Posts by Mike 137

Old as the hills and still being perpetrated

"The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software."

When, oh when, will developers accept that specific white list based context dependent validation is essential for every input?

It's far from sufficient to declare that you "haven't heard of our cock-up being abused", particularly as it's so simple to avoid making it in the first place.

Anyone heard of OWASP?

In the foreseeable future ...

I anticipate a near future where the majority if not all of new hires are contracts under IR35. As this absolves the employer from paying for pensions, holiday and sickness benefits and permits dismissal at a moment's notice it's likely to catch on quickly. The "employee" is still likely to be expected to provide professional indemnity and public liability insurance and to travel on the employer's business at their own expense.

This could well be the future for all of us not just the much maligned "contractor".

Roll on unregulated

It took over a hundred years to establish the regulatory frameworks for reasonably safe banking services. Now we're throwing all that away and allowing all and sundry to operate without adequate oversight. But of course it must be OK because it's "online".

"course the entire point of meditation is to not move around and just relax"

Actually, the point of meditation is supposed to be working towards enlightenment. Stasis and relaxation are merely means of entering a state where the mind becomes more receptive.

Whereas in the UK ...

Unfortunately these excellent arguments cut no ice in respect of IR35. Courtesy of an inexplicable bigotry here in Blighty, as soon as hirers catch on to the advantages, we likely face a future of "Uberized" employment where every new hire is a "contractor" under IR35, saving the hirer all the costs of pensions, sickness and holiday pay and allowing staff to be dismissed on a whim. They've set the clock back 200 years to the days of the early Industrial revolution.

Qui bono?

"I think it's just a design that we will keep iterating."

I have two questions:

[1] you "think" you'll keep iterating - are you not sure?

[2] Why keep iterating? Most developers want familiar non-intrusive tools so they can get on with concentrating on their development, not constantly running up a learning curve for the tools.

To me, this sounds like nonsense akin to the infamous "ribbon".

Scary precedent?

"The hearing began as a YouTube livestream ..."

Quite apart from the issues of reliability and maintenance of the public record,. using "social media" to conduct court proceedings seems just a little inappropriate, given the attitude to both user rights and truth of most social media providers.

Vive la difference

"attack vector that AI would likely miss without the creative flexibility of human decision-making."

That sums up exactly what the difference is between artificial and real intelligence. AI is essentially token matching (mentation at the level of the bumble bee) whereas the human can be creative. We don't understand the mechanism of creativity - we can only infer from examples, and the range of inferences is almost as wide as the range of examples. Consequently we can't tell a mindless machine how to do it. I suspect that a key component of it is understanding.

Yet again ... yawn ...

'"Occasionally their product will have to modify the server response, for example on search pages where they inject the script implementing the Safe Search functionality," Palant explained.'

When will it finally sink in that client side scripting should never be used for security. Client side scripting is the primary vector for automatic client compromises, so it's the exact opposite of the right approach. If you want a secure browser, design one from the ground up in native code (or if you really must, an interpreted language like Java). That doesn't of course ensure it's not vulnerable, but it should be obvious that any code that sits within a web page is open to malicious tampering.

Microsoft adds another attack vector to Windows

"Good news from Redmond – Microsoft said it can scan UEFI firmware with Windows Defender Advanced Threat Protection."

There's a lot of evidence from several years of independent research to show that, regardless of vendor, "protection" that breaks system segregation (either by hooking to ring zero or this for example) increases the attack surface of the target. It's typically coded to the same standards as all other software so it has attackable vulnerabilities in it just like everything else.

Probably not entirely a bad thing but ...

Despite the ambiguities identified by others here, I guess it's a good idea to ensure that the basis for establishing fundamental units is itself standardised. The overriding serious flies in the ointment in this case are [a] the metre is an arbitrary standard based on a faulty measurement in 1793 and not corrected when found to be wrong in 1858, [b] we still don't know the exact speed of light in vacuum, and [c] they seem to feel eight decimal places are sufficient for everything.

"Getting to them is, however, quite another kettle of fish"

Actually, getting to them will probably be the lesser of your worries unless you just want to commit suicide expensively. Ecosystems are complicated, and finding a niche is hard even on Earth where all life has fundamentally co-evolved. Hard in the sense that there are masses of failures, both at the species and the individual level. This will be all the more the case for an entirely alien species (us) on a distant planet with its own evolutionary history.

Even if the lovely fantasy of a perfect human-supporting habitat devoid of competitors were to be found, staying a live long enough to take advantage of it would be a serious challenge as adaptation takes generations to accomplish. Either way, we should expect more than half of the human settlers to die before they reproduce - probably vastly more than half, so we'd have to send huge populations of settlers with a known high probability of snuffing it as part of the deal.

Only on Star Trek are small human communities able to settle stably on alien planets, and that's just because the writers ignore the science.

"Some of the programming blunders..."

Thank you Shaun - thank you a thousand times! It's about time we all faced up to the fact that that's just what "exploitable bugs" are - no more no less.

Until software development becomes a genuine engineering discipline with formally ratified standards and an expectation of their universal application by qualified practitioners, we'll never have safe, or even adequate IT systems. Every other branch of engineering demands this - even plumbing.

"nine out of ten 'ethical' hackers are being a bit naughty..."

There's no need for the quotes around the word ethical. if your community ethics include being naughty, then it's OK within your community. The problem arises only when the ethical systems of different communities are in conflict.

However at least in the UK, such activities are potentially unlawful. They could therefore backfire badly supposing service providers and law enforcement really gave a hoot, but they don't really seem to so the habit gets reinforced until it becomes a norm.

"Autonomous self-driving computer systems eliminate [...] human error..."

Even an "autonomous vehicle" has to be told where you want to go. It can't decide that for itself. The same applies to "autonomous self-driving computer systems" - they can't decide your business strategy, or even your business tactics for you.

In my experience as a business risk consultant, the majority of human error stems from bad judgement at these strategic and tactical levels, so the "autonomous ... etc" computer system won't actually help at all. But it will probably sell like hot cakes to those whose lack of attention and vision causes them to make the strategic and tactical mistakes, because they'll be conned into thinking the machine will save them the hassle (see the growing number of tesla autopilot incidents for confirmation). And of course that's all any vendor is interested in.

Artificial intelligence

"Slipping it a question that contains a typo like “explsinable" instead of “explainable” can confuse the system and slow it down"

Humans can typically handle this very well - usually able to read text at normal speed even if it's littered with typos. Indeed they usually go unnoticed, which is why proof reading is so hard. The critical factor is that for the AI machine the words have no meaning - they're just "tokens".

"users could find themselves with a big, frosty brick"

Why would the basic mechansim of a fridge (compressor, circulation pipe work, radiator, thermostat) stop working if it loses its " online support"? Only because they can make it like that so you'll have to replace it. A friend who's not on the internet has a 60 year old fridge that still works fine - it's needed one replacement compressor in that time.

One of many

There appear to be dozens of "web site builder" services out there, and pretty much every one ties you to its platform like MrSite does. I don't think this is a very good idea.

A huge mystery has been made of web development, in most cases quite unnecessarily, although it has to be said that the complexity of web sites has increased dramatically (also in most cases quite unnecessarily). However, supposing that "builder" services are actually needed by some people, I'd like to see a service that allowed a web site to be created to strict W3C standards and then taken away and hosted independently. Then, termination of the "builder" service would not be a problem.

Consciensciousness theatre

Both FB and Twit seem to be merely pandering to public expressions of concern. They have no genuine vested interest in promulgating truth - it's irrelevant to the business models of both. But then, whose business model these days includes that interest?

"PHE and the NHS confirmed that a DPIA has not been conducted..."

Naughty and unlawful, but conducting one will probably make little difference. Under Article 35 of the GDPR the arbiter of the necessity, proportionality, risks to data subjects and risk control measures is the party intending to process the data. Not the ideal basis for objective evaluation.

Is Amazon alone?

Once you're dealing with any behemoth corporation that can exhaust the resources of complainants at law and can negotiate their own penalties, this is an inevitable kind of outcome. It's identical to the position in the UK cotton industry of the 19th century. So things go full circle as they always do. It's only when something exceptional like COVID occurs that our attention is drawn to the problem.

"Red Leicester has taken the top spot"

Red Leicester is one of the most varied of English named cheeses. It ranges from pale bland and rubbery (a la Tesco) to sharp, crumbly and delicious. At its best it deserves the top spot (at least on a shared basis). At its worse, even mice aren't attracted to it.

"The government [...] spaffed £46m on an ineffective "Get Ready For Brexit" campaign"

Primarily ineffective because it explained nothing. A list of "things you should consider" is not sufficient guidance. Businesses have never been told so far with the pros, cons and implications will be of the various alternative courses of action.

The least of our worries

An "almost certain" no deal Brexit will be vastly more complicated to navigate for most businesses than a change of domain name. Not least, the issue that nobody, right up to ministerial level, has been willing to discuss with my consultancy is that some of the standard contractual clauses we're supposed to implement once the UK is a third country aren't actually GDPR compliant.

"Westminster, we could have a problem..."

I've been saying this for over a decade

Any system is entirely as weak as its weakest link. The most remote smallest end of your supply chain can be (and often is) the entry point for your data breach and it has been the case for a very long time.. But this seems to have only just registered with the pundits, witness the 2016 request for comment to the US Commission on Enhancing National Cybersecurity and similar initiatives. We submitted to that, pointing out that cyber security has no boundaries. Among all submissions, ours was the only one that stated this. Equally, ours was the only submission that included attackable internet connected home security systems used by millions of Americans in the definition of critical national infrastructure.

Actually it's quite different from the GDPR

This legislation is essentially about data sharing - hence "§ 999.305. Notice at Collection of Personal Information (d) A business that does not collect personal information directly from the consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information."

The GDPR is about protecting the data subject's human rights (which include privacy), and it takes into account a wide definition of harm.

This is a fundamental difference that is consistently overlooked.

"The BBC is selling Beeb as a privacy-friendly option"

"transcripts will be shared with Microsoft to improve its Azure AI"

Not quite sure how these two statements can be considered compatible, but maybe I'm missing something.

"nerd-goggles-for-suits"

Where will the goggles fit? None of my suits go anywhere near my face. They typically stop around the neck.

"...not paying attention"

That's actually an offence in the UK if you happen to be driving at the time, and with damned good reason. If you want to day dream en route take a taxi.

Open is already relative

With Linux embedded in Windows, "open" is already a relative concept. "Proprietary open" meaning they tell you just as much as they think is safe while protecting their IP is probably the realistic future. Ironic as the predominance of the IBM PC was entirely due to it's being mandatorily an open standard. The manual that came with my first PC included full circuit diagrams and BIOS listing. That openness directly drove both PC clones and the huge add-on industry that put the current closed source big players on the map.

Why single out the Aussies?

"a symbol of the Australian government’s seeming inability to execute technology-led initiatives"

Australia is not alone. I can't immediately think of a government technology initiative that has delivered as desired, or even as expected. Governments aren't alone in this either. I can't immediately think of any technology initiative that has delivered as desired or even as expected. Until IT becomes a real engineering discipline, this will remain the order of the day.