Posts by Doctor Syntax

Re: Unpopular opinion time...

"But Yahoo are gagged"

Actually they do have an option. They have the option that MS took with email on the Irish server, the option that Apple took. Being prepared to say publicly "we won't do that" and being prepared to go to court to justify that could have earned them some respect which would have helped offset the reputational damage of the data breach. Instead they've had two missteps leaking out. The breach and going along with the scanning now serve to reinforce each other in the public's mind and the fact that they apparently weren't going to admit anything until word leaked out only makes things worse.

Re: How will they demonstrate historic loss?

"The courts will need proper proof of loss, not extravagant assertions."

I'd guess they hope to avoid this. Make extravagant assertions but offer to settle for a much smaller amount if it doesn't go to court.

Re: Wot! No rear facing Radar?

"I prefer Motorways with always on speed cameras"

So you prefer the drivers around you to concentrate their attention on one small aspect of road safety at the expense of watching what's happening around them?

Re: Open Reach Split

"Whilst separating pension assets and liabilities is not a trivial taslk BT managed it many years ago when they sold their original mobile business."

Actually they didn't sell it. It was split out. BT shareholders received an O2 share for each, now devalues, BT share they owned. It was these shares that Telefonica then bought from the then shareholders.

Whether this was a good idea is questionable given that BT has since paid to buy back into the mobile business.

I'm also not sure how well the pension worked out given that anyone working for BT Mobile who retired before the split is now being paid a pension from the BT scheme.

Re: Pensions ...

"As soon as interest rates finally start to go up"

But in whose lifetime?

Re: Pensions ...

"And take responsability for missmanaging the pension funds?"

See previous comments about how pension funds actually work.

Re: Pensions ...

"I reckon they could afford to pay a little more than £250m in the later years of their recovery plan"

Here's a little exercise for you. You are in charge of BT's finances. Your have £1bn available. You have claims both for investing in infrastructure and payments to the pension fund. If you pay that £1bn into the pension fund how much do you have left over for investment?

Re: Pension scheme.

"So, their argument is, that because they can't run a pension scheme properly, they should be allowed to monopolise the market to pay for their incompetence?"

As per another comment, the pension scheme is run by a separate, specialist company as is normal. The trustees represent BT and employees.

The deficit is a partly result of the Treasury/IR/HMRC screwing pension schemes over the years (Exhibit A: Gordon Brown's ditching tax relief on dividend income for pension funds; clearly a tax on the future as seen from the 1990s and now we are in that future. Exhibit B: the tax-man's suspicion that pension funds* are a vehicle for secreting profits leading to enforced contribution "holidays" when the fund gets in surplus in economic good times, in turn leading to deficits in bad times because of the missed contributions; we've had a lot of those bad times lately. Exhibit C: low interest rates and QE cutting the income from bonds used to pay pensions; IOW more bad times).

The deficit might have been made worse by the cutting of headcount over the years. There are now fewer contributing members but many surviving ex-members who are receiving or will be due to receive pensions.

The consequence is that BT is making extra payments to try to get the fund back into balance. That's money that can't be invested in infrastructure.

But don't let's have facts getting in the way of a good rant.

*The tax-man doesn't have to worry about the funding of his pension. That's essentially a Ponzi scheme.

Re: Best practices like remediation coaching and eLearning

"They are also running a devops security roadshow tour at this very moment"

What a remarkable coincidence. My flabber is utterly ghasted.

Re: Over egging the pudding maybe

"Just because an application CONTAINS a component with a vulnerability does NOT mean that the bug is exploitable in the application. It is very very frequent that applications will include a jar-file for a very specific purpose, pass a very restrictive set of inputs to the code in question and exercise a very small fraction of the included code."

If you don't know the bug's there and what it is you've no way of knowing that your very restrictive set of inputs passed for your very specific purpose won't exercise the small fraction of code that includes the bug.

Re: DevSecOps ? We're really going there ?

'I think we should probably actually just talk about it as "DevOps."'

I think we should just talk about the good old-fashioned maintenance phase. The long-lasting part of software's life into which it's launched by the development phase.

Re: Biased?

"Two years to fix that little number."

Let's look at that a little more closely.

As far as I can make out from wonkypedia the code with the bug was released in March 2012. It was discovered independantly by at least two lots of researchers in mid-March and the beginning of April 2014. It was disclosed to the developers in early April. How did they discover it? By examining the open source code. Had it been closed source it wouldn't have been discovered let alone disclosed. It was announced to the public and a fix released on the 7th of April.

In other words, from disclosure to fix took about a week. By my calculation that's about 1% of the time you allege. The two years was the time it took to discover. Had it been closed source that time would have been somewhere between longer and never.

"If you're not *paid* to go searching for problems, assuming you actually have the skill and know-how, how often do you do so?"

And even if you're paid, as the discoverers were, how do you do so when you can't review the closed source?

But, hey, don't let facts and details get in the way of a good rant.

Re: Levels of blame...

"Also APIs change over time - consequently the application also needs to change."

Wrong way round.

APIs might grow but should not change or remove existing functionality therefore the application should not need to change except to take advantage of such extended functionality

Why offer and API if you don't intend it to be used?

Why use it if isn't stable?

By offering an API a responsible developer is making an implicit offer that it will not change. Unfortunately there are irresponsible developers and/or maintainers out there but an API which fails to maintain backwards compatibility deserves to get a bad reputation. Developers, and their users, have better things to do than keep chasing changes made by other developers with twitchy fingers.

Re: Levels of blame...

'Behavioural dependencies can be very subtle, no amount of unit/integration testing will cover them all (100% is not enough, people will depend on officially "undefined" results).'

Such people deserve a good smack on the head from each of the users on which they've inflicted their code.

One of the many good points discussed in TMMM was whether a written spec or a working example should be taken as the working standard. The example given was the 360 H/W where programmers came to rely on the data left in some registers after an operation where the contents of those particular registers was undefined in the written spec. It then tied the designers to maintain that particular behaviour in future generations of the H/W whether they wanted to or not.

Unit tests give a third alternative. Publish the unit tests of a library. If the functionality of the library is added to or bugs fixed more unit tests can be added but no test should be changed or removed*. That guarantees backwards compatibility, it gives users a set of examples to use. And, importantly, any behaviour which isn't covered by the tests cannot be relied upon. Any developer who assumes some behaviour not covered in the tests does so at their own risk.

*If the need to change or remove some functionality arises it's time to start out under a new name or at the very least, a new major version number so that the old version can still be made available for applications needing the old functionality.

Re: Levels of blame...

"The closest we get is things like Javascript libraries and XML DOM's where you can instruct a browser to run off and download the latest JQuery or use a particular version of the Google web fonts or whatever, and it tries its best to do so. And that works quite well, to be honest. Millions of website rely on it."

You think that's a good idea? The application now depends on a component downloaded on the fly form a source where neither the website developer nor user has any control unless, as a use, you run NoScript. The newly downloaded component could have been updated so that it no longer supports the required functionality, has become buggy or has been out-and-out converted into malware. Or, as in an earlier comment, suddenly been made unavailable because of a spat between the developer, the site hosting it for download and, in that particular case, action over a trademarked name. And the situation cascades. NoScript users are familiar with the situation that allowing one address suddenly brings in requests to allow a whole lot more.

What you describe as working quite well is actually far less regulated than a distro's curated repository.

Re: Trust is earned

Just that. And governments everywhere are doing the exact opposite of what they need to do to earn it. How long is it going to take for them to realise this?

First earn trust by accepting that past behaviour is wrong and stopping it. That means more than having a tribunal tell you that you were wrong in the past because you were misusing legislation. That idea of "wrong" can be fixed by continuing to do the same under different legislation. It wasn't wrong because of the legislative framework, it was just wrong. So TPTB need to recognise that, publicly acknowledge it, apologise, and stop it.

Then start afresh. Make the data protection principles the basis of all handling of personal data. Share data only with specific informed consent. Give feedback to data subjects as to when and how data is shared. Make it a condition that when data is shared under consent it cannot be further shared without new specific informed consent. If this is breached each data subject should be entitled to a payment sufficiently large to make such breaches unprofitable with damages where the data subject has suffered actual loss as a consequence (e.g. medical history passed to an insurance company that then raises rates).

"but people only have 2 feet, therefore we need more people or we need them to buy more shoes."

The only consequence of having two feet is that shoes are bought in pairs. The relationship between numbers of feet and numbers of shoes is that the latter is an ever increasing integer multiple of the former.

Re: Simple

"Will automation result in other jobs opening up for these people, once their taxi/truck has become completely autonomous?"

Yes, operating the tow trucks to rescue all the autonomous HGVs that have become stuck having been satnaved into routes which were totally unsuitable.

Re: Err

"Thanks to the wonders of feminism women have less leisure time than ever before."

Really?

I grew up in the late '40s-early-'50s in a house that had no electricity. Doing the family wash occupied at least a full day of my mother's time once a week. Clothes had to be washed in a tub which had to be filled up by bucket. They had to be wrung dry by a heavy hand-cranked mangle. In the absence of modern fabrics they all had to be ironed - without the help of an electric iron. But perhaps you count all that as leisure.

Re: Fallacy

"Most of the workers in those industries were unskilled and when the coal mine/steel mill/factory closed there weren't any new jobs in the area that they were qualified for and they weren't able to re-train for anything else."

It was the lack of new jobs that was the real problem. The old industries closed because of cheaper overseas competition. The early C19th mechanisation of those industries also made old skills obsolete but replaced old jobs with many new ones. The challenge governments face now is to recreate that situation.

Re: Fallacy

"If your skill set is no longer needed in your profession because the job has been automated, there may well still be human work to be done in the form operating and monitoring the new automated equipment but this is not part of your skill set and you are now out of a job."

This was the argument being made in my area about a century ago when one of the cloth making processes was mechanised. In fact the population in the area grew hugely in the following decades as employment in the textile industry soared. Those new recruits didn't arrive with the appropriate skills, they had to learn them to adapt from previous trades just as the Luddites would have had to do.

Re: Errrm

"But there are many more cars now than there were horse carts then"

If you see early films of London the streets were just as crowded as they are now but with horse drawn traffic. I suppose, however, that London itself is bigger.

Re: Errrm

"I must admit I gave up reading the article after that example as it was so bad."

Given that the operator was referred to as "she" the obvious corollary was missed: she will simply buy more shoes.

Re: I've chosen to not use those services

"Surely even the Merkins wouldn't expect to legally get MS to raid your personal email server."

They might expect MS to raid your email client if it's running on W10.

Re: users don't control where data resides?

"Yes, you work in IT ... d'oh! Joe Public cannot."

Not true. For one thing most ISPs offer en email service. Of course that's not ideal either as it makes flitting between ISPs more inconvenient than having a separate email provider. It takes a minimal effort to find a 3rd party provider as soon as you get over the idea that you might have to pay for such a service.