Re: On the contrary, it's up to the police to prove it WAS you, if the shit hits the fan.
Paying for the solicitor to argue this point with the police will cost more than your computer.
In the near future EA moves into car sales, and applies its Sim City logic...
You must come to your local distributor every morning to collect your car; no, you can't use it at home without talking to our sales rep first.
Yes, you bought a car for you to use, but you must share its usage with any randomly selected number of other road users, and tow all their crap as well, even if you have a poor performance figure as a result. If your car has already gone in the morning, then you'll just have to wait until one comes free, some time.
When we at our sole discretion choose to no longer support cars, your vehicle will immediately disable and become useless, regardless of how much money you spent with us.
...er... what do you mean we are not complying with the Sale of Goods Act, Unfair Contract Terms directive, etc. (all other consumer protection legislation), etc...
"How about they just let self drive cars in and take the control away from the easily distracted humans......"
Unfortunately, whilst a seemingly good idea, the practical experience from airline operations is that when things get complicated (bearing in mind air travel is a less "cluttered" environment), the computer goes "I can't cope" and dumps the autopilot back to the humans; the human then panics over what is a straightforward flying problem, readily resolved if you go "back to basics", and makes a series of bad decisions, resulting in them crashing a perfectly serviceable Airbus into the South Atlantic.
This is fairly similar to a lot of CFIT (Controlled Flight Into Terrain) factors.
A rigorous study was published in the journal Accident Analysis and Prevention, by Samuel G. Charlton: "Driving while conversing: Cell phones that distract and passengers who react".
Pretty much proves the extent of impairment caused by mobile phone conversations. There has been similar research carried out by the insurance industry, which had similar findings.
Bottom line: driving solo, best chance of surviving the unexpected, and not taking others with you; driving on the phone is an accident looking for somewhere to happen.
"Obama picked Biden as his VP. So McCain figured that he needed to pick a total idiot, too."
It is possible that the Secret Service are advising candidates about potential VPs; remember that even an insane person would not have shot Bush senior when president, as they would have got Dan as the president.
Having a VP that nobody would want as the president seems like a good life insurance policy if you are the president.
John McCain's big goal over the years has been to reform political funding, something that would have been impossible with a VP from the usual bought and paid for stooges found in most US political offices (for example, senators willing to try and kick off a trade war with the EU because their banana growing funders had lost a crop to bad weather and wanted protection from Caribbean imports).
That left a really thin field to choose a VP from; Palin was probably the least worst choice, unless he wanted to ditch any possibility of reforming political funding if he won the vote.
It should be noted that as the losing candidate, he did actually manage to get more votes (60m) than several previous presidents (for example, junior Bush had 50m in 2000).
"He did for the same reason why he didn't get elected. He is bat shit crazy and far too impulsive when he shouldn't be."
Yes, has insane ideas like senators and congressmen should work for the voters, not big corp cheque books.
That the US should not use torture; introduced a law on that very point.
His crazy ideas on reforming US political funding are the reason the Republican party machine spent more effort keeping him off the ticket in previous elections than they did on trying to keep the Democrats out of office.
He could only be considered crazy as being the last sane US politician.
(A) The comment was about the general waste of space of all political parties' MPs; basically they pick up a big paycheck and then largely don't bother turning up (just try and get MP attendance records on an FOI!).
(B) As somebody capable of doing a CBA, yes I can make the government more cost effective, over and above sacking half of MPs and saving millions that way. You can save billions by scrapping all the voter-grubbing, red-tape inducing complications found on the books.
e.g. under the last administration housing benefit cost £21bn; the current Clown of Downing Street made a great fuss of this, and what he failed to do was check and understand the figures, i.e. multiply the average payment by the number of claimants, and oh look, approx £7bn payments, £14bn in admin, possibly due to the War and Peace tome that a claimant has to fill in, and some poor sod has to read through.
We have DWP forms that ask if you are a "share fisherman"; it's not even vote grubbing for this century!
"As to the numbers in parliament; they have to sit on committees, meet voters at constituency surgeries"
You would need to be running over 50 committees simultaneously to account for the other 600+ MPs.
Yes, there are a small number of MPs who do their job, but you could easily go to 260 MPs and not notice the difference, except maybe the expenses bill.
The US has roughly 760 congressmen for 350m people; we have 650+ for 70m. See, proof the UK public sector is inefficient and lacks productivity.
The surgeries are supposed to be on the days they are not in parliament, hence why the house officially sits for 3.5 days per week, and MPs have more "holidays" than teachers.
I would also note you have no way to get rid of a moonlighting MP, for example off on a reality TV show instead of representing her constituents, but that's peanuts compared to one MP who tried a case as a barrister at the Old Bailey whilst still a sitting MP; one of his clients wasn't getting their money's worth of his time, and I bet it wasn't the one coughing up thousands a day from the dock.
What we need is a "none of the above" box on the ballot.
With that I predict turnout climbing over 80%, with "none of the above" being the clear winner.
I happen to be fortunate that for the last several elections I've had an MP worth voting for, that regularly turns up to work for his constituents (not lobbying firms, etc.), asks well thought through and researched questions both in the house and on committee, and holds regular surgeries, despite his current ill health. Damn shame about the other 600+ NON-bench warmers.
If the Met had not undertaken a massive overtime generating scheme, and kettled the protesters in Parliament Square, would there have been less than 11 arrests?
Apart from the 1 item reported of criminal damage/theft of flag, how many of the rest were caused by trying to prevent free movement of people expressing their freedom of expression?
Pick a random moment and switch on BBC Parliament, count the number of MPs in the chamber discussing legislation that will affect every single voter in the country.
It's usually 2 to 3 dozen, and the other 600+ are not in committee.
We now have more ministers than when we ran 2/3rds of the planet; roughly 1 in 10 MPs is a minister or shadow.
So yes, cull them, and tell the remaining half that unless they stop moonlighting on their £6k/day directorships/consulting/etc. jobs, they'll go the same way as well.
Interesting how much money is being put into quantum computing by organisations with ties to the likes of GCHQ and the NSA.
Also the introduction of 3D ICs will make some dent on the processing power.
We also have the pure maths mob finding better ways of cracking keys.
I would observe that GCHQ sat on Public Key Cryptography for over a decade before it was "discovered" by RSA, hence one could wonder at what else they are sat on.
And the compression algorithm is different to a second layer of encryption how?
Compression is predictable, hence how you decompress.
If you are looking to make known format files more difficult to decrypt, then you need to have a random length of salt at the front and back as a starting point, and work out from there.
You also need to factor in that the data in system to system comms is inherently predictable in most cases; for example the claims number for an insurance claim follows a set pattern, and there are some business operations where, looking at a file reference number at any one of a couple of hundred operators, I can identify exactly which software they are using for administration.
"A 514 bit key would require 22 months to crack and so on, a 522 bit key would require 5632 months (over 450 years)."
The RC4 encryption system relies on pairs of prime numbers, which do not necessarily double as the key length doubles.
You also need to factor in Moore's Law: the RSA-155 crack used single threaded CPUs at 200MHz-300MHz, a modern cheap PC is quad cored at 3GHz+, and today we would not use a CPU, we would use a graphics card, which is roughly an order of magnitude better at crunching numbers, and also follows Moore's Law.
The process used in brute force of a key also tends to use a lot of hard disk space, so the move to SSDs would also make a significant dent on time (i.e. typical HDD 10ms access, SSD 0.1ms access).
The paper on the crack of 768 bit encryption can be found here: eprint.iacr.org/2010/006.pdf, from back in 2009.
The relevant bit of the summary is...
"Our computation required more than 10^20 operations. With the equivalent of almost 2000 years of computing on a single core 2.2GHz AMD Opteron, on the order of 2^67 instructions were carried out. The overall effort is sufficiently low that even for short-term protection of data of little value, 768-bit RSA moduli can no longer be recommended. This conclusion is the opposite of the one arrived at on [39], which is based on a hypothetical factoring effort of six months on 100 000 workstations, i.e., about two orders of magnitude more than we spent"
PS.
Note: not GPU compute cycles, which is the way to go for this type of crack.
Pairs on Enigma was a possible reason for the Allies not shutting down the German weather (Wetter) station on Spitzbergen.
As nice reliable Germans sent the Wetter report first thing in the morning.
Two E's and two T's in the opening of the message. A predictable known plain text decrypt.
Given how predictable XML files are in their start, how many people are transmitting encrypted XML?
PS
The UK government was quite happy to supply second hand Enigma after the war, without mentioning we had cracked it. So NSA backdoors are not really a new idea.
Why was the electronic computer invented? To crack encryption systems!
Encryption is a time and effort based method of making it tough for the other side to read; it is not a truly secure system.
Ignore the end of the universe time quotes from people like the FBI in how long it takes to crack an encryption; they are usually asking for bigger budgets when they make those statements.
In real life, the crack time for an RSA-155 (512 bit) message was 5.5 months, using a couple of hundred PCs, and a server with a lot of memory for 1999, i.e. 4GB.
(a) PCs have got a lot faster since then
(b) the more compute cycles (resources) you throw at it, the quicker it breaks
(c) the NSA has a LOT of compute cycles to throw at things; even the average 3rd world banana republic has more compute power than a 1999 research team.
So when wanting to secure something, think how long the data is sensitive, and plan accordingly.
The Chipmunk was fully aerobatic, even if you had to burn altitude for speed to do loops, built like a tank, and the AEF at Abingdon used controlled airspace, hence the only thing in the box when doing aerobatics was you, unless you heard the controller shouting at somebody. The plane would also automatically adopt a workable glide angle if you lost the engine (joys of 1946 hand designed aircraft).
Unfortunately these days the training is done in uncontrolled airspace, which in the Benson to Abingdon area gets as busy as the M25 on Bank Holiday Monday, not an environment conducive to reducing the risk of mid-air collisions, hence recent fatalities, compounded by the fact the Tutor is the same colour as a cloud (despite comments from RAF EFTS during procurement).
PS
The Tutor's canopy release was never tested for the speeds achieved in aerobatic manoeuvres, so even if you did remember the escape procedure, no guarantee there would be a hole to go through.
Given the alleged offence was unauthorised access, unauthorised modification, and conspiracy to commit further offences (the back doors), that is the textbook S1, S2, S3 offences under the Computer Misuse Act 1990.
Why does the DA want to prosecute, rather than phone the Met, ask for them to enforce UK law against a UK citizen, and send us the evidence collected on the victims' systems?
Unless the DA thinks that a US visitor getting his pockets picked in London means he should stand trial in the US!
"I get the feeling you're mixing up a moral compass with basic patriotism. They are not the same thing in a universal human sense."
If you believe in the values that your country has stood for, for hundreds of years, patriotism is a moral choice.
If you do something for your country and your people, because you believe that to be right, that is a moral choice and patriotic.
The problem comes when you consider people's patriotic actions against personal definitions of good and evil, rather than the actor's perspective.
For example, nobody could question that Adolf Hitler and Vidkun Quisling both acted on what they thought was in the national interest for their people; the fact that Adolf was responsible for many horrendous acts doesn't change where he started from, and Quisling, from most people's perspective, betrayed his country (Norway) doing what he thought was right (you will see him sometimes described as the patriotic traitor).
The same can be said of Pierre Laval's participation in the Vichy government.
When you are recruiting people to work in national security, you should be looking for people who will protect their country as a moral choice, rather than a pay packet; that makes patriotism a subset of moral choice. The downside is if the current people in charge have other agendas, because that patriotism makes for people who are willing to "go down in flames" to do what is right for their country, rather than their government and paymasters.
I'm sure if we put a few philosophy profs. in a room they could argue about the linkage between patriotism and moral choice for a few decades.
"These leaks are failures of vetting, and failures of need-to-know policies."
More likely a cause is that a number of the programmes lack justification, legally and morally, and therefore good people are willing to risk their careers and lives to blow the whistle on things that they believe >their< country should not be doing.
Most whistle blowers on military, and especially intel, activities do it knowing that they are going to be paying for that choice for the rest of their lives.
The government can pass all the laws it wants, but people have their own personal moral compass.
Bletchley was kept secret because it was presenting staff with a very black and white moral choice. This included captured members of the Polish cipher bureau taking the secret to their grave.
What the NSA and GCHQ are currently operating covers many shades of grey.
If you want the secrets to be kept, then they must have a moral justification for the staff working on them; no quantity of law or threats is going to keep the lid on, as somebody will sooner or later stand up and act on what they believe is right, resulting in the programme being exposed.
This leaves the NSA and GCHQ with basically two options: (1) recruit only people with a very loose moral compass (a bad security risk with foreign intel agencies for subversion), (2) restrict their operations to what can morally be justified, and ensure the absolute need for that programme be explained and justified to the people working on it.
"I don't think the regulators have any idea what they're up against"
- I think this has been proven many times in the last 10 years.
"If they passed a law requiring these firms to calculate their positions after every block of trades, it might alleviate some volatility, as it would force them to stop trading and wait for any delayed confirms."
- Yes, they would have to stop their casino operations, and go back to being a boring old fashioned financial institution that facilitates the raising of capital for economic growth, rather than being a gambling operation, not generating or contributing to the real economy.
If you want to know why, after such spectacular screw ups in the gambling halls of Wall Street and the Square Mile in the last decade, these operations are not being clamped down on by the regulators, take a look at your elected representatives' funding and election support services, and the revolving door (more like a high speed turbine these days) between politicians/regulators and top jobs in the banks, etc.
Yes, the mainframe days, when a 30 minute outage in one year, resulted in the head of IT having to write to the board to explain what had gone wrong, and how he was going to prevent it in future.
Average downtime per server these days, now that the technology has "matured"?
"Model office"/integration and UA testing concepts have not changed in the last few decades; it is just that they are skipped over for a more "agile" delivery and business operation.
PS
Note "agile" in this context is how the consultants and board room fad surfers use it, not agile system development and delivery done properly.
"Other shops strictly followed proper programming, testing and change control procedures even though that raised short term costs, and the managers and workers there accepted that as normal industry practice."
As I keep telling operational managers, it is Cost - >RISK< - Benefit Analysis.
Too many decision takers forget to factor in the risk costs.
Therefore the argument to "it will take another month of testing and £200k" is: this is cheap by comparison to a 10% chance of losing half our customers after a screw up, and a 5% chance of being out of business.
This also occurs in equipment procurement; for example, the Grob Tutor was asked for in black and yellow high viz paint by the head of RAF EFTS, turned down because it would add £500/aircraft in extra fuel over the life cycle of the aircraft. 2 mid air collisions later, 3 destroyed Grobs, 6 dead including one newly qualified (£3m+ training cost) later, that £500/aircraft looks remarkably cheap.
Some things are not hindsight; it was just a blindingly obvious risk before the event, skipped over because somebody wanted short term cost savings (on which their bonus was probably based).
The "law enforcement agency" will still be that universal failure called the ICO.
Therefore there will be no investigations, and any action caused by a member of the public making an informed complaint with evidence will cease the moment the ICO calls the perp organisations with the question "are you breaking the DPA", and the perps say "of course not". Case closed, "no breach" says ICO.
UK military (old days) probably
UK military (today) possibly
US military (last 100 years) no chance
If you are a USAF colonel who points out that the troop carrier being tested is not fit for purpose, needs real testing, and major re-work to make safe, first you get sent to Alaska, then you are volunteered for retirement (i.e. Colonel Burton and the Bradley programme).
Due to it not being a vote winning subject, the UK actually ended up with two very good pieces of legislation.
Computer Misuse Act 1990 and Data Protection Act 1998.
They are clear, coherent, and without too many contradictions of other laws (e.g. the Planning Acts were not catered for with DPA98 and contradict each other over public registers).
The only problem is enforcement.
The ICO thinks it should only process complaints and self referrals, and do no investigations, hence the complete lack of action over the Universal Job Match website, which provides crooks with a free identity theft facilitation service, paid for by the UK tax payers.
Most police officers have never heard of CMA90, and if you ask the question of a senior "cyber crime" police officer what a company can do if a former employee deletes all your customer records, you get a response of:
long pause, uh.........criminal damage
rather than violations of Sections 1, 2 & 3 CMA90, on conviction up to 6 months and a £5k fine.
If the new unit can claw back the ground lost with the dissolution of the old NHTCU, then I will be very happy; I will be even happier if they get an appropriate number of resources, rather than a token number of bodies, just so the minister can say he's doing something.
Or Sony BMG for their estimated 75k* years worth of criminal offences under CMA90, for their rootkit loading "music" CD.
UK has no statute of limitations, so it's still good if the police want to do their job eventually.
* - 1 dodgy CD - 150k sales at 6 months each for unauthorised modification of a computer (S3/CMA90)
PS
You could argue for S2 (unauthorised access) as well, but it would be down to the judge and briefs arguing whether the punter not knowing the rootkit was there vs them voluntarily putting it in their computer to listen to the music they bought.
Innocent until proven guilty; it's only been in use for the last 800 years. What part of the clearly defined legal process did the "jumped up little Hitler" in the CoL plod miss on his basic training?
The job of the police is to (1) investigate and (2) enforce the law, two different jobs at different stages of the legal process. It is the job of the courts to act as the judiciary, i.e. possible crime detected, evidence taken to court, law enforcement action authorised by independent judge, police assist court enforcement when needed.
If any member of the police force thinks that they are allowed to act also as judge and jury, they should be thrown out for having some seriously dangerous delusions, and are therefore mentally unfit for the job.
How much money can we make with this (A), how much will it cost to fix (B), how much will WE lose (C)?
IF A - (B + C) > Zero THEN we define this system as secure.
This may not be the perceived standard private citizens or technologists may use, but it is the one most large corporates use (including on safety critical systems).
Since US intelligence services have been caught giving US companies assistance, I would be very nervous putting commercial data on kit that they can rifle through and give to their buddies, whether this is officially sanctioned or via the "old boys" network.
For example, one can imagine a theoretical situation where certain information held by BP may be useful to Halliburton in pursuing legal action to the detriment of BP; Halliburton has strong ties to the DC machinery, so it would therefore be prudent to expect that leaks will happen.
450 VMs is not a small IT operation, even if your company only has a few employees; anything over the 200 mark puts you into the medium category (i.e. one UK £330m/pa cashflow organisation I know had around 270 machines and 4k+ employees, although they could have condensed that if they planned a bit better and had less "budget code bun fights").
The other issue is around the ROI calculations; many organisations do not match like for like, very frequently by accident and not design, and very few even consider the risk management implications. IaaS and SaaS have real effects on the corporate risk profile, and frequently the Risk Manager is not even informed, let alone consulted, when a mission critical chunk of the business is bet on somebody else's kit.
As a PM I have used IaaS and SaaS on occasion, for example a useful but non-mission critical web system that I (and the network and security managers) did seriously not want inside our network perimeter (if I'm loading this kit on to a commercial cloud to ensure it is a barge pole away, just think about what unsavoury characters might be doing with malice aforethought!).
My point was that like all tools invented for IT, they have their uses; it's why it was invented in the first place. What really annoys me is that every time a new tool comes out it gets presented as the only and absolute solution to all IT needs.
Yet again the magic bean salesman states our magic bullet one size fits all solution is the answer to all your needs!
Economies of Scale? If you're a small company, yes, AWS is probably going to be a better bang per buck than DIY, but I seriously doubt Amazon can buy tins cheaper than any other large company.
No company that I have seen has put on its annual report words to the effect that, "by the way chaps, if our cloud provider does an Enron or Lehman's, we are out of business the day after, and your shares will be worth less than Marconi stock".
Which kind of shows that the senior managers responsible for taking these decisions in publicly listed companies have either (a) decided to deliberately avoid making the appropriate corporate risk statements, or (b) have no bloody clue as to what they are signing for, but the vendor supplied spreadsheet and PPT looks good for my next quarterly bonus.
will smell just as crap
Any centralised ID system is inherently at risk of insider breaches, as the quantity and value of personal data held in a single location make it profitable for crooks, terrorists, et al. to get somebody on the inside, either by plant, or by blackmail and bribery.
As the number of police officers charged for selling PNC, etc. data to NewsCorp has previously demonstrated.
Regardless of whether they did the job themselves or intimidated a 3rd party into doing it, the criminal damage charge should stick, just the same as you can be charged for assault without actually touching a person.
In addition to the criminal damage charge, it then becomes interesting under our Terrorism legislation, as anybody who undertakes criminal damage, or the threat of criminal damage, for the purpose of political, religious or ideological goals is a terrorist.
So whether this action was politically motivated, or was genuinely done for valid legal reasons with appropriate judicial authority, given law is an ideological construct, we now have terrorists running GCHQ!
Just in case the DA has forgotten, a company is a legal entity, the same as a person is a legal entity.
If the legal entity ceases to exist, how can it be held in contempt of court?
If the court order was against the company, contempt of court charges are just as irrational as having a trial with a dead person as the defendant (something that still happens in Russia!).
"This is not just a criminal breach of the Data Protection Act, but it also led to a police investigation of alleged domestic abuse being dropped,"
A failed police prosecution is not the reason the DPA needs to be updated, the point is that sensitive personal data was leaked that could have led to somebody being physically harmed or killed.
In my personal opinion, the victim would have a good case against the probation service for the mental harm the disclosure did actually cause, and if the local council had to re-house the victim, then they should be sending the bill to the probation service (again a good argument for a civil case), rather than expecting the council tax payer to pick up the bill to make somebody safe.
The military brass tends to have selective memory, i.e. we know our ECM systems on an exercise will screw the fishermen's GPS system....
...we just seem to forget that when it comes to buying guidance systems, because obviously any enemy will of course be stupid and have no access to technology that can be bought at Maplin (or local equivalent).
The GPS adapters go for around $27000 per bomb, so roughly a quarter mil per aircraft per mission.
But they work really well on training ranges, when showing the minister and press how accurate your bombing is.
Bottom line is that if it relies on an emission for targeting, it can be spoofed or jammed; the trick is to use something that is really difficult for the other side to screw with. GPS is not that technology.
Redneck proves $100 device with 12v battery beats GPS signals, as used in all those "precision" GPS munitions that the UK MOD and US DOD have been buying.
I mean, it's not like jamming radio guided bombing was something they could have predicted, given that 7 decades ago the RAF buggered up the German radio guided bombing system the day after they first used it, and the Germans were using big transmitters in France to do it, not weak GPS signals from space.
SB1386 seems to have worked in the States, with companies upping their security to get out of writing to all their customers to say they screwed up.
It has been proposed in several corners that we should have the same, a point reinforced by the fact that the ICO does not actively investigate, even the stuff that has been directly reported to them by members of the public.
i.e.
Joe Public>ICO. "Organisation X is mishandling my personal data, as defined by these rules in DPA98"
"and I have attached the evidence that they're doing it"
ICO>Org X. "Are you complying with the Data Protection Act?"
Org X>ICO "Certainly"
ICO>Joe Public "Org X have not breached the DPA, case closed"