Posts by Drew Scriver

49 posts • joined 28 Sep 2017

F5 Networks buys into open source, hands over $670m for Nginx! Double Nginx! Infinity Nginx!

Drew Scriver

Re: Oh Joy...

I've managed BIG-IPs since the days of v4. While tech support has at times been somewhat of a challenge, I cannot recall a single instance where I was told by Tech Support to go to DevCentral.

Secret mic in Nest gear wasn't supposed to be a secret, says Google, we just forgot to tell anyone

Drew Scriver

Re: Don't be........

Your approach is due diligence in my opinion, but have you considered that a speaker could double as a microphone?

Facebook didn't care if your kids ran up gigantic credit card bills – lawsuit

Drew Scriver

Re: Yuk

Zuk can't do anything without the billion or so people who have signed up for the service.

Every single one of them agreed to Facebook's terms. Before someone starts making the point that the average person can't understand the Terms or doesn't bother to read them and thus cannot be held responsible, consider what would happen if one were to suggest that people who can't understand laws, (inter)national affairs, economic concepts, and politics should not be allowed to vote...

Drew Scriver

Re: Is there a scammier corporation

The world would be a much better place without Facebook et al, but let's be honest; people agree to their Terms of Use in hopes of getting stuff "for free".

Drew Scriver

Re: Returning digital goods?

I'd have to disagree, presuming that the company does not know that this is a minor using a credit card without permission.

The responsibility, IMHO, lies with the parent(s).

1) How is it that the children are able to transact business without them noticing?

2) How is it that the children have access to the parents' credit cards?

At some point parents/consumers need to take responsibility.

Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows... Yup, it's day 20 of Trump's govt shutdown

Drew Scriver

Re: Operational Incompetence

Oh man... and the scary thing is that it's probably worse than what you're describing.

Drew Scriver

Re: Operational Incompetence

Hmmm... good points.

Drew Scriver

Re: Operational Incompetence

Wonder why they're not using Let's Encrypt. Given that they're already using Go Daddy certs it can't be argued that they can only use top-tier (and expensive) CAs like NetSol.

With Let's Encrypt the renewal process can be fully automated.

Maybe not attractive to our public servants since it lessens our dependency on them?

Americans are just fine with facial recognition technology – as long as they get shorter queues

Drew Scriver

Once it's implemented hardly anyone will object

Proof: how many travelers exercise their right to bypass the "naked scanners" at airport 'security' checkpoints?

Senator Wyden goes ballistic after US telcos caught selling people's location data yet again

Drew Scriver

Re: Oh the Irony!

But did John Legere really lie?

"I’ve personally evaluated this issue & have pledged that @tmobile will not sell [we may trade it or give it away] customer location data [does not include other markers like SSID neighbors] to shady middlemen [i.e. any other type of middleman is fine]."

Oregon can't stop people from calling themselves engineers, judge rules in Traffic-Light-Math-Gate

Drew Scriver


Microsoft Certified Systems Engineer...

There. Now it's official.

O little town of Bethlehem, Georgia. How still we see your internet lie... US govt throws another $600m at rural broadband

Drew Scriver

The Obamacare web guys are at it again?

Maybe the Obamacare website contractor was awarded the contract?

Just checked the USDA's ReConnect web site. It rivals my rural broadband options - nothing...

Eligible Service Area page: blank

Then this. From the press release:

"To help customers with the application process, USDA is holding a series of online webinars and regional in-person workshops. The full list of upcoming public webinars and workshops can be found at the ReConnect Program’s resource portal at reconnect.usda.gov. This website is best viewed using Chrome, Firefox, Safari, or Microsoft Edge."

So I happily checked, and found:

No events to show Dec 2018

No events to show Jan 2019

No events to show Feb 2019

No events to show Mar 2019

No events to show Apr 2019

No events to show May 2019

No events to show Jun 2019

I'm using Chrome, so that can't be it. Ha!

On to the page "Keys to Success". No success, I'm afraid, as this too is a page without content.

Alright, Scoring Criteria then. Ah - you guessed it - another blank page. Score: 0. F.

Oh goodie - a mapping tool! Let me check if my area is covered! Er - it just says "Introduction to Mapping Tool". No map or tool, I'm afraid. I'm lost.

Maybe I should have checked the "Eligible Service Area" page. Guess a map was too much to expect. Alas, blank. No service. Just like our broadband options.

Well, let's check if we're eligible. On to the "Who May Apply" page. None of the information applies since there isn't any...

I'm afraid to check out the other pages...

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

Drew Scriver

Trust us...

Rest assured, the authorities will never abuse this new right. They have earned our trust. Good thing Aussie authorities aren't like their US, French, or Dutch counterparts.


"Chicago cops took bribes to share crash report details with attorney."

"Two Chicago Police officers charged with stealing cash and drugs."

"Galveston police officer arrested on felony organized criminal activity charges."

"Wilmington Police officer has been caught on the wrong side of the law."

"A police officer has been given a final written warning after she admitted accessing and sharing information about a case she was not involved in."

"What do a police chief, a reverend, and a lawyer all have in common? They’ve all been caught in recent years improperly accessing or sharing information from Massachusetts’ restricted database of criminal records."

"The Henry A. Wallace Police Crime Database includes 8,006 arrest incidents resulting in 13,623 charges involving 6,596 police officers from 2005 through 2012, with more years of data to come. Nearly half these incidents, Stinson and his research team concluded, were violent."

US draft bill moots locking up execs who lie about privacy violations

Drew Scriver

Re: No "right to be forgotten"

The existing Consumer Data Protection Act bill does have counterparts in both the House and the Senate, so it would still seem odd to now introduce a completely different bill under an identical name.

Wyden is a senator, so I would expect his bill to be introduced there first - alongside its namesake.

Drew Scriver

No "right to be forgotten"

The draft seems to significantly differ from the GDPR in scope. Most notably, it does not seem to include a "right to be forgotten".


Oddly, there already is a bill with the same name (S.2188 - Consumer Data Protection Act/H.R.4544 Consumer Data Protection Act), also submitted by a Democrat. Poor coordination?

It's also a bit strange that there is no co-sponsor yet. Wyden isn't on the ballot this year, so it's unlikely that the release date is related to Tuesday's elections.


F5: Don't panic but folks can slip past vulnerable firewall servers, thanks to libssh's credentials-optional 'security'

Drew Scriver

Here we go again...

They're ADCs, not merely "load balancers", and yes, they still very much play a crucial role in today's fabric. Granted, many companies use them for little more than load balancing, but that's a whole different story. Kind of like using only the scissors of your Victorinox Champ and complaining how much the company charges for scissors.

It's a bit baffling that El Reg calls them "load balancers", but then again, whoever wrote the article also doesn't seem to know how the name of F5's main product line is spelled.

F5 stopped calling them load balancers over a decade ago. Gartner concurred. To top it off, the bug affects only the AFM-module. Load balancing is performed by the LTM-module...

Rather sloppy reporting.

US and UK Amazon workers get a wage hike – maybe they'll go to the movies, by themselves

Drew Scriver

What's the net benefit to workers?

According to Sanders, the goal of the bill is to eliminate government subsidies to workers due to low wages. A bit surprising since Sanders is on the far left of the political spectrum. He must be torn between sticking it to Bezos et al and doling out other people's money.

However, once the wages are increased to $15 an hour many workers will no longer qualify for many taxpayer-supplied payments from the government - exactly as intended by Sanders' bill.

While this is a good thing, the article misses the mark by failing to report whether the pay increase will in fact result in a (significant) net benefit for Bezos' army. I highly doubt it will.

What's Big and Blue – and makes its veteran staff sue? Yep, it's IBM

Drew Scriver

Providing goodies is sooo much easier than dealing with those unreasonable old folks...

"In fact, since 2010 there is no difference in the age of our US workforce"

Hmmm... context? Could this rather ambiguous statement mean that they purged older workers around 2010 and are now (8 years later) finding themselves with a new crop of old people?

Regarding older workers being more expensive, this might be true.

However, when was the last time you heard a Millennial or Snowflake complain about lack of planning, documentation, diagrams, standardization, best practices, proper security, and the like?

Just make sure they have their foosball tables, beanbags, and munchies. Much easier to deal with than demands for the aforementioned roadblocks.

US govt confirms FCC's broadband speeds and feeds stats are garbage

Drew Scriver

More loopholes?

Figured I'd look up my address at https://broadbandmap.fcc.gov to see how the ISPs are reporting on my area.

While it's accurate that only Verizon offers service (ADSL), there are two major misrepresentations:

1) Speed for my address is listed as 15 Mbps. However, VZ has capped my account at 3 Mbps. Since my house is the closest one in the neighborhood to the CO I actually have the fastest connection in the area...

2) Verizon no longer offers new contracts/connections in our area. This reveals another loophole in the FCC's survey, as they ask about current service - not if the ISP is offering service to new residents.

Time for another chat with my congressman...

In the meantime, I'll give VZ a call to ask how I can get that 15 Mbps connection they reported to the FCC...

Drew Scriver

Solution: crowd-source the coverage map

Since crowd-sourcing is all the rage these days, how hard would it be for the FCC to set up a website where consumers can plug in their address and indicate which companies serve their location and at what speeds?

Now THAT would generate a revealing coverage map...

Since Pai is unlikely to spend any of my tax payments on such a mapping site, maybe I'll create one myself...

Solid password practice on Capital One's site? Don't bank on it

Drew Scriver

SMS auth for poor/no mobile coverage

I too live in an area with poor cell phone reception, which does pose a problem for MFA. Although I wish more companies would add U2F keys (or even old-fashioned fobs), I have found that getting a Google Voice number works in most cases since SMS messages are forwarded via e-mail.

Non-profits push back against Big Cable's bumpkin broadband blueprint for America

Drew Scriver

Local governments often lack the required sophistication...

In the US, the lowest tier of geographic government is the county. Especially in the rural areas this can be a rather colloquial situation, although one gets the impression that they try hard to look official/important. The meetings can in fact be more formal than those of "the big boys".

Having said that, this often results in contracts with ISPs that aren't particularly suited to serving the local population.

From memory, the county I reside in (on the East Coast of the USA) has the following requirements:

ISPs wanting to provide service in the county should (not: must):

1) Service residential dwellings on rural roads if there are more than 20 houses on a linear mile.

[Comment: there is no requirement to start counting at the first house. Therefore, a two-mile stretch of road with 22 houses could be regarded as two one-mile stretches with only 11 houses each.]

2) Dwellings more than 300 ft (100 m) from the road are exempt.

[This is very common in many areas, exempting yet more areas]

3) Service does not have to be established if it would not be cost-effective to do so.

[There is no requirement for the ISPs to disclose their calculations or provide justification, creating yet another huge loophole.]

Of course the main ISPs are all too happy to agree to such a 'contract'. For now I have a 3 Mbps DSL connection. Our neighbors on one side (300 feet away) are getting 7 Mbps, but the neighbors on the other side are getting 1.5 Mbps. The rest of the road (another 30 houses along a 2-mile stretch) is out of luck. In addition, Verizon no longer offers new contracts in our area.

There's a Comcast subscriber about half a mile away who has 3 Gbps service, but running cable to our house would cost around $72,000.

It remains to be seen if things were different if the county had a real contract with the ISPs, but it is a fact that other counties (with more tech-savvy Boards of Supervisors) are able to negotiate much more meaningful services.

ABBYY woes: Doc-reading software firm leaves thousands of scans blowing in wind

Drew Scriver

"It's not lost - we still have the original files."

No data was lost to an unknown party during the exposure.

lost - lôst,läst

1. unable to find one's way; not knowing one's whereabouts.

2. denoting something that has been taken away or cannot be recovered.

None too chuffed with your A levels? Hey, why not bludgeon the exam boards with GDPR?

Drew Scriver

"Please erase all evidence of me and my poor grades..."

Does the right to be forgotten apply too?

Everyone screams patch ASAP – but it takes most organizations a month to update their networks

Drew Scriver

Fear and pride...

Management is commonly driven by (mainly) two factors: fear and pride.

Apply that combination to any project or service and the chances of success are greatly diminished.

Pride drives hasty releases ("Watch me meet deadlines!"), a preference for the latest-and-greatest ("I'm hip and modern"), results in jumping on the latest bandwagon ("Always ahead of my golfing buddies"), cutting costs ("See me stay under budget!") - you name it.

Fear drives hasty releases ("If I miss the deadline I'll be in trouble"), avoids patching ("I'm not going to be the one who causes stuff to break"), doesn't enforce standards and requirements ("The best conflict is the one avoided"), and so forth.

Many companies therefore have created an environment where patching is all but impossible. Rather than saying that compliant applications are a requirement, all app-owners, vendors, and the like have to test and sign off - and each has the power to halt patches, even if only one application out of hundreds might break if, let's say, SSL3 is disabled...

Of course, if they don't have the time (or knowledge...) to test their application they won't be able to sign off on the required patch, and fear then drives the decision to forego patching.

Fire chief says Verizon throttled department's data in the middle of massive Cali wildfires

Drew Scriver

Where will it end?

Where will it end? There was a statement that the contract with Verizon was sufficient for the FD, but it obviously wasn't. Emergency services commonly have overcapacity - most of the time the majority of their equipment sits idle. Why should this be different for service contracts?

Having said all this, the situation does give Verizon a black eye. Verizon ought to learn from this that they need to create dedicated accounts for customers that provide emergency services that are burstable.

And emergency responders ought to learn from this that services are not all that dissimilar from tangible equipment.

SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported

Drew Scriver

Reminds me of the (Australian?) bank that demanded that Qualys' SSLLabs stop returning results for their domain because they didn't like people seeing the rating (F).

Et tu, Brute? Then fail, Caesars: When it's hotel staff, not the hackers, invading folks' privacy

Drew Scriver

Caesar's policy doesn't add up

"[...] hotel giant decided that if someone has a do-not-disturb tag on their door for more than a couple of days, a search has to be made. In other words, if the maids can't be allowed in to clean up and clock any assault rifles and grenades, security guards will do the latter for them – whether guests are present or not."

According to the hotel the maids will not be going through the guests' belongings. However, that makes little sense as someone could simply hide their gear and allow room service to come in.

Also, the policy wouldn't catch anyone who manages to smuggle gear into the room before the deadline of "a couple of days". Paddock had a lot of gear, but could have done with much less. So "a couple of days" to avoid a "stockpile" is nonsense.

More TSA-like feel-good 'security' measures. Much less expensive than installing sensors on the window panes to detect someone breaking the glass, though.

Brit banks must disclose outages via API, decrees finance watchdog

Drew Scriver

Bank security litmus test...

Here's my litmus test to determine if a bank might truly care about security:

1) Is there a way for customers to report security issues, and

2) How quickly does a bank patch known issues.


As a customer I have found several (sometimes major) security issues with some of my banks. I have dutifully called customer service every time and it's always been the same: the customer service reps do not have a procedure to report my findings internally. My conclusion: the bank does not truly care about security.


Even though PCI-DSS should not be mistaken for a solid security policy, it does require that CVEs rated 4 and higher be patched within a month of the availability of a patch.

Remember POODLE, Heartbleed, et al? Under PCI-DSS these should have been patched within a month. However, many (major) banks took six months or longer - even though the public could see (e.g. through SSLLABS) that they were failing to do so.

Had these banks truly cared about security they would have had processes and architectures in place that enable them to actually patch in a timely fashion - at least the front end.

When's a backdoor not a backdoor? When the Oz government says it isn't

Drew Scriver

Just a ploy to circumvent the GDPR?

Unless governments find a way to get copies of the data before people exercise their "right to be forgotten" they are likely to find that the information they are after has been erased.

Kind of like hackers who delete/alter the log files to erase their tracks.

Could bills/laws like the one that's being considered in Australia just be a tactic to ensure they get around the GDPR?

Hackers manage – just – to turn Amazon Echoes into snooping devices

Drew Scriver

Hotels and... college campuses?

As troubling as it would be to have someone place rogue units in a hotel room and potentially access units in other rooms this way, what about college dorms?

The students tend to be on the same WiFi network, which was a requirement for this hack. I can imagine students either hacking a unit themselves, or falling for an ad for a free (used and hacked) unit somewhere.

Life is getting more and more complicated. If I were to encounter a digital assistant in my hotel room I would either unplug it or call the front desk to have it removed. College dorms are more problematic, especially since dorm rooms in the USA are generally shared with other students. What if your roommate insists on having these spy gadgets in the room?

Funnily enough, no, infosec bods aren't mad keen on W. Virginia's vote-by-phone-app plan

Drew Scriver

Re: Smartphone only voting???

The argument generally is that requiring an ID-card disenfranchises potential voters because of the cost and/or effort involved in obtaining an ID-card. Even making ID-cards available at no charge to low-income voters does not satisfy the groups that object to identification.

Usually the statement is that "Exercising a right that is explicitly guaranteed by the Constitution may not be hindered by cost or effort."

If this were the true reason for their objections we would be hearing calls for eliminating taxes, fees, waiting periods, and the ID-requirement associated with purchases made per the rights under the Second Amendment...

This inconsistency begs the question what the real motives are.

Drew Scriver

Re: Could I vote?

Very good point. Want to add that requiring voters to show ID is somehow too much of a hurdle/cost, according to a lot of people. Compare that to the voters in Iraq who stood in line for hours, risking their lives in some areas.

Having said that, even in the early days of the US (and before) it was common to manipulate the elections with sly tactics and alcohol...

Top tip? Sprinkle bugs into your code to throw off robo-vuln scanners

Drew Scriver

Interesting concept - but code and bugs should be separated...

As an application delivery engineer I dread the concept of introducing (lookalike) bugs at the code level.

However, it would be interesting to configure an application delivery controller (ADC) to respond to probes with bug-like 'features'.

That would keep the code clean, allow implementation of these 'bugs' without involvement from dev and/or app vendors, and still provide troubleshooting/validation without running into the security bugs.

It would, however, cause madness with security teams running (external) scans. I already have to 'patch' non-existing vulnerabilities because the security team's audit scan fails. Quick example: a scan from a well-known security scanning firm sent OpSec into a mad spin because a request to /xyz.cgi resulted in a 200 OK... At times I wonder if Don Quixote secretly is the patron of OpSec, but I digress.

Make Facebook, Twitter, Google et al liable for daft garbage netizens post online – US Senator

Drew Scriver

Those who live in glass houses...

It's a mixed bag.

In related news, Senator Warner called on his own party to remove the inaccurate claim from its web site that it was Democrats who succeeded in passing the Civil Rights Act of 1964 despite vehement opposition from the GOP. He added that even though it may be hard to accept for his party, it is time to admit that it was in fact members of his own party who formed the strongest opposition to passage of the bill. "Continued proliferation of inaccurate information on our own party's web site is awkward in light of my bill."

British Airways' latest Total Inability To Support Upwardness of Planes* caused by Amadeus system outage

Drew Scriver

Re: Amadeus

Alright - I was wrong. From the Toyota Corolla's owner's manual:

"Seating capacity means the maximum number of occupants whose estimated average weight is 150 lb. (68 kg) per person. Toyota does not recommend towing a trailer with your vehicle. Cargo capacity may increase or decrease depending on the weight and the number of occupants."


If you tow a trailer you have to add the tongue weight of that also.

Drew Scriver

Re: Amadeus

That would make sense. A BMI of 21 could be the baseline and every point above or below could translate to a, say, 5% surcharge or discount, respectively.

It may even have a positive effect on the global obesity crisis.

Granted, I may be a wee bit biased in favor of such a formula as many passengers weigh more than my luggage and I weigh combined...

Interesting related detail: the load limit of passenger vehicles is calculated as "number of seats multiplied by 175 lbs (80 kg)".

Open plan offices flop – you talk less, IM more, if forced to flee a cubicle

Drew Scriver

Re: What execs and HR can't seem to understand...

"In some places, workplace disability / human rights regulations may mandate accommodation for those people adversely affected."

In the USA, anyone with a challenge like AS/ASD, ADHD, SPD, et cetera would be able to apply for a "reasonable accommodation" under the ADA (Americans with Disabilities Act) if the open office environment presents a hindrance to perform one's job adequately.

Noise-cancelling headphones would be almost certain to be seen as a reasonable accommodation (perhaps not by the employer, but they don't get to define "reasonable"), but cubicles, enclosed offices, and working remotely are also options that (especially larger) companies may be required to offer.

Many companies even have insurance to cover equipment like NC-headphones.

Drew Scriver

What execs and HR can't seem to understand...

Shocking observation: there are essentially two types of people: extroverted/gregarious and introverted.

Executives and HR tend to attract the gregarious people. They are convinced that there's something wrong with introverted people and one of their missions in life is to fix those poor souls. Office parties, picnics, barbeques, and, of course, open floor plans.

Notwithstanding their stated commitment to "the inclusive workplace", they cannot fathom that many people (especially in IT) don't enjoy open workspaces and are distracted by the additional audible and visual cues - which in many cases hurts productivity and quality.

Millions are spent converting offices from cubicle farms to open floorplans, and any negative feedback is seen as an attack on the wisdom of spending all that money on their commitment to better the world.

Which, of course, it is.

Four US govt agencies poke probe in Facebook following more 'oops, we spilled your data' shocks

Drew Scriver

Since US Representatives are supposed to represent their voters, how likely is it that they will indeed hold Facebook's feet to the fire? If they threw the book at them and Facebook is dismantled, their constituents, the majority of whom cannot fathom their lives without Facebook, would be rather displeased.

Facebook's business model and market value are based on monetizing the data and private information of those very constituents. Thwarting that would be akin to banning TV commercials on commercial TV stations.

Just as the average viewer does not realize that commercial TV is watching commercials interrupted by 'programming', they do not realize that without the ability to monetize their private information Facebook could not survive.

Even scarier is that many younger people don't even understand the concept of privacy and they fail to see any value in protecting it.

Combine that with the government's own desire to track as much as they can and this whole political effort is likely no more than an elaborate show.

Wouldn't be surprised if the policy makers strike some kind of deal that allows Facebook to continue on the current track as long as they give the three-letter agencies access to the data.

It's time for TLS 1.0 and 1.1 to die (die, die)

Drew Scriver

About that pot and the kettle...

"[...] it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1 [...]"

Right. Like www.theregister.co.uk...


TLS 1.3 Yes

TLS 1.2 Yes

TLS 1.1 Yes

TLS 1.0 Yes

SSL 3 No

SSL 2 No


Too many bricks in the wall? Lego slashes inventory

Drew Scriver

LEGO isn't what it used to be...

The '70s and '80s were probably the heydays of LEGO in Europe.

Back then, it was possible to build large, sturdy structures. Since then, however, the company has changed the bricks so they don't stick together as well. Not as many broken fingernails, but it's no longer possible to build the same large structures that used to be popular back in the day.

In addition, LEGO tends to look more and more like Playmobil in that the pre-formed pieces are getting larger and larger. I don't much care for the popular themed stuff either. I guess that's what people want these days, though.

On the other hand, the Creator sets are quite fantastic.

US broadband is scarce, slow and expensive. 'Great!' says the FCC

Drew Scriver

Reasonable? Perhaps. Timely? Not

"advanced telecommunications capability is being deployed to all Americans in a reasonable and timely fashion"

Given that rural areas often require long cable runs/trenching, it is to be expected that rolling out broadband runs into some ROI-issues. At a commercial cost of about $30 per foot (~$90 per meter) of trenching/cabling it is easy to see how reaching a cluster of a couple of houses miles away from the nearest node can be hard to justify from an ROI-perspective. In addition, trenching is a time-consuming endeavor. To make it worse, ISPs often run into government-induced delays when they apply for permits.

Therefore, one could argue that broadband is in fact being rolled out at a reasonable pace.

However, for Pai to jump from "reasonable" to "timely" is, well, an unreasonable leap. Timely infers that people will have access to broadband in the foreseeable future. However, for many families in rural areas it is not unlikely that their elementary-school age children will be graduating from high school long before broadband is available to them.

I'm not sure what the solution is. In my case I'd have to come up with $72,000 to get Comcast to extend cable to my house. The next neighbor would be another 1,000 feet or so. It would take a rather long time before I and my neighbors ever became profitable customers.

Satellite isn't an option because of the latency. Perhaps WiFi or LTE.

Now, having said all that, I'm not sure 20 Mbps is a necessity. It's mainly in place so people can watch TV. Not exactly a necessity, and arguably not good for a thriving society. Time to read a book. I recommend "Amusing Ourselves to Death" by Neil Postman. Even on my 3 Mbps connection that shouldn't take more than a couple of minutes to download to my Kindle.

Leaky credit report biz face massive fines if US senators get their way

Drew Scriver

The problem will remain until executives are personally liable

The problem is not going to go away until executives can be personally prosecuted for gross negligence if it can be demonstrated that they willingly and knowingly failed to implement adequate security policies and programs.

We keep hearing about employees in the trenches who flag security issues, only to have it go nowhere. They often do this at their own peril and frequently it does not lead to an improvement in the company's security posture.

In addition, we need a public clearinghouse where customers can report security issues. That too should have some teeth. If a company fails to address a reported issue and it results in a breach, that should be grounds for meaningful penalties. In addition, some agency must have enforcement powers to go after companies that fail to fix reported issues. Any enforcement action should be made public.

There should also be a timed trigger for publication of reports. Give a company some time to fix the issue and make it public after the deadline. No pulling punches here - let's use the PCI-DSS standard of one month (after patches are available) for CVEs that are rated 4 or higher.

While I'm on the subject, the legislature needs to codify the meaning of "adequate security". As a starting point, maybe require PCI-DSS compliance as a baseline for all PII (not just credit cards) and also require adherence to the NIST security standards.

Massachusetts tried to pass a bill to hold executives personally liable for security breaches, but I don't believe it became law.

As for this proposed fine, as a rule of thumb, companies already assume that it will cost an average of $200 per breached account (direct and indirect costs). Some of that can even be mitigated by purchasing an insurance policy.

Universal basic income is a great idea, which is also why it won't happen

Drew Scriver

To try new things...

One of the keys to understanding the fallacy of UBI is Zuckerberg's statement that "We should explore ideas like universal basic income to give everyone a cushion to try new things."

How many people would actually "try new things"? Sure - a few would. But most people in the western world already have the opportunity to do this. Libraries offer free books to read, countless organizations offer free volunteer opportunities, and there are virtually unlimited free courses (even at a college level) available to anyone with an internet connection.

The vast majority of people have the time and opportunity to pursue these options but choose not to engage.

In reality, UBI will enable even more people to simply spend their time watching commercials (occasionally interrupted by TV programs) and, of course, spend more time in the echo chamber of Facebook. Also,

UBI might work if society were stripped of non-essentials and everyone pulled together to provide the essentials. That's been tried before and while it seems to work on a small scale (e.g. communes, kibbutzes, Amish communities) it doesn't scale up well.

Human nature just doesn't seem to be compatible.

Rejecting Sonos' private data slurp basically bricks bloke's boombox

Drew Scriver

Sonos isn't the only one...

I ran into a similar issue with GE. Got their Bluetooth-controlled light bulbs since I don't want my bulbs to leak data. Couldn't get their app to work, though - turns out my firewall was blocking it since it was connecting to a Chinese domain.

As others have noted, the issue with Sonos (and GE, and others) brings up an interesting legal issue. Do consumers have any rights if the manufacturer changes the functionality or terms of use? GE, for instance, advertised their bulbs with a "follow the sun"-feature that would mimic the sunrise and sunset. However, they have since removed the option from their app.

In addition, what happens if a company suddenly fails on security? Case in point, GE currently gets an "F" from Qualys on one of their API-servers (https://www.ssllabs.com/ssltest/analyze.html?d=api-ge.xlink.cn&latest). Prudence would lead consumers to stop using the app, but that would leave them without the means to control their light bulbs (beyond turning them on and off).

Is this covered under warranty? Tricky legal question...

US Senate stamps the gas pedal on law to flood America's streets with self-driving cars

Drew Scriver

Re: A dangerous hands-off approach to hands-free driving

Being an immigrant from Europe, I had to take a driving 'test' in the US. My European license could not be converted.

First I had to take the written test. Ten questions and I had to get six correct answers. Many of the questions were about non-traffic issues, like drunk driving, minimum age to drive, etc.

It was all multiple choice and the incorrect answers were easily identifiable. An example:

Q.: If the traffic light changes from green to yellow, should you:

a) Speed up.

b) Stop if you can safely do so.

c) Honk your horn.

d) [can't remember that one]

Add to this the problem with the driving brochure from the Department of Motor Vehicles. It's an extract of the traffic laws, but much of the space is taken up by information on safety issues. Come to think of it, much like product user manuals here.

There is little information about actual traffic laws, and some information is simply wrong.

Lastly, there's the infamous driving test. Whereas in Europe (at least the northwestern countries) the test seems to be designed to fail unwary candidates, the test in most states is designed to "not deny people their right to drive". My test lasted 1:27. One minute and 27 seconds, that is. Now, I'd had my license for many years by then so the officer didn't get too excited. Literally once around the block and I was done. In a sleepy village. However, the gal before me (who seemed to be around 16, 17) got her license in less than 7 minutes.

Sole Equifax security worker at fault for failed patch, says former CEO

Drew Scriver

Management is not responsible for their decisions...

If indeed it is true that the failure of "a single person" led to the issue, the obvious conclusion is that it was *management* that failed to implement proper controls. Leaving the monitoring of the "news about critical vulnerabilities" to a single person would seem to point to management, not this person.

I wonder what would happen if this "single person" were to be forced to appear before the House Committee. Chances are that we'll hear a) he's overworked, b) he lacks authority, and c) there were ample warnings but the company tends to downplay or ignore those.

Remember when [a very large bank in the US] got hacked? As a customer, I was concerned. Yet, when I contacted them (multiple times) that Qualys rated them as "F" on their main web site this fell on deaf ears. I even went to a branch and talked to the branch manager. Mentioned PCI-DSS. Turns out she'd never even heard of that, nor did she share my concerns. I closed my account on the spot.

Similar story with [one of the largest ISPs in the US]. Eventually I did speak to an IT-engineer who was in fact in the know. He let slip "we know, but there's nothing we can do about it because management doesn't listen to us".

Couple of years ago I had to cover for a co-worker who was on vacation and configure a web interface for an application from a large European vendor. Since it processed credit cards I figured it ought to be PCI-DSS compliant. One quick look told me it wasn't - first giveaway was that the vendor name appeared in all (public-facing) URLs. Second was that it was installed (per their instructions) in the default locations.

Did a quick test and discovered that the error log was a text file in the root of the web site... Every error was written there - even credit card failures (e.g. address verification errors). And, you guessed it, *all* the transaction details were there: name, address, card number, expiration, CVV2, etc.

Now came the fun part of alerting the vendor. And, you guessed it, I got the expected, "Oh no, we are in fact PCI-DA certified". And, you guessed it again, they alerted my executive management to complain that I was a roadblock...

Fortunately our security officer stood his ground and blocked the project from going forward, but I'm afraid that these situations are commonplace.

This will not improve unless:

1) Legislation is enacted to hold executives personally responsible for willful failure (or ignorance).

2) A clearinghouse is set up where consumers and security experts can report vulnerabilities. Reports would have to become public automatically a set time after a patch is available.

3) Companies are mandated to create processes so employees and customers can report security issues. Again, with full disclosure after x days.

4) Fines for failing to properly protect PII.

All without exceptions for small companies, non-profits, government agencies, and the like.
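The error-log problem described in the post above (full transaction details, CVV2 included, written to a plain-text file inside the web root) is a common enough pattern that it is worth showing beside a hardened version and the quick check a practitioner would run over a document root. The following is an added example; it is not the vendor's code from the post, nor anything the commenter wrote. The transaction record, file names and directory layout are constructed for the example. The masking rule (keep at most the first six and last four digits of a PAN) and the rule that CVV2 must never be stored after authorization are taken from PCI DSS.

```python
"""Added example, not from the original post or vendor: the logging defect
described above, a hardened alternative, and a scan for exposed card numbers
under a web root. All sample data and paths are constructed."""
import json
import os
import re
import tempfile

# Constructed sample: the kind of record an address-verification failure
# would have produced. The PAN is a well-known Luhn-valid test number.
SAMPLE_TXN = {
    "name": "Jane Example",
    "address": "1 Example Street",
    "pan": "4111111111111111",
    "exp": "12/29",
    "cvv2": "123",
    "error": "AVS mismatch",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; lets the scanner tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:  # not PAN-length; hide it entirely rather than guess
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transaction(txn: dict) -> dict:
    """Copy of the record that is safe to log: CVV2 dropped (sensitive
    authentication data, never to be stored), PAN masked."""
    safe = {k: v for k, v in txn.items() if k != "cvv2"}
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe


def log_error_vulnerable(txn: dict, webroot: str) -> str:
    """The pattern from the post: the whole record, in plain text, inside the web root."""
    path = os.path.join(webroot, "error.log")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(txn) + "\n")
    return path


def log_error_hardened(txn: dict, logdir: str) -> str:
    """Redacted record written to a directory the web server does not serve."""
    path = os.path.join(logdir, "app-error.log")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(redact_transaction(txn)) + "\n")
    return path


# 13 to 19 digit run not adjacent to other digits; a masked PAN contains '*' and never matches.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def scan_for_exposed_pans(webroot: str) -> list:
    """Walk a document root; return (relative path, line number) for each line
    that contains a Luhn-valid card-number-length digit run."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(luhn_ok(m) for m in PAN_RE.findall(line)):
                        hits.append((os.path.relpath(full, webroot), lineno))
    return hits


def demo() -> dict:
    """Write one failure with each logger into temp dirs, then scan both."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as logdir:
        log_error_vulnerable(SAMPLE_TXN, webroot)
        log_error_hardened(SAMPLE_TXN, logdir)
        return {
            "webroot_hits": scan_for_exposed_pans(webroot),
            "logdir_hits": scan_for_exposed_pans(logdir),
            "redacted": redact_transaction(SAMPLE_TXN),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scanner is deliberately dumb: any Luhn-valid run of 13 to 19 digits is reported, so order numbers or timestamps can produce false positives. That is the right trade-off for a check meant to be run once against an install directory before go-live, as in the post; a hit in anything under the web root should stop the project until someone has looked at the line.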

Out, damned Spot! Amazon emits Echo ball with screen, inevitable ever-listening mic

Drew Scriver

One man's thought is another government's crime...

A lot of people are thinking they don't have anything to worry about because "they're not doing anything wrong".

History teaches us that we don't get to decide what's right or wrong - governments, elites, and special interest groups do. In addition, your location plays a role.

Imagine travelling to a western country from a more repressive country. You visit some people at home and speak freely about some concerns you have. You don't even notice the Echo devices scattered throughout the home, and your hosts don't even think twice about them. After all, they make life "so much easier". Voice recognition has already determined your identity and AI/ML kicks in and your gov's law enforcement agency is alerted. At least you won't have to carry your bags yourself when you return to your home airport.

Well, you say, this is perhaps an issue if you live in a repressive country. However, quite a few western countries have their own restrictions. The German High Court, for instance, has ruled that the government is bound to "counteract the development of religious and philosophically motivated parallel societies."

You might argue that collecting evidence this way is illegal. You would be wrong.

Remember that European countries went after tax evaders after illegally obtaining a CD from a Swiss banker? Also, under the rubric of "national security" a lot of laws have been circumvented. Furthermore, often foreigners do not enjoy the same protections as nationals.

Lastly, in many US states it is not illegal to make a recording if "one of the parties agrees". Arguably, the owner of internet-enabled "convenience devices" has already given consent to be recorded.

Unfortunately, the genie is already out of the bottle. Can you really expect that any conversations are private if one or more of the participants carries a smart phone, wears a smart watch, or uses listening devices from Amazon, Google, and the like?

It is merely a matter of time before we see authorities act on the data these devices collect. Be it for "national security", to "fight crime", to "counteract parallel societies", or to "protect society from individuals who harbor undesirable convictions".

Biting the hand that feeds IT © 1998–2019