Posts by Matthew Brasier 40 publicly visible posts • joined 7 Jan 2014
As an author I can tell you no-one is getting super rich in the publishing chain. There are many people involved in writing, editng, typesetting, producing, printing and distributing a book, and they all need to make a living. While I agree the current system isn't working well, the answer is not "arrest the people doing the job in the way current laws let them", and nor is it "let people have all this work for free".
Much as I want Qwant, Brave, Duck-duck-go, etc to be viable alternatives to google, they still mostly don't provide useful results. Or at least it feels like searching on Altavsita used to. I am worried that the reason google (while worse than it used to be) returns more relevant results than its competitors is precisely the kind of user tracking and analysis that make the competing products attractive. (I.e. if I google knows enough about who I am to know if I search for Camel documentation I mean the apache project, not the humped animal - something the above search engines all fail spectacularly at).
Unfortunately "frankly unlikely" is not good a good enough margin of error for filling an aluminum tube full of people, hurling it through the air, then trying to land it precisely on a 40ft wide strip of tarmac in dense fog with a 40kt crosswind.
This is the kind of argument that normally appears before someone tells you that Web3 will solve everything. Early web technologies such as PKI, web servers, email, etc envisaged high levels of decentralization, with everyone running their own web server, managing their PKI trust chains, etc. People don't want that. Cryptocurrencies and NFTs are already showing us that if you leave end-users to control their own security permissions they get scammed left, right and center. Giving people even more fine-grained permissions and asking them to take responsibility for managing that themselves is a recipe for disaster.
Many years ago I attended a session by my local Astronomy society where one of the scientists from SOFIA presented. Its a fascinating bit of kit and did some great work, but is somewhat hindered by NASA aircraft being legally registered as military aircraft, preventing it from flying over or near countries that are unfriendly with the USA.
HTTP (not HTTPS) is a stateless protocol, the server has no way of knowing that a request relates to a previous request other than if the browser sends some data (which is the cookie) to alert the server to the fact that you have communicated before. There is no reliable way for the server to see the real IP address of the client because any kind of load balancer or HTTP proxy will mean that the "source" of the HTTP connection is the LB or proxy. There is a workaround to put the source IP address in as a header, but that can be faked as easily as the cookie.
With HTTPS it gets a bit easier for the server. HTTPS has the concept of a session (the duration for which the session keys negotiated are valid) and because only the originating server should know about the session key the server can be fairly sure that the client is the one that originally logged in. The HTTP session (unless you are using client auth) doesn't know anything about who you logged in as though, because the HTTPS session is established before you log in. Most modern HTTP servers will connect the HTTP session cookie with the HTTPS connection, which makes it a lot easier for the server to ensure the session is aligned to only one (HTTPS) connection, but this functionality can break in some scenarios (such as if you want to allow a user to log in using FORM authentication if client-cert authentication failed), or when using certain SSO providers.
TLDR; Because plain HTTP is stateless, its easy to steal HTTP session cookies, HTTPS can sometimes make this easier because you can tie the HTTP Session cookie to an HTTPS session.
The larger an organization is the more likely it has a wide range of software, much of which will have come from mergers and acquisitions, or from departments or operating companies selecting their own solutions. For large companies like Microsoft the answer to the question "does your company use product X" is almost always going to be yes, as it only needs one small team to be using it.
This is why I pay very little attention to logo slides in vendor presentations. You will regularly see the same large companies cited as clients of 3 or more software vendors in the same industry because different teams select different products.
Going back to the point about helicopters crashing in residential areas. Cars, motorbikes, etc all crash in residential areas more often and cause a lot more injuries and fatalities. I assume you are in favour of banning these much more dangerous vehicles (for which very little training is required to operate them compared to a helicopter) first?
The sensitivity required to identify the heat signature as that of a person, identify that person as distinct from other persons and track them for a period of time, while maintaining an evidential quality recording suitable for use in later proceedings. We aren't talking about hobby equipment that mostly does the job. We are talking about equipment that can provide evidence for use in a court.
Several years ago I went on my honeymoon to Australia, and as my wife and I are keen scuba divers, we took full sets of SCUBA equipment with us. My regulators are pretty expensive and I didn't want to trust life-maintaining equipment to airline baggage handlers so I kept mine in my hand luggage. The security staff at both Birmingham (UK) and Dubai (stop over) found the long rubber tubes with large metal attachments to be very suspicious and I was subjected to long delays at security at both airports while they performed every test they had and consulted with ever-growing chains of management. Luckily SCUBA regulators are a common sight for the security staff at all the Australian airports and they didn't even ask me to open the bag.
Venus probes tend to have a very short lived lifespan, and it has a much less hospitable environment for radio signals. Simply put, for the same cost as getting a little data from venus, you can get a lot of data from mars. However it is starting to get to the point where a little data from venus offers more unique insights than "yet more data from mars".
600ft is too low for primary air traffic service radars. Radar installations are placed on high ground and look upwards, there is too much "noise" near the ground for them to be any use. They are intended to assist in deconflicting and dispatching search and rescue for aircraft, and laws generally prohibit aircraft flying below 500ft other than during take off or landing. The radar at the local airport I fly from (or did when such things were possible) can't see aircraft below about 1400ft. As such a drone flying at 600ft is literally under the radar.
The point is that it is protected when the institution becomes unstable. It is underwritten by the government financial services compensation scheme. If the bank goes bust you will eventually get your money back from the government. Although that may take some time it is better than losing it altogether.
As a software developer, I generally try and pay other software developers for their work whenever I get an opportunity. I have used Ubuntu on WSL for quite some time now, it is significantly more convenient than firing up a whole virtual machine when all I want to do is fire off a few commands using SSH or the AWS CLI. However distros running on WSL often have a few bugs, and a distro specifically targeting WSL sounds like something I am happy to pay for, especially given its the cost of two beers.
I don't like having "The device that stops be getting lost if the weather gets really bad" and "The device I would use to communicate with emergency services if I become lost" being the same device.
I can see how for navigating towns or driving, a phone can do the job (although I still use a dedicated GPS for driving) but for walking, a dedicated GPS is a very sensible investment.
Its not really the collecting of the technical and admin contacts that is the issue, it is the publishing of them in the whois database. If they were collected by the registrar, and kept private by the registrar except in the case of a court order or other legal mechanism (as nominet is doing with .co.uk addresses) there isn't an issue - the registrar has the data that it needs to perform its contract, and can provide that information where there is a legal basis to do so.
The issue is that while ICANN claims to operate in the interests of the domain registrars, its main objective here is to ensure that IP lawyers can continue to use the whois database to identify where domains may sound vaguely similar to a well-known brand, and then charge the well-known band thousands of pounds to hound the owner of the domain until they give it up.
It is true that their income comes from selling advertising space, but the value of that advertising space is created because it targets individuals based on their gathered personal information. If I am an advertiser, I am going to pay considerably more for an advert on a page of someone who fits my target demographic and has had conversations about my products with their friends, than for an advert on a page of a random individual.
We have a number of customers that do their own dependency scans for CVE vulnerabilities using the OWASP dependency checker plugin, it finds vulnerabilities all the time, but having a vulnerability in a library does not mean the application is subject the that vulnerability. It may be in part of a library that is not used, or it may only be exploitable under a specific set of circumstances which will never occur in the application.
Even if you are exposed to a vulnerability, it is often in a 2nd or 3rd tier dependency and you are dependent on the frameworks you are using updating their dependencies, rather than it being anything you can fix yourself.
The key thing is to be aware of what vulnerabilities you are exposed to, and have mitigations in place (or be prepared to accept the risk), it is not feasible to aim for zero reported CVE vulnerabilities.
It isn't completely out of your control, there are a number of things you can do to control costs in a cloud environment, from picking the right technologies in the right places, applying limits etc. This is broadly what "cloud architecture" is about (the drawing a cloud on a bit of paper with arrows going in and out of it is to real cloud architecture, what "Enterprise architecture" was to real systems architecture). Most cloud vendor architecture certifications recognize this, and focus on cost control (along with security) as one of the key pillars of architecting a system.
Every time a customer of mine says they do devops I ask the developers how they are getting on with being paged at 4am to support the system. They always look horrified and tell me they don't have pagers because the operations team do that. They aren't happy when I say they aren't doing DevOps then - a key feedback look of DevOps is that developers feel the pain of operational support, resulting in them putting in more effort to make sure that issues are properly resolved and the system is reliable and stable.
I agree with the poster above that the key issue is that the camera can provide a record of what happens. If we make the assumption that the majority of police are not outright psychopaths, we can probably assume that the situations in which they use force are ones that they believe at the time it is justified. There are quite a few reasons (from psychological "tunnel vision" syndromes through to plain racist beliefs) that can cause a police officers interpretation of the situation to be incorrect, but it is unlikely that in the kinds of events being considered, for the majority of officers, that wearing a camera is going to change their interpretation of the situation (they feel that they or the public are in imminent serious danger).
What a camera can do, when reviewed in hindsight, is provide information as to what kinds of situations are often mis-understood, which could be essential in having targeted training and assistance to ensure that officers better interpret similar situations in the future.
My father, who was a pretty well respected geologist, was one of the few non-americans to work with NASA moon rocks. They are indeed very protective of them, mostly because the cost of obtaining them was very high, and they are one of the few sources of "uncontaminated" geological samples from the moon. There are plenty of "moon rocks" in the form of lunar meteorites (parts of the moon that got smashed off in impacts and found their way to earth) but these have been lying around on earth for many years, and so are contaminated.
Part of the value comes from the fact that geological experiments are often destructive - they involve dissolving bits of rock in acid etc - so the rock gets used up over time, and there are no current plans to realistically obtain any more.
NASA also definately do have "agents" of various types. Having attended the launch of the curiosity rover, they also had what could be described as a small military, who were responsible for enforcing the exclusion zone around the rocket before and during take-off.
That should be fine though, the proposal isn't talking about getting rid of the ability to create dialogues, its talking about getting rid of the ability to create dialogues that you must interact with before you can do anything else.
You can still pop up a dialogue asking if the user wants to save what they were working on, you just can't force the user to interact with it.
The stuff about not making purchasing decisionso etc is oracles standard legal disclaimer they put on any product or slide that talks about roadmaps or future versions. It's not really slapping them down in an addendum, it's boilerplate text.
That being said the future of products acquired by oracle is never very clear.
The fact that EA accounts are regularly compromised does not indicate that EA have been hacked, it indicates that people who play EA games have weak security.
My experience is that often people set weak passwords on accounts that aren't thought to be important (it's just a game) and then forget to update them when they later add payment details to the account for in-game purchases etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
