* Posts by JimBob01

54 posts • joined 23 Feb 2014


Talent shortage? Maybe it's your automated hiring system, lack of investment in training

JimBob01

Re: An alternative approach:

Dunno about whether anyone would have the "wit" to write that.

I would be more interested in whether anyone has the honesty to actually follow that process?

...rather than ensure all applications go through at least one stage of arbitrary buzzword filtering

Apple takes another swing at Epic, says Unreal Engine could be a 'trojan horse' threatening security

JimBob01

Re: "Apple would face incalculable harm"

"Apple makes it astonishingly obnoxious to even download free things without a credit card number on file."

Care to elaborate on your claim? I found it pretty simple to create a Store account with no payment method ... perfect for downloading those free things...

Apple to hand out limited-edition iPhones among 1337 h4x0rs because it wants more bug-hunters

JimBob01

Cognitive Bias?

I’d bet that Apple already employ many people for product security purposes but any employee is open to the many cognitive biases just because they are an employee.

Handing low level access to “independents” is a way of reducing the role of cognitive bias in security assessments, basically getting input from another set of eyes.

An obvious weakness in this approach is that you have to trust the people (you give low level access to) that they will report any interesting findings and not keep it to themselves, eg would the FBI report they had found a useful backdoor?

Minister slams 5G coronavirus conspiracy theories as 'dangerous nonsense' after phone towers torched in UK

JimBob01

Re: Correlation

While you are absolutely correct, the mis-quote is more well known/used by people of all political persuasions.

I guess this is one of the consequences of living in a post-truth reality.

From Gmail to Gfail: Google's G-Suite topples over for unlucky netizens, rights itself

JimBob01

Re: Clouds sometime rain

“If you are going to complain about it then go ahead - but complaining just illustrates that you don't understand the world.”

WT-absolute-F!?

Dunno about you but I live in a world where large cloud companies constantly bang on about how much more reliable they are than using your own equipment.

For this reason, a PC not booting is not news worthy whereas a mega-cloud service being borked is.

Hypochondriacs – are your eyes all blurry? It's just YouTube trying to cut video-stream quality worldwide amid the coronavirus pandemic

JimBob01

Huh?

“Broadband ISPs have been quick to claim they have the capacity to handle everyone's video streams”

But wait, I thought that Netflix et al were overloading the Internet and should be paying a premium because of that?

Come on ISPs, make up your mind!

Total Inability To Service User Pulls: GitHub wobbles with a good old Thursday TITSUP

JimBob01

Re: If you store your project code on an online repository...

“Whatever the marketing lizards say, there is no such thing as a 24/7/365 service anywhere.”

Who would want a service that is guaranteed to be offline one day every 4 years? I’m quite happy with plain old 24/7.

It's Terpin time: Bloke who was SIM jacked twice by Bitcoin thieves gets green light to sue telco for millions

JimBob01

Do you outsource your security?

The use of phones to ‘secure’ important, personal information has become widespread without any concern for the fact that phone companies do not have strict and consistent rules about such things as SIM swapping - particularly as this practice is considered a handy feature by many who would, no doubt, baulk at any reduction in this convenience.

I have heard the "large orgs do technical security so much better than we ever could" mantra so many times but there never seems to be any consideration of the increased social engineering surface that a large organisation must have to manage huge numbers of anonymous clients. Also, as in this case it seems, a large organisation is much less well equipped to deal with rogue employees who are, again because of org size, pretty anonymous AND able to subvert any security protocols put in place.

Maybe the new mantra should always be that "convenience and security are opposite ends of a scale, as one increases the other must decrease". You must prioritise what is most important. Anyone who claims different is ignorant or selling snake oil.

Uncle Sam tells F-35B allies they'll have to fly the things a lot more if they want to help out around South China Sea

JimBob01

MVP?

Too many posts where people are (deliberately?) mis-representing what MVP is SUPPOSED to be…

“Viable” is supposed to mean that it works.

“Minimum” is supposed to relate to the richness or paucity of features.

Obviously, some teams/management don’t get that either but it seems, if there is “adherence to Agile religions” then, they must be using it properly.

You live where you live ... and ex-SAP boss Bill McDermott lives in a house like this

JimBob01

What is this article?

It only vaguely has a tech angle and seems to be mainly motivated by jealousy.

Ok, a senior tech manager has more money than taste but is that newsworthy?

IT contractor has £240k bill torn up after IR35 win against UK taxman

JimBob01

Re: he probably deserved it

Erm do you mean the Duke of Westminster or Earl Grosvenor?

Though inheritance tax is another out of control process at HMRC. It was originally brought in to cover large estates and was referred to as the Mansion Tax for a reason. Now, if someone leaves you a property in London you have inherited a mansion! It also seems that the threshold of this tax has not followed the index. And, as with all taxes, it is the people at the low end of the threshold that end up paying a disproportionate tax rate as they cannot afford the “smart” accountants.

As for HMRC lack of understanding of their own processes, tax legislation is written in consultation with (by) the large accountancy firms that, in no way possible, have a conflict of interest. I mean is it really possible that these consultants write in loop holes that can then be sold as expertise to their corporate clients?

JimBob01

Re: I cannot understand why HMRC pursues contractors so much.

I would suggest that the way Starbucks operates is closer to evasion than avoidance.

Also, if Starbucks UK has never operated profitably why has it not been wound up as a non-viable business?

Airbus A350 software bug forces airlines to turn planes off and on every 149 hours

JimBob01

Re: Why is there a choice?

hmm… imagine you are waiting to board your plane when an announcement is made

“There will be a short delay to boarding as the technician carries out some maintenance. We appreciate your understanding and hope to continue boarding as quickly as possible”

Wait 20 minutes…

“I have an update on the delay to boarding. It seems the technician has bricked the plane!”

I would guess that the patching only becomes mandatory at the next planned service of the plane so that the process can be properly planned. Up until that point, cold rebooting every 100 hours should be sufficient.

It's happening, tech contractors: UK.gov is pushing IR35 off-payroll rules to private sector in Finance Bill

JimBob01

Re: The simple answer ...

"As such, it's not enforced anything. It's proper taxation for the category that you fraudulently claimed not to be finally being applied to you."

The interesting thing is that according to you, "you" being accused of behaving fraudulently because "you" seem to be is the same as "you" actually being guilty. That seems a dangerous road to go down...

"And a client waiver will do nothing. That's like getting a waiver from your employer that you don't have to pay tax. It doesn't work like that."

You know that contractors work under contracts right? And under contract law, any change to a contract MUST be agreed by both parties else the contract may be unilaterally terminated?

Maybe the solution for any contractor is to add a clause to their contracts that states that, if the position is considered to be outside IR35 and then HMRC suddenly decides that this contract is actually covered by IR35, a 40% rate increase will be activated?

JimBob01

Re: Ignoring the Electorate?

In most developed democracies, a referendum to make major constitutional change requires a representative majority ( >50% of the electorate), or even a super majority (usually 60-75% of electorate). Leaving the EU, and all its associated costs, should be classed as major constitutional change so why was, at least, a representative majority not enforced?

Parliament gave the people a NON-BINDING referendum on whether the populace thought being part of the EU was a good or bad thing. This is nothing more than an opinion poll and so positive and negative options were provided.

The Government overrode Parliament and made the poll BINDING. This decision had severe consequences, aside from undermining parliamentary democracy.

1. Once binding, it should have been a one horse race - "Do you want to change the constitution?"

2. ONLY "Leave" votes should have been counted

3. The decision to leave the EU should have only been taken if (at least) >50% of the electorate voted to do so.

The shit storm the UK is now in should never have happened if democracy had been respected.

"4 We can no longer blame Brussels. This is perhaps the most important point of all. If we left the EU, we would end this sterile debate, and we would have to recognise that most of our problems are not caused by “Bwussels”, but by chronic British short-termism, inadequate management, sloth, low skills, a culture of easy gratification and under-investment in both human and physical capital and infrastructure."

- Boris Johnson (apparently a good reason to the leave the EU...)

Source: https://www.telegraph.co.uk/news/politics/10052775/We-must-be-ready-to-leave-the-EU-if-we-dont-get-what-we-want.html

"In a 52-48 referendum this would be unfinished business by a long way."

- Nigel Farage (pre-referendum ...now post-referendum a 2nd referendum is undemocratic?)

Source: https://www.bbc.com/news/uk-politics-eu-referendum-36306681

JimBob01

... It's the 30% ruling...

https://www.belastingdienst.nl/wps/wcm/connect/bldcontenten/belastingdienst/individuals/living_and_working/working_in_another_country_temporarily/you_are_coming_to_work_in_the_netherlands/30_facility_for_incoming_employees/

Whose cloud is it anyway? Apple sinks $30m a month into rival Amazon's AWS – report

JimBob01

Re: Hmm...

"I'd think that it makes sense to leverage something like AWS rather than pay vast amounts to build and run your own infrastructure in this particular case.”

I would say that, in this case, the opposite is true. $300m+ a year can buy you an awful lot of your own infrastructure. Cloud services do not make a loss so, with a bill that big, significant savings are probably available from going in-house.

…And allows you to avoid using your competitors’ platforms too - avoiding a potentially major risk.

However, when rolling out new services, the great elasticity of current cloud providers can help you quickly produce a fast scaling application and, if the need arises, assess what sized datacentres you would need if you considered bringing your apps in-house in the future.

Defense against the Darknet, or how to accessorize to defeat video surveillance

JimBob01

Re: Defense against the Darknet

I think the war was won well before www.

US English has been used for the majority of "English as a second language” courses for a very long time. Maybe this is why that dialect has achieved such widespread use since the explosion of the Inet?

We've read the Mueller report. Here's what you need to know: ██ ██ ███ ███████ █████ ███ ██ █████ ████████ █████

JimBob01

Re: Do any of the redactions specify...

""Whataboutism"? Did you just make that up? Do you mean "precedent”?”

https://en.wikipedia.org/wiki/Whataboutism

“…first appearance…1970s"

Keep up with the times ;-)

JimBob01

Re: The Mueller report was one big nothingburger

"The far left does itself no favours, some are even calling Bernie right wing! I mean WTF?!”

Given that the US political spectrum goes from “far right” to “centre right” (what the UK manage to contain in a single party), I would say that calling Bernie right wing isn’t that far from the truth. What the UK would term “liberal” would likely map to “communist” in the US.

Facebook is not going to Like this: Brit watchdog proposes crackdown on hoovering up kids' info

JimBob01

How to really poke FB in the eye

How about changing data laws to make the data collector responsible for any misuse of said data, either by themselves or any party they pass it on to?

Irrespective of whether the misuser obtains the data legally/consensually or not.

That should focus a lot of minds on data security

Google Pay tells Euro users it has ditched UK for Ireland ahead of Brexit

JimBob01

Re: For Google, Brexit makes Eire a golden opportunity

Pre-Brexit the EMA was based in London and big Pharma has a significant interest in being close to this particular organisation.

http://www.pharmtech.com/ema-faces-brexit-challenges

Interestingly, I was talking to a slave trader in AMS a year ago and he was talking about the great opportunities in Pharma, given the EMA has now moved to the Netherlands (currently in Amsterdam). https://www.ema.europa.eu/en/about-us/contacts-european-medicines-agency

Paper mountain, hidden Brexit: How'd you say immigration control would work?

JimBob01

Re: Re: Parliamentary negligence

Of course that would be silly but let’s make the analogy more accurate shall we?

"What if your favourite team lost a single tie, football match 1-1 on away goals?"

Is there a reason why FIFA only makes away goals count when there are home AND away legs?

JimBob01

Re: Re: Dr. Paul, Parliamentary negligence

What you seem to have missed is that the referendum was informational and not legally binding.

What it demonstrated was that the country was effectively split down the middle about EU membership.

The bit you seem to have ignored is that any weighting of results should favour maintaining the status quo, ie unless a demonstrable majority of the electorate desire change then change should not happen. Just in case you are not clear, Leave is the change in this case.

"It matters not if the margin was 5, 5k or 5m votes, it was a referendum, and folk voted as they pleased, that's how a democracy functions, for a given 'value' of democracy of course…”

Actually it matters a great deal what the margin of victory is. In this case, the country is being subjected to the will of 40% of the electorate. If Leave had received 5m more votes then it would have exceeded 50% of the electorate and demonstrated a clear "will of the people”.

And for those expecting the EU to crumble, I live in NL and Geert Wilders is not getting much of an audience these days - especially compared to the run up to the Brexit vote.

Australia's ABC suspends presenter over 'Wi-Fi is dangerous' claims

JimBob01

Re: Indeed

She is called Dr because she has a doctorate not because she is a medic

https://en.wikipedia.org/wiki/Doctorate

Think PhD...

Prominent Brit law firm instructed to block Brexit Article 50 trigger

JimBob01

I asked a cat about his views on Brexit...

He suggested that the UK should repeatedly ask to leave.

Once the door was open, they should just sit and stare at it...

Shakes on a plane: How dangerous is turbulence?

JimBob01

Oh FFS people!

It’s spelled “Schiphol", which literally translates as “ship hollow” or more practically “harbour”. So the main airport in NL is basically called “Harbour Airport” (Luchthaven Schiphol) :-D

JimBob01

Re: reminds me of...

This whole fuel idea was shown on Tomorrow's World. They started by demonstrating that kerosene is hard to ignite by turning a blow torch on a dish of the stuff. They then did the same with an atomised spray to show how easily it burnt then.

The invention was an additive that reacted to violent movement, eg a crash, by turning the kerosene from a liquid to a jelly. The idea being that “solid” kerosene wouldn’t burn. The catalyst near the engine would disable the gelling mechanism.

In the test, a remote control plane was supposed to crash land on a runway that contained 4 obstacles designed to rip the wings (fuel tanks) apart. The pilot made a small error on landing and one of these obstacles ripped through an engine causing a flash fire. The additive did its job and the flash fire quickly subsided even though the destroyed engine led to more fuel than expected being available to the fire. Unfortunately, the flash fire was enough to get some of the luggage smouldering and a few minutes later a secondary fire started that eventually burnt out the plane. The test was deemed a failure.

Investigatory Powers Bill: As supported by world's most controlling men

JimBob01

So Mr Howard...

…is this what you were talking about when you accused the ECJ of interfering in the UK’s ability to defend itself?

Confused by crypto? Here's what that password hashing stuff means in English

JimBob01

Re: Pinning.

"If bent certs from trusted CA's is a real risk”

A major issue is the transparency of “Trusted CAs”. Who decides which CAs make the list?

MitMing is very common in larger orgs but requires installing the cert on all user machines (twice if FF is available). If you are on the trusted CA list then you can easily create a certificate to match * that no browser will bat an eyelid at.

Wonder how many trusted CAs are fronts for 3+ letter agencies, eg looking at my Keychain ...anyone really trust “DoD Root CA 2”, “Federal Common Policy CA” or the Taiwanese “Government Root Certification Authority” (also in FF)?

Home Office is cruising for a lawsuit over police use of face recog tech

JimBob01

Re: "Biometrics Commissioner" ?

“...to govern the retention and use of DNA samples, DNA profiles and fingerprints by the police in England and Wales.”

So your face cannot be used as a biometric?

Maybe someone should tell the passport office?

And all those border inspectors?

Easter Islanders didn't commit 'ecocide' after all, says archaeologist

JimBob01

Re: Incorrect book, and deeper evidence

Are you unaware that all Orlowski’s works are opinion pieces?

The rather inflammatory sub-heading indicates his opinion on this subject I think.

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

JimBob01

Spying?

If you are really worried about spies intercepting your traffic then take a look at the looooonnngggg list of trusted roots. How many of them do you recognise? How many of the recognised providers have also been ‘required’ to provide valid certificates to TLAs? How many of those roots are actually owned by TLAs?

EU urged to ignore net neutrality delusions, choose science instead

JimBob01

Re: What I want

“...Such a practice is unacceptable; you should not be able to charge both ends..."

Ever sent/received a wire transfer?

Regarding the article, it appears to be a line of straw men while conveniently avoiding ever mentioning the possibility that ISPs could act directly against the interests of their customers.

BBC shuts off iPlayer to UK VPNs, cutting access to overseas fans

JimBob01

Re: Foot, meet high kinetic energy lead dispensing device

"This is impossible for the following reasons:…”

So how is it possible that I have BBC1-4, 1 & 2 HD and Entertainment as part of my cable package …in the Netherlands? And yes, I was able to watch all the BBC generated coverage of Wimbledon that I desired.

It would seem that there appears to be a fairly simple solution to all this geographical licensing mumbo jumbo after all.

VMware to chomp up Boxer, says chief techie

JimBob01

Re: Boxer

So I wasn’t the only one then...

Dry those eyes, ad blockers are unlikely to kill the internet

JimBob01

Re: @werdsmith - People who use adblockers...

"I'd ask you to be kinder to leaflet delivery people. They are paid for the number of leaflets that they deliver and because of the time it takes to deliver that number of leaflets, they are effectively working below minimum wage. Each "no leaflets" message they see costs them more time and is one less drop they can make.”

Are you suggesting that they are observed at every single door? How else would a “paid per drop” scheme work? I would assume they are paid to deliver to a specific area and provided with a bundle (and reward) based on the approx number of letterboxes - actual delivery just being assumed.

Many moons ago I had a job delivering free papers and that is how it worked then - used to end up with large piles of undelivered newsprint to dispose of as more and more people realised they could complain about unsolicited papers - and that was in the days before recycling infrastructure was a thing.

Half-secure not good enough for Chrome users says Google

JimBob01

What is checked?

Is this a straight mixed content check?

Does the check fail if the https implementation is poor, eg SHA1 cert, cert issued by SHA1 cert, PFS not available, etc

Does it check if encrypted content is traversing a 3rd-party CDN that is MiTM’ing some/all of the encrypted traffic?

What does the green padlock actually mean?

And is a site that gets a green padlock actually secure?

And on a side note - Why does Google think it fair to down-rank a site that doesn’t use https even when all data transferred is public domain, eg news sites?

Big biz bosses bellow at Euro politicians over safe harbor smackdown

JimBob01

More fool you?

"This invalidation constitutes a serious disruption for the thousands of companies that have relied on the framework for commercial data transfers between the EU and the United States,”

Maybe, rather than relying on an obviously dodgy ‘framework', they should have taken real action, ie stop dealing with US service providers, when the whole incompatible data protection legislation issue was identified?

External vs internal: Why hybrid cloud is the way to go

JimBob01

VPN to cloud = security?

I really don’t understand how this works. Isn’t the main point of VPN that you are connecting two points of your own infrastructure over an untrusted network? It appears to be claimed that cloud providers are implicitly trusted partners.

Alternatively, you could tunnel to each OS instance but that could get very busy when you, at least, double the number of tunnels for redundancy …and then you remember that you have multiple sites that need connectivity...

Phone-fondling docs, nurses sling patient info around willy-nilly

JimBob01

Re: Is it really that important?

And of course …if you have nothing to hide then you have nothing to fear, right?

If you absolutely must do a ‘private cloud’ thing, here's how

JimBob01

Re: Vanilla cloud

Totally been there so many times.

Your gadget batteries endanger planes, says Boeing

JimBob01

Re: Planes interiors should be redesigned for the XXI century

Sounds like you are asking for the “luggage at hand” idea that was supposedly implemented on the Il-86 & L-1011 aircraft

Crap crypto crackdown coming as FBI boss testifies to US Congress

JimBob01

Why am I reminded of this?

https://www.youtube.com/watch?v=BKorP55Aqvg

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

JimBob01

HTTPS is way broken so why bother?

How many root CAs are just some 3-letter agency? Plus, isn’t TLS compromised anyway?

How many businesses run their own CA’s so they can MITM all traffic leaving the corp network?

How many sites use CDNs for HTTPS, where the CDN is decrypting everything, eg https://www.cloudflare.com/ssl?

Given the routine disruptions to encryption in the millennial Internet, how different is the level of real security delivered by HTTPS and that of the TSA?

CloudFlare: You get SSL, and you get SSL, EVERYBODY GETS SSL!

JimBob01

What are you protecting?

So few people seem to understand how TLS (SSL now being consigned to history) works. The Cloudflare diagrams make it all look so easy but they do not highlight the fact that they are MITMing ALL the traffic - because they have to, to check if the requested content (or some of it) is already in the cache.

If you are actually transferring data then you should not be handing all this data, in plain text, to a 3rd party as you are breaking the implicit agreement with your users that data has remained encrypted end-to-end. Given that data transfers don’t get any benefit from a CDN, there is a fairly obvious solution but sometimes people really do need the obvious pushed in their face (some over and over).

Only vaguely off topic but anyone know why Google is going to start ranking http lower than https when broadcast-only sites, eg news, have absolutely no need for encryption (Guardian & Telegraph redirect 443->80)? Especially now that HTTPS has been broken by the spooks and likely soon by all the other ne’er-do-wells...

HTTP-Yes! Google boosts SSL-encrypted sites in search results

JimBob01

The SSL trust model is utterly broken.

Let’s start with the CDN problem. If you are a large online presence, eg Google, Facebook, then you have your own CDN and all is well. BUT most online presence is channelled through a 3rd party CDN, eg Cloudflare, Akamai. The SSL trust model is understood by many to mean that there is end-to-end encryption between you and the organisation that you are communicating with. Instead the CDN is decrypting and inspecting all the traffic before deciding whether to forward the request to the origin or not - this is MITM as the CDN is transparent to the vast majority of users.

Next, let’s consider when a browser alerts a user to a fraudulent certificate. This alert only happens if the issuer of the certificate does not have a valid trust relationship with an 'installed root CA'. There will be no alert if the certificate for www.facebook.com has been issued by Digicert Inc (as my browser currently reports) or, say, Comodo. I.e. your browser isn’t normally checking the actual authenticity of the certificate, just that it has been signed by any 'trusted CA’ (and has not been revoked).

So who are all these organisations in this list and can every single one be trusted to maintain security (ala Diginotar) or even be a real certificate authority? If Snowden is to be believed then many of the entries in the list are governments or surveillance groups and if you are on the list then MITM becomes almost trivial.

Until this situation is fixed then HTTPS ensures that the transport is encrypted but offers no guarantee that the two end-points are what you the client believe them to be so using this as a criterion for URL ‘goodness’ is fundamentally flawed - you are paying your $10 (or more) just to get a better ranking in Google and some large organisations obviously don’t see the point.

1. https://www.theguardian.com - 443 gives 302 to 80. (Until recently, this gave a certificate error, xxx.fastly.net, ignoring proceed to a 404)

2. https://www.telegraph.co.uk - 443 gives a certificate error, xxx.akamai.net, ignoring gives a 301 back to 80

Comcast exec says wired broadband customers should pay-as-they-go

JimBob01

Paying for what you use is perfectly fair...

Delivering what you claim to be selling is also fair.

How about a PAYG scheme that mirrors domestic energy supply? I don't have to decide how much electricity or gas to buy in advance for a month, I just pay for what I actually used. Capping is just metering arranged to the detriment of the user - who will inevitably over-pay to avoid being 'cut off'.

A scheme fair for the consumer would be that they pay 95th percentile of actual bandwidth over a month (another way of defining data). Allow the customer to set a bandwidth cap if they want and/or allow the customer to pre-pay (at a small discount) if they so desire. Strangely, this is how we pay for access at our co-location.

The whole Comcast/Netflix smokescreen is such bollocks. Netflix pays for its bandwidth, customers pay for their bandwidth so the transport cost end-2-end would appear to have been paid. If an ISP over-sells its available bandwidth and then finds people actually want to use what they paid for then the blame lies entirely at the feet of that ISP. Time for a class action?

LA air traffic meltdown: System simply 'RAN OUT OF MEMORY'

JimBob01

Re: altitude overflow?

"Fairly sure that flight plans for the Grand Canyon tourist flights would be filed with negative altitude above sea level…."

Are you saying the Colorado River flows uphill...


Biting the hand that feeds IT © 1998–2022