* Posts by Drew Scriver

13 posts • joined 28 Sep 2017

British Airways' latest Total Inability To Support Upwardness of Planes* caused by Amadeus system outage

Drew Scriver

Re: Amadeus

That would make sense. A BMI of 21 could be the baseline and every point above or below could translate to a, say, 5% surcharge or discount, respectively.

It may even have a positive effect on the global obesity crisis.

Granted, I may be a wee bit biased in favor of such a formula as many passengers weigh more than my luggage and I weigh combined...

Interesting related detail: the load limit of passenger vehicles is calculated as "number of seats multiplied by 175 lbs (80 kg)".


Open plan offices flop – you talk less, IM more, if forced to flee a cubicle

Drew Scriver

Re: What execs and HR can't seem to understand...

"In some places, workplace disability / human rights regulations may mandate accommodation for those people adversely affected."

In the USA, anyone with a challenge like AS/ASD, ADHD, SPD, et cetera would be able to apply for a "reasonable accommodation" under the ADA (Americans with Disabilities Act) if the open office environment presents a hindrance to performing one's job adequately.

Noise-cancelling headphones would be almost certain to be seen as a reasonable accommodation (perhaps not by the employer, but they don't get to define "reasonable"), but cubicles, enclosed offices, and working remotely are also options that (especially larger) companies may be required to offer.

Many companies even have insurance to cover equipment like NC-headphones.

Drew Scriver

What execs and HR can't seem to understand...

Shocking observation: there are essentially two types of people: extroverted/gregarious and introverted.

Executives and HR tend to attract the gregarious people. They are convinced that there's something wrong with introverted people and one of their missions in life is to fix those poor souls. Office parties, picnics, barbecues, and, of course, open floor plans.

Notwithstanding their stated commitment to "the inclusive workplace", they cannot fathom that many people (especially in IT) don't enjoy open workspaces and are distracted by the additional audible and visual cues - which in many cases hurts productivity and quality.

Millions are spent converting offices from cubicle farms to open floorplans, and any negative feedback is seen as an attack on the wisdom of spending all that money on their commitment to better the world.

Which, of course, it is.


Four US govt agencies poke probe in Facebook following more 'oops, we spilled your data' shocks

Drew Scriver

Since US Representatives are supposed to represent their voters, how likely is it that they will indeed hold Facebook's feet to the fire? If they threw the book at them and Facebook is dismantled, their constituents, the majority of whom cannot fathom their lives without Facebook, would be rather displeased.

Facebook's business model and market value are based on monetizing the data and private information of those very constituents. Thwarting that would be akin to banning TV commercials on commercial TV stations.

Just as the average viewer does not realize that commercial TV is watching commercials interrupted by 'programming', they do not realize that without the ability to monetize their private information Facebook could not survive.

Even scarier is that many younger people don't even understand the concept of privacy and they fail to see any value in protecting it.

Combine that with the government's own desire to track as much as they can and this whole political effort is likely no more than an elaborate show.

Wouldn't be surprised if the policy makers strike some kind of deal that allows Facebook to continue on the current track as long as they give the three-letter agencies access to the data.


It's time for TLS 1.0 and 1.1 to die (die, die)

Drew Scriver

About that pot and the kettle...

"[...] it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1 [...]"

Right. Like www.theregister.co.uk...


TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
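The list above is what a scanner such as SSL Labs reports. As an added example (not part of the original post, and not The Register's or Qualys' code), the following Python script shows what such a check does under the hood for the legacy versions: it sends a ClientHello that offers exactly one protocol version and classifies the server's first reply as a ServerHello (version accepted) or a protocol_version/handshake_failure alert (version rejected). The cipher-suite list and the default target host are assumptions (the host is simply the one named in the post); TLS 1.3 negotiation needs the supported_versions extension and is deliberately out of scope here. `classify_response()` and `negotiated_version()` are pure functions over captured bytes, so they run offline; only `probe()` touches the network.

```python
"""Probe which legacy TLS versions (1.0, 1.1, 1.2) a server will negotiate.

Added example, not from the original post. Target host, port and cipher
suites are assumptions chosen for illustration.
"""
import socket
import struct
from typing import Dict, Optional

# Record-layer and handshake constants from RFC 5246.
VERSIONS = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION = 40, 70


def build_client_hello(version: int) -> bytes:
    """Return one TLS record carrying a ClientHello that offers only `version`.

    The suites are a small set that legacy stacks commonly accept (assumption),
    so a server that still speaks TLS 1.0/1.1 has something to pick.
    """
    suites = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]
    body = struct.pack("!H", version)          # client_version
    body += bytes(32)                          # client random (fixed is fine for a probe)
    body += b"\x00"                            # session_id length 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # compression_methods: null only
    # Handshake header: type (1 byte) + 24-bit length.
    hs = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(hs)) + hs


def classify_response(data: bytes) -> str:
    """Classify the first record the server sent back.

    'accepted'  -> a ServerHello, so the offered version was negotiated
    'rejected'  -> protocol_version or handshake_failure alert
    'alert'     -> some other alert
    'closed'    -> server hung up without sending anything
    'unknown'   -> truncated or unrecognised record
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    content_type, _rec_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == CONTENT_HANDSHAKE and payload[:1] == bytes([HS_SERVER_HELLO]):
        return "accepted"
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        # payload[0] is the alert level, payload[1] the description.
        if payload[1] in (ALERT_PROTOCOL_VERSION, ALERT_HANDSHAKE_FAILURE):
            return "rejected"
        return "alert"
    return "unknown"


def negotiated_version(data: bytes) -> Optional[int]:
    """For an accepted reply, return server_version from the ServerHello."""
    if classify_response(data) != "accepted":
        return None
    # 5-byte record header + 1-byte handshake type + 3-byte handshake length.
    return struct.unpack("!H", data[9:11])[0]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Try each legacy version against a live host (network access required)."""
    results: Dict[str, str] = {}
    for name, ver in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(ver))
                results[name] = classify_response(s.recv(4096))
        except OSError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.theregister.co.uk"
    for name, verdict in probe(target).items():
        print(f"{name}: {verdict}")
```

A server that has actually retired TLS 1.0 and 1.1 should answer the first two ClientHellos with a protocol_version alert (or simply close the connection) and only the TLS 1.2 one with a ServerHello; "accepted" for all three is the state the post is complaining about.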



Too many bricks in the wall? Lego slashes inventory

Drew Scriver

LEGO isn't what it used to be...

The '70s and '80s were probably the heydays of LEGO in Europe.

Back then, it was possible to build large, sturdy structures. Since then, however, the company has changed the bricks so they don't stick together as well. Not as many broken fingernails, but it's no longer possible to build the same large structures that used to be popular back in the day.

In addition, LEGO tends to look more and more like Playmobil in that the pre-formed pieces are getting larger and larger. I don't much care for the popular themed stuff either. I guess that's what people want these days, though.

On the other hand, the Creator sets are quite fantastic.


US broadband is scarce, slow and expensive. 'Great!' says the FCC

Drew Scriver

Reasonable? Perhaps. Timely? Not

"advanced telecommunications capability is being deployed to all Americans in a reasonable and timely fashion"

Given that rural areas often require long cable runs/trenching, it is to be expected that rolling out broadband runs into some ROI-issues. At a commercial cost of about $30 per foot (~$90 per meter) of trenching/cabling it is easy to see how reaching a cluster of a couple of houses miles away from the nearest node can be hard to justify from an ROI-perspective. In addition, trenching is a time-consuming endeavor. To make it worse, ISPs often run into government-induced delays when they apply for permits.

Therefore, one could argue that broadband is in fact being rolled out at a reasonable pace.

However, for Pai to jump from "reasonable" to "timely" is, well, an unreasonable leap. Timely implies that people will have access to broadband in the foreseeable future. However, for many families in rural areas it is not unlikely that their elementary-school age children will be graduating from high school long before broadband is available to them.

I'm not sure what the solution is. In my case I'd have to come up with $72,000 to get Comcast to extend cable to my house. The next neighbor would be another 1,000 feet or so. It would take a rather long time before I and my neighbors ever became profitable customers.

Satellite isn't an option because of the latency. Perhaps WiFi or LTE.

Now, having said all that, I'm not sure 20 Mbps is a necessity. It's mainly in place so people can watch TV. Not exactly a necessity, and arguably not good for a thriving society. Time to read a book. I recommend "Amusing Ourselves to Death" by Neil Postman. Even on my 3Mbps connection that shouldn't take more than a couple of minutes to download to my Kindle.


Leaky credit report biz face massive fines if US senators get their way

Drew Scriver

The problem will remain until executives are personally liable

The problem is not going to go away until executives can be personally prosecuted for gross negligence if it can be demonstrated that they willingly and knowingly failed to implement adequate security policies and programs.

We keep hearing about employees in the trenches who flag security issues, only to have it go nowhere. They often do this at their own peril and frequently it does not lead to an improvement in the company's security posture.

In addition, we need a public clearinghouse where customers can report security issues. That too should have some teeth. If a company fails to address a reported issue and it results in a breach, that should be grounds for meaningful penalties. In addition, some agency must have enforcement powers to go after companies that fail to fix reported issues. Any enforcement action should be made public.

There should also be a timed trigger for publication of reports. Give a company some time to fix the issue and make it public after the deadline. No pulling punches here - let's use the PCI-DSS standard of one month (after patches are available) for CVEs that are rated 4 or higher.

While I'm on the subject, the legislature needs to codify the meaning of "adequate security". As a starting point, maybe require PCI-DSS compliance as a baseline for all PII (not just credit cards) and also require adherence to the NIST security standards.

Massachusetts tried to pass a bill to hold executives personally liable for security breaches, but I don't believe it became law.

As for this proposed fine, as a rule of thumb, companies already assume that it will cost an average of $200 per breached account (direct and indirect costs). Some of that can even be mitigated by purchasing an insurance policy.


Universal basic income is a great idea, which is also why it won't happen

Drew Scriver

To try new things...

One of the keys to understanding the fallacy of UBI is Zuckerberg's statement that "We should explore ideas like universal basic income to give everyone a cushion to try new things."

How many people would actually "try new things"? Sure - a few would. But most people in the western world already have the opportunity to do this. Libraries offer free books to read, countless organizations offer free volunteer opportunities, and there are virtually unlimited free courses (even at a college level) available to anyone with an internet connection.

The vast majority of people have the time and opportunity to pursue these options but choose not to engage.

In reality, UBI will enable even more people to simply spend their time to watch commercials (occasionally interrupted by TV programs) and, of course, spend more time in the echo chamber of Facebook. Also,

UBI might work if society were stripped of non-essentials and everyone pulled together to provide the essentials. That's been tried before and while it seems to work on a small scale (e.g. communes, kibbutzes, Amish communities) it doesn't scale up well.

Human nature just doesn't seem to be compatible.


Rejecting Sonos' private data slurp basically bricks bloke's boombox

Drew Scriver

Sonos isn't the only one...

I ran into a similar issue with GE. Got their Bluetooth-controlled light bulbs since I don't want my bulbs to leak data. Couldn't get their app to work, though - turns out my firewall was blocking it since it was connecting to a Chinese domain.

As others have noted, the issue with Sonos (and GE, and others) brings up an interesting legal issue. Do consumers have any rights if the manufacturer changes the functionality or terms of use? GE, for instance, advertised their bulbs with a "follow the sun"-feature that would mimic the sunrise and sunset. However, they have since removed the option from their app.

In addition, what happens if a company suddenly fails on security? Case in point, GE currently gets an "F" from Qualys on one of their API-servers (https://www.ssllabs.com/ssltest/analyze.html?d=api-ge.xlink.cn&latest). Prudence would lead consumers to stop using the app, but that would leave them without the means to control their light bulbs (beyond turning them on and off).

Is this covered under warranty? Tricky legal question...


US Senate stamps the gas pedal on law to flood America's streets with self-driving cars

Drew Scriver

Re: A dangerous hands-off approach to hands-free driving

Being an immigrant from Europe, I had to take a driving 'test' in the US. My European license could not be converted.

First I had to take the written test. Ten questions and I had to get six correct answers. Many of the questions were about non-traffic issues, like drunk driving, minimum age to drive, etc.

It was all multiple choice and the incorrect answers were easily identifiable. An example:

Q.: If the traffic light changes from green to yellow, should you:

a) Speed up.

b) Stop if you can safely do so.

c) Honk your horn.

d) [can't remember that one]

Add to this the problem with the driving brochure from the Department of Motor Vehicles. It's an extract of the traffic laws, but much of the space is taken up by information on safety issues. Come to think of it, much like product user manuals here.

There is little information about actual traffic laws, and some information is simply wrong.

Lastly, there's the infamous driving test. Whereas in Europe (at least the northwestern countries) the test seems to be designed to fail unwary candidates, the test in most states is designed to "not deny people their right to drive". My test lasted 1:27. One minute and 27 seconds, that is. Now, I'd had my license for many years by then so the officer didn't get too excited. Literally once around the block and I was done. In a sleepy village. However, the gal before me (who seemed to be around 16, 17) got her license in less than 7 minutes.


Sole Equifax security worker at fault for failed patch, says former CEO

Drew Scriver

Management is not responsible for their decisions...

If indeed it is true that the failure of "a single person" led to the issue, the obvious conclusion is that it was *management* that failed to implement proper controls. Leaving the monitoring of the "news about critical vulnerabilities" to a single person would seem to point to management, not this person.

I wonder what would happen if this "single person" were to be forced to appear before the House Committee. Chances are that we'll hear a) he's overworked, b) he lacks authority, and c) there were ample warnings but the company tends to downplay or ignore those.

Remember when [a very large bank in the US] got hacked? As a customer, I was concerned. Yet, when I contacted them (multiple times) that Qualys rated them as "F" on their main web site this fell on deaf ears. I even went to a branch and talked to the branch manager. Mentioned PCI-DSS. Turns out she'd never even heard of that, nor did she share my concerns. I closed my account on the spot.

Similar story with [one of the largest ISPs in the US]. Eventually I did speak to an IT-engineer who was in fact in the know. He let slip "we know, but there's nothing we can do about it because management doesn't listen to us".

Couple of years ago I had to cover for a co-worker who was on vacation and configure a web interface for an application from a large European vendor. Since it processed credit cards I figured it ought to be PCI-DSS compliant. One quick look told me it wasn't - first giveaway was that the vendor name appeared in all (public-facing) URLs. Second was that it was installed (per their instructions) in the default locations.

Did a quick test and discovered that the error log was a text file in the root of the web site... Every error was written there - even credit card failures (e.g. address verification errors). And, you guessed it, *all* the transaction details were there: name, address, card number, expiration, CVV2, etc.

Now came the fun part of alerting the vendor. And, you guessed it, I got the expected, "Oh no, we are in fact PCI-DA certified". And, you guessed it again, they alerted my executive management to complain that I was a roadblock...

Fortunately our security officer stood his ground and blocked the project from going forward, but I'm afraid that these situations are commonplace.

This will not improve unless:

1) Legislation is enacted to hold executives personally responsible for willful failure (or ignorance).

2) A clearinghouse is set up where consumers and security experts can report vulnerabilities. Reports would have to become public automatically a set time after a patch is available.

3) Companies are mandated to create processes so employees and customers can report security issues. Again, with full disclosure after x days.

4) Fines for failing to properly protect PII.

All without exceptions for small companies, non-profits, government agencies, and the like.
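The error log described in the post above (a plain text file in the web root holding name, card number, expiry and CVV2 for every failed transaction) fails in two independent ways: the log is served by the web server, and the application writes raw card data into it at all. As an added example (not code from the vendor, the poster's employer or the original page), the Python below shows the two controls that would have prevented it: a `logging.Filter` that masks PANs (Luhn-checked, so order and phone numbers survive) and strips CVV values before any handler sees the record, and a check that the log destination is not under the document root. The field names (`card_number`, `cvv2`), the sample log line and the paths are constructed for illustration.

```python
"""Keep card data out of application logs and out of the web root.

Added example, not code from any vendor or company mentioned on the page.
Field names, paths and the sample message are constructed assumptions.
"""
import logging
import os
import re
from io import StringIO

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "cvv=123", "CVV2: 1234", "csc = 987" and the like (field names are assumptions).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)\b(\s*[:=]\s*)\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that only plausible card numbers get masked."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def _mask_pan(match: "re.Match") -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                      # not a card number; leave it readable
    # First six and last four is the most PCI DSS permits to be shown.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Strip CVV values entirely and mask any Luhn-valid PAN."""
    text = CVV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return PAN_RE.sub(_mask_pan, text)


class CardDataFilter(logging.Filter):
    """Rewrites the fully formatted message so no handler or file ever sees a PAN."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()                # already interpolated above
        return True


def log_path_is_safe(log_path: str, web_root: str) -> bool:
    """False if the log would be served by the web server (the failure mode in the post)."""
    log_real = os.path.realpath(log_path)
    root_real = os.path.realpath(web_root)
    try:
        return os.path.commonpath([log_real, root_real]) != root_real
    except ValueError:                  # different drives on Windows: cannot be inside
        return True


def demo() -> str:
    """Log a constructed AVS-failure line through the filter and return what was written."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("payments.example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.addHandler(handler)
    logger.addFilter(CardDataFilter())
    logger.propagate = False
    logger.setLevel(logging.INFO)
    # Constructed sample: the kind of line the post describes landing in error.log.
    logger.error("AVS mismatch name=%s card_number=%s exp=%s cvv2=%s",
                 "J. Doe", "4111 1111 1111 1111", "12/21", "123")
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
    print("log in web root is safe:", log_path_is_safe("/var/www/html/error.log", "/var/www/html"))
```

The filter is attached to the logger rather than a single handler so that a later-added file or syslog handler cannot bypass it, and it masks rather than drops the line, which keeps the address-verification failure itself debuggable.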


Out, damned Spot! Amazon emits Echo ball with screen, inevitable ever-listening mic

Drew Scriver

One man's thought is another government's crime...

A lot of people are thinking they don't have anything to worry about because "they're not doing anything wrong".

History teaches us that we don't get to decide what's right or wrong - governments, elites, and special interest groups do. In addition, your location plays a role.

Imagine travelling to a western country from a more repressive country. You visit some people at home and speak freely about some concerns you have. You don't even notice the Echo devices scattered throughout the home, and your hosts don't even think twice about them. After all, they make life "so much easier". Voice recognition has already determined your identity and AI/ML kicks in and your gov's law enforcement agency is alerted. At least you won't have to carry your bags yourself when you return to your home airport.

Well, you say, this is perhaps an issue if you live in a repressive country. However, quite a few western countries have their own restrictions. The German High Court, for instance, has ruled that the government is bound to "counteract the development of religious and philosophically motivated parallel societies."

You might argue that collecting evidence this way is illegal. You would be wrong.

Remember that European countries went after tax evaders after illegally obtaining a CD from a Swiss banker? Also, under the rubric of "national security" a lot of laws have been circumvented. Furthermore, often foreigners do not enjoy the same protections as nationals.

Lastly, in many US states it is not illegal to make a recording if "one of the parties agrees". Arguably, the owner of internet-enabled "convenience devices" has already given consent to be recorded.

Unfortunately, the genie is already out of the bottle. Can you really expect that any conversations are private if one or more of the participants carries a smart phone, wears a smart watch, or uses listening devices from Amazon, Google, and the like?

It is merely a matter of time before we see authorities act on the data these devices collect. Be it for "national security", to "fight crime", to "counteract parallel societies", or to "protect society from individuals who harbor undesirable convictions".



Biting the hand that feeds IT © 1998–2018