Posts by despairing citizen

Get another example of Political Risks offshore

This is another example of the kinds of political risks you get by offshoring, that the consultants always seem to forget to mention.

i.e. the country has a history of relgious and political violiance that can distrupt operations.

Amatuer testing times

Where systems have to be tested with live feeds, you isolate the system in such a way that the usual output is blocked, (not exactly rocket science)

Was doing this back in 1998 to test what happened to large financial systems (mutli-Bn) when they thought they where working in 2015, 2025, 2035, which meant we where adjusting the inputs as well.

Would suggest that the various stock exchanges set down minimum standards for testing, and revoke the connections of any outfit that does not meet them, much the same way as PCI DSS does security standards.

£125m, Ah, and the rest .............

£125m is an exceedingly low figure, and even a "bag of a fag packet" analisys by a BA would show that their indemnity costs are like to be double that.

Now add on the costs of customers walking (given recent survey RBS/FailWest/StillNotWorkUlster), and deduct that from the revenue stream.

The cost of managers being hauled up in front of the Irish government to answer questions (the ClownServatives, LibDumbs and LieBour parties don't see an issue with 25% of the UK ability to bank being offlined)

Brand damage is going to cost vast quantities of advertising budget and account managers time convinsing customer to rely on our banking systems.

personally I would be amazed if the damage is less than £300m, and would be unsurprised if it was north of £600m

So that half the IT team in scotland saving (approx £10m over 3 years), looks real good (sic)

If I was a majority share holder in the bank, I would start by firing the entire executive board, and the NEDs on the Audit committee, and appoint a brand new board with job one being to stablise the administrative systems of the bank, and job 2 to review the sign off of Risk on the downsize, outsource and offshore programmes, with a view to sacking on grounds of competance, or reassigning to less demanding roles.

Still missing the DR/BC plan?

Lots of talk about change management preventing the problems, which is always a good approach, but RBS is suppose to have a BC/DR plan.

In this day and age it should be unacceptable for a major bank to lose mission critical capabilities for more than 24 hours.

So where was the BC/DR plan that says this part of the system has been "nuked", (in this case by operator error rather than the data centre burning down), this is how we restore it?

Interesting Statement

"The issue is not a rootkit. The Uplay application has never included a rootkit."

Noted the above part of the statement, and that it was not "We/Ubisoft don't use rootkits"

Given that rootkits, installed without the expressed informed consent of the computer owner, would be a criminal offence (CMA90)

Iceberg - and not a Lettuce

Wish I could say I was (a) surprised or (b) it's rare....but I can't

Other examples include several Licence consultation systems used by the police, local authorities, et al to vet and exchange information on whether a person or site/shop/pub (e.g. Tesco) is suitable to be licensed (e.g. sell alcohol, etc.), and the web sites run the login on HTTP in the clear across the internet.

Think you can have fun ordering 120 iceberg's for someone, just imagine the fun you can have accessing a regulatory system pretending you're a police inspector!

Six of one, Half Dozen of the other

The guy does make several good points, and over the last 30 years I have seen IT specialists doing some of the things he describes.

However Business Managers these days are just as bad. (Previously they knew they knew nothing about IT, until the internet came, now they only know enough to not realise how little they know)*

So;

(1) Their is no such thing as an IT Project, they are Business Projects with larger or smaller technical components. (i.e. the corporate network is not the network managers personal fiefdom, it's there to make the company money)

(2)Your ability to post on Twitter, and build an access database to manage your stamp collection, does not qualify you to advise the company's best DBA on how to design a system with 15m records and 14k concurrent users. (this is a very common in my client facing roles, and I do my best to screen the local IT from the worst of these brain waves from the business managers (esp. Marketing))

*For every rule there is an exception, I have had one marketing manager on a project who could have done quite well in IT, and came up with several good ideas.

Mission Critical Kit vs Bonus Culture

With core infrastructure of large companies (RBS payment processing, 02 Telephony), it should not be possible to nuke the system, a suffcient amount of money and resources can easily render this possible.

Unfortunately the senior managers whoose bonus is based on cutting easily visible costs, and quite frankly have naff all ability at risk management, will cut these services to get their bonus, and if they are still around when the risk occurs, (a) they probably won't lose their job, and will (b) keep their bonus, despite how much money they have just lost their company(*)

This is why Barclay/Libor is a side show, it's being hanfled by the regulators, what needs serious consideration by parliment is the amount of the UK economy that is bet on technology services, that is not robust, and does not have an adequate BC/DR plan. RBS took out around a 25% of the abilitty of the UK to transact business, it is not unusual from other firms (e.g. 02) in it's approach to IT.

The modern economy needs legislation, that makes your IT and BC/DR as well audited as your accounts, shareholders and business partners should be able to read your company report, and see if they want to do business with you.

Cunning Clue

The cunning clue that the proposed powers are wanted for something other than the stated purpose, is that every week the "reason" changes, starts as "needed to combat terrorism", and then mutates is way through the 4 horsemen of the computer appocolypse.

It just like watching a child who wants something, "I need it to do my school" work, when actual what they want it for is to play games, and every time you ask, the stated reason mutates.

The only thing is that the children are usually more creative and inteligent in their creation of excuses than the ministerial dummies front this.

Military (UN)Inteligence demo'd again

From the uninteligent service.....

"If people take greater efforts at anonymisation, it could become a problem... but I'm satisfied by the techniques being developed. Many workarounds can be defeated... we are not proposing this law on the grounds that it will provide 100 per cent coverage of the communications data in this country."

Means the following.....

"If people take greater efforts at anonymisation, it could become a problem."

where people = criminals with a higher IQ than the idiots proposing this

"provide 100 per cent coverage of the communications data in this country.",

except for people defined as above, therefore, 100% coverage of honest law abding citizens, which can then be used for mud slinging by AC at the Cabinet Office when the civil servant proves the government is lying, or sold to NewsCorp by bent coppers.

And all for a mere £2Bn, if it runs to budget, so make that £6Bn to £8Bn in real life.

Best Value does not equal Cheapest

The procurement process for the public sector requires you to get "best value". A lot of people (including suppliers) have taken this to mean cheapest, it is not.

For a patient record system (or any other public sector system betting life and limb), quality of system, ease of use/training (less staff mistakes), and projected levels of support from the supplier (i.e. do they forget you after you sign the cheque, likely to be bankrupt, etc.), should all score higher than the initial contract costs.

You also need to watch for the little sods (sorry suppliers), putting in low ball initial signing costs, and then loading it up for renewals and support services. (for example on year 2 of the contract, they get to pick a large random number and call it a liscense fee increase)

Nice idea - shame about the details

This is one of those ideas that is good in threory, but fails in the real world.

1. Assumes the comms survives the crash

2. Assumes the cell net works in the area you're in (try getting a mobile reception in rurual river valley)

3. Assumes the system can get a GPS signal (big buildings in cities, tunnels, etc,)

4. People will assume the auto call went out, and hence not call it in themselves

5. Defects and Faults causing false-positives, or not calling when they should

Yes it could in theory save a life, I can think of two examples where it would have, but personally I think the above down sides would actually create a net negative, be having ambulances responding to wrong locations, and people relying on system that has ceased to function.

so 10 out 10 for a good idea, minus a few hundred for practicalities

Non-Jamming/Spoofing NAV system = Inertial NAV

Inertial Nav has been around for years, yes you can screw the set up(*), but there is very little an opponent can do subsequently to screw with it.

(*) - see FAA Harrier Pilot of ZA176 for why he had to land on a container ship, much to the financial happiness of the container crew ($1m+ in salvage)

The problem is not dumb terrorists, it dumb MPs, and their "advisors"

The Home Sectary is a politician, hence there is an expectation of an inability to do anything other than run mouth without thinking (see Francis Maud, panic the nation and endanger life knee jerker earlier this year)

However the idiots are suppose to have Sir Humprey clones advising them to stop the grossly stupidity ideas. Unfortunately the ACPO, et al seem to lack brain cells and the ability for critical thinking as well.

This act will DECREASE public safety, by diverting £2bn of assests to fund a boondogle rather than fund real intel and surveilance activities.

It will have police officers running down suprious leads, rather than focusing on real crime.

The terrorists will keel over laughing every time they clone someones identity (where do the thugs get most of their money, ah, ID and online fraud!) and use it to get a mobile phone, then ring all the numbers they know are blown, and watch the headless chickens of state security run around shooting electricians on tube stations, and pulling a SWAT on 60 year old grannies.

Winston Churchil once said the best argument against democracy is a 5 minute conversation with the average voter.

Today he is wrong, it's a 5 minute sound bite from the average MP.

Where to start

So no clear ownership of the data management process

Hired "fred in a shed" to carry out work involving S2/DPA98 data

Didn't write a proper contract (therefore probably no transfer of liability and duties with the drives)

Did anybody check that the end party has the appropriate procedures and equipment to dispose of the drives?, do they have the appropriate professional indemnity cover?

There are a lot of people in the NHS with the word "manager" in their job title, yet to meet many people in the NHS that I would call a Manager.

Corporate Suicide

HDDs are a dead tech, still some twiching in the corpse, but the writing on the wall is that they will be fully replaced by SSD's once the price-capacity-performance mark hits critical mass.

If you are a HDD manufacturer, the only life extending option is to make your old tech HDD as competative as possible versus SSDs, whilst you get your company into a new market. This is NOT acheived by having over inflated prices, which will only make business make the jump to SSD storage that much faster.

For further details on brilliance in management decision making, please consult with the board (former) of Kodak or Marconi

New Definition of Informed Consent at Reg and BBC

"If you continue to use the site, we'll assume you're happy to accept the cookies anyway."

Reg and BBC obviously have a new definition of informed consent!

The relevant item from the ICO guide;

"The Regulations require that users or subscribers consent. Directive 95/46/EC (the Data Protection Directive on which the UK Data Protection Act 1998 (the DPA) is based) defines ‘the data subject’s consent’ as:

‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

Consent must involve some form of communication where the individual knowingly indicates "

their acceptance."

Not no action = consent

BUZZZ, TRY AGAIN!

Optimisim?

"The Information Commissioner's Office (ICO) wants public sector bodies that have made their websites comply with EU cookie regulations to share their knowledge with others."

Okay, now find me a public sector website that >fully< complies with the directive!

For further details on the quality of US Gov security standards

please see wikileaks

Computer Misuse Act 1990

Has anybody ever tried explaining to a senior police officer what is covered by CMA90.

Given the police and cps are barely aware the law exists, let alone enforce it, why should any business in the UK take a blind bit of notice of some government lacky getting sound bytes.

If the government are serious, then (a) update DPA98 to require disclosure, could be done in 48 hrs if they want.

Personally I think we should go the californian way, mandate discolsure, and update the companies act to require PLC's to include a IT risk statement in it's annual report. Then see how seriously the board take security.

Real use of monitoring system

This is to enable the prime ministers press secetary to dig for dirt when a citizen or civil servant has the audacity to point out when the prime minister is telling lies (e.g. the WMD report, and the mud slinging from an AC close to the prime minister)

Now instead of having to hunt for mud and rumours, they will be able to access all at the touch of a button, and possibly sell it to their form boss and staff at places like NewsCorp.

Given the existing surveilance powers have worked adequately well since 7/7, as demonstrated by the fact that the only victim of a terrorist related incident in england was a law abiding citizen killed by the Met screwing up, I see no logical argument or evidance for more powers.

Prior Art Anybody

I remember having to use touch screens on laserdisk based training back in the early '90s.

The gesture stuff is blindingly obvious to anybody that see a touch screen.

I'm sure there is earlier research on this from the '80s (my memory not so good these days!).

So how did he get a patent for something that was obvious and prior art?

at least it makes a change to the US prat office handing out patents to apple for blindingly obvious and prior art material.