Posts by Mike 137 711 posts • joined 10 Sep 2009
The interaction of the various ideally completely separate functions suggests insufficient process segregation. This in turn suggests that the software as a whole has "evolved" rather than being designed as an integrated deliverable. Most software today "evolves", so we need a radical rethink of our approach to application design.
Any improvements in the quality of code being written will never be sudden - if they happen at all it will result from a complete redefinition of "software professional" making the requirement for formal expertise coincide with those of other more established engineering disciplines.
Software is the only engineering product that is accepted as created by entirely self-taught and unverified practitioners without recourse to ratified common standards. Not the case in civil engineering, not the case in electrical engineering - not even the case in plumbing or gas fitting. But as software gets ever more embedded in products otherwise engineered to more rigorous standards, these themselves get dragged down to its level. Witness several aviation incidents and near misses in the last few years.
An alternative answer is fear. Fear doesn't have to start out as of something specific. It can start out unfocused and find something to attach itself to. What that something is depends on current cultural obsessions.
Fear can make us stupid in respect of the thing it attaches to while we quite possibly remain entirely rational in all other respects. Consequently, we are all probably stupid in some things without any of us being entirely stupid.
Unfortunately, it's more likely a mark of being too expensive for the bean counters. Young new entrants are much cheaper and also better conditioned to being abused as they're mostly might relieved to have a job at all in an overcrowded market place. Expertise and experience are not significant decision factors, which is why software is mostly such a pile of excrement and projects fail so often.
The "bottom line" for most companies is not quality or customer retention, it's net profit. A cheap readily replaceable workforce is s significant contributor to this.
And thereby guarantees the churn that keeps these behemoths in funds. If computing kit was durable and standards were stable, the market would have completely saturated at least a decade ago. None of this "innovation" is really for us users, which is why it now takes four 4 GHz cores and 8 GB memory to run your word processor.
I concur, it's not fundamentally about "privacy" per se. It's about ensuring that processing does not infringe the human rights of the data subject, of which rights privacy is just one. Unfortunately the law is not (and probably never can be) specific enough to ensure all eventualities are covered for.
On material scope the GDPR states:
" 2.This Regulation does not apply to the processing of personal data: [...] (c) by a natural person in the course of a purely personal or household activity;"
The definition of "purely personal or household activity" is the point at issue here. There's no definitive interpretation and negligible precedent. This case might indeed contribute some provided the opinion is explained properly. Nevertheless, as the legislation is only invoked on the basis of complaints by data subjects, the body of precedent is likely to be slow in accumulating, and in the meantime it's pretty safe for most organisations to ignore the law. That's not so much a fault of the legislation, but of how it's universally enforced.
Although the GDPR mandates transparency, just telling people that you're abusing them does not constitute genuine compliance even if it seems to fulfil the "letter of the law". The purpose of transparency under the GDPR is to provide data subjects with a basis for challenging processing that infringes their human rights. In the absence of effective mechanisms for redress, transparency alone is useless.
This is also a key reason why infosec has got worse rather than better over the last 30-odd years. All the losses are either externalities (the customers') or effectively coffee money for giant corporations. As far as I know, DigiNotar is the only company that actually went out of business as a result of a data breach, and that was because it was a subsidiary to a holding company that shut it down just to avoid embarrassment.
Another key reason (although not in the case of Equifax, where we don't have a choice) is that despite the breaches, "we" the public go on using the services (e.g. Yahoo, Facebook) so quite a bit of the problem is actually down to us as well.
Once, I got a letter revising the time of a physio appointment by one minute. On arriving, I waited until around 45 minutes after the appointment time without being called, then had to leave as I had to be somewhere else. The lack of control is not just in IT projects.
"... the Windows giant was "on the wrong side of history" when it came to open source ..."
Of course the original IBM PC that put Microsoft on the map was open source. I remember the manual including both full circuit diagrams and a complete BIOS listing. it was this that made it such a success. P/S2 failed because it didn't follow the same principle, so the add-on industry didn't support it.
What is unclear, though, is how open source licenses can be respected if open source code is absorbed into closed source products, which is clearly what is happening. That would seem to amount to breach of intellectual property rights.
From Conductivity Of Metals Sorted By Resistivity
Copper pure IACS 100%.
Copper deoxidised IACS 85%
Aluminium 99.99% pure IACS 64.95%
However aluminium is about a quarter the price of copper, so and Al wire 1.3 times the area (1.144 times the diameter) would have equivalent resistance per length to deoxidised copper and be a lot cheaper. Does make sense, except possibly for the greater difficulty of making long term reliable connections at the ends.
Actually that's not the case. Consent is only one of the lawful bases for processing.
And it won't hinder vaccine development. There's a specific provision - Article 9.2(i) - that permits the (otherwise prohibited) processing of the "sensitive" categories "[...] for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health [...]".
The GDPR is not a barrier to any legitimate processing by any organisation provided its requirements (intended to respect the human rights of data subjects) are fulfilled.
It's about time someone actually read the GDPR before pronouncing on it, particularly where the person pronouncing is high profile and likely to be taken as an authority..
The problem with designing for security from the start is that it requires two rare human attributes: forethought and dedication. Both are spectacularly absent in government circles, where short term planning and knee jerk reaction provide an adequate route to the "top"..
The best outcome for any identified risk is that you've pre-emptively reduced its likelihood to zero. Short of that, you've pre-emptively reduced its potential consequences as far possible. Either way, the common factor is pre-emptively.
Most incidents arise from ignoring the signs until it's rather late in the day to act. But Nassim Taleb was right in saying we rationalise after the fact to explain the incident away (typically as "unprecedented").
Bad for Europe, but of course once the UK becomes a third country there's be nothing to lose anyway (except your browsing history). We may have the "UK GDPR", but Privacy Shield is external to the Regulation and is negotiated between Europe and the USA, so unless some very creative machinations are negotiated the UK will not be party to it.
How about F***ing Facebook? Who actually committed the offence? It must be recognised that behemoth corporations on this scale are essentially extra-judicial as they can wheel, deal and bargain with resources that outstrip all other interested parties. This is the real problem, and until we have internationally consistent laws to prevent such abuses of position, no legal action against these corporations can really be made to stick.
Hardly "littering" considering how much junk is already up there and how long it's been accumulating. As long ago as 1991, Heinz Wolff suggested we needed a "vacuum cleaner - to clean the vacuum up there" and it's been increasingly necessary ever since. However the real hazard of these events typically comes later. Collisions with other debris can break up large fragments, but even tiny fragments can be lethal at orbital speeds. You can track and steer past big debris, but pebble size bits are virtually impossible to avoid.
"... deploy its lightsail again and return to Earth ..."
Driven by what? This is necessarily a "square rigged" spacecraft. It can probably tack a bit but can't sail into the wind or even close to it.. The Earth-based laser (supposedly) got it to Alpha Centauri, but it can't bring it back.
"... the apps, which are supposed to be pro-privacy, use Google Analytics and the Firebase Analytics framework, configured in a way to allow personalized web advertisements."
Translation: "Where there's an opportunity, however slim, to monetise, we will. That's our definition of capitalism".
However, it's possibly unlawful. Quite apart from any "cookie" use, we need a decision to set the precedent - are personalised adverts "electronic communications" within the definition used by the Privacy and Electronic Communications (EC Directive) Regulations? If so, prior consent would be required. But who actually cares? Practically nobody it seems. Business and government currently stomp all over personal privacy and the ICO mostly seems to turn a blind eye.
It took over a century all told to develop the financial regulation regimes that silently protect all of us from expensive fraud. Now (at least for the last couple of decades) we're happy to abandon that safety by signing up to entirely unregulated financial intermediaries. Can't see why...
Great idea, provided the automation is not set running and left unsupervised ("fire and forget" management). Equifax had all the technology and automation it needed to prevent the massive 2017 data breach. The problem was an almost total lack of management control, so nobody knew, not only whether they were vulnerable (and subsequently whether they were under attack) but even who was responsible for finding out.
Blind faith in technological "solutions" does not protect against harsh realities, particularly where the technologies are so fundamentally flawed (take a look at the CVE or the national CERT notices).
and they get it whether the advertising converts to sales or not.
I have a strong suspicion that "personalised" ads that aren't relevant to the page content against which they appear are likely to have a very low conversion rate. Relevance to the page content is much likelier to convert (basic human psychology). But of course content-relevant ads are harder for the middle men to place, and are a lot less amenable to high speed auctioning.
Good enough for what?
There are purposes for which well defined passwords are sufficient, and other purposes for which they are not. There are no purposes for which the normal idiotic password rules are sufficient - "Pa55w0rD!".
The Register - Independent news and views for the tech community. Part of Situation Publishing
Join our daily or weekly newsletters, subscribe to a specific section or set News alerts
SUBSCRIBE
Biting the hand that feeds IT © 1998–2020