* Posts by Mike 137

3371 publicly visible posts • joined 10 Sep 2009

Prompt engineering is a task best left to AI models

Mike 137 Silver badge

Model specific results?

From the paper: "[a]lthough we aspired to assess widely recognized commercial models such as GPT-3.5/4, Gemini, Claude, etc., conducting experiments involving 12,000 requests per model was deemed financially prohibitive [...]. Consequently, we opted to utilize models hosted by VMware NLP Lab's LLM API."

So the results may not reflect the performance of the models most folks use. Indeed the authors found that "As evidenced in the subsequent sections, certain overarching patterns become apparent; however, they do not universally apply to each model across all prompting strategies. We will explicitly illustrate that there is no straightforward universal prompt snippet that can be added to optimize any given model’s performance."

This strongly suggests that there's no underlying rationale for the optimisation of prompts, leading to (my) conclusion that there's no actual (even artificial) intelligence present.

Mike 137 Silver badge

"I certainly would never have come up with anything like that by hand"

Obviously, Battle isn't a trekkie. If he was, the result might have been relatively obvious, considering the quantity of Star Trek material that the LLM had probably digested while training.

The source of most of the apparently anomalous output of LLMs is most likely bizarre biases in the online cultural data set used for training (see 'social' media for examples). That's primarily due to [a] the dominance of "entertainment" as a motive and [b] the prevalence of everyone with a momentary idea rushing to publish it to the world whether or not thousands have already done so. Given that the LLM understands absolutely nothing but merely assembles a string of tokens based on probabilities inherent in its training, the resulting biases inevitably emerge in its output.

This is most likely not purely a technology issue, so it would be informative to examine LLM behaviour in terms of comparisons between training data, queries and output from a psychological/cultural perspective.

EU wants to make undersea internet cables more resilient

Mike 137 Silver badge

Good intentions, but ...

Neither of the Commission documents makes any even high level suggestions about how to actually make undersea cables more resilient. They're essentially administrative and address only the intent. Other than to stress the need for mapping of cables and a generic requirement for testing and repair, they say nothing concrete about resilience. IMHO, repair capability is not the key to resilience. It's ideally the ability to ward off attack without detriment rather than merely an ability to recover after a successful attack. But of course that's all down to definitions, and the Commission is not a technology body but a political one.

Consequently, particularly bearing in mind that undersea cables are laid and maintained by corporates, not national bodies, it's probable that these proposals will drive little material change.

City council megaproject mulls ditching Oracle after budget balloons to £131M

Mike 137 Silver badge

Re: So whose bright idea was it in the first place?

Philip Macpherson, a recently appointed Oracle program lead for the Council, said: "We are looking at doing some options analysis to genuinely weigh up the pros and cons around that to sort of underpin the case for reimplementation [of Oracle] and spec out the outcomes the council's after."

I think this goes a long way to explaining the problem. Firstly, it's a prime example of muddled thinking -- combining choice of a specific product at the same time as specifying intended outcomes. Secondly, it exhibits a (probably unconscious) prejudicial bias in seeking to underpin a specific product choice. Thirdly, it's incoherent and ('sort of') vague. Fourthly, didn't they do sufficient options analysis before starting the programme?

What's needed to get these programmes implemented cost effectively is a coherent process of evaluation, design and implementation consisting of a sequence of stages with defined outcomes that can be verified as accomplished successfully before proceeding to the next stage. But of course everything is now 'agile', which (contrary to the manifesto) typically just means jumping to conclusions and launching into implementation without sufficient planning or risk assessment. Delivery is quicker, but commonly the wrong thing gets delivered.

Google releases Gemma – LLMs small enough to run on your computer

Mike 137 Silver badge

But more importantly

"In the right hands, it carries incredible opportunity, but in the wrong hands, it can pose a threat to public safety."

As these LLMs don't learn once initially trained, how long before they cease to be useful (supposing of course...)? It's very unlikely that retraining would be possible on 'your computer', even if you had access to the training data set.

Giant leak reveals Chinese infosec vendor I-Soon is one of Beijing's cyber-attackers for hire

Mike 137 Silver badge

Realistic threats

This is a much more realistic threat model than that Huawei supposedly built snooping functionality into their appliances. Quite apart from the consistent failure to find any such functionality, a 'service' such as that ostensibly provided by I-Soon can be much better focused on targets of real interest. The essence of effective espionage is concentration on what is likely to be important rather than the building of random haystacks, so commissioned attack of selected targets is a better proposition than merely placing listening devices all over the place.

Boeing-backed air taxi upstart Wisk plans to fly you across town at UberX prices by 2030

Mike 137 Silver badge

Not on your life sunshine!

"The aircraft would be supervised by a Wisk staff member on the ground, monitoring and taking on the role of communicating with air traffic control for several vehicles at a time"

Sullenberger famously pointed out two fundamentals of safe flying [1]: [a] constant detailed situational awareness and [b] the experience and willingness to make quick decisions to depart from procedure in emergency to save the situation. To achieve these fundamentals, a pilot needs to be right up there in the air with the seat of their pants directly coupled to what's going on.

So two things militate against the ground staff controlling several of these 'vehicles' at once safely. Firstly, the situational awareness is attenuated, particularly in respect of emergencies (note that all remotely operated drones to date have been expendable in emergency), and secondly multi-tasking involves task switching which both slows reaction time and further reduces situational awareness. The task of a current air traffic controller (who does indeed typically supervise several planes at once) is much simpler than the task of flying even one plane, but the suggested scenario requires the ground staff to 'fly' several planes at once.

[1] Highest Duty, pp 186-190 [Harper Collins 2009, paperback edition, ISBN 978-0-06-192469-9 (pbk.)]


Europe's data protection laws cut data storage by making information-wrangling pricier

Mike 137 Silver badge

Privacy?

"Past research suggests that the privacy afforded consumers under GDPR is mostly beneficial, but can be detrimental when a monopoly is involved."

Judging by the abstract, the paper ('Privacy Rights and Data Security: GDPR and Personal Data Markets') considers privacy breaches as equating to data leaks. This is the most common (and excessively narrow) interpretation of privacy to be applied to the Regulation. But the Regulation clearly expresses that privacy means data subject control over the processing of their data, so its definition is much wider -- including, for example, the right to object to specific processing on the basis of ethical grounds. So in principle if I object ethically to some social media platform I have a right under the Regulation to complain against any business that passes my personal data to it without giving me a prior opt-out, or to object to a business profiling my activities without my consent. Unfortunately, businesses have in general ignored this, and regulators have tended to refuse to act when alerted to such breaches of broader data subject rights. Consequently the Regulation has effectively been neutered as a real protection almost from day one because nobody has taken seriously the fact that the GDPR is human rights law relating to data, not data law.

Cutting kids off from the dark web – the solution can only ever be social

Mike 137 Silver badge

Re: Root causes?

@doublelayer

"you and the campaigners here are alleging that it's a large group"

Nowhere did I suggest it was a large group that perpetrate extreme acts. However, it should be noted that quite probably a majority of "detective" stories and movies centre around murder, the most popular video games by far seem to be those relating to mayhem of one sort or another (e.g. "first person shooters"), and a high proportion of kids do indeed find them entertaining. The kind of incident that triggered the current debate is an extreme exception, but the general level of acceptance of violence as entertainment is objectively pretty high. As the baseline is so high, the threshold for deviance into extreme behaviour is closer to the norm than it should be, resulting as it does in "hardening of the arteries" -- loss of empathy for suffering.

Mike 137 Silver badge

Root causes?

"As soon as one kid in a school finds something online of interest "

The fundamental question we need to answer is "why are torture and murder sites interesting to kids?", and then find a fix for that. However the effective answer will probably need such a societal culture shift that it's not going to be deliverable.

Part of that answer is that the adrenalin rush has been exploited for ages to sell goods and services, and unfortunately it's subject to habituation, requiring ever stronger stimuli to trigger it, so the baseline itself has become an excessive level of excitement.

Another part is that passive consumption of electronic media has largely supplanted actually doing things that resulted in sufficient satisfaction at lower levels. When I was a kid, we built and flew model aeroplanes, scrounged components from old kit and built radios, hiked for miles cross country at weekends and played a lot of sport. All of these were challenging and delivered recognition of real achievement, which was our 'high'.

Finally, although it's unpopular to say so, most of us live in societies that are excessively pre-occupied by sex and violence from a very early age (via movies and marketing).

Putting all this together, it's clear that reversing these trends is fundamental to the societal change that might solve the problem. But who among the media moguls and marketeers is going to start?

Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts

Mike 137 Silver badge

Yet again the same stupid error

"From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region."

A one-time passcode is an authenticator (a stronger version of a password). A 'face ID' is an identifier (like a user name). When, oh when, will the bank wonks realise that the two are quite different? An authenticator absolutely must be rescindable and changeable (hence the one-time passcode) and as far as I know (barring surgery) one's face can't be changed.

The big problem is that the actual security of accounts is primarily a customer problem, not the bank's (because they can wriggle out by blaming the customer), so a great deal of the provisioning is theatrical. It's not as if they couldn't afford competent security experts, so this all too common idiocy must be down to not really caring.

IT body proposes that AI pros get leashed and licensed to uphold ethics

Mike 137 Silver badge

Non sequitur

"The importance of AI ethics was amplified by the Post Office scandal, says the BCS boss, "where computer generated evidence was used by non-IT specialists to prosecute sub postmasters with tragic results.""

Since when did the Horizon system make use of "AI"?

Quite apart from which, unless there are some pretty specific definitions of 'good' and 'bad' ethics in relation to 'AI', it will be impossible to apply objective judgement to the vast variety of applications and outcomes. Existing 'registrations' and 'codes of conduct' in the IT sphere have so far not demonstrably contributed to good practice, but have involved costs and hoop-jumping for practitioners to no great gain for anyone. Most practitioners behave ethically anyway, some don't, and those that don't rarely get held to account regardless of their 'registrations'.

It's time we add friction to digital experiences and slow them down

Mike 137 Silver badge

Re: just use website technology

"Use of industry standard website coding techniques would stop these attacks"

We have de facto standards already -- they consist of doing absolutely everything in javascript whether or not it's strictly necessary (rendering images for example) and then building pages from assemblages of script fragments from multiple sources on the fly. The resulting unverifiable chaos is indeed an industry standard -- just a very unsafe one.

Waymo services driverless car software after Phoenix truck collision

Mike 137 Silver badge

"that bit of exception handling must have been fun to write"

There, maybe, is a key root cause of the whole problem. An unusual situation encountered while driving can not realistically be classed as an 'exception' (i.e. one of a predicted list of specific events that trigger specific actions). Driving requires continuous re-evaluation of what's going on, consideration of the range of possible outcomes and dynamic choice of optimum responses, even where the specific situation has not been previously encountered. In fact, it requires forethought, which these 'autonomous' vehicles are incapable of -- they only respond reactively to stimuli.

Any attempt to create an 'exception list' in advance will fail as not every eventuality can be foreseen, and incrementally updating one will not only require an incident to occur before every update is considered, but will ultimately result in an unmanageably huge list that will still miss some possible events.

Microsoft might have just pulled support for very old PCs in Windows 11 24H2

Mike 137 Silver badge

"Most people I work with tend to use their phones for most things now"

I guess they don't use CAD or do video editing then. There are quite a number of creative and technical tasks that demand a high resolution display and precise pointer control. For example I do a lot of PCB design and couldn't manage at all with less than a 24" screen.

Mike 137 Silver badge

"famed for backward compatibility and keeping old kit going"

Certainly not the case with their driver model. It's sufficiently different in every version of Windoze to prevent old peripherals being ported, but there seems no necessity for this.

Cruise swerves to hire safety guru after series of misadventures on the streets

Mike 137 Silver badge

A fundamental defect

"The Cruise vehicle had interpreted this accident as a side impact and pulled forward approximately 20 feet"

This exemplifies the problem -- the tech can't reason.

There's a T junction in my area (in the UK) where the minor road (tail of the T) meets a main road and folks park on the verge of the main road, so there's never a complete clear view of fast traffic coming from the left along the main road. A driver wanting to turn into the main road has to rely on brief glimpses of moving vehicles passing the gaps between the parked ones (often quite a long way away from the junction) to tell whether it's safe to turn. This is quite a common situation, but I seriously doubt whether an "autonomous" vehicle would be able to handle it reliably as the 'signals' are quite subtle and require an inference to be drawn from them based on experience about how much time there is to manoeuvre safely.

Apart from which, it's hard to understand why the response to a "side impact" is to drive forwards for 20 yards -- surely it would be more sensible to just stop?

Chrome engine devs experiment with automatic browser micropayments

Mike 137 Silver badge

Re: Flip Side

"This is the point where you should report the website to the ICO (in the UK) or your local equivalent"

Unfortunately, they'll do nothing about it, and in the UK it looks like the proposed new legislation will cease to take this seriously, even in principle.

However there are third party tools (at least for Firefox) that can control cookies and other intrusive elements -- e.g. uMatrix.

NHS in Wales bets big on Microsoft with deal worth nearly half a billion

Mike 137 Silver badge

Re: How much?

"offering totally secure functionality"

Of course there's no such thing -- even in the 'cloud' at a premium price. The primary way to breach a cloud based service is (as always) via the client's end points. Cloud providers' security commitment is to their security, not yours. You remain responsible for that, regardless of the hype.

Mike 137 Silver badge

Re: How much?

Making the running of your entire enterprise dependent on a subscription-based lock-in doesn't seem the safest of business strategies. To paraphrase Charles Colson: when they've got you by the balls, the contents of your wallet will inevitably follow.

But of course for public services it's not their money so the excess cost doesn't hurt much.

Tesla's Cybertruck may not be so stainless after all

Mike 137 Silver badge

Re: Musk? Who trusts this guy?

Fortunately, not directly on the goof. Yes, he owns SpaceX, but the folks that do the actual work are experts. Although he's apparently constantly butting in, they probably to a great extent ignore him, not least because the aerospace industry has established standards that have to be met. The US auto industry, on the other hand, is largely self regulating.

Mike 137 Silver badge

Re: Stainless?

"corrosion resistance varies inversely with the strength of the steel"

Not quite as simple as that. There's a very informative set of data sheets on stainless steels here.

Mike 137 Silver badge

Stainless?

"immediately remove corrosive substances (such as grease, oil, bird droppings, tree resin, dead insects, tar spots, road salt, industrial fallout, etc.)"

Bird droppings, road salt and (some) industrial fallout -- OK, these are known to be corrosive, but grease, oil, resin and dead insects?

"Stainless" steel is a rust resistant alloy by virtue of containing chromium among other constituents (in some cases, molybdenum), resulting in a surface that's highly reactive with atmospheric oxygen, rapidly forming a molecular-scale impervious barrier of oxide on the surface. Corrosion resistance depends to a great extent on the composition of the alloy. So "stainless" is a term without real meaning unless qualified. Standard alloys include 301, 302, 303, 304, 316, each of which has different properties including resistance to corrosion. The lower grades are (obviously) cheaper, so there's something to think about if the grade is not mentioned.

Drowning in code: The ever-growing problem of ever-growing codebases

Mike 137 Silver badge

Re: Thank you Liam

"people tinkering with RISC-V cores on FPGAs"

Not just FPGAs -- there's a huge assortment of extremely versatile microcontrollers with 32-128 Mb of memory (e.g. the PIC 18F range), for which there are some dev tools implementing very efficient optimising C compilers (e.g. Wiz-C). The bloat starts once you want your code to run over an OS as opposed to on bare metal, as modern OS all seem to require massive bloated libraries.

Mike 137 Silver badge

“Everybody and their dog is coding”

There lies the problem -- neither anybody nor their dog has been taught to program for far too long, just to 'code'. Coding is the most trivial part of the art and science of programming (it's actually a mix of both). It's just one stage of a process that starts with understanding a problem to be solved, proceeds through definition of mechanisms for solving it ('algorithms'), translation of those algorithms into specification of procedures (yes, at the lowest level even objects contain procedures), further translation into the syntax and semantics of a specific language, rendering of an executable, and, finally, testing and acceptance. Concentrating exclusively on that one, essentially mechanical, stage inevitably results in poor quality results, as it misses out the critical factor of whether the right problem is being solved in the most appropriate way. In any case, coding is the one bit that AI might eventually fully automate, but the other stages of the development cycle require human understanding to accomplish properly. They'll always be needed so they're the ones we should have been teaching all this time.

Mike 137 Silver badge

Thank you Liam

An excellent article and right to the point. With my infosec hat on, I wish more folks would echo this message:

"a teetering stack of dozens of layers of flakey unreliable code, which in turn needs thousands and millions of people constantly patching the holes in it, and needs customers to pay to get those fixes fast, and keep paying for them for years to come."

Europe's largest caravan club admits wide array of personal data potentially accessed

Mike 137 Silver badge

"including anti phishing training"

Training alone is insufficient as regardless of how intensively you train, front line staff remain non-expert in detecting phishing attempts (which requires both technical understanding and investigative action in each case). There are, however, technical fixes that can make a huge difference (e.g. stripping the clickable element from URLs in emails from outside the enterprise). That's rather obvious, isn't it, but hardly any organisation seems to do it.
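The technical fix the post mentions, stripping the clickable element from links in mail from outside the enterprise, as an added example (my code, not the commenter's or any vendor's): INTERNAL_DOMAINS is a placeholder and the sample mail is constructed.

```python
"""Strip the clickable element from links in HTML mail from outside the enterprise.

Added example (not code from the comment or from any product it mentions).
Assumptions: INTERNAL_DOMAINS is a placeholder for the organisation's own
sender domains, and the mail body is already available as an HTML string.
"""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"example.org"}  # placeholder: domains treated as internal


def is_external(sender: str) -> bool:
    """True if the sender address is not in one of our own domains."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def defang(url: str) -> str:
    """Render a URL readable but not clickable: http -> hxxp, '.' -> '[.]'.

    The destination stays visible so a reader (or an analyst) can still see
    where the link pointed, but mail clients will not turn it into a link.
    """
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        scheme = "hxxp" + parts.scheme[4:]          # http -> hxxp, https -> hxxps
        host = parts.hostname.replace(".", "[.]")
        if parts.port:
            host += f":{parts.port}"
        tail = parts.path + (f"?{parts.query}" if parts.query else "")
        return f"{scheme}://{host}{tail}"
    # mailto:, javascript:, relative paths etc.: just break the dots
    return url.replace(".", "[.]")


class LinkStripper(HTMLParser):
    """Copy HTML through unchanged except that every <a ...>label</a> becomes
    plain text: 'label [link removed: <defanged destination>]'."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out: List[str] = []
        self.href: Optional[str] = None  # destination while inside an <a>
        self.label: List[str] = []       # visible text collected inside the <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.label = []
        elif self.href is None:
            self.out.append(self.get_starttag_text())
        # tags nested inside an anchor (e.g. <img>) are dropped with the anchor

    def handle_startendtag(self, tag, attrs):
        if self.href is None:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = "".join(self.label).strip() or "(link)"
            self.out.append(f"{text} [link removed: {defang(self.href)}]")
            self.href = None
        elif self.href is None:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        (self.label if self.href is not None else self.out).append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")


def neutralise_links(sender: str, html_body: str) -> str:
    """Apply the rewrite only to mail from outside the enterprise."""
    if not is_external(sender):
        return html_body
    parser = LinkStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample: a typical credential-phishing lure from an outside domain.
SAMPLE_SENDER = "it-helpdesk@evil.example.net"
SAMPLE_BODY = (
    '<p>Your mailbox is full. <a href="https://evil.example.net/login?u=1">'
    'Click here</a> to fix it.<br/>Regards &amp; thanks</p>'
)

if __name__ == "__main__":
    print(neutralise_links(SAMPLE_SENDER, SAMPLE_BODY))
```

In a real gateway this rewrite would run as a content filter on inbound mail only; internal mail passes through untouched.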

Forcing AI on developers is a bad idea that is going to happen

Mike 137 Silver badge

Re: Software Development != Coding

"It has no context on which to work so cannot incorporate real world elements (except for explicitly being made to stop part way so as to allow human intervention)"

A very valid argument, which goes right back to the roots of machine intervention. A wood turner I know pointed out once that a motor driven lathe takes away the sense of whether the work piece is cutting cleanly, as it drives it regardless of things like tool blunting, leading to reject work pieces. A treadle driven lathe turner finds out very quickly by feel whether the tool is sufficiently sharp, well before the work piece is spoilt.

In the same way, even where motor drive is unavoidable as in metal machining, a skilled operator can detect whether the cut is going well by a combination of sound and the appearance of the swarf, whereas a CNC machine will just barge on regardless. So in both cases (and many others) we sacrifice quality for convenience by automating.

Mike 137 Silver badge

Re: "JetBrains' own developers are, well, developers"

"it has blighted your life often enough: it's the unwanted new feature"

Aren't (at least a high proportion of) developers, particularly web devs, guilty of this themselves? I can't count the number of perfectly usable (and necessary) web sites that work fine until one day they include changes that require the latest kit to render the new page, despite it having identical function from the user perspective. In a couple of critical cases I've had to buy a new laptop to continue using some work-related portal or other.

This is most likely an outcome of a self-defined and self-opinionated technocracy that's obsessed with the 'bleeding edge' for its own sake, and believes it knows better than its customer what the customer should want.

Meet VexTrio, a network of 70K hijacked websites crooks use to sling malware, fraud

Mike 137 Silver badge

Re: WordPress

Abandon Wordpress.

Mike 137 Silver badge

Re: CMS...

"how many of these afflicted sites are running WordPress [...]?"

That's one of the key vectors the report's authors identified (relying yet again on javascript injection) and indeed javascript injection in general. Others of interest are URL shorteners (how on earth is anyone to know where they'll land?) and look-alike sites using character spoofing in URLs (why, oh why, are mixed character sets allowed in URLs?).

The wide open appified web we now have to put up with is the easiest of targets.
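A check for the "mixed character sets in URLs" problem the post raises, as an added example (my code, not the commenter's or the report's): it decodes punycode labels and flags any hostname label whose letters come from more than one script. Sample hosts are constructed.

```python
"""Flag hostnames whose labels mix writing systems (look-alike domains).

Added example (not code from the comment or the report it discusses). It decodes
punycode ("xn--") labels and reports any label whose letters come from more than
one script, the pattern behind look-alike URLs such as a Cyrillic 'a' dropped
into an otherwise Latin name. Sample hosts below are constructed.
"""
import unicodedata
from typing import List, Tuple

# Scripts we tell apart; anything else alphabetic is lumped together as OTHER.
KNOWN_SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch: str) -> str:
    """Derive the script from the Unicode name (e.g. 'CYRILLIC SMALL LETTER A')."""
    name = unicodedata.name(ch, "")
    for script in KNOWN_SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def decode_label(label: str) -> str:
    """Turn a punycode label back into Unicode so its letters can be inspected."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode: inspect the label as-is
    return label


def mixed_script_labels(host: str) -> List[Tuple[str, str, List[str]]]:
    """Return (label as seen, decoded label, sorted scripts) for each mixed label."""
    findings = []
    for label in host.strip(".").split("."):
        decoded = decode_label(label)
        scripts = {script_of(c) for c in decoded if c.isalpha()}
        if len(scripts) > 1:
            findings.append((label, decoded, sorted(scripts)))
    return findings


def is_suspicious(host: str) -> bool:
    """A host is suspicious when any of its labels mixes scripts."""
    return bool(mixed_script_labels(host))


if __name__ == "__main__":
    # Constructed samples: the second has a Cyrillic 'a' (U+0430) for Latin 'a'.
    for h in ("www.example.com", "\u0430pple.com"):
        print(h, mixed_script_labels(h))
```

Single-script look-alikes (a label written entirely in Cyrillic) are not caught by this rule and need a confusables table on top.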

Search chatbots? Pah, this startup's trying on Yahoo's old outfit of web directories

Mike 137 Silver badge

"Google maintains its results are still better than other search engines"

Or more realistically, they think other search engines are even worse. Do they include all the engines that are effectively proxies for Goooooooooooooooogle, or only the independents? And BTW, how do they quantify search engine quality?

One of my most important criteria is whether a query returns relevant results, and another is whether these are buried or not in irrelevant garbage. On both counts Gooooooooooooogle scores pretty poorly. For example, when I specify a search phrase in quotes (supposedly indicating I want the phrase as a whole searched for) I do not want masses of results based on individual words dragged from the phrase, and when I search for a specific word I do not want results based on all possible grammatical variants of that word. I want what I bloody well asked for (or to be told it can't be found.)

AI PC hype bubble swells, but software support lags marketing

Mike 137 Silver badge

Hype indeed.

" taking meeting minutes, organizing a fantasy football league, automating enhancements for photo and video editing, or laying out the perfect itinerary for a family reunion based on everyone's arrival and departure times"

They always come up with utter trivia, don't they. The only remotely challenging task in this list could be 'automating enhancements for photo and video editing', although even there human experts seem to have done pretty well so far, but I suppose 'AI' might save time by speeding up complex processing *. However the rest of the suggested applications are negligible tasks for any thinking human so why cite them as examples where 'AI' might be needed? One can't avoid the impression that this is technology seeking problems to solve -- self-congratulatory technocrats shouting "look at me Mum - I'm so clever!" rather than attempting to serve their public with what it actually wants or needs.

* however, attempts at 'AI enhancement' of video so far, for example on the Internet Archive seem to have been restricted to appallingly crude colorization of classic BW movies, which I have had to spend quite a lot of effort undoing.


Joint European Torus experiments end on a 69 megajoules high

Mike 137 Silver badge

Re: 69 megajoules

fusion power for five seconds, "resulting in a ground-breaking record of 69 megajoules using a mere 0.2 milligrams of fuel."

Nice, but how much electrical energy went into driving all the kit that achieved this? That's one of the hurdles that fusion power still has to leap.

Billions lost to fraud and error during UK's pandemic spending spree

Mike 137 Silver badge

Re: Oops, we stole it

"Hanlon's razor breaks when incompetence serves malice"

In this case, not so much malice as avarice.

When red flags are just office decoration: Edinburgh Uni's Oracle IT disaster

Mike 137 Silver badge

"identifying risks but not influencing the go-live decision which had already been made"

Over three decades in IT and infosec management, and I have yet to see a risk assessment actually being used to inform decision making. The annual assessment exercise exists to be annually audited.

Cybercrime duo accused of picking $2.5M from Apple's orchard

Mike 137 Silver badge

Hardly worth the effort?

""Company A was a corporation headquartered in Cupertino, California, which developed, manufactured, licensed, supported, and sold computer software, consumer electronics, personal computers, and services,""

So much for anonymising. I wonder why they bothered at all -- probably some legal rule or other, but if so why not do it right?

Leaked memo: Microsoft employees should be using Copilot too

Mike 137 Silver badge

"The hype around the technology has driven its valuation to new highs"

A reprise of the South Sea Bubble (and of course the 'dot com boom')? Didn't Gartner publish a graph (the adoption curve) about these phenomena some time back? And yet the cycle repeats and repeats and repeats and ........

I wonder what will happen to the stock price when we all finally decide what the various versions of "AI" are actually good at and bad at and just start using them as tools where they really help us reliably.

Half of polled infosec pros say their degree was less than useful for real-world work

Mike 137 Silver badge

Re: It's pretty much the same for anything..m

Indeed so. But sometimes the barriers to reality are insuperable. I remember that, while in charge of infosec for an international group organisation, I alerted the CIO to the need for improved risk assessment based on evidence. His initial response was "when you don't have evidence you use judgement". On my questioning the basis for judgement in the absence of evidence, he replied that "he assumed I wanted to continue with the company, didn't I?".

In actuality, although they did risk assessments they never actually used them to inform risk management decisions, there were multiple independent blokes who didn't communicate with each other in charge of different parts of a fragmented technical infosec regime, both the CIO and the CTO were only interested in technologies, and nobody took any notice of the human equation. Of course they had incidents, but they didn't learn from them.

This sort of 'infosec management' seems pretty typical in large organisations, which goes a long way to explaining the incidence of data breaches. 'Sophisticated attacks' are mostly unnecessary -- we're wide open.

Mike 137 Silver badge

Real purposes

"People seem to think that a degree is for getting a job and are upset when it turns out it's about learning to think."

As an AC stated above that their Masters programme was built around the CISSP curriculum, at least that course seems to have been designed for getting a job. To equate Masters with a 200-odd question multiple choice quiz is ridiculous as a test of knowledge or expertise. In all the time CISSP has existed, I've never been able to identify any (supposed) content of it that directly addressed operating in the real world as an infosec professional -- it's all been around parrot memorisation of obscure facts that any sensible pro would look up when (and indeed if) needed. I say 'supposed' advisedly as the actual exam content remains a state secret. That very fact should make one instantly suspicious. If it were testing understanding of the principles of infosec there would be no need for the secrecy. But nevertheless CISSP certainly does land the most lucrative jobs.

Mike 137 Silver badge

"Security technology — and tech in general — moves fast and becomes "legacy" in one or two years"

Maybe in detail, but two things are durable -- first principles of both technologies and their management and the essential human elements of infosec (neither of which features to any great extent if at all even in dedicated infosec degree courses).

We have a culture that views infosec almost exclusively as a technology discipline and considers 'users' to be stupid (as opposed to just uninformed), whereas in reality probably the majority of successful attacks are down to sloppy management on the victim side. Examples include 'policies' that don't work because they're not backed up by training and resourcing or they assign to front line staff responsibilities they can't fulfil rather than employing technical fixes to eliminate the hazard; incident response plans that are never tested and which often only address a limited list of predicted incidents rather than allowing for the unexpected; blame cultures that fail to learn from experience, and many more.

Some years ago I was invited to deliver a masters module on infosec policy management, but I was deeply disappointed to find almost all the students were utterly uninterested in the underlying principles that contribute to effective policies -- they just wanted to be fed and regurgitate standard template policies without consideration of whether they were any good.

Microsoft seeks patent for tech to put words into your mouth

Mike 137 Silver badge

Theoretically speaking?

This patent application is very odd to a UK observer. Nowhere is any finite mechanism described that fulfils any of the proposed functionality, so it's an entirely conceptual document. If this high level kind of application can succeed in the US it means that entire disciplines could be locked down by opportunists without the need to actually implement any demonstrable invention. I do hope that's not the case, as it would stifle innovation, the very thing patents were created to encourage.

IT suppliers hacked off with Uncle Sam's demands in aftermath of cyberattacks

Mike 137 Silver badge

Inconsistency Inc.

The stringency of these requirements does not accord well with the recent proposal for software developers to self-attest. What's really needed is a coherent overarching set of standards coupled with impartial formal review of performance, not this fragmentary scatter-gun approach.

Furthermore, considering that local time to detection is still typically measured in months, reducing 72 hours to eight will almost certainly make zero improvement in incident management, but result in cascades of erroneous reports as it inevitably takes longer than this on average to work out what's going wrong.

Consequently, these proposals look a lot like politically motivated "control theatre", but that's no surprise given the number of 'national cybersecurity initiatives' over the last couple of decades that have made absolutely no difference.

Rust can help make software secure – but it's no cure-all

Mike 137 Silver badge

"Security is a process, not a product. Nor a language"

More than any of these, it's an outcome of a mind set. In addition to tech-specific factual knowledge, it requires solid understanding of first principles, attention to detail, the ability to synthesise possible outcomes from what's observed, and most of all an ethical commitment to taking responsibility for the results. No tools, languages, dev systems or other tech can substitute for these human capacities, which are in reality elements of character. But, unfortunately, exercising them during development and testing slows it down and greatly increases the cost of production.

These capacities also have to be learnt, and they're not being taught. Just for example, a recent report by the Social Market Foundation entitled 'Character building: Why character is essential for career readiness' mentions '• Self-belief • Determination • Self-control • Coping skills' but makes no reference either to cultivating enquiring minds or to commitment. And IMHO self-belief should not top the list as an objective in itself, but be an outcome of verified capacities. There's far too much unfounded self-belief in the IT sector, witness the deluge of project failures and the parlous state of infosec.

Alaska Airlines' door-dropping flight was missing bolts

Mike 137 Silver badge

"... when you replace a skilled worker with an unskilled worker ..."

It's much more serious than that. There's actually a Boeing-originated photo (DCA24MA063 report, figure 16) of the MED plug as installed with the bolts missing at the stage where they were about to restore the interior linings. So the record shows that nobody spotted this omission right up to the end of the job.

AI models just love escalating conflict to all-out nuclear war

Mike 137 Silver badge

To be expected

"We observe that models tend to develop arms-race dynamics, leading to greater conflict, and in rare cases, even to the deployment of nuclear weapons."

Not surprising really. The mind set of an effective military is necessarily focused at least on retaliatory response, even if not pre-emptive attack, and this is reflected widely in TWIT (the Western intellectual tradition) culture. So there must be a preponderance of references to it in the training data, considering where it is drawn from.

See 'Dr. Strangelove' and 'Level 7'.

Aircraft rivet hole issues cause delays to Boeing 737 Max deliveries

Mike 137 Silver badge

Re: Reap what you sow

"you cannot have paying passengers on the wings"

"Clearly, you've never flown Ryanair"

Not since the quality of their duct tape declined.

EU repair rights bill tells manufacturers to fix up or ship out

Mike 137 Silver badge

Re: I haven't read

"You cannot copyright a schematic (apart from what it looks like, not what it does or represents), so once it's up anyone can make their own product from it".

You can of course patent the whole or parts of the design it represents provided they're sufficiently original. If not, they're fair game anyway as they're probably obvious, all the more in this age of ultra-high integration -- chips that perform entire high level functions that are fundamental to functionality. For example, there are only a couple of alternative basic circuit design choices to make for the AK4620 audio codec, so all implementations will be pretty much the same.

But let's not forget that the statutory 'open sourcing' of the IBM PC was what drove the world wide dominance of its design, because it allowed hundreds of independent vendors to provide support products. If IBM hadn't lost the plot they'd have stayed on top as a result of this boom.

However, on another note, this legislation is going to be a directive, not a regulation. This means that individual member states can define their own legislation 'aligned' to the directive. The resulting variation in efficacy caused a legislative mess (just for example) in data protection that forced the replacement of the directive with a regulation (the GDPR) that all states had to follow explicitly.

Lurie Children's Hospital back to pen and paper after cyberattack

Mike 137 Silver badge

"During El Reg's investigation, we were pointed to a December concept paper from the US Department of Health and Human Services' (HHS) cybersecurity strategy. [The paper] included proposals for enforcing new standards that if met, would offer financial support and incentives for hospitals."

Unfortunately the four substantive pages of the HHS paper are so 'high level' that they provide no warranty of effective results. What's actually needed is not yet more policy but sufficient local resourcing and expertise to render the targets of attack maximally robust and resilient. As was proven by NotPetya in the UK, health services are typically wide open targets because they are not informed or equipped enough to address the threats realistically.

Still no love for JPEG XL: Browser maker love-in snubs next-gen image format

Mike 137 Silver badge

Re: Write a javascript conversion library

"... eliminate most of the images you are sending ..."

Or at least adjust them to the size allotted to their use on the web page. I've given up counting the number of multi-megabyte images thousands of pixels in height and width that commonly must be downloaded to render in a space typically no larger than 1024x768 on some web page. OK, keep the master image at full camera resolution, but resample server side, not client side, to fit the page. The bandwidth saving from this would far outweigh any gains in improved compression, and it would also save comparable space on the web server.