* Posts by Thomas Whipp

165 publicly visible posts • joined 6 Mar 2009


Lloyds Bank bans Bitcoin purchases by credit card customers

Thomas Whipp

Re: "When did banks get to tell their customers what they can and cannot buy?"

Off the top of my head a number of reasons:

a) These are credit card transactions, so its more a question of what are they prepared to lend against. If there has been a run up in these, they might suddenly worry that they have a large increase in lending (against which there is very dubious security)

b) There are considerable concerns about crypto currencies from a money laundering / proceeds of crime perspective (see news articles on people not being able to use profits to buy a house, etc...). Directors can go to jail if they dont try and prevent money laundering.

c) there could easily have been a spike in card related fraud - get card details, buy bitcoin, transfer to another wallet, cash out. They might have seen a big spike in claims for these.

To be clear, I dont know if any of the above are the reason, but they'd all be pretty reasonable - and with the exception of the money laundering point would also be consistent with allowing debit cards to continue.

Ireland to fight against billing Apple for back-taxes

Thomas Whipp

isnt the core issue here that Apple had been offered a company specific tax scheme which was not the same as most Ireland based companies had applied to them? My understanding is that the rules are that tax should be consistent within a country

'Hacker' accused of idiotic plan to defraud bank out of $1.5 million

Thomas Whipp

...although it would really help if you could leave your home address as the scene of the crime! Thanks muchly, FBI

Rise of the photon clones: New method could lead to 'impenetrable' comms

Thomas Whipp

"impenetrable privacy"

a brief reading of the history of cryptography shows that this statement/assumption has been made many times over the years - generally its been found to be incorrect (and often also subject to side channel attacks in the implementations). Just because there aren't currently articulated attacks doesn't mean that don't/wont exist.

Regulatory compliance problems? Promontory, my dear Watson

Thomas Whipp

Re: real challenges still facing human civilisation – regulatory compliance.

so says someone who clearly has never read a regulatory requirement - while there are some areas of compliance which are very clear cut, there is a lot of it which is littered with principle statements and words like "appropriate".

by way of example can I direct you to SYSC 13.7 "Systems and Processes"


and in particular 13.7.5 which deals with IT systems.

I doubt machine learning can deal with those high level requirements that I just referenced, but even at the specific end (e.g. required disclosures for retail sales) it would be extremely hard to write a general case ruleset in a traditional linear logic fashion.

Portsmouth bomb about to be detonated

Thomas Whipp

Design Parameters

Quite... having failed to detonate successfully around 70 years ago and then being submerged in salt water and silt for the intervening period you'd expect a successful explosion now to be well within their original design parameters.

We live in a world where a 'Hamdog' burger hybrid is patented

Thomas Whipp

Re: Bun?

are you sure its not a stottie?

Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

Thomas Whipp

Re: Smells of...

well no... to do insider trading you have to be an "insider", i.e. privy to knowledge only held within the organisation. From a regulatory perspective this is an outsider having done some research and understanding more about the company than it knew itself.

This would be insider trading if the research had been performed in house or if the results had been made known toe SJ and then one of thier management team acted on it.

From a legal perspective this is much closer to "we've looked at firm X and discovered that they have missed out applying for key business licences in half of the countries they operate in"

Obi Worldphone MV1: It's striking, it's solid. Aaaand... we've run out of nice things to say

Thomas Whipp

Re: I've just installed Cyanogenmod 12

I'm not sure if its a Cyanogen OS thing or a WileyFox thing, but when I took my Swift up to Marshmallow (6.0.1) the device started crashing during audio playback and needed a factory reset (still on 6.0.1) to resolve. Its fine again now but there does hint at some quality control issues there.

Other than that really happy with the handset - albeit that the GPS isn't great and really struggles if there isn't a mobile signal to assist the location services.

Cybersecurity is slowing down my business, say majority of chief execs

Thomas Whipp

As someone currently holding a CISO title, I have huge sympathy with the CEOs in this report. But the thing is, for most companies their security problems are something they have built for themselves in terms of internal systems architecture, politics and processes. They arent objecting to the requirement or desired outcomes, just the method of delivery.

A more fundamental issue which is that you cant "do" security - it may seem trivial but security as a word is an adjective not a verb. You can be secure, you can feel secure but you cant do secure it just doesn't make sense. Also from a branding perspective, security isn't a very engaging word; assurance, trust or resilience are much better topics to discuss with someone.

People holding any form of security title should really be concerned with one or more of the following; identifying risk, defining good practice, measuring actual practice against standards and finally breech monitoring and incident management.

The risk management piece is the central one from a senior stakeholder perspective. A lot of the friction comes down to the fact that most security professionals instinctively have a low risk appetite while most CEOs have a moderate to high appetite; but also a lot of security people simply dont understand the risks inherent in other areas of the business which is what a CEO will compare a security risk against. A good security person can explain the risk without over playing it and allow reasonable decisions to be made, an excellent security person will find ways to move security forward.

Firewall and similar roles admins are to my mind an element of infrastructure and the career path for people in that space will be dictated by infrastructure and network management trends.

Samsung Gear VR is good. So good 2016 could be year virtual reality finally makes it

Thomas Whipp

Film makers?

I have to confess to being a bit skeptic regarding immersive VR films as an art medium (and I use that term in the broad Hollywood sense). So much of how we currently make films is predicated on being able to control the framing - which essentially is a refinement of plays which operate on a stage. As a medium that's existed for thousands of years and I dont see that form of presentation disappearing as a result of this medium.

I absolutely get the idea of VR for gaming, remote drone control/medical robots, live streaming of events (especially sports - e.g. in cockpit formula 1 feeds), possibly nature documentaries or basically any other medium where the wearer wants to exhibit control over how they are viewing something and probably have some ability to move through a scene.

I also accept that there will probably be some films made in an immersive VR sense - but I do suspect they are going to be very much a minority and probably feel somewhat Blair Witch.

How cyber insurance actually works

Thomas Whipp

Re: I saw one of these proposals recently

There are a range of options on the market, some of which are very low cost (i.e. premium in the £400 type range) which unsurprisingly provide a fairly low level of cover and are essentially a take it or leave it option which would cover the early stage incident response costs.

Once you get into the higher cost options with cover in the £X million range then the premiums get larger and some negotiation over policy wording isn't unheard of (this is also where the improvement program requirements tend to kick in).

Bezos' BAN-HAMMER batters Chromecast, Apple TV

Thomas Whipp

Pickup locations

having recently moved to commuting by train, the free access to pickup services (e.g. Doddle) at my local station do matter to me and are included in prime. The next day bit is nice, but if I'm honest it probably generates more impulse purchases

Roku 4 specs leak: Yes, it's got 4K streaming and a games controller

Thomas Whipp

Amazon prime video?

The main gap on my Roku stick is that there isn't an option to play Amazon video, just a big wall o silence on why and when (if ever). I'm much more interested in that vs a hardware bump. The sell is content independence and its a big gap

Wileyfox Swift: Brit startup budget 'droid is the mutt's nuts

Thomas Whipp

Re: more to this than meets the eye

it looks like a phone that's been put together using the cheapest good commodity parts (including OS) and the given a decent brand design. Everything about this phone screams thats its been taken from a parts bucket.

While some people might think the above is a criticism its absolutely not meant that way, putting together a good usable system from cheap reliable parts is a skill.

More to the point, Cyanogen is essentially Android plus some features; the vast majority of people are still going to use it with gmail, google play, etc... I seriously doubt that Google cares how many people use this particular fork as from their perspective its really just the same as any hardware or network based skin.

Reg reader shares AshMad blackmail email about which he gives 'zero f***s'

Thomas Whipp

random emails

surely its less effort just to use the list published? People trying this sort of fraud are looking to turn a profit so will be trying to minimize effort (unless there is a good reason to believe that additional effort will increase profit).

Legal eagles accuse Labour of data law breach over party purge

Thomas Whipp

Re: “is not funny or clever for people from other parties to try to cheat their way into our system”

Its an odd position, surely the whole point of allowing people to "affiliate" for the purpose of the contest is to add in the views which are non-core in order to broaden party appeal - its not as if the Labour party itself is particularly coherent at the moment so I do wonder what set of views are being used as a filter. It just seems so utterly logically inconsistent

Testing Motorola's Moto G third-gen mobe: Is it still king of the hill?

Thomas Whipp

Completely agree here - I have an original Moto G and its on 5.0.2, I've had a couple of Samsung "Flagship" devices (original Galaxy S and Note 10.1) that had a single update but then just dropped off the support schedule.

I'm looking for a new handset in a couple of months, quite tempted by the Moto X Play which looks like it might be worth the relatively limited uplift from the new G (and still keeps the clean Android install)

A third of workers admit they'd leak sensitive biz data for peanuts

Thomas Whipp

Re: A simple patch

there is pretty much no correlation between salary and access to data in my experience, there are lots of relatively low paid call center workers with access to "sensitive" data sets.

This question is very much a "rational choice" model of offending and the main factor which would influence behavior (beyond personal ethics) will be the expectation of monitoring.

Unless the sum of money is large enough to be prepared to lose the job and go to jail its the likelihood of getting caught which will be dominant. I'd say £50k is probably getting to that level for a lot of call center people (2-3 times gross salary)

For a lot of organisations its the people who'd do it for free to make a moral point that could be more scary (e.g. Snowden)

Tim Worstall dances to victory over resources scaremongerers

Thomas Whipp

Re: Duplicitous

It depends very much on what you want to claim... I'm currently 39 and holding onto "mid 30s" until my birthday. As far as I'm concerned mid life can be interpreted as anything between birth and death.

SpaceX gets ready to crash barge-land ANOTHER rocket

Thomas Whipp

Re: I'll go with Wernher von Braun there.

Given that anyone else would just ditch the booster (and presumably SpaceX are costing/charging on that basis) its not an overly big deal if they keep having these problems for a while.

Also given its a drone barge there isnt any life at risk here - and I'd assume the barge is a relatively low cost item in the context of a launch.

Its not as if their business model requires them to get this stage working in the next couple of attempts - its just that if they do suddenly they can charge a lot less or make a lot more profit.

Naturally it'll be massively cool when it does eventually work, but realistically if it takes them another 20 attempts its probably not financially a big deal as they are already delivering the primary mission.

CISOs' newest fear? Criminals with a big data strategy

Thomas Whipp

Re: comments like this...

Wow.... I've never met a business as scale which could give a complete list of systems it relies upon, a network device centered view is vastly more narrow than what you need to consider.

What about developers that reuse a single database server for multiple instances? (that ought to go through change control but might not) What about if they reuse a single database for multiple apps segregated by a table naming convention...

Lets assume you get one top of the "server" type systems - what about the "applications" built in Excel, or Access (you are kidding yourself if you think you don't have any in your business - almost certainly within the Finance team).

What about the cloud solutions which business teams have a tendency to buy via expenses (or use the free versions to avoid that control) - what about the cloud solutions provided by business partners?

none of the above is theoretical I've seen all of those as real world examples - people just want to get their job done and if they think that the central IT options don't fit or are too slow they will go and find their own workaround.

HMRC ditches Microsoft for Google, sends data offshore

Thomas Whipp


you might want to read up on tax treaties, the US FATCA legislation means that the UK is already committed to reporting on any US relevant tax data in a format requested by the US.

From a legal perspective companies within the UK are required to report these transactions to HMRC who then provides them to the US IRS.

My guess is that from a national security point of view tax data just isn't that important (note that the article talked about information classified as OFFICIAL which I believe is the lowest level of government data - see https://www.gov.uk/government/publications/government-security-classifications)

Mad John McAfee: 'Can you live in a society that is more paranoid than I'm supposed to be?'

Thomas Whipp

Re: Undermined

(I was in the room btw so this is first hand opinion and not based on the article)

It was a little odd given the audience... you are presenting to a room full of infosec professionals either in management or vendors, but essentially everyone was in the industry.

It wasn't particularly linear, and seemed to repeat quite a lot and could essentially be boiled down to "security is important, and don't trust corporations or governments". I don't disagree with any of that, but I don't think it added very much to the understanding that was in the room already - I cant say I left feeling that there was anything new that I ought to be considering.

It would have been a pretty good awareness raising type speech for a room full of non-tech business managers

There was also a chunk of time where he talked about his new business ventures which included something he referred to as social encryption and an app to monitor fetal heartbeats... eclectic to say the least.

World of the strange: There will be NINE KINDS of Windows 10

Thomas Whipp

Re: "and they're losing faith.'

Ok so I've used the majority of the software you mention (both the commercial and FOSS elements) (minus the CAD/3D stuff - I tried playing with that once and decided I simply didnt have the mind set for it).

Something I find that is often missed in these conversations is skills/training and consistency. FOSS projects are much better than the 1990's and early 2000's but they still generally lag behind, more over because they tend to have smaller user bases the availability of training (as opposed to online learning materials) is much more limited.

A phrase that I heard once is that an amature practices until they get it right, a professional practices until they dont get it wrong (ok big generalisation as I know that pro/amature is about being paid and that there are big skills variances on both sides - but in aggregate people being paid then to be better than people just doing stuff for fun)

Basically what I'm saying is that the FOSS solutions are good, and certainly helpful for home users who want to stay on the right side of licencing. But the dominant commercial products tend to stay that way and to produce more consistent and better quality output for a whole load of reasons which are much more about users than about products.

Automation eases the pain of software patching

Thomas Whipp

Re: OK... teased us with the scenario and methods..

The article slipped in without emphasising application white listing as a necissary adjunct to patching (which is much harder at enterprise scale than patching outside of locked down call centre type environments).

For most organisations patching is a horrendous activity, in order of difficulty

a) understanding what applications you have installed

b) understanding what applications are actually run (or are a depenancy)

c) understanding what patches are available

d) understanding which you can apply without breaking compatibility

e) distributing patches

f) tracking when patches have actually applied

then trying to do all of that on a regular cycle, for end user devices (i.e. off network and powered down regularly) when it’s going to be looked at as pure cost and inconvenience by the business.

Its worthy of proper discussion

Thomas Whipp

Re: OK... teased us with the scenario and methods..

yep - something of a content free article there

Motorola's 5-incher finds the G-spot: Moto G 4G budget Android smartie

Thomas Whipp

Re: Lolipop

I didnt do anything special - just popped up a couple of weeks back (and then wouldnt shut up about it until I did the update). Have you tried a manual check for updates when on WiFi?

Thomas Whipp


I have a mk1 Moto G on Tesco and it got Lolipop about a month ago. Still a perfectly usable phone and does everything I want - maybe the occassional bit of lag but nothing to get stressed over.

I'm a little disapointed by the latest upgrade to be honest, had been hoping for 2GB or RAM and 16GB of storage at which point I'd probably have got one. As it is I dont see this as much of an improvement over what I've got which as I say is working perfectly well

£280k Kickstarter camera trigger campaign crashes and burns

Thomas Whipp

Re: Risk?

I very nearly put some cash into this as I'd love a laser trigger but at the time I couldn't quite justify it (right now I'd still buy the product if it was made as per original specs)

I think the main problem here is how they originally represented the project - it was defiantly presented in the early stages as a product which essentially just needed funding for a production run. When I read their original pitch I expected product to ship within a few months of funding.

Who uses the Universal Credit system? ALMOST NOBODY, says report

Thomas Whipp

I struggle to know how seriously to take this...

As I read this, it can be summed up as:

a) Project went badly off tracks - was reset in 2013

b) Project has now slipped 6m on revised timeline (which for Gov projects is barely anything)

c) Project is at the end of pilot stage and about to start rollout

Criticism being levelled:

a) costs are justified by future benefits

b) extrapolation of current pilot claimant count leads to long timescales

Now I'm not an idiot, I don't believe any gov IT project is going to be running smoothly and its always going to cost more than budgeted - but seriously these criticism seem ridiculous. All projects are justified by future benefits and all phased implementations start with small user numbers and then aim to snowball into greater volume.

Quantum computing is so powerful it takes two years to understand what happened

Thomas Whipp

Re: Obsolete for whom?

Think authentication rather than privacy

dont think this is such a big issue for website certificates either as under current CA arrangements its really very easy to get your own root CA if you have some cash to splash in which case you can issue new certs for any website you want to impersonate.

Plus for serious players (APT types) they probably can compromise the client devices of people they are interested in and then HTTPS is utterly irrelevant.

What this is more significant for is if you are using PKI based signing by a fixed key for any kind of validation - that is a big deal. Thats software components (think MS root keys), financial transactions, etc... there is a lot of "infrastructure" that this would completely wreck.

RBS's Ulster Bank whacked with enormous IT cock-up fine

Thomas Whipp

Re: IT and Banks

Ulster Bank owned by RBS, outsourced IT operations to RBS - that's a pretty common arrangement.

You could equally take the view that if you're a smallish business owned by a big business it would be bonkers *not* to use their presumed greater capability to operate your IT.

From a strict regulatory point of view Ulster Banks board and approved persons would need to assure themselves that the service was appropriate and therefore could in theory say no, but in practice its very hard to say no to a parent company which wants to consolidate costs across a group and has the compelling argument that they already do the job on a bigger scale.

Elon Musk hits the brakes on Tesla's e-SUV Model X production

Thomas Whipp

Re: non-GAAP

Or i could work through a proper 3 month introduction to accounting course to understand financial reporting in detail... And yes there are lots of firms which publish non-GAAP numbers with some common conventions in certain industry segments

Its can be useful year on year for a given firm, provided the policy is reasonable and consistent

what you absolutely mustn't do however is treat non-GAAP as if its a single category which your comment implies. GAAP for all its faults is at least an external standard

As a selected industry though are you really wanting to use banks as an example of why its OK to pick your own financial reporting standard? (A better example is genuine property management firms where the difference can be do you treat a property as inventory for sale or not, inventory under GAAP gets marked at cost while investments get marked to market but again the policy differs between firms)

I guess my question here is why does a firm that's essentially a standard manufacturer need to deviate from standard accounting? (cool product yes but from a company perspective its still a company that makes physical things) . what is it in their business model which makes GAAP conventions not suitable for them when in summary they ought to be a very standard business just with a cool product

For example why do they have a non-GAAP revenue that's higher than GAAP? The article talks about excluding interest and stock costs , but neither of those should impact revenue

Thomas Whipp


Just as a note, GAAP stands for "Generally Accepted Accounting Principles" so non-GAAP means a model the company selected itself which shows the results they want. Its not necessarily wrong but its certainly a significant difference.

two sets of GAAP accounts should be reasonably comparable at least line by line (although there can still be some big differences in accounting policies especially relating to inventory and deprecation so the overall P&L or balance sheet figures may differ substantially) but non-GAAP figures are generally only comparable with the company itself year on year assuming no changes to accounting policy.

A less charitable view is that non-GAAP figures are the PR release numbers.

Million Mask March: Anonymous' London Guy Fawkes protest a damp squib

Thomas Whipp

Re: Hackery

There was some good research a few years ago which found that "balanced" reporting was more likely to leave people without an opinion while more partisan reporting led to readers considering the issue more deeply and either actively agreeing or disagreeing with the piece.

3D printed guns: This time it's for real! Oh, wait – no, still crap

Thomas Whipp

Re: But against the backdrop of your British readership...

even making a basic black powder isn't that hard (although it is potentially quite dangerous especially if you start wanting to grind it for a faster burn).

That said, even in the UK if you really want to buy a gun outside of the normal checks I suspect its not ridiculously hard - just very illegal.

Nokia Lumia 530: A Windows Phone... for under £50

Thomas Whipp

Re: For the price of a night out

That's odd - I've had a Moto G for a year and am completely happy with the performance

Ex US cybersecurity czar guilty in child sex abuse website case

Thomas Whipp

Re: Absence of evidence = evidence of deletion?

The standard is reasonable doubt for a jury

In fairness, the article did say that when the house was raided they found him looking at the site! Lack of one particular piece of evidence within the context of a wider set of evidence isn't a water tight defence.

Total lack of images being found on the PC when you are known to have viewed the content at least once is arguably pretty damning - especially if the prosecutor can point to a known secure deletion utility (not sure if that's the case in this one).

Having done a number of IT investigations over the years, gaps or missing information can be pretty damn suspicious within a wider pattern of evidence. Its certainly not supportive of a casual / accidental viewing of a couple of images.

Finally, a practical use for 3D printing: Helping surgeons rehearse

Thomas Whipp

Goth friends

I have a number of Goth friends - several of which I think would dearly love to have a 3d print of their own skull on the mantelpiece.

Google kicks PowerPoint in the fondleslab

Thomas Whipp

Re: It's less about utility...

For presentations, fidelity needs to be 100% - but as others have said there can be issues between versions of powerpoint (and in some cases between the media codecs for embedded video). Frankly for anything more than simple slides at present I only want to use the laptop I authored the presentation on.

Power of iPhone 6 hype-gasm: Apple a sniff away from record stock high

Thomas Whipp

Stock splits have nothing at all to do with the rate of growth of a share, their sole purpose is to put the share value at a level where smaller investors can afford to buy a minimum block. In theory a stock split or consolidation should have no impact at all on overall company value (although if you allow more small investors to purchase you may push up demand slightly and therefore slightly increase your overall market cap).

Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS exposed

Thomas Whipp

Re: ICO ?

Oh god I've got my compliance geek on here:

a) FCA/PRA (who replaced the FSA) would not have jurisdiction over a travel agent as they are financial services regulators - with the exception that the FCA might have jurisdiction in relation to a credit licence, but that wouldn't be relevant in this case.

b) as others have said, PCI-DSS is a card scheme standard so any fines for non-compliance with that would typically be issued via the merchants acquiring bank.

c) and this actually bugs me a *LOT*, under the DPA financial records are not considered sensitive personal data (this designation being reserved for medical history, political affiliations, union membership and sexual orientation) - as a release from the ICO they really shouldn't be using that phrase incorrectly.

d) I also find it slightly odd that the FCA state that there was no fraud as a result, that would be extremely hard demonstrate and from what I understand it tends to be done by statistical analysis at the card issuers/schemes to identify spikes in fraud where clusters of card numbers all made purchases via a particular merchant within a particular window. The fact that nobody might have felt sure enough to state that there was fraud to the ICO has almost no value here.


Wannabe Startup CEOs Hate This Guy: Potato Salad man and the $60k

Thomas Whipp

Re: Will he really make a huge profit though?

Kickstarter isn't what I'd call an investment - its a funding platform where people donate to enable a project to proceed. Typically for larger donations they get something back, but the low level donations this may simply be their name listed on a website.

If one of these projects suddenly becomes a multi-billion dollar success, then the original people who funded it don't get a large return.

At most this is an "investment" in the same way that an ebay purchase is.

There are true investment type sites for start-ups, but they are high risk and require a lot more than a couple of £/$ to participate.

CIA rendition jet was waiting in Europe to SNATCH SNOWDEN

Thomas Whipp


The alleged damage that this sort of thing causes doesn't lead to an immediate terror attack - what it would do is get some intelligence sources killed as their identity gets leaked, it damages diplomatic relations, etc... this damages the infrastructure used by an intelligence service so that its not as effective in the future.

This doesn't translate into "we can directly trace attack X back to the disclosure of this information", you'd never be absolutely certain that you'd have caught it anyway. Plus you'd probably not want to disclose the change in capability if you could prove it.

I personally think that you can choose to argue somewhere on the scale of:

(*) the damage is a good thing as all intelligence services are evil

(*) that its a bad thing which is justified because intelligence is getting too invasive

(*) the damage is a bad thing which isn't justified as security is worth any price.

But I don't think you can argue that it causes no damage at all - after all wasn't the whole point of the disclosure to make some level of impact.

Cabbies paralyze London in Uber rebellion

Thomas Whipp

Re: Argument

fair point re "low income" - what I actually meant was not on banker salaries.

Thomas Whipp


One of the arguments I've seen which I have quite a bit of sympathy with relates to the surge pricing in Uber (which incidentally I've never used) - i.e. if you want a taxi when its raining its likely to cost more and a *lot* more in more extreme events.

This does mean that should the Uber model cause normal taxis to be a non-viable business then there could be real issues with getting access to transport for those on low incomes at those times. Ultimately that's a social policy question.

EBAY... You keep using that word 'ENCRYPTION' – it does not mean what you think it means

Thomas Whipp

Re: Sigh ...

its not so much shoulder surfing as Trojan software which is the threat, if I have a Trojan installed on your PC (probably including a browser plug in) that can identify target bank sites and then capture both key strokes and a screenshot of the login page, then at least with the partial characters the attacker needs to observe a number of attempts before they can guarantee access.

Boffins teach robo-arm to catch flying beer bottle

Thomas Whipp

Re: Enter

I did think it should be filed under rise of the machines in boot notes

Oculus rips ZeniMax over claims of Carmack foul play

Thomas Whipp

Re: I thought this was about Carmack

There is a big difference between IP and code. While cut and paste code is always going to constitute IP theft, it is possible to infringe IP while writing completely new code.