* Posts by gumbril

22 publicly visible posts • joined 6 Jul 2014

Insider steals 79,000 email addresses at work to promote own business

gumbril

You what?

> We have concluded through our investigations that this data breach was a deliberate act by an individual, and not a breakdown of the robust internal controls we have in place.

Which utter moron wrote this? What are internal controls for, if not for this kind of thing? A deliberate act by an internal is threat number one, so either they broke down, or they are not robust.

Raspberry Pi Pico cracks BitLocker in under a minute

gumbril

Re: A brilliant testament to analysis

I've just set it up; you need to be admin to do it, and my users are not admin. I'd also not trust users to go rummaging in the Group Policy Editor, which is required, and then set the PIN via an admin shell. Still, the demo was pretty impressive/scary.

HCL modernizes Notes by adding 2023's hot new item ... mail merge?

gumbril

Oh, that's a blast from the past. I used to develop on Lotus Notes; then, when they merged with IBM, they merged in some Java servlet features... session handling, finally! Before I knew it I was knee deep in JBoss... happy days.

Buggy app for insulin-delivery device puts diabetes patients at risk of hypoglycemia

gumbril

Re: Always sanitize user input

It's fine to expect a specific format, as long as you reject anything that doesn't meet that specific format, and certainly don't munge it to fit your format.

If .3 were refused, that would seem fine.
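As an added example (not from the original comment or the app in question), this contrasts a lenient parser that coerces input with a strict one that accepts exactly one dose format and rejects everything else, including the `.3` case above. The regex, the unit limit and the field semantics are assumptions for illustration.

```python
# Added example: strict accept-or-reject validation of a dose string,
# versus the "helpful" coercion that float() performs.
import re
from decimal import Decimal

# Assumed format: one or more ASCII digits, optionally a dot and 1-2 digits.
# No leading dot, no trailing dot, no sign, no whitespace, no exponent.
DOSE_RE = re.compile(r"[0-9]+(\.[0-9]{1,2})?")
MAX_UNITS = Decimal("25")   # assumed upper bound for a single dose


def lenient_parse(text):
    """What a permissive parser does: float() accepts '.3', ' 3', '3.', '3e1'."""
    return float(text)


def strict_parse(text):
    """Accept only strings matching DOSE_RE and within range; else ValueError."""
    if not isinstance(text, str) or not DOSE_RE.fullmatch(text):
        raise ValueError(f"dose {text!r} does not match the required format")
    value = Decimal(text)          # exact decimal, no binary rounding
    if value > MAX_UNITS:
        raise ValueError(f"dose {text!r} exceeds {MAX_UNITS} units")
    return value


def compare(inputs):
    """Return {input: (lenient result, strict result)} with 'REJECTED' on error."""
    out = {}
    for s in inputs:
        try:
            lenient = lenient_parse(s)
        except ValueError:
            lenient = "REJECTED"
        try:
            strict = str(strict_parse(s))
        except ValueError:
            strict = "REJECTED"
        out[s] = (lenient, strict)
    return out


# Constructed inputs: the '.3' from the comment plus common variants.
SAMPLES = ["0.3", ".3", "3.", "3,5", " 3", "3e1", "30"]

if __name__ == "__main__":
    for s, (lenient, strict) in compare(SAMPLES).items():
        print(f"{s!r:8} lenient={lenient!s:10} strict={strict}")
```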

Rackspace runs short of Cloud Files storage in LON region

gumbril

Re: Why have regions?

Contractual obligations would prevent us from moving our client data outside of a region. Whether they make sense or not is moot, we signed the contract, they give us money, we do as the contract says.

See that last line in the access list? Yeah, that means you don't have an access list

gumbril

Er... and turn PasswordAuthentication off and employ certificates only, I hope. Username and password on SSH is no way to be going through life.
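As an added example (not from the original comment), this audits an sshd_config for the setting recommended above, taking into account that sshd uses the first value it sees for a keyword and that its built-in default for PasswordAuthentication is yes. The sample configs are constructed; the check covers only the global section, not Match blocks.

```python
# Added example: check whether an sshd_config effectively disables
# password authentication, honouring sshd's first-value-wins rule.
import re

# Built-in OpenSSH defaults applied when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_settings(config_text):
    """Return {lowercased keyword: first value} for the global section.

    Parsing stops at the first 'Match' header because directives below it
    are conditional and do not apply to every connection.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            settings[key] = parts[1].strip().lower()      # first value wins
            seen.add(key)
    return settings


def password_auth_findings(config_text):
    """List the weaknesses found; an empty list means the global section is fine."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively 'yes'")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


# Constructed sample: 'no' was appended at the end, but the earlier 'yes'
# from a vendor template is the value sshd actually uses.
WEAK = """Port 22
# vendor template
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, silently ignored by sshd
PasswordAuthentication no
"""
FIXED = """Port 22
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
```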

Verified: UK.gov launching plans for yet another digital identity scheme

gumbril

Here I sit in The Netherlands; we have a system called, er... DigiD.

It works fine: go to a government website, use an app on your phone, jump through minimal hoops, and you are logged in.

You need that particular phone where the application is registered (something you have) and a PIN code (something you know) and, hey presto, 2FA.

I really don't understand the difficulty; it's relatively straightforward to operate. There are probably some edge cases, so someone in your household could request a DigiD for you if they know enough details, but it's been in place for years and no one is screaming.

IT contractor caught charging Uncle Sam expert rates for newbies, agrees to pay back $6m in settlement

gumbril

I never liked key-man clauses. The problem I found is that the good people may want to develop (that's how they got good in the first place), and if you have someone locked in, they can in the end just jump ship from that company if required, but they'll also be annoyed.

I find it better to make your place somewhere that the good people want to work at. They may be outsourced, but regular visits (with goodies) pre-Covid, interesting work where possible (so first refusal on projects), positive feedback, smashing out with a CC as long as your arm, moving them onshore, all sorts of things, and some long conversations with the Delivery Manager offshore so they understand that if they play ball on the longer objectives, we won't be looking to beat the crap out of them should something dumb happen short term, which it invariably does, a lot.

Manchester United email servers remain offline amid what is being called a 'ransomware' attack

gumbril

Some free tools work, depending on the nature of the attack and the like. Done properly, the encryption is pretty much unbreakable in the next x billion years. Where it's not done properly, or somehow the bad actors have been infiltrated, then yes, it may be possible.

Of course, some decent capabilities in place beforehand to be able to quickly restore everything would have been a better answer.

England just not windy enough for wind farms, admits renewables boss

gumbril

Re: Tidal?

Don't believe it's an issue.

> As of 1980, the longest cost-effective distance for direct-current transmission was determined to be 7,000 km (4,300 mi). For alternating current it was 4,000 km (2,500 mi), though all transmission lines in use today are substantially shorter than this.[16]

https://en.wikipedia.org/wiki/Electric_power_transmission#Losses

IBM invents printer that checks for copyrights

gumbril

That reminds me: about 30 years ago, our music teacher sent us to the library to copy a sheet of music. We had the phrase "One copy for the purposes of private study" drilled into us. I seem to remember it all went a bit Pete Tong when I was sent to get a copy for everyone in the class, thus triggering the guardian of the photocopier. "It's one copy for private study, it's just there's a lot of us", followed not long after by a Music Teacher vs Librarian showdown, which is a little bit uncomfortable, as they were not very good at showing down. I put it down to lack of experience. I think technology would have made the librarian happier: "Computer says No" is a lot easier than "Thou shalt not pass". Music Teacher won, IIRC.

The Devils of DevOps stick it to YOU

gumbril

I don't even have the energy to flame these posts anymore. DevOps can be useful? So is a spoon if used correctly, and not shoved up the author's arse. I don't keep writing about it though, do I? Once is enough.

Met police commissioner: Fraud victims should not be refunded by banks

gumbril

Pretty disappointing that someone who is clearly incompetent on a subject should wax lyrical on said subject. It's bad enough he is incompetent, but worse when he does have self-awareness.

The system as is, is that if you are shown to be negligent you don't get recompensed. This would be things like writing down your password or PIN, or sharing it. Of course the banks, with their usual bias to self-interest, manage to pin that on anything they can, or just apply it by default and wait for the complaint to whatever ombudsman looks at it. Reading before, it's reported as 70% at RBS is not refunded?

Apart from that wrinkle, that's a reasonably fair system: if you leave a wad of cash out, and someone nicks it, that's your lookout. But where you do take reasonable precautions, it should not be. Now a question is, what's reasonable to the average folk? Make everyone sign up for two-factor authentication for email, stop them using Windows, training in how not to get phished? Maybe a safe banking certificate awarded after some CBT training?

But anyway, it doesn't matter right now, because that 30% is the main motivation for the banks to systemically improve their security. They are the people who can, if they choose, employ analysts, designers and developers and the rest required to provide a reasonably friendly, secure service. They are going online because it's cheaper for them; they make it secure because it's cheaper for them.

But no, this idiot wants to make the security of THEIR SERVICE irrelevant to THEIR BOTTOM LINE. How Not to Motivate a Bank 101. Would HSBC cough up for free PIN pass cards, or sign up to the VISA secure question, if they didn't think it would save them money?

Hey British coders: DevOps – you're doing it wrong

gumbril

Oh, what's that, Life Support 1.3 has a problem? What, it's crashing? Oh hang on, we'll get right on that, our normal test cycle is 4 months. What, people are dying? Blimey, well, we can try and knock it out immediately, but we won't be able to test it, and Geoff, the release guy, is on holiday, but I think he left some notes around here.

gumbril

Yep, if your customer is out there, the great unwashed, this, I think, is it.

It made me laugh, as I'm working on a side project for myself, and I can't get features how I want them. I knocked something up last night, released it (Jenkins to Chef in about 5 minutes), tried it for a while, and realised what doesn't quite work how I want in practice. And I'm the customer, for myself. What chance does marketing have when the customer doesn't/can't know?

gumbril

Argh. Another meaningless DevOps article. Taking obviousness and applying it to DevOps and calling it an article. Sheesh.

Ok, how about this metric: is your customer satisfied? If you've reduced cost of release by 98%, great. But was that your cost or your customer's? Was that a product they are interested in? Was that their priority? DO THEY CARE?

What you do is go to the customer and ask them, and that's your metric. And if more numbers happen to help them understand what a great job you're doing, to make them happier, then fantastic; if not, don't. If you're saving your own cost, which is sensible, don't confuse it with making your customer happy.

The rest, internal metrics, are for yourself, based hopefully on a continuous strategy of improvements to your systems and processes (which may or may not include DevOps). They may be interesting as the how you did it, but the what is customer satisfaction.

Number of mentions in this article of customer? 0

Why Tim Cook is wrong: A privacy advocate's view

gumbril

I don't think he is, or at least if he is, then it's because Apple is not giving the obvious defence. That being "We can't"; instead they are saying "We shouldn't". Maybe after "We shouldn't" is ruled on they come out with "We can't".

Now it may be Apple wants to blow the "We shouldn't" debate open, which is happening, good, but I'd have thought that Apple would have to bring all their objections to the table in one go. Courts tend to get miffed if things which you knew at the time are relevant are left out and only released piecemeal.

Big, fat fail? Here's how to avoid that: Microservices and you

gumbril

Re: Every component of the application (should) be retested

> The real bummer is if you need something slightly different from the micro-service. It takes ages to bash an API into a usable shape.

This. Completely. It's the secret sauce.

Are you a Salesforce or an Uber? Choose wisely, devs

gumbril

Don't get this.

DevOps is an example of one of many processes that can be applied in the event of a fire, if it happens to be the way you work, but how does that make DevOps different, special, unique?

As much as I dislike Twitter, they are as much a part of the same process; communication is pretty important too, during the event (and actually, if you're doing it right, before: "Hey Customer, when/if this happens, don't panic, this is what we're going to be doing, and this is how long it will take, and this is when you get an update, and this is the role that will be doing the update, so communicate that to your management and give them the impression you are in control.")

I mean, having an up-to-date out-of-office telephone list of your IT department is probably more important.

And, in any 'fire' the biggest uncertainty is finding out what happened. If you're doing it right you don't need to find out: "Hey Bob, what happened?" "I dunno, we failed over to our other location, we'll get someone looking at it now, it's still a P2 as we've lost some redundancy." If you're not, then you need to get on that phone list and start calling, to get the people to figure out what to fix, and if it's code, what's that, -10% of the time, then you need to get them to figure out a fix, and then, finally, you call upon automated delivery. Whoopee, so if at that point they say it'll take 3 days to release, 'cause it's not DevOps? Not likely.

Frankly, spontaneous code issues that cause a fire are relatively rare. Unless we're talking releases. And that should be covered by engineers pre-booked, and rollback procedures.

TL;DR If DevOps is core in your 'fire' safety procedure, you're more Dev than Ops, and you certainly don't know enough to plan tackling it.

Friends Reunited to shut down. What do you mean, 'is it still going?'

gumbril

Re: Past its shelf life

You paid? £10? What for? I used to log in and update sometime after Xmas for a couple of years, never thought of paying... Didn't know they even took money.

You, yes YOU: DevOps' people problem

gumbril

To paraphrase Donald Rumsfeld: you can have the right people and no process and it can work; you can have the right process and the wrong people, and it won't. Waterfall? Agile? DevOps? You start out with highly motivated teams, working together, passionate, and guess what, good things happen. Marketing gimboids and booksellers get on board, and suddenly it's a panacea, but if you've got shit people, shit will happen. And it's not about culture, it's about competence. Management, Customer and Engineering all need it to manage entropy/debt. Christ, just get a good team, and let them choose the framework for delivery, and whatever they choose will include CI.

Google de-listing of BBC article 'broke UK and Euro public interest laws' - So WHY do it?

gumbril

Poor article without some sort of reference

Irritated by this article, as its headline hinges on whether Google has 'broke UK and EURO public interest laws'. Frankly it's more of a pub discussion without some sort of reference (how about a nice link to exactly what laws have been broken), or who exactly claims it, that can indicate that they have the knowledge to make the assertion.

Because on this side of the pub, we think Google does not have any sort of statutory duty to make information available to the public. It chooses to as part of the service it provides, under Terms & Conditions.

"Freedom of expression to read those articles": for example, Article 10 (Freedom of expression) talks about receiving information without interference from public bodies, but nothing that would appear to match this by a long shot.