* Posts by Doctor Syntax

40557 publicly visible posts • joined 16 Jun 2014


UK Snoopers' Charter gagging order drafted for London Internet Exchange directors

Doctor Syntax Silver badge

Re: Cheers Tory voters - United kingdom = worst kingdom

"If you voted Tory you voted for this regardless if you knew it or not."

I think it's been HO policy for a long time and they usually manage to have Home Secs go native. In general common sense in the rest of the govt held them back. We now have the misfortune to have an ex-Home Sec as PM, first time in a long time. It could be worse - think what happened to the economy last time we had an ex-Chancellor as PM.

Doctor Syntax Silver badge

"specialist legal advice" was "general... often verbal or by email... not really in a form we can share with a wider audience"

Yes, I'd always rely on advice like that. No, no qualms at all.

US visitors must hand over Twitter, Facebook handles by law – newbie Rep starts ball rolling

Doctor Syntax Silver badge

I have a Hotmail A/C which is mostly used for people I expect to be spammers (hello Ticketmaster) or in situations where it's likely to be harvested. It frequently gets a few emails sending me "invoices". My son may have to go to the US later this year. I may let him have the password for it and hope they try to download and open a few of those nasties. I'd just have to move them from Junk to Inbox...

Doctor Syntax Silver badge

Re: What is social media?

"Does El Reg count?"

No, we're all anti-social here.

Doctor Syntax Silver badge

"I've never made a law before, so it's completely shit, but let's hope my laws don't get passed until I know what I'm doing."

Nevertheless he's ensured his bill not only has a cute acronym but that it's recursive. Surely that's 90% of the way there.

UK recruitment biz Coal Intelligent Technology ceases trading

Doctor Syntax Silver badge

If there's any money at all HMRC will get first dibs, staff second and contractors will be at the end of the queue as unsecured creditors. HMRC never take that into account when trying to claim disguised employee status.

Installing disks is basically LEGO, right? This admin failed LEGO

Doctor Syntax Silver badge

Re: The Curse of "Cowboy Keith"...

"A thumbs down! Is that you, Keith?"

It's a Martian upset that you insulted him, er, it.

New Royal Navy Wildcat helicopters can't transmit vital data

Doctor Syntax Silver badge

Re: WTF?

You've got to remember what 2008 was like. Years of Brownomics finally hit the buffer.

Errors in Australia's Centrelink debt recovery system were inevitable

Doctor Syntax Silver badge

Oh what a tangled web...

Once upon a time people used accounting systems, not AI, big data or anything else. Accounting systems can summarise each account with a balance. That balance tells you whether you're in debt, credit or neither. Why complicate a simple process by throwing AI at it?

A webcam is not so much a leering eye as the barrel of a gun

Doctor Syntax Silver badge

"if I'm feeling in a particular tin foil hat mode I'll just unplug it."

Why not make a little tinfoil hat for it?

Knock knock. Who's there? A Lenovo server salesperson, because revenue dip's no joke

Doctor Syntax Silver badge

"while Lenovo got lots of lovely product and capabilities from IBM it didn't get a direct sales force."

Surprising. IBM seems intent on shedding just about anybody who does anything (i.e. anybody but senior management). I'd have expected they'd have let them have an entire sales force.

Global IPv4 address drought: Seriously, we're done now. We're done

Doctor Syntax Silver badge

Re: Some of you guys worry me greatly.

you're meant to be "tech" people (whatever the hell that means this day of the week) or sysadmins etc

It might have escaped your notice but there are now several people who aren't network admins, sysadmins, DBAs or whatever who actually have internet connections to their homes.

In fact there are a lot of them. If IPv6 is ever going to be rolled out it's got to work, work well and work securely for all these people as soon as they lift their router/firewall/whatever-naming-hair-you-want-to-split out of its cardboard box. When I read comments about how any competent sysadmin should be able to set up IPv6 routing I know this issue isn't being addressed and a successful roll-out is just receding into the distance.

Doctor Syntax Silver badge

Re: Address allocated but not live

"This is a really naive attitude and it is exactly this attitude (and ignorance) that makes the IPv6 transition so difficult."

What makes the transition so difficult is an almost wilful refusal to look at the problems it causes on the ground.

"This is not a problem with IPv6, but instead with your network topology. Put them on a VLAN that doesn't route to the Internet, or use a firewall to prevent traffic to/from them."

Right. Tell me how Joe Soap, who can't put his webcam on the net without getting it bounced into a botnet within minutes is going to accomplish all that. Because that's the core problem.

Doctor Syntax Silver badge

Re: Address allocated but not live

"No, I'm pretty sure that most people do want their stuff on the internet."

More likely people want the internet on their stuff but not necessarily the other way around. They want to connect their laptop, desktop, tablet, phone etc to the net. What they don't want is Joe Random on the net connecting to the above. It's a one way thing.

A smaller set of stuff doesn't get connected either way - my printer and NAS don't need to see the net, nor do they need to be visible from outside.

Then there's another class of stuff that some folk do want on the net: their Nest, their webcam etc. And just look at the problems that's causing for everyone else; most of us would be happier if none of that had got on the net. It's been a big illustration of the problems that happen when Joe Random can connect to their stuff.

The first case has been handled well by IPv4 & domestic routers for a long time and a part of that is that NAT ensures that the individual device can't be directly addressed from the wider net. At the same time the services behind the router/firewall/whatever can talk to each other; I can print from my laptop or exchange files with my NAS. Somebody in another comment mentioned NAT breaking end-to-end routing. That's just what these use cases need.

It's these first use cases that need to be addressed simply by IPv6. Being told that address randomisation answers users' concerns by preventing being tracked is a failure to understand the issue. My printer isn't going to be tracked anyway but what I don't want is someone coming across my printer on its current randomised address and either dropping a load of stuff to be printed just because they can or taking advantage of a zero-day to enrol it into a botnet.

Nul points for Ukraine's Eurovision ticket site fail

Doctor Syntax Silver badge

Eurovision fans? Does not compute.

Haven't deleted your Yahoo account yet? Reminder: Hackers forged login cookies

Doctor Syntax Silver badge

Is it a coincidence that this just surfaced after they're supposed to have reached a new agreed price with Verizon?

Talk of tech innovation is bullsh*t. Shut up and get the work done – says Linus Torvalds

Doctor Syntax Silver badge

@DropBear

In such situations there's an obvious advantage in always being right.

Doctor Syntax Silver badge

Re: Linux is not dominant on servers:

" On large business servers segment, Linux does not even exist. That segment belongs to IBM Mainframes"

{Cough} http://www-03.ibm.com/systems/uk/z/os/linux/

Doctor Syntax Silver badge

"Is it just me or does Linus tend to have a lot of process problems"

It's not just you as others seem to come to the same conclusion. It's a consequence of your looking at the exceptions, not the rule. Consider the situation:

- He has a huge number of contributors

- He's probably never met most of them

- He never recruited any of them

- He doesn't employ any of them nor work for a company that employs them

- He doesn't provide any annual assessments of them

- He doesn't recommend pay levels

- He can't fire them

If you were in that position and responsible for a project of such magnitude what management tools would you have to hand and what process problems might you experience?

As Microsoft touts Windows Insider for biz, let's take a look at W10's broken 2FA logins

Doctor Syntax Silver badge

"Since when has Microsoft worried about randomly borking machines of 'a small number of users' with Windows update"

In PR speak "a small number of users" means "any number up to and including the entire user base. Possibly several times over."

Doctor Syntax Silver badge

@anthonyhegedus

I think there's something in common in all these. People need an OS to just work and just keep working. They want it to be secure - and that includes not being snooped on by the vendor.

The claimed rationale behind W10 actually fits the first of these: rolling updates to accommodate new H/W, fix bugs and occasionally meet new requirements and standards in IT.

What's not good is the implementation. The initial release should have been fit for purpose and updates should have maintained this status. There is plenty of evidence that that isn't so.

The idea of giving feedback from users about performance as an aid to this is reasonable. Again the implementation isn't; if I have a KDE application crash, for instance, I can choose to have it send a crash report, if I'm using Debian I can choose to let my installation participate in popcon. And then there's the appalling privacy policy of W10.

Doctor Syntax Silver badge

It seems as if MS marketing needs to get right back to basics: find out what the market wants and needs from an OS and then tell the business to produce that. The alternative function of telling the market that what it wants and needs is the particular crock the business has actually produced is going to work less and less well.

Nevertheless the astroturfers will probably be along here any time now to tell us how wonderful it is and downvote anyone who says otherwise.

Doctor Syntax Silver badge

"those nutties still on XP"

Let's say you have a big piece of kit, something expensive and medical, something expensive and industrial - whatever. That kit is an integral part of whatever your employer does. It would cost hundreds of thousands or upwards of whatever currency units you work in to replace and there's no money in CAPEX for several years. It's controlled by a PC using proprietary S/W and protocols connecting PC and machine together. That proprietary S/W only runs on XP, or is only certified to run on XP and regulatory considerations mean you have to follow the certification.

Are you a nutty if you (a) continue to run on XP, (b) scrap a hugely expensive piece of kit and discontinue the service it provided or (c) consider users in this situation who continue running XP to be nutties?

I know how I'd answer that question.

Identity disorder: Does UK govt need Verify more than we do?

Doctor Syntax Silver badge

Re: Journalistic standards are slipping

Too easily confused with the other "mad Frankie" - aka Frankie Boyle.

You're new here, aren't you.

Doctor Syntax Silver badge

Re: Beware of simple thinking

d) Not focussing on design at all - but maybe we're thinking about different meanings of "design".

Doctor Syntax Silver badge

Journalistic standards are slipping

"Francis Maude"

Whatever happened to "mad Frankie"?

Dirty data, flogged cores: YES, Microsoft SQL Server R Services has its positives

Doctor Syntax Silver badge

Here's the real rub: running R Services in SQL Server 2016 is running analysis on your transactional databases. That's your live database, your R code is running inside your production database, eating the CPU cycles and disk access, slowing down your expensive SQL server.

You could use a second server to run R, but then you've got the potential network bottleneck of moving the data back and forth between the machines.

That's only one of the problems. The data inside a transactional database is not designed for analysis; it's likely to be dirty, inconsistent and full of errors.

Let me second Joe's comment about dirty data.

Apart from that, you can always restore your transactional DB backup to your analytical server. That way you get real data and test the restore procedures at the same time. There may, of course, be other issues with this - such as data protection - but the objection as quoted really doesn't stand up.

Former NSA techies raise $8m for their data governance startup

Doctor Syntax Silver badge

Trust is a tricky thing. I'm sure there are many trustworthy NSA and ex-NSA folk. Unfortunately the reputation of their employer is apt to stick to them. Would you really trust an ex-NSA employee who isn't currently being hunted by the USG as a whistle-blower?

Cloud industry body sets up new data protection code

Doctor Syntax Silver badge

And about time too

However:

1. Is this PDF a draft or a final document? Even at a glance the number of bad page breaks suggests that nobody has proof-read it. On a more detailed reading there are places where the wording could be significantly improved. A particularly egregious example is "A CISP may choose to declare only specific of its cloud infrastructure services as adhering to the Code Requirements."

2. The code provides regulation of the location of data processing to be within the EEA. It doesn't address data sovereignty fully. If the CISP is owned by a non-EEA entity it might find itself subject to the sorts of demands as we see in the Microsoft and Google email access cases in the US. There needs to be a requirement for something like the Microsoft/DT trustee arrangement or the DC being operated by a wholly EEA company under franchise from the foreign business.

3. There's provision for self-certification. This needs to be restricted. For instance I use a small data registrar & hosting business for my personal email; it might be unreasonable to expect such a business to be economically audited by a 3rd party. The Microsofts & AWSs should be, especially when data mining is also part of their business.

4. The code states that security of the guest OS is solely the customer's responsibility. The customer should be responsible for not letting in malware or whatever but if the OS is initially installed by the CISP from their own build or profile they should have a responsibility for ensuring that that install is clean.

Would it also be too much to ask that data controllers, the CISPs' customers, have a similar code of conduct including an undertaking to only use CISPs who abide by this code of conduct?

GitLab invokes the startup defence to explain data loss woes

Doctor Syntax Silver badge

The main requirement for a sysadmin or DBA is paranoia - vigilance is not enough. Technical knowledge comes a close second. It seems as if nobody there was sufficiently paranoid although they might be now.

Doctor Syntax Silver badge

Re: Lucky!!

"What do you do?"

Back it up - and make sure it does back up - before you delete it.

Doctor Syntax Silver badge

"Startups simply don't want to engage on the important things because they think they know it all."

This fits nicely alongside a comment in the article:

"The defence also permits startups to take their eye off the ball a bit as they pour scarce resources into urgent priorities."

It's yet another lesson we can learn from "Yes Minister": important and urgent aren't the same thing. Stuff that's important has to be done. There's a lot of stuff that might be urgent but it should only take priority if it's also important. If your job is looking after other people's data then making sure you have effective backups is very important indeed; it's a ball that you can't take your eye off.

OK, it's time to talk mass spying again: America's Section 702 powers are up for renewal

Doctor Syntax Silver badge

Maybe the Committee should indicate to DNI that they will defund him unless they get meaningful answers to their questions.

Forget quantum and AI security hype, just write bug-free code, dammit

Doctor Syntax Silver badge

Re: We already have the techniques!

I was taught something called, "software engineering." That's when you take a spec

Shouldn't the engineering include getting the spec right?

Doctor Syntax Silver badge

Re: 1980s computer science

"First course was with punched cards."

Maybe that's the secret. Only having 3 compile/run slots a day helped concentrate the mind.

Doctor Syntax Silver badge

Re: 1980s computer science

"IT world has often a problem when something becomes fashionable"

Which is just about all the time.

But why does designing things, implementing them and then not screwing them up with revisions* never become fashionable?

*I've just come here from the Mozilla thread.

Doctor Syntax Silver badge

Re: 1980s computer science

"I saw many poorly defined interfaces that did not logically separate various aspects of the requirements."

I have to say, though, that the worst instance I saw of that was back in the '80s. It gave all of a customer's users access to all parts of the application irrespective of their responsibilities and all too often the functionality needed for one user screen was associated with another. Most of the 9 months I spent with that firm before bailing were taken up with starting to sort that out.

UK credit broker fined £120k for spamming folk with five million texts

Doctor Syntax Silver badge

Maybe the affiliates should also have been whacked.

Pwnd Android conference phone exposes risk of spies in the boardroom

Doctor Syntax Silver badge

a mature security posture

The mind boggles.

'We need a new Geneva Convention to protect all citizens from snoops'

Doctor Syntax Silver badge

Re: WTF?

"How the feck could he spout that with a straight face"

He's a lawyer. It's a thing they do, especially when pushing a case. He's pushing a case against the USG re email from servers in Dublin.

Doctor Syntax Silver badge

"They only started caring when they were given no other choice but to do so."

AFAICS Microsoft policy will swing in whatever direction seems best to Microsoft at the time. Currently it's good to see that Brad Smith is standing up for non-users of W10.

Hold the phone! Crap customer service cost telcos £2.9 BEEEELLION in 2016

Doctor Syntax Silver badge

I wonder where banks fit into the complained about league.

Inside Confide, the chat app 'secretly used by Trump aides': OpenPGP, OpenSSL, and more

Doctor Syntax Silver badge

Re: With crypto the devils always in the details.

"But the big one. It's not FIPS compliant."

Bearing in mind that FIPS has previously approved a broken-by-design NSA-promoted algorithm, I'm not sure whether this is automatically a bad thing de facto, just de jure.

(Why did I initially type FIBS? Is my sub-conscious trying to tell me something?)

Bruce Schneier: The US government is coming for YOUR code, techies

Doctor Syntax Silver badge

Re: But wait

"the law will not apply to either US criminals (except as punishment if caught)"

That's the case across all laws and criminals. Not having a relevant law simply means no punishment and no criminals; it just means no bar on people carrying out actions which would be a crime were there a law to define one.

Doctor Syntax Silver badge

Re: The choice

"Suppose some software or IoT device was identified as being a major problem, and had to be stopped, disabled, etc. How effective would a product recall be?"

Did you read the article about the botnet on a University campus? If so you'll recall that they scanned for these devices (and fixed them by updating the passwords). So it can be done. Probably the most efficient way would be to impose the requirement on ISPs to scan their own estate, at least for devices visible through firewalls; they're not going to do it voluntarily but then they wouldn't be given the option.

Doctor Syntax Silver badge

Re: Well, maybe we should not put software in everything

"Real time software is engineering that just happens to have a logic component implemented in software. ...Contrary to popular belief it is really easy to make reliable real-time code and its also easy to prevent it from being corrupted."

Why not implement it in hardware with an ASIC? Presumably in order to be able to make maintenance changes later. And that way lies a risk. The initial design might be well-written, reliable code but all too often maintenance is seen as a not very interesting job that gets given to juniors and gradually your original well-written, reliable code becomes badly structured, not very reliable code.

Doctor Syntax Silver badge

Re: Well, maybe we should not put software in everything

'And sure, it's possible that the "diode" will be badly designed '

That would take some effort. All that would be needed would be an API with a read function and no write.

Explain! yourself! US! senators! yell! at! Yahoo!

Doctor Syntax Silver badge

"Can take turns taking penalty kicks at them? Or did you mean gaol?"

Whatever.

It's a long time since I used to get summonses to courts of oyer, terminer and general gaol delivery.

The Register's guide to protecting your data when visiting the US

Doctor Syntax Silver badge

Re: Not right, but not that strange either

"Profiling is a huge part of border detection. USA, among others, have mastered this to an art form."

Citation required.

Doctor Syntax Silver badge

Re: Don't accept it, act on it

"If your employer has a legally mandated requirement to confidentiality or customer privacy they will get hit by the violation you have just created"

Is it so hard to work out that if the employer is sending an employee to a rogue state such as the US with company provided electronics then they'll provide suitably clean kit?
