non-systemd system going a little longer. But I ran KDE, LibreOffice etc on it without noticing any particular differences. I suppose if I lusted after Gnome 3 things might be different...
One thing I have noticed is the lack of the equivalent of Synaptic for S/W management. Yes, the modern package management is comparable to apt but the advantage of Synaptic is that you can make a keyword search where you know the functionality you want but not what supplies it. Having to go via the website to look for packages is a bit half-arsed in comparison. PC-BSD sets out to fix that but I found its entire package management system to be such a CPU-hog that I gave up on it.
My impression is that Linux started out with considerable usability issues back in the '90s but picked up a lot of effort to polish it. There were major glitches - the 2.4 to 2.6 period broke a lot of pre-compiled S/W (it might have been libc6 that was actually responsible) and certainly leaves me with the impression that the overall Linux ecosystem has more devs who don't mind breaking stuff than is comfortable. Overall Linux has gained an edge in usability but platform-independent stuff at desktop and application level means that the edge isn't that great. What's an interesting question is whether people moving over from Linux, prompted by systemd, will erase that edge altogether.
"I must re-read the manual, because your tale suggests it isn't clear enough which is never a good thing IMHO"
On the whole the FreeBSD manual is pretty good. I did discover a weakness in that, unless they've fixed it, installation doesn't offer an option to make the system you've just installed bootable and this isn't addressed by the manual. If you can't boot your new system the rest of the manual, however good, isn't much use. StackOverflow to the rescue.
'the Richard Heads don't understand "You can have it cheap, you can have it right, or you can have it now. Pick any two"'
Definitely. I remember some course organised at corporate level but by chance one of the facilitators/instructors/wankers/whatever was a senior manager from the business I was in. He was spouting about having quality, low costs and rapid delivery. I raised the concept of the iron triangle. Not only had he never heard of it, he just didn't believe it.
"SLAs mean very little. What counts is actual performance."
True. If your work is on someone else's computer and that someone else is N times larger* than your company and something goes TITSUP what priority does your problem get from that someone else compared to the priority it would get in-house?
*Where "N times larger" is measured in orders of magnitude.
"Quite often, the PHB has been trying to accomplish something for a decade or more."
And failing to explain exactly what they want, to furnish the same attempt at explanation more than once or to answer questions as to the little details they omitted. Not that any of these things will stop them trying to do something themselves nor from expecting someone else to sort it out a few months down the line.
"I'm pretty sure the /apps/ per se aren't being written in COBOL and Oracle Server. Are they somehow including the backend all the way back to the mainframe as well?"
I also did a double-take on this one. I suspect they're just talking about the applications that run in the data centre but someone trying to be trendy has called them "apps".
"Code spends most of its life in maintenance, so anything that makes things clearer is a good feature."
And it was always thus. You know that, I know that, so, in all probability do most readers of elReg. So why do the Continuous Lifecycle mob treat it as something they just invented?
They've been trying to diversify away from Windows as the cash cow for a good while. Services seems to be the general idea & it's true that they've been thrashing about with different ideas for that. One was Windows with Bing as a give-away to try to get people to use Bing. W10 as a free update to draw in users-as-a-product was another. But it looks like Azure is the main thing and as customers want to use Linux on Azure then they have to get into that irrespective of what's gone before. I think they've finally realised if you can't beat 'em, join 'em.
Nevertheless I'd still beware the gifts they bear.
a "Macintosh way" for designing programs in a consistent manner so that users could concentrate on what they were doing, rather than how they were doing it.
When the Mac was first released there was an article in Byte about Apple's extensive usability testing. As they were growing rapidly and taking on office staff they had a steady supply of recruits who'd never seen the interface, and maybe no other computer interface either, so each iteration of the design could be tested on subjects who had no preconceptions. It was from that testing that the importance of principles such as consistency emerged.
A few days ago this emerged - http://fossforce.com/2016/03/usability-study-gnome/
Look at the 2nd item on things that could be done better: consistency.
I started off with "Mac vs Gnome" as a headline but that would be unfair to Gnome (says he through gritted teeth) as it was simply the test system in this particular study. A third of a century has rolled by and we can still have criticism like this emerging from usability studies! And is it any wonder when we have "user experience" designers who prefer style and novelty over consistency and functionality?
"Just having a warrant canary in the first place seems to be close already (sad to say)."
Maybe, given that it requires a specific statement. However, an alternative occurred to me as I was typing the comment about the vulture. Why not simply put a picture of a canary in the site's banner? No need to say what it is, people will just get the meaning PDQ. It could be removed instantly but given that its meaning would be implicit it would be difficult to bring about a prosecution. After all it would just be a picture of a canary. The only problem would be that people would confuse it with the twit's bird.