* Posts by Headley_Grange

565 posts • joined 24 Feb 2010


Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets

Headley_Grange Silver badge

Re: And the corporate world ...

The vulnerability of the attack surface is a function of how big it is and how secure it is. If your security is perfect it doesn't matter how big the attack surface is because no one can get through it. If you've only got one point of attack and it isn't secure then you're at risk. Culture, risk management and funding priorities are the main drivers of good/bad security in most organizations and far more important than "technical" aspects like system design/partition, security policies and staff capabilities in deciding whether your confidential data end up being spaffed all over the web.

Headley_Grange Silver badge

Re: And the corporate world ...

If a company can't configure and use its cloud securely what makes you think it would be any better at securing its internal systems?

Firefighters to UK Home Office: Yeah, maybe don't turn off emergency comms network before replacement is ready

Headley_Grange Silver badge

Re: Business cases?

I've prepared a number of business cases for a variety of employers and clients. The main skill is the ability to understand/guess the outcome that's required and then to be able to make the business case support it.

There's a good one recently - the A9 dualling cost-benefit analysis showed that the project would return less value than it cost so the Scottish Gov. hired some consultants (not me) to assign a monetary value to the cost of driver frustration. This came to £430 million – £86 million more than the value given to collision reduction - and tipped the project return into the black.

Fitness freaks flummoxed as massive global Garmin outage leaves them high and dry for hours

Headley_Grange Silver badge

Re: Who Cares?

@Dr V - have an upvote and a beer for the Golden Cheetah tip.

Headley_Grange Silver badge

Re: Attack surfaces

@tip - I think you're right, but better safe than sorry in my view. I bet there are a lot of people at Garmin who were really surprised to find out that they'd suffered a ransomware attack.

Headley_Grange Silver badge

Re: Who Cares?

The motivation thing is a double-edged sword in my experience. I ran with a slight calf twinge last year cos I was in the last day of the 5th month of a 6-month "up mileage" badge and needed a few more miles. As a result the twinge turned to injury and I didn't run for 4 months afterwards. I've now given up running for badges - although when I sneaked a look at the badge page the other day I did notice that I only need................

Headley_Grange Silver badge

Re: Attack surfaces

Good call. I disable auto-updates anyway, but after reading your post I've just re-set Little Snitch rules to ask me for any Garmin interconnects. Cheers.

Headley_Grange Silver badge

Re: Who Cares?

@Quentin - horses for courses I guess. I used to run with just a Casio and have a couple of routes where I knew the mile points plus a spreadsheet to plot them out and track "performance". Then I got a Garmin and the main thing I love about it is the freedom to run anywhere, not just the routes I've measured, and still get an idea of how well I'm doing. This is the main benefit for me but the ability to set a "virtual racer" pace and use it to get faster and fitter is also pretty good.

Altitude aside, I've no complaints about the accuracy of the Garmin, so maybe you had a duff unit. I use mine for running, cycling and hillwalking and it's been going since 2014 - I bought a spare battery a couple of years ago just in case. Garmin apps, support and analysis are pretty rubbish, but at least they let you have your data for uploading to other apps.

Headley_Grange Silver badge

Re: Same Old

Because they have little choice. Manufacturers have realized that there's potential for making more money down the line by locking their hardware to the web, even if only through enforced obsolescence - like Garmin, effectively, did with the Tacx Neo, which they bought, "accidentally" bricked and then offered a repair service for £650. At the moment they don't charge recreational users for updates and it's still possible to buy offline maps for their navigation devices, but I expect that to stop pretty soon when they start milking the user base.

In a few years' time everything will want to be connected, from fridges to lawnmowers, so that they can sell your data, sell you updates and make you buy new stuff every five years.

Headley_Grange Silver badge

Re: But I NEED to know how 'old' I am

My experience is that Garmin make decent devices with rubbish support, apps and analysis. I tried Strava (running) but too much is locked behind a paywall. Smashrun is my go-to running app (web only, and probably not many other users if you're the sharing kind). It too has some stuff behind a paywall and it's the only exercise app that I pay the subs for the "pro" version. I'm not affiliated.

Headley_Grange Silver badge

Re: First World Problems

I agree that it's a first-world problem, but for some of the watches the only way to set up routes, waypoints, training plans, workouts, etc. is via the app on the phone and bluetooth. If you can't set up your £600 watch for your weekend's activities because the app won't work if it can't contact the mothership then you might have some justification in feeling a bit annoyed.

Headley_Grange Silver badge


.....allegedly. The production lines are down too, according to some reports and "Garmin planning multi-day maintenance window to deal with ransomware incident", according to the interwebs.

Let's hope the first day of the multi-day maintenance window isn't spent shouting things like "what do you mean you've never tested the backups".

Assuming it's true, I guess I shouldn't be too surprised that the production line systems reside on the same network as the app servers.

Funnily enough only yesterday I was looking at one of their new solar powered "watches" for multi-day backpacking trips. It's due out Q3 this year - although it might be delayed now - and I might be having second thoughts about buying one.

No wonder Brit universities report hacks so often: Half of staff have had zero infosec training, apparently

Headley_Grange Silver badge

Re: Do not pay off criminals

So what do you do if your system is held to ransom and you can't bring it back and you've kicked all the "would've, should've could've" people out of the office?

Headley_Grange Silver badge

Common Sense

I think it's a lot more than common sense. I regularly try to tell my family members about risks online. Most are gobsmacked to find out that an email can appear to have been sent by someone they know yet still contain dangerous content. As for it not being feasible to run courses - a simple cost-based risk evaluation should put paid to that - just ask the Garmin directors.

Raytheon techie who took home radar secrets gets 18 months in the clink in surprise time fraud probe twist

Headley_Grange Silver badge

Secure Bag

"...would take home work on various US government projects in items as secure as a plastic bag."

Ages ago, if you wanted to carry classified stuff around it had to be put in a special black leather briefcase secured by a big brass lock, all witnessed by the site security officer. The briefcases were standard throughout the industry, so if you saw someone on a train with one it was almost certain that there were classified docs in it. A Tesco's plastic bag would have been a lot less conspicuous.

The practice died out sometime in the 90s and my company tried to sell off its stock of the bags to employees. In the end they couldn't give them away partly because of how nickable they were but mainly because you really needed a bowler hat to complete the look.

It's handbags at dawn: America to hit France with 25% tariffs on luxuries over digital tax on US tech titans

Headley_Grange Silver badge

Re: Pay tax where users reside

"the prime reason I see very well off people and companies dodge tax like a devil dodges holy water is because it just keeps going up"

Not the case in the UK. Corporation tax has come down from about 28% to 20% over the past 10 years or so. The theory behind the reduction is that companies will be left more of their profit for investment in people, training, automation, growth, etc. In practice what's happened is that many companies have used the money to buy back their own shares which ramps the price and triggers director bonuses and/or they've distributed it to shareholders. Inward investment in the UK is the lowest it's been for years and the gap between director pay and workers is the biggest it's been for years and continues to grow.

Germany is helping the UK develop its COVID-19 contact-tracing app, says ambassador

Headley_Grange Silver badge


I can't understand the alleged NHSX £11.8M costs. With the generous assumptions that they started 1st Feb and ran till 30th June and worked 7 days a week, that's £78k per day. Even allowing £2.5k per day for salary plus business overheads (equivalent to about £1k/day salary) that's a full-time team of 30 very expensive people. Where did the money go?

Maybe the Germans have done the same analysis and figured they can charge UK Gov £££££££ for their assistance.

CompSci student bitten by fox after feeding it McNuggets

Headley_Grange Silver badge

What did students do to me?

(UK) Students don't drink any more - so there must be something wrong with them. Numerous unis have shut their bars completely - Portsmouth, Dundee, etc. The bar in my local uni is tiny, often empty and sells more coffee than beer. If students don't drink then what's the point of them?

Headley_Grange Silver badge

@Twanky: "In other news....": that would be Fox News would it?

Headley_Grange Silver badge

Poxy Greys

The thing about range is true but the main problem is that grey squirrels carry squirrel pox which they are immune to but which kills red squirrels.

Beware the fresh Windows XP install: Failure awaits you all with nasty, big, pointy teeth

Headley_Grange Silver badge

Re: chewed wires

The chair caster thing happened to me once with a mouse cable and it was such a pain untangling it that I seriously considered throwing both of them away.

One year ago, Apple promised breakthrough features to help iPhone, iPad, Mac owners with disabilities. It failed them

Headley_Grange Silver badge

Lack of Support

I think the lack of progress is typical of Apple's approach to many apps; they release them with a fanfare then ignore them and the users and rarely update them. Apple's voice recognition "keyboard" could be useful to me (I'm able bodied) but the lack of a 'return' command means that for many apps I would have to use the keyboard on the screen to finish a command. It's been like it for ever, it's been reported as a bug/feature request, it's been ignored. Similar problems exist in other apps that have been around for ever: Contacts app has only one line for UK street addresses and custom ring-tones reset randomly. Calendar reminders default to midnight. I could go on (and frequently do).

I have the impression that at Apple, the people working on the next new thing are much more important than the people working on making them better. I guess it's because the new things get people into the walled garden and once they're in they don't leave.

California Attorney General asks judge to force Lyft and Uber to classify drivers as employees – or else

Headley_Grange Silver badge

Radio Rentals

@Chris. Once you got the radio were you free to set your own rates and working times and could you pick and choose your fares?

After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors

Headley_Grange Silver badge

Re: OpenPGP

See my comment above. In the nineties they classified it as a weapon of war and could extradite you under the ITAR regulations. In return for the keys to the back doors most governments would play along today.

Headley_Grange Silver badge

In theory they could make non-USGov approved encryption software illegal and arrest you for using it. If you're not in the US then they could pressurize other countries to play ball as they are doing with Huawei, but I bet that they wouldn't need much pressure cos most countries, including the UK, would welcome back doors and would bend over backwards to help them in return for the keys.

Remember, they did this in the nineties by defining 128 bit (I think) encryption as a weapon of war and threatening people and companies under the ITAR regulations, which were extraditable. I know that the company I worked for was terrified of ITAR in those days.

Admittedly, they'd have to catch you, but they could force DropBox or Samsung to check for non-approved encryption and dob you in.

Apple launches incredible features everyone else had more than a year ago – this time for the 'smart home'

Headley_Grange Silver badge

Re: What's the true cost ?

@Lee - I agree with you from a personal point of view and I've got no desire ever to be able to turn stuff on and off remotely because the convenience doesn't compensate for the risks it seems to hold. However, the security points you make could have been made about, say, air travel when it first started. Aircraft and air traffic management have hundreds, if not thousands, of potentially catastrophic and lethal failure modes. However, with standards, regulations, technology, training, certification, liability, etc. air travel turned out to be pretty safe. I appreciate that the analogy is lacking in some areas - miscreants aren't trying remotely to crash aircraft (or maybe they are) but in principle the same approach to standards, regulations, certification, etc. could deliver much safer IoT stuff - albeit at a cost. I guess it's a combination of the cost and the haste with which manufacturers are proceeding in fear of missing the boat that means it'll be the wild west for a long while yet.

Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen

Headley_Grange Silver badge

Re: No, don't check how long it will be supported!

Until you can no longer buy a dumb fridge.

Headley_Grange Silver badge

Re: All part of the planned obsolescence

@Steve: you might not have a choice when you buy your next appliance. Why would you sell one fridge in 25 years (that's how old mine is) when you can sell one every 5 years by forcing them to become obsolete? The market is ready for it because people already do it with phones. In a few years you'll buy a new fridge and it won't work until you've connected it to the web, logged in to the app and accepted the EULA which includes daily emails from Tesco and Asda reminding you that the milk is nearly out of date as read by the RFID tags printed on the packaging and if you don't click here by 2 minutes ago then four pints is on its way. Stuff that doesn't have RFID tags will have to have its details entered manually with associated "unidentified product in the door shelf area" announcement and you won't be able to close the door until you enter the data.

Christ - after re-reading that it makes me nostalgic for the 80s when all we had to look forward to was nuclear war and living like "Survivors".

Headley_Grange Silver badge

Re: Yep, this needs legislation

If the law were changed to force companies to support kit for 20 years then the white goods manufacturers would just become like builders and go out of business every few years only to reappear with a different name the next day. The law could deal with this (mandatory bonds, insurance, etc.) but given that current law can't even persuade Whirlpool to recall and repair tumble dryers that burn houses down, I don't hold out any hope.

Headley_Grange Silver badge

Re: Never understood this

The problem that it fixes is that the company mistakenly makes a fridge that works perfectly for 40 years. By attaching it to the internet they can make it obsolete and force you to buy a new one after any period they choose. Even better, they could also refuse to allow the software to be transferred to a new owner should you try to sell the fridge - like Tesla allegedly do with Autopilot - thereby ending the second-hand market too.

The option to buy unconnected stuff will disappear in a few years' time and, unless the law is changed, we'll all be "upgrading" cars and most electrical goods as frequently as we do our phones. Welcome to the world of jailbroken toasters.

Ooo, a mystery bit of script! Seems legit. Let's see what happens when we run it

Headley_Grange Silver badge

Re: Last time my car stalled...

Only if you've got the cage with the bird in it.

If you bought a CRT monitor, TV 13+ years ago, hold on a little longer, there may be a small check for you

Headley_Grange Silver badge

Re: Last two bits of article sum it up nicely

I know some very sad people who scan and save receipts for anything they bought that cost more than a few quid. They've also got credit card statements going back at least 20 years to support them.

Watch an oblivious Tesla Model 3 smash into an overturned truck on a highway 'while under Autopilot'

Headley_Grange Silver badge

Re: I get that the cameras may not have picked out the truck...

The truck wasn't stationary relative to the car until the car hit it.

Publishers sue to shut down books-for-all Internet Archive for 'willful digital piracy on an industrial scale'

Headley_Grange Silver badge

Re: But what about...

"Nope, but anything that cannot be legally purchased ought to automatically be out-of-copyright."

They can all be legally purchased. Write to the publisher or author and ask them how much they'll charge you to set up a one-off print run for the one book you want to buy. If you pay enough they'll print it.

So you really didn't touch the settings at all, huh? Well, this print-out from my secret backup says otherwise

Headley_Grange Silver badge

Re: Load?


Headley_Grange Silver badge

Re: "the concept of saving face"

@Bloodbeastterror - I've got a suggestion for where we hide the printers.

Headley_Grange Silver badge

Re: Ah, customers.

We were on a customer site testing a system which was made by another company but had my card in it. Nothing worked and we ended up working overnight trying to find out why. Eventually I discovered that the other company hadn't put pull-up resistors on some of their inputs which was causing the problem. We were against the clock and it was physically easier for me to add the resistors to my card than to fix the inputs on their bits. I bodged them in and the test went OK - although it ran very late with customer staff on site overnight. As a result of this my company got the blame for the test delays and additional cost because, as the other company pointed out, I'd had to make mods to my card to make the system work so it was my card that caused the problem. I got a bollocking from my boss for adding the pull-up resistors to my card.

Headley_Grange Silver badge


"...running the unit at full load, continuously, for five days"

That's a pretty big resistor. How do you load up a power station?

Made-up murder claims, threats to kill Twitter, rants about NSA spying – anything but mention 100,000 US virus deaths, right, Mr President?

Headley_Grange Silver badge

Re: Comparing the death rates

Only 5G democrats.

Headley_Grange Silver badge

Re: But no one cares what Trump has to say

I think that the data analysis to date is interesting, but until the underlying cause is understood then it doesn't really mean much. BAME people seem to be more likely to die; this might be because they are generally poorer and unhealthy and/or because they are discriminated against and/or because of genetics. The UK's death rate looks higher than other countries'; this might be because we have managed it badly and/or because we count the numbers differently and/or because Britons have underlying health issues which some other countries don't. Etc..... I hope that in the aftermath we don't forget to do the detailed analysis and that whatever analysis is done isn't skewed to meet an agenda - as Warm Braw above notes.

Luckily for the US they don't need to waste their time on any such analysis because Trump will decree that the US has the lowest death rates and the reason they are so low is all down to the way he has managed it.

Headley_Grange Silver badge

That's Entertainment

Trump is a product of the US believing its own hype. Their proudest achievements - democracy, the constitution, and the separation of the legislature, executive and judiciary - have proved powerless to rein in a spoilt tin-pot wannabe idiot. He lies, breaks the law, ignores scrutiny, fires the people employed to check his power, employs his cronies, uses his position to make more money,....., etc., and, apparently, there is absolutely nothing that the people can do to hold him to account.

The USA is a country which boasts of its democracy, where gerrymandering is rife and states routinely implement measures to disenfranchise opposition voters. I expect him to get another four years.

Trump issues toothless exec order to show donors, fans he's doing something about those Twitter twerps

Headley_Grange Silver badge

Re: Trumpetsters Trumpet Drumpfs Lumps

What he doesn't like is people talking back to him and telling him he's wrong. No one's ever done it to him - neither as a kid, as a business owner nor as president. Anyone that does gets fired. He's just trying to stop Twitter doing it to him.

Highways England waves around £62m contract for National Traffic Information Service after brief chat with vendors

Headley_Grange Silver badge

The problem with using the Cumming as a measure of distance is that one cannot be certain about how far it is.

Microsoft drops a little surprise thank-you gift for sitting through Build: The source for GW-BASIC

Headley_Grange Silver badge

Rocky Mountain

HP Rocky Mountain Basic was great. I agree that BBC basic was also pretty good. I used both in the 80s for writing test gear controllers, circuit design apps and a couple of simple games.

Competition? We've heard of it. MoD snubs cloud rivals to hand Microsoft £17.7m Azure hosted services gig

Headley_Grange Silver badge

Standards and Transferability

OK - I'm not a database expert, so forgive what might be a dumb question, but is there no way that the data format and functionality can be standardized so that the host doesn't matter?

In the US the defense department (their spelling, not mine) sometimes uses a "buggins turn" approach to procurement of expensive disposables like missiles. The initial development and first couple of manufacturing tranches are aggressively competed between the usual companies (Boeing, Lockheed, Raytheon, etc.). However, the development contract gives ownership of the design to the DoD, including a full technical data pack which includes everything needed to manufacture, test, deliver and maintain the missiles. In this way the DoD can compete future manufacturing tranches between the usual companies and sometimes, in effect, it becomes a sort of buggins turn. The advantages of this are that the DoD doesn't get locked into one supplier, with the resultant price hikes, and also that the money gets spread around the companies so that one doesn't end up as massively dominant or, as in the case of the UK, only one or two remain.

So, back to my original question - is there a way in which the databases and functionality that the MoD requires for this cloudy stuff could be designed in a manner that means it could easily be transferred from one supplier to another in the spirit of both keeping costs down but also avoiding market dominance, developing local expertise, jobs, etc.?

Internet of Tardiness: Microsoft puts on a brave face as IoT boat prepares to set sail

Headley_Grange Silver badge

Missed the Boat

There's also an opportunity to learn from the first phase of the IoT and build something better. Maybe give guarantees about not bricking your kit or removing core functionality after a couple of years to "nudge" users into buying new kit. Or perhaps develop good security standards. How about a standard interface that ordinary users can use to secure their devices, networks and data without needing a degree in computer science.

UK takes a step closer to domestic launches as Skyrora fires up Skylark-L

Headley_Grange Silver badge

All aboard.....

......the Skylark.


New Zealand releases Bluetooth-free COVID-19 tracing app

Headley_Grange Silver badge

One Last Push and it's Over

It doesn't end until we have herd immunity or a vaccine and it becomes another annual flu, albeit one with a higher mortality.

Let's assume that herd immunity for this virus needs at least 60% of the population to have survived it and that all those who survive carry some immunity. Last week the Grauniad reported the rate of new infections as 148,000 infections in the prior two weeks - call it 10k per day. So, if we maintain that rate of infection it will take 66e6*.6/10e3=3960 days to infect 60% of the population. That's ten years assuming lockdown remains as it is now. OK - it's a back of the envelope calculation based on incomplete data, but it shows what we might be up against.

Even if we accepted ten times the infection rate and the impact that it would have on the NHS it could still take a year to get to anything approaching herd immunity. So, we're probably in some sort of lockdown with social distancing for a while yet until we get a vaccine.

What we need today is testing and tracking so that we can identify people who aren't at risk so they can go about their lives and, more importantly, we can quickly track and trace new outbreaks, lock them down specifically and - most importantly - protect the most vulnerable by knowing where the risk is. I see it as the difference between a cruise missile and carpet bombing. Reading the papers and watching the news, the most frustrating thing for me is that I still don't really understand why we still seem to have such limited testing capacity.

Usual warnings - I Am Not an Epidemiologist, other opinions are available and mine might be a bit skewed from being on my own for too long and only having myself to argue with.

Magecart malware merrily sipped card details, evaded security scans on UK e-tailer Páramo for almost 8 months

Headley_Grange Silver badge

Re: I had no idea they had an online shop...

I love it. I use it for cycling and hiking. It's the most breathable kit I've got and I've never got wet wearing it - even after long, wet days out in the Lakes and Scotland. Only downside is that it's a bit heavy, although it can double up as a fleece. They also make law-of-physics defying tee-shirts that either keep you warm or cool simply by turning them inside out. I was sceptical, but the bloke in the shop told me I could bring it back any time in the next 6 months if it didn't work; I've still got it and it works - the only downside being that it gets stinky very quickly.

Luckily I bought my stuff from the shop cos, as you say, it's expensive and it's nice to get a good fit.



Biting the hand that feeds IT © 1998–2020