Posts by big_D

5434 posts • joined 27 Nov 2009

UK Parliament's human rights committee pushes for better protections of coronavirus contact-tracing data in law

big_D Silver badge

Contact Tracing app...

Why does everybody call it contact tracing? It is contact alerting, not tracing.

UK govt urged to bolt tough legal protections onto Arm and protect jobs – or simply veto Nvidia's £31bn acquisition

big_D Silver badge

Re: Why sell Arm anyway ?

SoftBank made some disastrous investments (e.g. Uber and WeWork), and their major shareholder has pulled out, so they need some liquidity and are selling off ARM to help out.

Poor move to my mind; it is one of the investments that will bring long-term rewards... But the investment "industry" is only interested in the next 3 months, and anything long term is not sexy if it doesn't bolster their immediate earnings.

MP promises to grill UK.gov over revelations that Uber handed '2,000 pieces' of user data to London cops a year

big_D Silver badge

Re: "Police units supporting Uber's appeal"

"We'd like to prosecute you under GDPR, but the information is very useful... Just keep it coming, a nudge is as good as a wink to a blind bat!"

big_D Silver badge

Re: Dirty business?

Passing the information on to the police or TfL without a valid warrant or the informed consent of the identifiable persons whose data is being shared is a grave breach of GDPR.

I guess that their only hope is that Brexit goes through and the UK data protection laws are castrated, before this gets to court.

We don't need maintenance this often, surely? Pull it. Oh dear, the system's down

big_D Silver badge

Re: An ex employer did that too.

A case for the BOFH, 3 rolls of carpet, quicklime and a building site doing a pour with lax security...

Amazon staffers took bribes, manipulated marketplace, leaked data including search algorithms – DoJ claims

big_D Silver badge

They often threaten to sue over here, if you don't give a 5* review of the 3P.

I've never had any problems, but it is reported every now and then by heise.de that customers have been intimidated by suppliers trying to get non-5* reviews removed or upgraded to 5*.

It's IPO week and one of Wall Street's own is raising the spectre of a stock market crash

big_D Silver badge
Joke

Re: @AC - There is a huge bubble

You dared to put a blight on Electric Jesus' Tesla. That is not allowed!

Woman dies after hospital is unable to treat her during crippling ransomware infection, cops launch probe

big_D Silver badge

Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

The problem is, this is medical equipment, so any changes to the device need to be re-certified before they can be issued. That costs the company money to go through the external re-certification process, and it also takes time (limited federal testing capacity etc.).

big_D Silver badge

The problem is that the information collected by the disparate machines has to be collected centrally and put under tight access controls, so that only the relevant doctor can see the patient's information, and that from the bedside, in his office, in an operating theatre etc.

And that central patient information also needs to pull in the external medical record from the insurance company...

big_D Silver badge

The Iranian government would beg to differ. Their nuclear research labs were affected, despite being air-gapped. As long as there are humans in the chain, nothing is 100% secure.

And being fully patched isn't a 100% guarantee either. There are still hundreds or thousands of unknown attack vectors that can be exploited, once found, until the manufacturer can get around to patching them.

All you can do is minimise risk as best you can.

We get calls from our users every day about, "is this genuine or a fake email?" I'd rather have to deal with 10 cases a day of a user being unsure than one case of a user not bothering to ask and infecting the whole network!

big_D Silver badge

Re: Why?

Again, the hospital carried on operating in emergency mode. Existing patients were still cared for. Non-essential operations were postponed, but critical care continued.

Then the emergency plan was put in place, which says that all incoming patients get diverted to a fully functioning hospital. The problem is, the emergency plans don't always take into account the travel time, just that the affected hospital isn't running at 100%, so patients are diverted to a hospital that is at 100% effectiveness. In this case, the patient didn't survive the extended journey. There is, unfortunately, no evidence that she would have survived if she had been taken to the affected hospital running in emergency mode either.

big_D Silver badge

Re: Why?

They could operate, they could take care of their existing patients. The problem is the emergency procedures.

If the systems fail, SOP is to divert all incoming patients to another hospital that is fully functional. In a catastrophe, where multiple hospitals have all lost key systems, they run manually. But the insurance says, if there is another hospital that is fully functioning, the patient has to go there. It is risk minimisation, but that doesn't take all things into account - like whether the patient can live through the extended journey time.

Airports are the same. If their systems fail, they land the aircraft already on final manually, everything else with enough fuel gets diverted to its alternative.

big_D Silver badge

Re: Why?

We also have a sign printing system (signs printed on metal and perspex). It is DOS only. We have a spare machine and "collect" old PCs, for when the controller PC dies. The spare printer cost only a couple of grand (25 years old), a modern replacement costs high 5 figures, so there is no hurry to replace a working system.

big_D Silver badge

Re: Why?

Virtual XP doesn't usually help. I had a telephone system at home (still being sold by Siemens in 2014) that only worked with XP. I tried the virtual XP environment in Windows 7 Pro at the time and a full virtual machine. No dice. It needed low-level hardware access and could only run on bare metal.

In the end, I repurposed an old laptop just for managing the telephone system, and that device was never attached to the network. I then looked at replacing the system with a more modern alternative that doesn't need dedicated management software.

big_D Silver badge

Re: Why?

Part of the problem is that the equipment still has to be certified and that includes the patch level of the PCs running it. You can't apply security patches until they have been tested and certified by the manufacturer...

big_D Silver badge

Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

Linux isn't a magic pill (pardon the pun). It has bugs itself and can be poorly configured, just like Windows.

There have been problems with ssh and other key services in the recent past that would have allowed hackers to capture a Linux box, especially if it hadn't been kept up to date and patched straight away... Something that is very common in such institutions - the hardware and software suppliers only guarantee and support their kit and software if certain patch levels are used. If you patch a critical flaw without their permission, you are on your own if there are any problems...

I've worked at places where PLC manufacturers have caused months or years of backlogs on Windows updates, because they don't keep their software current and test it in a timely manner against the critical patches coming out of Redmond. The same would be true if the PCs were running Linux: no updates without prior authorization. Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age.

The only real option is isolating the networks, but there still has to be some automation with the outside world, to exchange patient information and billing information.

Having a Linux admin who doesn't know how to batten down a Linux box doesn't bring you any advantage over a Windows admin who doesn't know how to batten down a Windows box. Then you have the weakest link, the users...

I love Linux and I have used it extensively and administered it. But keeping it up to date and safe is not any easier than keeping Windows up to date and safe. And the more services you are running on the computer, the more complex the issues of keeping that Linux box secure.

big_D Silver badge

Re: Some ransomware slingers have promised not to hit hospitals

In this case, they had assumed they were attacking the medical university, not the medical university clinic (hospital).

The local reports say that as soon as they realised what they had done, they stopped the attack and handed over the keys.

Good of them, in the circumstances, but it would have been better if they never attacked anyone...

big_D Silver badge

Re: Why?

If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patient's emergency records and perform the operation?

It isn't just blood type, it is the full medical history.

One of the problems is manufacturer support... They do remote support these days and access the devices and applications over the Internet. No Internet, no support when something doesn't work.

I know the admin at a manufacturing facility, they have an old cutting machine that is bound to software running under XP - it won't install or run on Windows Vista, 7, 8 or 10. To upgrade the software to Windows 10, they'd need a new machine. The old one works fine, reliably and does what is needed of it, so why throw it away and replace it with a new machine costing 7 figures, when it is just the software that doesn't work on newer versions of Windows?

They have isolated it and they do force the manufacturer to do remote support. The first question is the TeamViewer ID; support are told the device is offline. They say to put it online. They are told: provide software for Windows 10 and we'll put it online. Until that happens, you will remote-control the machine operator with verbal instructions.

That might work for a single manufacturing machine, but a whole hospital full of "machines that go bing" is another matter, unfortunately.

Then there is patient data transfer. The Krankenkassen (health insurance companies) hold the patient data and they collect the billing information from the hospital systems. This should be over a secure Telematik system, but that is still running over the Internet, albeit in a secure tunnel.

That individual monitors and whole operating rooms are online is a different matter; they should certainly be isolated, whether standalone or on an internal isolated network. And there should be disaster recovery scenarios to allow them to keep working if the systems go down. But re-directing patients that are en route to other hospitals, if there are problems, is SOP - and according to local news, the woman was en route to the hospital and her ambulance was diverted, because the ER was offline and couldn't accept new patients; she wasn't transferred.

Did this airliner land in the North Sea? No. So what happened? El Reg probes flight tracker site oddity

big_D Silver badge

Re: Obviously not GPS jamming

My father went out to the Isle of Barra in a Sadler 25. No GPS, this was early 80s, just chart navigation and tidal charts. They got caught in a fog bank. Taking into account wind, tide etc. they carried on course for Barra and they ended up about 25 yards from the marker buoy they had aimed for.

Video encoders using Huawei chips have backdoors and bad bugs – and Chinese giant says it's not to blame

big_D Silver badge

Or the devices are all OEMed and all using badged versions of the same application software provided by the OEM manufacturer.

big_D Silver badge

It isn't their suppliers, it is their customers building the bugs in.

It is like blaming Intel for faults in Dell BIOS code or Windows. Well, other than Spectre and Heartbleed...

big_D Silver badge

Re: "The hardcoded password is a deliberate backdoor."

Why not? It is the tactic Cisco has followed with great success for years. They've spent the last 2 years or so removing one backdoor after another from their kit.

Thunderbird implements PGP crypto feature requested 21 years ago

big_D Silver badge

Re: Independent key verification

Agreed. Poorly formulated on my part.

big_D Silver badge

Re: Encryption should be automatic

Without some sort of independent key verification, sending the public key is pointless.

A man-in-the-middle just needs to intercept the email, remove the sender's public key, put theirs in and send the email on to the destination. The same on the return leg.

Both ends believe they are sending encrypted emails that only they can read, the man-in-the-middle can happily read along.

And also notice that Google monitors its public keys, which is how they spotted Symantec issuing fake certificates, but you do not. You would not be aware if the 'trusted' keyholder starts issuing a different public key. PGP was never adopted because it is flawed.

Issued SSL certificates are very different from how PGP works.
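The key-substitution attack described in the post above, worked through as an added example (this is not code from the comment, from Thunderbird or from any OpenPGP implementation). It uses textbook RSA with tiny constructed primes and one RSA operation per byte, which is not how OpenPGP encrypts internally, but the structure of the attack and of the fingerprint check that defeats it is the same. The names, the message and the fingerprint scheme are assumptions made for the demonstration.

```python
"""Added example: key substitution by a man-in-the-middle, and the out-of-band
fingerprint comparison that catches it. Toy RSA only; constructed inputs."""
import hashlib


def make_keypair(p, q, e=17):
    """Textbook RSA from two tiny (constructed) primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes):
    """One RSA operation per byte: fine for a demo, never for real use."""
    n, e = public
    return [pow(b, e, n) for b in message]


def decrypt(private, ciphertext):
    n, d = private
    return bytes(pow(c, d, n) for c in ciphertext)


def fingerprint(public):
    """What the two humans compare over an independent channel (phone, in person)."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def run_exchange(mitm=True):
    """Alice emails Bob her public key; Bob encrypts his reply to the key he received.
    Returns (key Bob received, plaintext Alice reads, plaintext Mallory reads, Alice's real key)."""
    alice_pub, alice_priv = make_keypair(61, 53)      # constructed primes
    mallory_pub, mallory_priv = make_keypair(89, 97)  # constructed primes

    # Step 1: Alice's email carries her public key. Mallory swaps it in transit.
    key_bob_receives = mallory_pub if mitm else alice_pub

    # Step 2: Bob encrypts to the key he received, believing it is Alice's.
    reply = b"meet at 10, bring the contract"         # constructed message
    ct_from_bob = encrypt(key_bob_receives, reply)

    # Step 3: Mallory decrypts with his own private key, reads along, then
    # re-encrypts to Alice's genuine key so neither end notices anything.
    if mitm:
        mallory_reads = decrypt(mallory_priv, ct_from_bob)
        ct_to_alice = encrypt(alice_pub, mallory_reads)
    else:
        mallory_reads = None
        ct_to_alice = ct_from_bob

    alice_reads = decrypt(alice_priv, ct_to_alice)
    return key_bob_receives, alice_reads, mallory_reads, alice_pub


def verified_out_of_band(received_key, genuine_key):
    """Independent key verification: True only if the fingerprint Bob computes on
    the key he received matches the one Alice reads out to him over another channel."""
    return fingerprint(received_key) == fingerprint(genuine_key)


if __name__ == "__main__":
    received, alice_reads, mallory_reads, genuine = run_exchange(mitm=True)
    print("Alice reads   :", alice_reads)
    print("Mallory reads :", mallory_reads)      # same bytes: the attack is silent
    print("fingerprint of key Bob received:", fingerprint(received))
    print("fingerprint Alice reads out    :", fingerprint(genuine))
    print("verified out of band?", verified_out_of_band(received, genuine))
```

Without the fingerprint comparison both ends see a perfectly normal encrypted exchange; only the out-of-band check reveals that the key Bob holds is not Alice's.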

Safety driver at the wheel of self-driving Uber car that killed a pedestrian is charged with negligent homicide

big_D Silver badge

Except, in this case, it was a trial of a fully autonomous vehicle and the driver's job was to keep a constant eye on the situation and make sure the car didn't do anything stupid or cause an accident.

So, she knew it was a self-driving car and she knew it wasn't perfect and that she was there to monitor it and take over in an emergency, not fiddle with her phone.

We want weaponised urban drones flying through your house, says UK defence ministry as it waves a fistful of banknotes

big_D Silver badge

Re: Dystopian future

I had my first mobile phone 8 years before Dark Angel came out.

Heck, the X-Files used mobile phones extensively!

big_D Silver badge

Re: Dystopian future

Ah, you've read Kill Decision then...

big_D Silver badge

Re: Dystopian future

We don't need a dystopian future, we moved to Dystopia a few years back, but nobody noticed until it was too late.

As an aside, have a look at Daniel Suarez's "Kill Decision", an excellent novel about a dystopian near future, where AI-controlled drones are used to escalate tensions between the Middle East and the USA.

£2.5bn sueball claims Google slurps kids' YouTube browsing habits then sells them on

big_D Silver badge

Oooh, follow-up case...

Google Ireland Ltd is said to have denied that it is the data controller for YouTube's EU-based users, instead pointing at US parent company Google LLC.

Oooh, part 2 of the case following in 3...2...1... With Privacy Shield now defunct, that means Google LLC can't be the data controller for EU based user data.

Brit MPs to Apple CEO: Please stop ignoring our questions about repairability and the environment

big_D Silver badge

If they are losing money on repairs, it means that the products are poorly designed... You know, all glued together and everything breaks if you try and take it apart.

There needs to be a change in attitude from just supplying new shiny-shiny to actually designing sustainable products, like we used to have. The world of electronics design has taken huge steps backwards over the last couple of decades, at least in terms of repairability and sustainability.

If a TV broke in the past, it was probably a capacitor or another component that could be de-soldered and a new one soldered onto the board, job done, TV works again. Now everything is so small and tightly packed that it is next to impossible to repair. And whilst the integration of components onto single chips brings benefits in reduced production costs, it comes with a high cost in quality, longevity and repairability.

The same goes for smartphones or anything else, right up to automotive, aviation, shipping etc.

Whilst Apple is the poster child for poor repairability of their devices, it is an industry wide trend and we need to take a step back and look at what we are doing and what we will accept as consumers - although it will be hard to get away from, unless everybody suddenly switches to Fairphone and its ilk.

Family wrongly accused of uploading pedo material to Facebook – after US-EU date confusion in IP address log

big_D Silver badge

Re: FFS

ISO format also makes sorting of written dates (as opposed to date/time variables) easier.

Up from the depths, 864 servers inside, covered in slime, it's Natick!

big_D Silver badge

Nitrogen?

I'm sure the BOFH recommends halon for a meatbag-free server room.

ByteDance rebuffs Microsoft's TikTok purchase proposal

big_D Silver badge

Re: Let Trump buy it

This is a poison chalice for whichever company buys it/partners with it. It is never a good look to the forced buyer/forced partner, when the other side is faced with signing on the dotted line of having their legs broken...

Nvidia to acquire Arm for $40bn, promises to keep its licensing business alive

big_D Silver badge

Correct, CPU architecture designer.

VMware staff in Silicon Valley can leave a pandemic, wildfire-ridden zone – if they're willing to accept less pay

big_D Silver badge

Re: Is

Works both ways... A friend was in a hostile environment, found a better job on more money and still had to wait out the 6 months of his notice period.

big_D Silver badge

Re: Is

That is the question, whether it is in the contract.

I've had it in the UK, London weighting. All the time I was working in the London catchment area, I got the London weighting, when I transferred to an office outside, the London weighting was removed from my salary.

So, yes, you can have this legally in Blighty, but it has to be in the contract - in fact, I believe many unions have forced employers to use it over the years and tried to get it extended to other major cities.

big_D Silver badge

Re: Take on a Roommate or 15

I think Psmo was referring to something like a corporate get-together, where they are all suddenly in town and all trying to stake their claim on the apartment.

big_D Silver badge

Re: They may be in for a nasty surprise.

It depends on how they have moved...

If they have kept their flat in SV/SF and are currently living with relatives away from danger, then it would be wrong to reduce the salary. If they have given up their flat and moved permanently to somewhere cheaper, it is another matter.

If VMware can clearly show that it is just a cost-of-living reduction, I don't see the problem. BUT the question remains, can they retroactively state that part of the salary is a cost-of-living benefit for SV? If that is already in the contract, again, it seems fair; if it isn't, I guess a court will have to decide whether they can claim it is CoL or not.

If not, there are other ways, like the salary remaining stable, until the CoL has been taken into account by inflation. Obviously an immediate CoL reduction is cheaper for the company, if they can get away with it.

I've certainly had it applied to me (and removed) in the past, in the UK. I had a London weighting at one point, then I was moved to another office outside the catchment area and lost the London weighting. But that was communicated in advance and written into my contract.

big_D Silver badge

Yes, I used to get a London weighting, when I worked in the London catchment area. When I worked at a customer site outside that area, I lost the weighting.

I think it depends though: are these people temporarily fleeing a situation (i.e. the fires) and living with parents/friends etc. whilst maintaining their flat in the Silicon Valley catchment area? Or have they quit their contract and moved to cheaper accommodation elsewhere? That is the big question. If the former, then it is wrong to cut the salary; if the latter, removing a weighting is fair enough.

Ireland unfriends Facebook: Oh Zucky Boy, the pipes, the pipes are closing…from glen to US, and through the EU-side

big_D Silver badge

Re: SCCs

Which is the whole point: the US agreed to enforce the EU regulations, including the warrant situation, but they have done diddly squat, so it isn't really a surprise. The surprise is Facebook moaning at the EU and the Irish DPO and not at the US Government and Trump.

big_D Silver badge

Re: SCCs

It wasn't issued in the EU, so it isn't a valid warrant.

big_D Silver badge

SCCs

While last July's ruling did not strike down the Standard Contractual Clauses (SCCs) used as opt-outs by many companies, it seems likely that will come under the gaze of the courts before long.

As SCCs work on the same basis as Privacy Shield - the promise not to hand the data over to third parties, including the government, without a valid warrant (i.e. no FISA, Patriot Act or NSA letter interference), I don't see how SCCs have a leg to stand on.

China, Russia and Iran all attacking US elections and using some nasty new tactics, says Microsoft

big_D Silver badge

Re: This could al be avoided

As long as you have humans in the equation, it doesn't make any real difference.

You can configure Linux to be just as vulnerable, if not more vulnerable than Windows, if you don't know what you are doing. Linux isn't a magic bullet to make things suddenly better, you still need to follow best practices in securing the installation and you still need to make sure the user doesn't fall for a phishing attempt and hand over the keys to the kingdom.

Microsoft to charge $200 for 32 GPU cores, sliver of CPU clockspeed, 6GB RAM, 512GB SSD... and a Blu-Ray player

big_D Silver badge

I'll raise you Colossal Cave and Startrek at 300 baud.

When Huawei leaves, the UK doesn't lead in 5G, says new report commissioned by... er... Huawei

big_D Silver badge

The other thing is, as far as I understand it, the high-speed, low latency signals from 5G are blocked by things like walls, glass or human bodies etc. and ranges are incredibly short (a few metres). There are also long-range, low speed parts to 5G, which will be more robust for IoT devices that need little bandwidth or for rural areas.

big_D Silver badge

I'd be happy with 4G or even 3G here. Currently ISDN would be faster than the "4G" I'm getting. In the city, I get 50-150Mbps, at home 2-3Mbps and at work 0.001Mbps - so slow that Vodafone's own speed test app says there is no internet connection. My contract says 4G "up to 500Mbps"; to be honest, I'd be happy with 5Mbps at work and 50 at home.

Customers defecting to Oracle? Not according to our research, says SAP chief number cruncher

big_D Silver badge

Re: Believe Leisure Suit Larry?

It is also amazing that he looks more and more like Leisure Suit Larry with each passing year. Must be the Botox.

I can 'proceed without you', judge tells Julian Assange after courtroom outburst

big_D Silver badge

Re: Blackmailed

Yes, but if the testimony was illegally obtained, it is not allowed as evidence. And duress is, I believe, still illegal in the UK, if not the US.

big_D Silver badge

Re: Blackmailed

Doesn't that fall under duress and all testimony would be inadmissible?

Remember the Titans: Yubico jangles new NFC and USB-C touting security key

big_D Silver badge

Re: Standardise 2FA

The YubiKeys support most of the 2FA standards that are currently in use (at least, dongle-based methods). They are also programmable, so additional methods could be added.

I've been using keys for about 6-7 years for providing 2FA on LastPass and for Microsoft, Google and a few other services. Just holding the key against my smartphone to unlock LastPass is great - worked with my old Lumias and with my Android phones.


Biting the hand that feeds IT © 1998–2020