Posts by NileH

6 publicly visible posts • joined 16 Apr 2014

Snowden shouldn't be extradited to US if he testifies about NSA spying, says Swiss gov

NileH

Re: direct flight

You underestimate how supine NATO and EU states are when confronted by a demand from the USA; safe-conduct assurances mean nothing if the State Department demands that the plane be ordered to land.

It's not just a risk that an executive decision to award Safe Conduct might be rescinded, or given in bad faith: I can easily see a personal assurance from a small, weak state's President, Prime Minister and Minister of Justice being ignored by the Foreign Office or the Defence Ministry - and that matters if the Defence Ministry runs the 'civil' air traffic control system.

Snowden's best bet is to hitch a ride with an oligarch's tax advisers on a private jet to Zurich.

FAA: All systems GO for Virgin Galactic space plane to launch from US

NileH

Re: Comparison with SpaceX

Virgin Galactic is a suborbital 'hop' - Alan Shepard in 1961 did much the same - and far, far short of the boost needed to make orbit.

However, VG is a space *plane*: both modules take off and land from a runway, and land for re-use.

The Space Shuttle never really delivered that - the tank wasn't recoverable, the boosters only marginally so, and the Orbiter required a major refit and refurbishment between flights.

I think that Virgin Galactic's rocket engines - on both the lifter and the actual space ship - will end up with a shorter engine life than they expected: refiring rocket motors is not a great idea, they operate right at the limits of the materials, but they'll probably do better than the shuttle.

Their heat shielding has much less work to do than the Shuttle tiles, and I don't think it'll be a major expense.

Your point about the SR-71 'Blackbird' is an interesting one: the J58 engines were limited by turbine inlet temperature and by tailpipe temperature. In theory, the inlet temperature isn't all that far off the stagnation temperature for *any* turbine in a supersonic airflow, and better turbine blades won't make any improvement; in practice, the J-58 is a turbine-assisted ramjet, with the majority of airflow going to the afterburner at Mach 3, and is rumoured to be capable of running with the turbines closed off completely at higher speeds. The limiting factor for that, in the J-58, is early-1960s metallurgy; and we now have alloys and ceramic components that perform far, far better.

The existence of a proven Mach 3+ engine is a thought to bear in mind if Reaction Jets and the Sabre project ever get their hydrogen-fuelled dual-cycle engine into an airframe for use as a hypersonic airliner; although their proposed 'Son-of-Hotol' spaceplane will develop thrust at altitudes which would starve the J-58 of oxygen and, when running on internally-supplied oxidiser, it's a genuine space motor.

Cisco: Hey, IT depts. You're all malware hosts

NileH

Anyone who thinks that IT security is a priority should take a look at the job adverts dotted around the content you're reading right now.

If you've got the Technojobs ad, it'll reflect the current contents of the page - IT security - and it'll have three or four 'Information Security Analyst' vacancies at £35-45k, and one or two security consultant or senior manager roles at £65-75k.

That's OK for IT, but not exactly stellar. It's *way* less than the banks are paying programmers who write the security vulnerabilities, and it doesn't sound like the pay rate for doing something particularly difficult, or critical to the company's success.

And Cisco? It's nice that they've woken up to the commercial case for security. But I doubt that the firmware and embedded systems in their hardware are anywhere near secure, and I am certain that every single router on sale today, from every company, everywhere, has a backdoor waiting to be discovered.

AOL Mail locks down email servers to deal with spam tsunami

NileH

AOL... It's the Model-T Ford of the Internet age: the vehicle that worked, and got the whole of America on the highway.

...Good enough to get the masses mobile, but you wouldn't call it 'good' today.

Systems meltdown plunges US immigration courts into pen-and-paper stone age

NileH

Our tinfoil-hatted commentator is amusing, but he has *some* worthwhile points about solar storms:

http://en.wikipedia.org/wiki/Carrington_Event

http://en.wikipedia.org/wiki/March_1989_geomagnetic_storm

Short version: satellites will be fried, widespread power cuts will happen, and some systems attached to twisted-copper pair communications will be disrupted - possibly knocked down to 'restart from backups'.

Put it in the file marked 'This will happen and we should have contingencies in place'. You know, like the earthquake we are certain to get in California: it's out there, it's real, we've got stress measurements on the fault systems in the rocks, and we know it'll be big. But we don't know how big, and we don't know when; and human nature is such that we treat this as 'don't know when means *never*, and I won't do anything about it'.

Is this relevant to government incompetence and outsourcing? Well, yes: we'll get a lesson, sometime, that abrupt disruption gets the headlines, and natural disasters get things done... Much more so than rolling screwups like this one, which - in aggregate - cause far more trouble than the disasters in the headlines.

Hackers attempt to BLACKMAIL plastic surgeons

NileH

The Data Protection Act imposes a legal obligation to keep personal data secure...

But there's very little guidance on how secure.

Partly, that's a good idea: detailed guidance would go out of date very quickly, and this law dates from 1998. So phrases like 'appropriate to the sensitivity of the data' and 'best practice' and 'reasonable precautions' are necessary.

But I think it's time to start grading the data:

● 'Private' - identifying data, names and addresses.

● 'Confidential' - personal conversations and correspondence, purchasing habits, etc.

● 'Under legal privilege'

● 'Places individual at risk of violence'

● 'Places individual at an increased risk of fraud'

● 'Would immediately allow transfers of funds and assets'

● 'Medical information'

● 'Child Protection'

I'm sure that you could think of others: but you wouldn't want to flag up any individual as having information of interest to blackmailers - say, a juvenile arrest for prostitution and subsequent referral to social services - as that 'flag' would be a magnet for criminals and journalists. And, in these times, for officials of the state.

What would the flags do? Well, we'd need general security standards; starting with a minimum standard for private data specifying 'Encrypted data store', 'No passwords ever stored or sent in clear text' and 'Secure sessions'.

Any information at a higher level than 'private' would need a security review of the host system every two years; and the ICO might consider issuing security alerts for high-profile exploits that require confirmation - 'yes, we've patched that' - within ten working days from the registered owner.

The most sensitive data stores would need a yearly audit, to published standards, and a record of patches - with pen-test results - for all security alerts and vulns listed by, er... let me think... some public body that doesn't yet exist. There's probably a group within the Home Office that does this internally for the Civil Service - like the sysadmins at every bank - but I'm not aware that there is a state-sponsored *public* service, in any country.

That's a gap in the law, and an obvious case for the statutory provision of a service, rather than everyone relying on purchasing a service from competing private enterprises.

...There is, of course, a gap between what *should* happen, and what actually does.

The legal framework? This would probably be enacted as 'enabling legislation', in which regulations are 'Laid before Parliament' by the minister - in practice, it's handled by a regulatory agency that maintains and updates a book of regulations having statutory force. Look up the HSE and the Control of Substances Hazardous to Health regulations as the best example of this process.

The Information Commissioner's Office *may* actually have the power to do this already - I'd be grateful if someone here is legally qualified to offer an opinion on that.

Useful Link: The Information Commissioner's Office:

http://ico.org.uk/for_organisations/data_protection

That's the statutory body enforcing the Data Protection Act.