Posts by Doctor Syntax 40413 publicly visible posts • joined 16 Jun 2014
"Been in this situation before, and someone above me decided that they would attend the KPMG IT audit, without letting me know, until after the auditors had been in. Said person simply lied throughout it."
What sort of auditor would simply see one person instead of insisting on checking with a number of other members of staff? (Answers on a postcard)
You're quite right. It's rapidly getting the the stage where the general public realises that basic internet access security requires 3 things: anti-virus, noscript and an adblocker. As soon as the adblocker becomes universal it's game over for the entire advertising chain. They need to tackle malvertising urgently if they hope to survive. I'm surprised Google haven't done something about this already although as soon as they do, hoping that adblockers will whitelist them, the rest of the industry will make the usual monopoly complaints while ignoring the fact that it was their own arrogant sloppiness that brought the situation about.
"Give us ad-masking instead"
I don't understand the downvotes. This is the best all-round solution. The website gets paid. The user doesn't get pissed off. The ad networks also get paid. The advertiser? Well, as they haven't succeeded in pissing off the user they haven't lost potential or real customers and their direct costs are no more than they would have been had they paid to lose those customers.
"It all looked quite normal to him."
That was the problem. It could all look quite normal but unless you knew the area you couldn't be sure. I remember driving along some country roads with a couple of SOCOs who started getting quite nervous. Seeing that these were roads I'd happily driven along quite often taking the wife & kids out at weekends I started to worry. In the end I decided it was just that they were from the other side of Belfast & didn't know where they were.
"I remember hanging out the back of a Mini (45 years ago) banging the fuel pump - was on the Marylebone Rd in London - in rush hour."
A bit earlier than that I had a field trip in N Ireland. I had the hired van with all the kit in it but no heater. A few others were supposed to be following in the departmental Mini. After a very long while they got there. Having spent a few miles periodically driving over the roadside verges to jolt the pump into operation they'd given in and taken it into a garage to get it fixed. Whilst it was up on the lift they could see where lumps of the cooling fins were missing from the sump. That would be where we'd driven it up another mountain a few weeks earlier.
Not Australia but Italy. I had a contract to write some reporting S/W for my client's industrial control system running in their client's factory in Italy. The development was in my client's office in England but I had to go out to install it.
Once I got there I couldn't get through a run of the reports without random crashes. On reboot fsck kept leaving files in lost+found containing random fragments of memory contents. The end-user client didn't want me to leave until it was seen to run and it was still crashing when I should have left - and I was running out of Lira. I'd also had a call from an agent to see a new client on the following Monday with a view to starting contract on Tuesday. Finally the suite ran & so did I. I was told the consequent hardware call identified a bad memory stick; maybe without the extra S/W running the machine never used that area of memory.
"my customers were as happy as Larry- I was well chuffed.
My manager wasn't happy - because we weren't running running around like blue-arsed flies"
It's outputs that matter, not inputs. Politicians reminding us about how much they (they? - we!!) spend on whatever are amongst the worst for failing to grasp this simple fact.
No, the fault of HR. It's all too simple to assume that everyone they recruit has been trained in the basics by someone else. Their induction procedures should cover the basics of data protection including misuse of cc: and make breaches a disciplinary matter. But given the fact that in this case someone then sent out an attempt to recall and in doing so did exactly the same thing makes you wonder about the way they go about recruiting in the first place.
"Maybe I'm remembering through rose tinted glasses but the UK endured an active 20 year bombing campaign with less restrictions on our liberty"
Not really although it was NI which took the brunt. However the response there was internment without trial which was rather counter-productive. Spine or not, oh for one of our representatives to show an ability to learn from past mistakes.
Before they went 0845 a local travel agent had a phone number similar to ours and we'd get the occasional wrong number call intended for them.
Now suppose someone rightly or wrongly suspected of being of interest made one of those when he was wanting to book a flight to visit his granny in Pakistan/go to a jihad training camp/take his kids to Disney. Should I then have become of interest? And what would that have done to my SC clearance?
That's the trouble with meta-data. Not only does it not specifically identify a person as opposed to an address or whatever, it doesn't even tell you why the communication was made or even if it was completed correctly.
"and I would say I have nothing to hide"
You almost certainly do have something to hide and at least some of it you will be contractually bound to hide: login credentials to any internet banking you use, internet merchants you buy from or internet services you use. I doubt anyone who's tried to justify their actions with the "nothing to hide" line has actually lived up to their words & published such information about themselves.
"Perhaps a better solution would be to make it easier for them to get targeted powers to record communications."
Not easier, but properly regulated. A sign-off by a senior officer or a politician is not proper regulation. Neither is a system which does not require justification for the sign-off. Nor a system which doesn't incorporate and use feedback to check that requests were well-targeted and not just fishing expeditions.
It's not unusual to find criminals who think they're brighter than they are but this seems to be an outstanding example.
OTOH am I alone in being worried by the idea of "a web portal which provides access to criminal intelligence and other highly privileged information for law enforcement officials" which can be accessed by a bit of social engineering?
"I don't believe that Microsoft are deliberately snooping actual user data for malicious intent, in any case."
Assuming that to be true then why are their T&Cs written in such a way as to grant themselves the right to all the user's log-in credentials and transactions? It would have been quite easy to specify that it was only the user's credentials and transactions with Microsoft. Are we simply looking at sloppy drafting here? Or are they covering themselves against bugs that wouldn't be able to discriminate between what they need to see and what they don't?
The flaw in the argument is the assumption that the 10,000 instances have a server array to themselves whilst they're running. What's more likely is that rather than have a big server farm with 1,000 spare servers sitting around you have 10,000 servers all active running 9 VMs each or 5,000 running 8 and the 10,000 VMs just get spun up as additional jobs in each server.
'Cloud customers should also be aware that they may not be able to control where data is stored and that sub-contracting arrangements may exist without them "initially realising", it said.
The draft guidance outlines ... and ensure regulators have effective access to data.
...
One of the recommendations the FCA made was for financial services companies to determine whether their cloud contracts are governed by UK law and subject to UK court jurisdiction. It said that even if it is not those cloud customers must ensure that they, their auditor and the FCA have "effective access" to its data as well as the cloud provider's "business premises".'
Given the premise in the first paragraph the other points seem likely to be difficult to achieve. In particular there'd be a need to ensure other court jurisdictions (other than higher EU courts) don't try to push their noses in and that other organisations don't have access to the data.
'It said companies need to have an "exit plan" that is "understood, documented and regularly rehearsed" which allows it to come out of outsourcing arrangements "without undue disruption to their provision of services, or their compliance with the regulatory regime".'
And one that will still work when the cloud operator's administrators walk in?
"We asked the TalkTalk boss what she had made of Virgin Media's chief Tom Mockridge recently coming out in support of Openreach remaining wedded to BT."
Was that really the best question you could have asked her? How about "Shouldn't the next head of a telecoms company like Openreach be someone with an engineering backgorund rather than another banker?".
" It needs to be baked into the mail protocols so that encryption is the default. It would need to be phased in in a backwards compatible manner
You've already got that. SMTP aleady supports the STARTTLS verb"
But that's only encryption in transit. AIUI what Eugene was looking for was PGP to encrypt the message end-to-end so it would only be readable by its intended recipient. And, of course, there would also be the possibility of signing it to verify the sender.
The impediments to this are (a) if your correspondents aren't set up to use it there's no point setting it up for yourself so almost nobody uses it and (b) as Pascal says, it needs an infrastructure for the public keys.
As I see it the solution for that would be to revise the protocol to build in message encryption rather than making it an add-on. It would need to be rolled out in stages so that in the interim stage new versions of clients would prompt users to set up their key-pair and make use of keys where both ends had them set up but after a given date email to a user who didn't have a key would require specific user approval followed by an end stage where unencrypted email wouldn't be supported.
I don't think it's a matter for Google alone. It needs to be baked into the mail protocols so that encryption is the default. It would need to be phased in in a backwards compatible manner but at some point the existing SMTP would be deprecated and any lagging clients & servers would find themselves shut out.
What Google needs to do is start pushing RFCs for this. Except I'm not sure Google would be the best party for this. They're likely to want something that would end up with plain text on their servers so they can scan it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
