* Posts by Doctor Syntax

16426 posts • joined 16 Jun 2014

Rip up secretive patent royalty deals, says new tech'n'biz coalition

Doctor Syntax Silver badge

From whose point of view is this going to be "fair"?

Microsoft chief Satya drops an S bomb in Windows 10, cloud talk

Doctor Syntax Silver badge

Re: "He spoke about four pillars upon which this trust is built:"

"a change to Windows 10 such that the user can turn off all telemetry"

Even better - a change that removes the "telemetry" so there's nothing to turn off.

Doctor Syntax Silver badge

Re: "why not try for devotion?"

"security value at an acceptable privacy cost."

Given that most of us view privacy as one of the reasons we want security or, perhaps, that privacy is part of what we understand by security, this has to be an oxymoron.

FCA paves way for cloud computing in UK financial services

Doctor Syntax Silver badge

'Cloud customers should also be aware that they may not be able to control where data is stored and that sub-contracting arrangements may exist without them "initially realising", it said.

The draft guidance outlines ... and ensure regulators have effective access to data.

...

One of the recommendations the FCA made was for financial services companies to determine whether their cloud contracts are governed by UK law and subject to UK court jurisdiction. It said that even if it is not those cloud customers must ensure that they, their auditor and the FCA have "effective access" to its data as well as the cloud provider's "business premises".'

Given the premise in the first paragraph the other points seem likely to be difficult to achieve. In particular there'd be a need to ensure other court jurisdictions (other than higher EU courts) don't try to push their noses in and that other organisations don't have access to the data.

'It said companies need to have an "exit plan" that is "understood, documented and regularly rehearsed" which allows it to come out of outsourcing arrangements "without undue disruption to their provision of services, or their compliance with the regulatory regime".'

And one that will still work when the cloud operator's administrators walk in?

TalkTalk boss on Joe Garner exit, Virgin Media support for Openreach and THAT attack

Doctor Syntax Silver badge

"We asked the TalkTalk boss what she had made of Virgin Media's chief Tom Mockridge recently coming out in support of Openreach remaining wedded to BT."

Was that really the best question you could have asked her? How about "Shouldn't the next head of a telecoms company like Openreach be someone with an engineering background rather than another banker?".

Google wants to add 'not encrypted' warnings to Gmail

Doctor Syntax Silver badge

Re: Yeah, right.

" It needs to be baked into the mail protocols so that encryption is the default. It would need to be phased in in a backwards compatible manner

You've already got that. SMTP already supports the STARTTLS verb"

But that's only encryption in transit. AIUI what Eugene was looking for was PGP to encrypt the message end-to-end so it would only be readable by its intended recipient. And, of course, there would also be the possibility of signing it to verify the sender.

The impediments to this are (a) if your correspondents aren't set up to use it there's no point setting it up for yourself so almost nobody uses it and (b) as Pascal says, it needs an infrastructure for the public keys.

As I see it the solution for that would be to revise the protocol to build in message encryption rather than making it an add-on. It would need to be rolled out in stages so that in the interim stage new versions of clients would prompt users to set up their key-pair and make use of keys where both ends had them set up but after a given date email to a user who didn't have a key would require specific user approval followed by an end stage where unencrypted email wouldn't be supported.

Doctor Syntax Silver badge

Re: Yeah, right.

I don't think it's a matter for Google alone. It needs to be baked into the mail protocols so that encryption is the default. It would need to be phased in in a backwards compatible manner but at some point the existing SMTP would be deprecated and any lagging clients & servers would find themselves shut out.

What Google needs to do is start pushing RFCs for this. Except I'm not sure Google would be the best party for this. They're likely to want something that would end up with plain text on their servers so they can scan it.

Ex-GCHQ chief now heads up infosec firm's advisory board

Doctor Syntax Silver badge

If I've understood this PR speak correctly what they plan to do is rebuild the attachments with any nasties removed. But if a file's only purpose is to hide the nasty & persuade the victim to open it, why bother? Just throw the file away.

Trouble brewing as iThing coffee machine seems to be hackable

Doctor Syntax Silver badge

Presumably all this wifi enabled stuff, routers, kettles, webcams or whatever, has to have FCC, UL & a stack of other approvals. That provides a chance to introduce a very simple rule. When first installed factory settings only make provision for setup. Only when it's been configured to at least some degree of security does it start to route, boil water, show pictures or whatever.

Doctor Syntax Silver badge

Re: Pot, kettle ..

"Idiots make these things and other idiots buy them."

Second part right, first part wrong. If you know you're selling to idiots it's common sense to put as little effort as possible into making the thing. Why do more work if it doesn't improve sales?

No, the EU is not going to make hyperlinks illegal

Doctor Syntax Silver badge

If companies choose to put stuff on the web without understanding how it works then they've got nobody to blame but themselves.

Drop the obsession with Big Data, zero days and just... help the business

Doctor Syntax Silver badge

Bingo

"infused priorities switch towards supporting the business"

Infused priorities switching?

TalkTalk hired BAE Systems' infosec bods before THAT hack

Doctor Syntax Silver badge

Same old same old

"TalkTalk takes cyber security extremely seriously and we have increased investment in this area by a third over the last three years"

1. Increasing expenditure by a percentage is only meaningful if you say what the previous expenditure was. And even so....

2. It's not the inputs that matter, it's the outputs, in this case the security of the systems.

And that's ignoring the usual ritual "we take it very seriously".

Do these MBA types actually believe all this stuff they spout or does it just flow from textbook to mouth without passing through the brain?

Microsoft rolls out first 'major update' to Windows 10

Doctor Syntax Silver badge

Re: Why is an OS update changing my applications?!

"You could not make it up."

Far from it. It's common to large organisations of all kinds. They are unable to learn from experience. The people involved in one cycle might be badly burned enough to learn but next time round they've gone on to other employers or left to spend more time with their money. There's no mechanism which records "we don't do that because..." so a whole new lot of people come along to make the same mistake.

Of course there may well be people in the organisation who do remember but they're in pay grades which rate their knowledge as irrelevant.

Doctor Syntax Silver badge

Re: Oh yeah, enterprise, almost forgot about them...

"I really don't understand Microsoft on this."

It's not difficult to understand. Enterprise doesn't want untested software so the little people get to be beta testers. It's not enterprise coming second, it's non-enterprise clearing the minefield first.

Doctor Syntax Silver badge

Re: Work In Process

"Thus W10 will act more consistently like a very late beta/release candidate over time; which is the nature of rolling release Linux distros."

AFAICS that was the plan for the consumer versions. The business versions get the fixes after the beta testers have checked them out. They've learned from Red Hat/Fedora.

Doctor Syntax Silver badge

Re: Work In Process

Software is usually work in progress and people sneer at it for not being finished. When it stops being work in progress it gets called legacy & people sneer at it for not being new shiny.

Doctor Syntax Silver badge

DNA based login

PostgreSQL learns to walk and chew gum

Doctor Syntax Silver badge

Re: MySQL versus PostgreSQL comparison

"MySQL will make smart guesses about what you mean"

In my book this is a bad thing.

Your taxes at work: Three hours driving to turn on politician's PC

Doctor Syntax Silver badge

Back when ATX PSUs, Win95 etc were new I was just leaving the client's premises for the night & got waylaid by the MD - or maybe he was just the FD back then. His PC wouldn't shut down either by software or the power-button-that's-not-really-a-power-button-but-just-sends-an-interrupt-to-the-motherboard-if-it's-listening. That sort of thing happened back then. Windows PCs weren't really my thing except that Windows was good for lots of Telnet sessions to the Unix box. But I wandered over to take a look. As he said, it wouldn't shut down from the button or anything else and you can't do "shutdown -g0 -i0 -y" on Windows. So I just leaned over & unplugged the mains from the back. Cue a silent "why didn't I think of that?" expression.

Doctor Syntax Silver badge

Re: Really - there wasn't a cleaner or anyone else in the building...

Maybe a good engineer would have pointed out that it should have been "We mere mortals".

BOFH: We're miracle workers. But you want us to fix THAT in 10 minutes?

Doctor Syntax Silver badge

Re: Last minute

"a small computer company called SCO"

You mean a small litigation company. I think by that time they'd mostly lost sight of being a computer company.

Ex-competition watchdog and TalkTalk adviser calls for Openreach split from BT

Doctor Syntax Silver badge

Re: why oh why?

According to the article he's ex-head of the Office of Fair Trading so maybe he's advising them on the fair way to deal with customers who want to leave.

German ATM displays bank’s network config data to infosec bod

Doctor Syntax Silver badge

"Bank Sparkasse has reportedly pushed out updates that fix the issue"

Presumably they became vulnerable again during the update.

IT contractors raise alarm over HMRC mulling 'one-month' nudge onto payrolls

Doctor Syntax Silver badge

The problem is that HMRC is staffed by salaried people with secure employment contracts. They've designed an income tax system for salaried people with secure employment contracts because that's what they understand. I have a slight variation on this which might help here. Firstly everyone pays income tax on receipts which is what HMRC want and understand. We then treat security of employment as a benefit in kind and tax that. BIK is also something HMRC understand so they shouldn't have a problem with that. Because part of the tax is being collected as BIK the tax on income can be at a much lower rate than at present. It works out reasonably equitably. Zero hours contracts have no security at all so they have no benefit. A contractor on a 3-month gig with an easy termination rate will have some security so they pay more tax than the zero-rate.

It shouldn't raise political problems. MPs should like it, they have a 5-year fixed term contract with no guarantee of renewal so their benefit is also limited. Ministerial appointments such as the Chancellor's are essentially at the whim of the PM but usually there isn't more than one reshuffle a year so this can be taken as a 1-year rolling contract so the cabinet would approve.

Really secure jobs provide the largest benefit so they have to pay more tax and, for this to be tax neutral, the overall tax paid by those holding such jobs would end up more than is paid at present. The unfortunate side effect of this is that HMRC staff would end up paying much more than they currently do. However, as this is the consequence of a fairer tax system I'm sure they wouldn't mind.

Doctor Syntax Silver badge

Re: I'm sure I'm missing something but...

"Your not contracted to them now (mostly), you're contract is with your agent"

They'd probably weasel themselves out of the way.

Doctor Syntax Silver badge

Re: @Ian 45: Long overdue

"I look forward to your hopefully lucid replies..."

That would be a lot different from his original post. Don't hold your breath.

Microsoft capitulates, announces German data centres

Doctor Syntax Silver badge

Re: UK customers?

"But even if it did do you really think that the Home Secretary and minions will not be making a MITM attack as soon as it goes live?"

That's the problem with any country whose govt doesn't grok privacy. It'll probably need someone to take them to the ECJ. I think we'll probably see a few iterations of that before govts. start to get the idea.

Doctor Syntax Silver badge

The first of many

The use of non-US intermediaries has been on the cards for a good while now. Customers are starting to be concerned about security from spying, hence the appearance of end-to-end encryption, Google pushing for HTTPS everywhere and so on.

The Irish access case has been a wake-up call for MS who must have been thinking about it since before the ECJ decision on Safe Harbour. The only surprise is that they now seem to be looking at establishing data centres to serve individual EU countries rather than just setting up a fire break for the Irish operation. Given the amount of time they've had, however, they've probably taken a lot of legal advice as to the best way to achieve their objective under German law. They may take different approaches in other countries.

I think we'll see other US corporations looking at similar solutions. There's been a window of opportunity for EU companies to get a slice of the action as well. I hope some of them take it.

Doctor Syntax Silver badge

Re: Good job...

"are unable to lie to their customers"

AIUI they are required to lie to their customers. That's part of the problem.

Doctor Syntax Silver badge

Re: UK customers?

When the details of the UK data centre are revealed I wouldn't be surprised to see something similar, at least in principle. As I've written here a number of times since the MS/Ireland case started, it's the obvious solution - set up a legal firebreak. A franchise operation is the one that comes to mind but presumably the trustee arrangement is one appropriate to Germany.

As MoD are being talked about as an initial customer for the UK site it seems likely that they've looked at what's proposed. Unfortunately they might be comfortable with an arrangement that gave GCHQ access so it might not be ideal for everyone else. If I were in a business looking for a secure hosting company I'd still be looking at Switzerland as a preferred location.

Doctor Syntax Silver badge

Re: How is this different?

"MS could do something similar by spinning off their Irish datacenters as local businesses except that might unravel a lot of their current tax avoidance schemes."

I doubt it would unravel it by much. The obvious approach would be to have an Irish company, not owned by MS - repeat for the hard of reading NOT OWNED BY MS - as the intermediary operating as a franchise. Franchise operations seem to have worked pretty well for Starbucks as a mechanism for handling tax avoidance. I'm sure MS can find a few lawyers not too far from home who can advise them on such details.

Doctor Syntax Silver badge

Re: How is this different?

"What's to stop the US government simply forcing Microsoft HQ in the US to hand over all the data anyway?"

RTFA!

Big Bang left us with a perfect random number generator

Doctor Syntax Silver badge

Re: How random is random?

"These days it's common to use the thermal noise generated by a zener diode"

Yup. Reading the article it seemed likely that they could have dispensed with the dish bit of the radiotelescope & just used the noise of the input stage of the amplifier.

Got a time machine? Good, you can brute-force 2FA

Doctor Syntax Silver badge

Re: This might be useful

"More likely your gadget doesn't know what time it is."

No, more likely my bank!

Doctor Syntax Silver badge

This might be useful

The only time I had to use my bank-provided 2FA gadget it didn't work. I can only assume that my bank doesn't even know what time it is.

UN privacy head slams 'worse than scary' UK surveillance bill

Doctor Syntax Silver badge

Re: "Reading is fundamental" too....

"ISP's have to log activities because YOU voted for the idiots who made that a law that they collect the info."

Dunno about your environment but here the effective choice is between two parties each of whom will put either such an idiot into the Home Office or at least one who will promptly go native.

Boffins teach Wi-Fi routers to dance to the same tune

Doctor Syntax Silver badge

"Frank lives in a Faraday cage so no use to him either"

OTOH if Frank lives in a Faraday cage there's not a lot of interference between his network and the neighbours.

Doctor Syntax Silver badge

"an FM baseband receiver that's either lying unused in a device, or could be cheaply added to it."

Oh yes? Here's a device without an FM receiver. Now how do you propose to cheaply add one? Soldering iron, piece of twin-flex & a cheap tranny? Or is "add" an abbreviation for "throw it away & buy a new one"?

Most developers have never seen a successful project

Doctor Syntax Silver badge

Re: Success is whatever you define it to be

"You deliver what the customer asked for, but that's not usually the same as what the customer wanted."

Which in turn isn't what they eventually discover they needed.

Doctor Syntax Silver badge

Re: But... Linux isn't finished yet

Software development is the process of launching a product into the maintenance phase.

Doctor Syntax Silver badge

Re: Needs just a tweak.

"On civil construction / arquitecture[sic], normally, the project is sucessful when the building stands the test of time (aka doesn't fall due to structural flaws)."

The ratio of design to physical construction phases is very different.

The civil engineer/architect team draws up a design & then hands it over to the construction contractor who in turn hands over the direct labour to the brickies, sparkies, plumbers etc. but a good deal of the detailed design to the host of manufacturing companies who make the bricks, the cement, the screws etc. (and good old nature which has been in the wood making business for millions of years).

In software the physical construction is trivial. The design team is responsible for a much higher proportion of the work. Where pre-built components (libraries) are available the effort needed by the design team in understanding their interfaces is much greater (how complex is the interface of the common house brick?).

There is also a difference in the regulative environment. The building client can't decide that proper lintels, electrical insulation and ventilation aren't needed but nobody will stop the software client deciding to forego proper encryption or sanity checks between the web front-end and the database.

TalkTalk boss: 'Customers think we're doing right thing after attack'

Doctor Syntax Silver badge

I posted a comment under the T-Mobile/Experian report to the effect that one solution to dealing with major corporate failings would be that adopted after the Apple ebook pricing case: the appointment by TPTB of a competent, independent auditor/inspector to be paid for by the company. The role would be to investigate thoroughly and require any remedial action. I'll extend that idea to include vetting any statements made by or on behalf of the company during and after the event and to correct them and censure the spokesperson where appropriate.

Doctor Syntax Silver badge

"some customers had initially attempted to kill their contracts immediately after TalkTalk revealed it had suffered a security breach, only to apparently change their minds"

s/apparently change their minds/be threatened with penalties/

T-Mobile US megahack cost Experian $20m, class actions coming

Doctor Syntax Silver badge

Maybe the way to deal with this would be similar to the conditions imposed on Apple after the ebook pricing business. TPTB impose an auditor who the company has to pay for who can go through everything they consider relevant to the issue - in this case security - to ensure appropriate action is being taken.

TalkTalk to swallow £35m ‘financial impact’ after attack

Doctor Syntax Silver badge

"But you can bet that once it happens, I'm out of there."

Why wait? When the sale of Be to Sky was announced I just upped & left.

Doctor Syntax Silver badge

Re: "TalkTalk takes the security of customers’ data extremely seriously"

This is a statement, devoid of meaning, ritually uttered by any large company run by marketeers. Its antiphon is "Your call is valuable to us".

Doctor Syntax Silver badge

"we're not waving exit fees"

They seem to be waving exit fees at anyone who wants to leave. They're not waiving them.

Doctor Syntax Silver badge

Re: CEO

"She chose not to give a meaningful answer."

This seems to be her standard MO.

Tim Cook: UK crypto backdoors would lead to 'dire consequences'

Doctor Syntax Silver badge

Re: Weak crypto

@A/C

I think things are more nuanced than you imply. For a start some of the problems we've seen recently were implementation problems, Heartbleed for example. Then there's the question of computational resources and message value & currency.

Consider, for example, that an announcement is due to be made tomorrow which will affect a company's share price. If you could get the content now you could make a killing, but if the message is encrypted with a system that would take you until next week to decrypt then you won't get any benefit. If it used a system you could decrypt in the next minute you could. According to your definition both would be broken but one is strong enough to do the job it's used for and the other isn't.
