a balanced response by Intel
This seems sensible and pragmatic, just wish I was as clever as KK and could earn squillions by promising not to reveal flaws / exploits that I had discovered ;-)
PH is flawed and has revealed, did she earn squillions?
189 publicly visible posts • joined 4 Jul 2007
Well said Debra Bowen in your objective criticism of the egregious implementations of e-voting technology being foisted on the people of the US.
Sad, though, that Debra B then muddies the water by making the analogy with the weight of the body of evidence about climate change.
The planet's climate has always changed, but not all implementers of technology with evidential requirements have been as wicked, lazy, stupid, venal and obscurantist as Diebold et al have been.
Debra B's next job should now be to ensure that the ballot for the dog-catcher and the garbage contractor are on separate pieces of paper from that for the District Attorney. I recall a Robert Heinlein story ("Friday", I think) in which the US had 'balkanised' and the Independent Republic of California was in a constant state of voting on something every day.
leads to bottom-up design
Some credit needs to go to GD for getting stuck in with the troops and listening to / working with the end user
Wonder when UK DE&S (pork barrel admin central and useless at even doing that correctly) will get out of the way & let this sort of pragmatism arise here??
aaah well...
There are a number of 'white hats' or 'ethical hackers' already in existence. DV clearance is not a pre-requisite. The clearance a person needs is driven by the sensitivity of the data that they are required to work with. DV is only necessary to access TOP SECRET. A v v small proportion of all Gumment data is TS.
The extant 'white hats' or 'ethical hackers' are called Health Check penetration testers.
It is ALREADY HMG POLICY TODAY that ALL Infomation Systems for 'official purposes' are subjected to a Health Check penetration test.
This guff from O'Donnel is just ignorant politician twaddle, as noted by so many previous commenters on this story.
As I have previously opined, the problem is four-fold and the technical aspect of the "four pillars of stupidity" is actually the easiest to solve. HC pen testing does not and cannot change the culture in HMG departments. Hence the "where's the IT?" logo.
No politician will EVER get their head around telling it strictly like it is.
N.B. this is only a UK problem since Oyster is a copy of the MIFARE first touted for Rotterdam.
The Philips subsidiary that developed the technology took a gamble (a trade of cost versus correctness); they KNEW the flaw would be present in the product as released. Full disclosure is the sort of public slap-down these kind of people deserve.
Paris revels in full and frank disclosure (can't believe I am the 1st with that gag in this thread)
Good Friday fun! From bitter personal experience, it was really scary having to prowl the aisles of my local Somerfield in person ;-)
Where Joe wrote: "some observers scratching their heads about what exactly had gone wrong", I thought surely Sainsbury's know all about eggs and wouldn't put all of theirs in one basket. I certainly, from a business continuity perspective, would counsel separate data centres for 'warehousing' and 'customer records'.
It seems to me that "standards" are for the most part codifications of accepted "best practice". Back in the day, Whitworth & British Association screw threads were "standards" - in the British Empire! Now nuts & bolts made to those specifications would be pieces in a (tedious) museum.
Standards do NOT say "you MUST adopt", standards DO say "you can achieve interoperability if you adhere"
The choice of with whom you desire interoperability seems to be yours to make, or at least debate with people over. Clearly, that two standards compete on a given topic of technology is merely a recognition of (open!) competition.
I have examined my options on document formats and I ask people with whom I wish to be interoperable to do so without locking ourselves into a closed and opaque implementation.
You seem to have misread my rant about the 4 pillars of ignorance. My imagination runs riot when I try to think if the worst HMG can do; especially as they work to blur the crucial distinction between security and liberty.
I am not discounting possibilities that this 'theft' and the recent abandonment of paperwork are drip feed to sensitize the proles into believing that restrictions on our liberty are the only countermeasure in this Information Age. Back to the abandoned paperwork: marked TOP SECRET yet Mark Urban at the Beeb read them and said "not much to see here"
A) Mark Urban has been 'got at' & was told to say that - OR
B) Yet another aspect of procedural failing in HMG, 'everything in this department is TS'. Applying inappropriate markings is as bad as applying no markings.
I am an optimist & I will prefer B)
Meanwhile, back to work designing thin client security architectures for HMG that look after the data by design on the server no matter how good the user was in stupidity class (loving the Citrix over 3G idea)
1. Cultural
2. Technical
3. Procedural
4. Personal
Culturally, the first UK government failing is that they misunderstand data. They truly believe that 'official' information belongs to THEM. This means to include that information about YOU, once held by ANY HMG department, is 'official' and belongs to HMG, and that it relates to, or refers to, you is now irrelevant. The second cultural failing is they seem unable to distinguish between 'policy' (see 3) and putting policy into practice (see 4). The third cultural failing is a lingering belief that security-by-obscurity works. (Contrast the Canadian Security Policy (available on the www), the opening sentence of which says something along the lines of: "The CSP exists to safeguard the security and wellbeing of Canadians" with the opening CHAPTER of the UK equivalent (that I will not name but will let you know is NOT available on the www), which waffles on and on (you need to take my word on this, most of you) about 'official information' without bothering to define what 'official' actually means or ever mentioning 'people').
Technically, the UK government failing is that they think abandoning an encrypted laptop in a tapas bar (or similar) is not the same as abandoning a piece of paper on the 10:42 Waterloo to Strawberry Hill (or similar). Narrowly, they are correct, the failing is misunderstanding the public perception. The crypto on la Blears machine will be deemed to 'downgrade' SECRET to RESTRICTED. That the machine is at RESTRICTED means our Minister should have, as a bare minimum, PUT IT AWAY, in a locked filing cabinet would probably suffice.
Procedurally, the UK government failing is that they have all sorts of policy in place, but it is not effectively pursued. You would not want all the HMG 'policy' printed in hard copy on A4 to land on your head - it would HURT. The policy requires frequent audits, checks, balances, awareness refreshers &c to be conducted. Sadly, reality at the coal face is that lip service is paid to 'policy'.
The personal failing is that significantly less than 1% seem to actually CARE.
I am sure LP is aware of EuroMALE and that it is probably way more cheap than Watchkeeper. It will be for PRECISELY this reason that the beloved MoD will continue to buy Watchkeeper. They truly believe that as long as they throw more of our money at projects "they thought of" the country gets a "better" solution.
The DPA 98 works like this.
You are not aware of just how many different bits of gumment have information about you
This is good (in gumment eyes)
Should you get uppity and ask a bit of gumment to show you what they think they know about you, the revelation is not free
A civil servant who is angling for early retirement in any case is given a piece of paper with the information about you on it and given strict instructions about which train upon which to abandon the paper
The "breach" is timed to occur on a really bad news day for the gumment as oil goes to 160 bucks a barrel
The civil servant gets his early retirement and a golden goodbye that helps to buy that cottage near Llandudno
You are not aware of just how many different bits of gumment have information about you
The status quo has been maintained; this is good
the Q shows that some of these Merkin airborne filling stations had to be modified to refuel the Blackbird; the fuel was so waxy it needed preheating in order to get it down the spout to the receiving spy plane.
Only saw a Blackbird live once - for about 10 seconds - landed at St Mawgan (Newquay airport as the grockles now call it) and taxied into a hangar sharpish - breathtakingly wonderfully gorgeous
All of these are valid counterpoints to the DARPA 'droid warware tech demo, all of which I am sure DARPA are well aware.
This does not detract from the achievement to-date, I think Kai H's scepticism is a tad strong.
I would like to think DARPA / RayColl / others will move forward to more realistic scenarios, especially the progressively increasing damage / unpredictable drag situation. Shooting the model with (scale!) AA would also provide that fine combo of entertainment and information.
... ooh dear!
think b4 u leap, there, Stu:
"take a normal unencrypted NTFS volume with some files on it and set some heavy user access permissions to prevent users seeing them. Take it out of the PC and install it into another one, then..."
kinda depends on just exactly HOW those heavy, heavy user permissions are deployed in your forest, don't it?
try that stunt at my place, Stu - then gasp in awe as precisely the same permissions are applied ;-)
When the man from DARPA dazzled by the glint in the eye of the boffins prattles on about exploiting low Reynolds number motion, how low is he thinking? Paris Hilton swimming (purity of water not stated) exhibits Re of approx 4 x 10^6, whereas a spermatozoon (location of swimming not specified) notches up approx 1x10^-2
Seems to me that technology of allowing IPv6 to grow organically provides the path of lesser resistance.
Although the notion of asking all the 'big' IP users (in both senses!) to hand back all their numbers and NAT at the boundary (as they surely do already) has some sort of emotional appeal (just the idea that ALL_OF_IBM having only, say, 32 IP numbers by which it is publicly known would be neat), the concomitant administrative repercussions would be endless. So, clearly, this is the solution the (b)ureaucrats should be pursuing! Jobs for life!! They are biting off their noses to spite their faces in making plans to impose v6.
I usually praise, but Lewis P has let himself down on this one; his anti-escort bias is clear.
I do not agree with the contention that the correct aircraft is all that is needed for the new carriers to provide organic self-defence. The purpose of an a/c is to take the aeroplanes somewhere else in order to do something else, not to carry aeroplanes around to defend itself! As far as I am aware, the Joint Combat Aircraft (UK name for JSF, we cannot - by doctrine! - call it the same name, the aeroplanes that these new floating airfields will bear around the place) has no look-down-shoot-down capability against a supersonic sea-skimming missile; whereas the highly-capable PAAMS on T45 (including somewhat North of two thirds by contract value UK content - btw) of course can despatch such a menace as SSSM.
OBTW: wtf is FCS?
LP confusing his US and UK (again)?
FCS is the US 'network-centric warfare' Future Combat System. I think our Defence correspondent might have been trying to refer to FRES, which is the UK Future Rapid Effects System (which will exhibit network enabled capability, but not NCW).
Now THERE is the REAL money-wasting pork-barrel defence procurement story, Lewis!!
Go look at competitions, with no rules, between 3 different off-the-shelf vehicles with no published result - all overseen by a 'procurement consultancy' with 0 track record in defence - there's THE story, Lewis!!!
The regulator now calls itself 'PhonepayPlus'!??!?!?!?!?!?
WTF in the name of all that is halfways sensible is that all about????
TWFKAI* would have made more sense than this
The state of the country becomes more than somewhat dismal when a regulator (intent: to hold to account the activities of profiteering corporations on behalf of the people) truly believes that changing its name to a misleading collection of letters is more important than fulfilling its function.
* The Watchdog Formerly Known As ICSTIS
I'm emigrating to somewhere with minimal gumment - any suggestions?
are there yet one googol (or more) web sites?
has the most-used web searcher collected that quantity?
As to other brand names entering common parlance, I think but am not sure, that use with the initial letter in lower case is permitted and not an offence, use of the capital initial is inferred as intent to mean the original enterprise
When I altavista for GOOGLE all the results I get seem to be about Google
So any website that uses a URL of the form <whatever>google should not be asked to cease and desist, but <whatever>Google could be so asked...
I am surprised that Lewis Page did not mention these in passing. As I understand it, in UK military doctrine, the Grand Strategy are the aims and ambitions of the politicians, Strategy is set by the senior commanders that describes the military activity intended to achieve the (military part of) GS. Tactics are what are employed by the commanders on the ground (air, land, space) to deliver the senior commander's intent. The ROE are set by the politicians (in general terms) and are refined into military orders in Strategy.
The ROE are set such that acts of delivering military effect can (i.e. 'should') only occur towards achieving Strategy; failure to follow ROE is the 'war crime'.
I think the current UK military would find it difficult to define ROE that would adequately be able to control a weapon such as the direct 'thought->shoot' type
Units are not really required when the report uses a ratio to express the relationship.
deciBels are ratiometric and work both up and down, the article could have geekily stated:
"roughly 12dB quieter than conventional" or even:
"-12dB quieter than ~"
but given that the indicated reduction is only an estimate, a resort to deciBels seems ludicrous.
this is just utterly abysmal and horrific
the only legitimate word in the expansion of OOXML is 'office'
it is bif12 (binary interchange format, 12th attempt to get it right)
it is proprietary
it is closed
it is NOT XML
adoption of a proprietary, closed, not XML data format as an 'open', 'XML' *standard* is just SO WRONG wrong wrong
If you agree, please, please register your complaint with BSI by email at cservices@bsi-global.com - TODAY!!!
"serious cultural issues in failing to deal with private data properly"
From the bureaucrat POV it is "official" data - because they have it in their control, ergo the DPA does not apply to them.
The DPA "only" applies to us - the plebs - who, for some ridiculous reason beyond the wit of the bureaucrats to comprehend, actually think we have a "right" to peek at "official" information - how very dare we!
PH avatar cos we don't need to apply to anybody to sneak a peek at her private things.
eh??
I am not sure that you can equate <involved the introduction of a new process of "checking out" temporary IDs and passwords> with <part of the hack was conducted by hijacking an unsecured 'Temp' account>
There will be many 'realname' accounts on the 0wnd system. So there need to be many 'pseudo name' accounts (as secured as was, or better) on the recovered system. Essentially, the user community has been provided with new (albeit short-lived) credentials.
<isnt that what a decent proxy firewall is designed to prevent? >
erm, yes and no
a decent, well-configured and managed proxy fw is indicated
?IT stamp as I am not sure there is any IT competence displayed by the Merkins on this one
Pah! HARVARD partitioned data side from program side.
"Harvard architecture is a computer architecture with physically separate storage and signal pathways for instructions and data. The term originated from the Harvard Mark I relay-based computer, which stored instructions on punched tape (24 bits wide) and data in electro-mechanical counters (23 digits wide). These early machines had limited data storage, entirely contained within the data processing unit, and provided no access to the instruction storage as data, making loading and modifying programs an entirely offline process."
"The von Neumann architecture is a computer design model that uses a processing unit and a single separate storage structure to hold both instructions and data."
Harvard architecture processors are available, e.g. SHARC - they are somewhat optimised for hard-real-time numerical calculations (e.g. SONAR and RADAR signal processing) rather than general purpose computing. There is no port of Vista to a Harvard processor in the offing AFAIK.
Peter G wrote:
"The OS always has to be able to find this information, so has pointers that can themselves be found (paging tables with known base addresses etc.) "
I think what Kenny M was noting is that the pointers point to:
the_same_place_for_all_instances_per_OS_every_session;
whereas, is it not feasible to write kernel code for these pointers to point to:
someplace_(pseudorandomly)determined_at_boot_time?
This - IMHO - is not "an extra level of abstraction", rather it is a measure of obfuscation that is applied per instance, per session.
The kernel code could still be published, open source being lovely and all that, and the combinatorial limitation of the chosen implementation of "(pseudorandomly)" could even be explicitly stated in comments for those too busy or lazy to independently derive it. The POINT being that the range of possibilities generated (pseudorandomly) is just sufficiently high enough to deter the determined yet time-limited exploiter ("you've got three minutes left before the user returns to his desk, Ethan Hawke") from attempting this escapade.
However, for the majority of people with Firewire connectors on their machines, I recommend a small dose of two part epoxy adhesive (e.g. "Araldite") as opposed to "super glue"; such a cyanoacrylate adhesive may not set.
Professor Anderson heads up a very able bunch of researchers and their work into the inadequacy of technical information security implementations is very important. Professor Anderson is morally outraged by the attitude and approach taken by The Man to security and the use of technology to move the point of risk assessment downstream to us, the individuals (Wayland S & others previous). The approach of the banks to suspected fraud of 'litigate (against the defrauded) rather than investigate (the weakness of their implementations)' is indefensible and needs to be vigorously and rigorously challenged. Professor Anderson wants to motivate public opinion to support his outrage and rebel against The Man; unfortunately, he tends to the hysterical and hype and I am not convinced that this approach engenders the necessary gravitas.
Consequently, the Man (APACS in this case), feel they can counter with the ludicrous fobbing-off that "difficult to undertake and not currently economically viable" exemplifies.
By the way: included in the 'Newsnight' article was the simple statement from CESG (the relevant bit of GCHQ); "We have not evaluated the terminal device that you mention" in response to a question posed by the BBC journalist.
Fact is: there exists NO PIN Entry Device that has been subjected to a public domain (i.e. Common Criteria) evaluation. APACS (& other bank card consortia) run their own (closed) 'evaluations'.
1) that oil storage depot did go off rather large and only a teeny proportion of the oil stored there had made an optimum stoichiometric mix
2) my informal studies of group dynamics over the years (not those in terror nutter groupings) lead me to think that two opinions start to form in any group larger than 5 or 6; likelihood that one-of-ten is an informer seems quite good to me
(much as it pains me to write this): second comment, first point holds.
Indeed, the gumment *should* have included clauses about absolute probity and correctness and completeness of conduct in the areas of risk management, information management and auditing; compliance to regs is a legislative mandate already in place.
or has the acronym been updated?
the 'taped-off' area seems relatively unused, has a v low permanent population and is mostly west of track from areas of oggin that are easily accessible by USN surface craft; should be a really good test of SM-3 capability
(for once): good luck Yanquees