* Posts by Anonymous Curd

44 publicly visible posts • joined 19 Sep 2015

Microsoft releases Server 2016, complete with commercial Docker engine

Anonymous Curd

Re: Relevant

"...surely it would be simpler/cheaper to spin up a debian/centos server... "

Only if you're looking at the list price for the license. If you're a windows shop and you're suddenly asking your admins to learn a whole new platform and ecosystem, things get expensive quickly. In any case the correct comparison is MS Server vs RHEL, which end up about the same cost unit-wise. Very, very few enterprises run Debian or CentOS because TANSTAAFL.

More to the point this is a Docker engine for Windows. It's designed for running Windows apps on Windows hosts. The two worlds don't mix. Yet. This kind of thing is catnip for C# devs. All they're really lacking is a modern resource manager/orchestration tier in the same vein as Kubernetes/Mesos.

A particular highlight is for JVM devs, who can now realistically target containerised apps onto either windows or linux.

Pass the 'Milk' to make code run four times faster, say MIT boffins

Anonymous Curd

SQL is one area you wouldn't need this. Because tables are typed and statements declarative, you know exactly what size your data are and where in the data structures they live. As a result this was solved decades ago with columnar data and vectorised execution. Proper data systems don't need to muck about with cache black magic to skip over boring data - it has been re-organised on ingest to ensure it's never even read off disk.

Stripped and ready to go: Enterprise Java MicroProfile lands

Anonymous Curd

Interesting, but three years too late. Spring Boot owns this space for Java houses, and Play in Scala world. JVM land is done with monolithic specs from lock-in-happy vendors.

JDK 9 release delayed another four months

Anonymous Curd

To be fair, if you've got that much ram why *not* use it?

Non-doms pay 10 times more in income tax than average taxpayer group

Anonymous Curd
Thumb Down

Re: What price credibility?

"I guess this is "normal" behaviour for Pinsent Masons"

A little bit of work in google news will turn up a set of these articles, exclusively from Pinsent Masons and mostly in the right wing end of the press, appearing on average about every 3 months or so.

Suspiciously closely aligned to that mad end-of-quarter period all sales people know and love...

"They pay 10 times more tax than the average taxpayer. But isn't their income vastly more than 10 times the average?.."

Unless you're HMRC this is almost impossible to determine, and they're effectively banned from publishing their analysis on this (see also: economic impact of immigration). However, third-party analyses are available online (the short answer is yes). The complicating factor is that many non-doms are genuinely non-domiciled. High but unremarkable incomes, genuinely based overseas. Given the inherently complex nature of these persons' affairs, decoupling not-that-dodgy non-doms from media barons and russian oligarchs who are just taking the piss is really impossible. This is what enables bastions of the establishment like Pinsent Mason's to get away with publishing this kind of twaddle without falling afoul of ethics rules. They are, of course, the best kind of correct. Technically correct.

Oracle happy to let Apache Foundation adopt NetBeans

Anonymous Curd

A chief data officer worried about anyone still using Java? Cripes.

Apple: Crisis? What innovation crisis? BTW, you like our toothbrush?

Anonymous Curd

Re: Just.... no

The ability to listen to music or take a call with a headset while charging would be nice.

Universal Credit: 'One dole to rule 'em all' on verge of recovery – report

Anonymous Curd

More like the banishment of GDS to the proverbial wilderness.

UK govt digi-chief confirms he is standing down after ... 9 months

Anonymous Curd

I for one will be quite happy to see the back of GDS. No single organisation has caused more damage to UK.gov IT for years. They had a particular talent for strolling into a project, telling everyone they'd done it all wrong, forcing the Cabinet Office to push the reset button and fucking off to leave everyone else to pick up the pieces while they swanned about writing blogs on the right way to manage your sticky notes.

Wonderful idea, terrible execution.

Why Agile is like flossing and regular sex

Anonymous Curd

""I think from a tactics perspective, Agile is increasingly a 'solved problem'," said Forrester's Jeffrey Hammond when asked to demonstrate how completely industry misunderstands the core concepts of agile."


UK employers still reluctant to hire recent CompSci grads

Anonymous Curd

Re: Interesting...

"Sigh ... admittedly I graduated ~10 years ago from a "top-5" CS department, but what you are describing was semester 1 year 1. :("

Very much so. I'm about six years out of uni now, and year one contained a lovely joined up curriculum where you implemented a basic RISC CPU in verilog, implemented a basic JVM on top of it in assembly, then implemented basic programmes on top of it in Java to prove it worked (to an automated test spec you wrote in real java, obviously). All couched in a broader curriculum of formal logic, computer architecture, computer engineering and software engineering principles, plus the usual waste-of-time group project. And modules on databases, networking and machine learning, because, you know, real degree. (The chip on my shoulder, it is large.)

Most of the candidates I'm looking at (all at 2.1 or First class) would maybe have done one or two of those things as a final third year project. Much more likely they'd have spent three years doing game- or web-centric projects in useless frameworks like Unity or, worse, JavaScript. It is very hard to un-teach that kind of indoctrination. That's what we're talking about when we say there's a skills gap. They're weak on the theory and very weak on the practicalities of real software engineering in a business situation.

Now, I'm not saying everyone should learn everything I did. After all, I recognise that I did go to a top university for CS and did very well at it indeed. However when you've got chaps (and, unfortunately, it is still invariably chaps) coming out of Russell Group unis who fall down on fundamental questions like "Explain the characteristics of a B-tree and where/why it is commonly used" or asking them to draw the three-value logic truth table there are serious issues with what they're being taught.

Anonymous Curd

I've spent a fair chunk of the last two years interviewing junior level candidates for engineering positions. The unfortunate fact is that most CompSci degrees in the UK are barely worthy of the name. With the exception of the top-level universities, most of the curricula seem to amount to nothing more than glorified web programming tutorials. At least your social studies grad will have churned out twenty or thirty 2,000-word essays, so you can have confidence in their communication skills.

Replacement IT at 'high risk'. Squeaky bum time for UK tax folk

Anonymous Curd

Re: A recruiter called me 2 months about jobs there..

Well you've got the obligatory 9am stand up meeting. This will of course run until 1030, because it's actually a sit down round a whiteboard while your project manager drones on about re-aligning plans to the new, completely incompatible requirements that emerged overnight (again), but you know, it's agile at least right?

After that you'll probably pop off to get a coffee, have a chat. Back at your screen for 11 in time to catch up with the twenty-odd emails you've accrued that morning. Hardly any of them relevant to your terms of reference, but they do need sorting!

At which point, well, frankly, it's time for lunch.

If you're very, very lucky, you might get a whole hour or two in the afternoon hands-to-keyboard actually building the thing you're being paid to build, but far more likely you're going to be spending that time hands-to-keyboard writing up lengthy low-level design documentation or support guides that no one is ever going to read for the product that will never get deployed, or putting together a powerpoint deck to explain to the client why their earlier decisions have all gone wrong (taking great effort to avoid the words "so", "you" and "told", of course), or on a twenty-person conference call about the next terrible decision coming down the pipeline.

Another round of coffee, just in time for you to sit down and write up your daily progress report for the programme management and the client, before they go home at four to see the kids. They've been in since 0730, you see, take their word for it.

Before you know it it's half five and your day's hours are all used up. Can't be seen in the office after hours - the IR35 regs get very antsy about behaving like a permanent employee, so off to the pub six or seven hundred quid richer, ready to do it all again tomorrow.

Anonymous Curd

Re: A recruiter called me 2 months about jobs there..

Aspire is crawling with contractors. It's the kind of place where contracts just keep going and going and going and going and goin...

I spent about 2 years there and all the freelancers were as-good-as permies, but working 9 months a year for 3 times the money. Great gig if you don't mind, you know, never actually delivering anything.

Oracle says it is 'committed' to Java EE 8 – amid claims it quietly axed future development

Anonymous Curd

Berjillions of companies paying berjillions of pounds for WebLogic servers.

Insane, yes, but they're still there.

From Watson Jr to Watson AI: IBM's changed, and Papa Watson wouldn't approve

Anonymous Curd

Watson is illustrative of how far the company has fallen. Watson, once upon a time, was the Jeopardy-destroying supercomputer, an incredible research achievement. Now it's nothing but a shared brand name for a dozen unrelated and overlapping second-tier technologies acquired across the last ten years.

I work in data & analytics for one of IBM's biggest partners in Europe. I've had more presales briefs and insider training on "Watson" than I care to remember, and I couldn't for the life of me explain to you exactly what it is or what it does.

I am increasingly of the belief that's it's fundamentally just a scheme to wrangle free tickets to Wimbledon, the F1 and the Rugby World Cup by sticking their sports into shit adverts for them all to feel good about.

Fedora 24 is here. Go ahead – dive in

Anonymous Curd

Re: "screenshots are problematic"

So, like buying a Ferrari then?

EU wants open science publication by 2020

Anonymous Curd

Re: on the results of publicly funded research

You're right. I did mean to put "funded" in there somewhere too. Point still stands. Even in the rare cases the people commissioning the research aren't already publicly funded (a research council, for example) or are re-distributing at least public funding (most charities), it's going to be very hard to argue the public sector didn't fund at least some of the research given its pervasiveness across the sector.

Anonymous Curd

Re: on the results of publicly funded research

Research where a component of the funding is public. Given that the overwhelming majority of european universities and research institutions are publicly owned and operated, this amounts to all european research, unless the people commissioning the research want to defray the costs of running the buildings/support staff etc. Which could still happen.

Don't tell the Cabinet Office: HMRC is building its own online ID system

Anonymous Curd

Re: May I just say...

That's just the hand waving to get it through CabO. Rest assured it'll end up doing individuals too. HMRC have a long, long history of doing identity verification and authentication for important reasons. Something like five hundred billion of them at last count. Verify was first supposed to be live in late 2013, then early 2014, then 2015 and so on and so forth. The fundamental problem is GDS have no idea what they're doing. Even stripping the solution back from its all-singing, all-dancing original design to the current simple API over Experian that it is now, they've consistently failed to deliver anything even remotely functional.

I've personally delivered products for HMRC with 9 figure yield business cases that have had to sit on a shelf waiting for Verify to come about, and then long since moved on. This should have happened years ago.

Salesforce claims 'record' quarter record at Oracle and SAP's expense

Anonymous Curd

Re: Isn't it ironic

The alternatives *are* Oracle or SAP. Sure, you can technically run either of those in the cloud, but the licensing models are still the same as they were on-prem (i.e. impenetrable black magic) and more importantly their interfaces are still the same old JSP-looking junk they've been for the last 15 years.

Watch it again: SpaceX's boomerang rocket lands on robo-sea-barge

Anonymous Curd

It won't be long until this is positively boring.

And that is excellent.

Central gov spent £6.3bn on IT. Nearly half handed to just 3 suppliers

Anonymous Curd

Re: going overseas

"The tax system was similarly done entirely abroad."

Telford might be a pretty unusual place, but describing it as "entirely abroad" is stretching it, given it's all of 30 miles from, er... Birmingham.

Jenkins 2.0, where the devil have you been?

Anonymous Curd

Yeah, used to be Bamboo did one thing and one thing only, but it's come on leaps and bounds in the last couple of years. For the last year or so I've exclusively preferred it over Jenkins. Getting Jenkins to do a pretty standard batch of steps (maven build, test, publish, integration test, quality report, optionally promote version + deploy with status dashboard & access control) is an absolute pain in the arse. Hopefully this fixes that.

Remain in the EU and help me snoop on the world, says Theresa May

Anonymous Curd

Re: Salt mine will not be enough

It's also a condition of the Good Friday Agreement. Untangling that mess would make Brexit look like a summer's evening stroll.

Hortonworks CEO tells El Reg: 'Clearly there's a lot of work to do'

Anonymous Curd

Re: What are they doing wrong?

"What are they doing wrong?"

Their products aren't as good and they're a market follower, not a leader.

- They're two years behind Cloudera on governance and security (they only *just* announced plans for a proper data lineage tool) [which is also why they don't have any major public sector deployments]

- They ignored Spark in favour of Tez, which precisely no one uses

- They've gone, and continue to go, all-in on Hive for SQL-on-Hadoop in the face of really exciting, innovative work from the likes of Splice Machine, Phoenix and the Kudu project.

etc. etc.

If it weren't for the fact they end up costing about half as much in licensing vs cloudera and literally give away their professional services they'd be used by no one except open source ultra-purists.

Carving up the IT contract behind £500bn of annual tax collection is a very risky move

Anonymous Curd

"...they can't just offer any old salary and benefits package to a prospective employee..."

Not if they're employed as civil servants, no. However HMRC have formed a limited company (RCDTS) to employ the people they're taking from Aspire through the not-quite-TUPE process. This means they can pay whatever they like.

Unfortunately they still have to go to CabO to get everything signed off, so the salaries aren't *that* much better than civil service standard, and the pension terms are pretty crap.

Given that the guys they really want (the people who've been doing this for 15-20 years and know complex+critical systems like PAYE/RTI and VAT inside and out) are all on their third TUPE and have managed to wrangle both good private sector salaries and public sector-esque terms + pensions, the uptake has been unsurprisingly low.

The vast majority of people who've taken the deal are junior staffers who were underpaid by Cap/FJS et al anyway (think sub-£20k). The logical consequence of this is either they're going to have to bring in the experienced bods as time hire contractors at extortionate day rates or they're just going to have to bring in the incumbent suppliers anyway. This is currently being labelled the "co-sourcing" option; same staff, same suppliers, but the paperwork will be shuffled so that HMRC will take delivery responsibility*.

*Judging whether HMRC have the capability to deliver after 20 years with no in-house IT whatsoever is an exercise left to the reader.

How NoSQL graph databases still usurp relational dynasties

Anonymous Curd

Re: Yes but no but

"It is, however, pretty easy to encode them in relational databases (e.g. two tables, one of nodes, and one of edges). Directions are also easy to express."

That's great, but it's a complete anti-pattern. You've effectively created a write-only graph store.

Take a gander back at the article, for example.

"but writing a SQL statement that will find all my friends' friends that are two nodes away should always cause a program a severe migraine..."

Finding nodes 2 hops away isn't too complex a sql query, just two joins really. What about 3 hops? Well, we're suddenly into N+1 territory, and it's swiftly downhill from there. Heaven help you if you want to do something actually Graph-y and iterative like PageRank.

The point of a graph store isn't to store something an RDBMS can't. There isn't any such thing. Throw enough link tables and type tables and joins at a problem and you can model anything. The point is to support efficient, expressive querying of that data in a way an RDBMS will really, really struggle with. That's the point of NoSQL stores in general.

That's also why you find there are two distinct graph technologies. You've got those concerned with storing graphs and doing rapid retrieval of small subsets (like Neo, Titan etc.), and you've got those models concerned with doing bulk analysis of a whole graph, usually based on Pregel.

One area where graph systems are hammering RDBMS in enterprise land at the minute is MDM/DQ platforms. Dig under the hood of the latest offerings from any of the big boys there and you'll find their traditional RDBMS backends have been torn out for hipster graph backends. They're just better for that kind of any-entity-to-any-entity model, and that is often what we're dealing with in real life with real data.

Hortonworks fires up Centrica contract: Gassy client to probe users' usage

Anonymous Curd

Re: "the largest live operational HDP cluster"

Biggest supported HDP deployment *in the UK*. There are bigger HDP clusters from UK-centric clients, but they usually site them where energy is cheaper and networking better, or entirely on AWS.

There are plenty of bigger CDH customers in the UK, due to their near-total dominance of the public sector and banking. HDP doesn't get a look in there because its security/audit/management suites are naff.

NASA discovers black hole here on Earth – in its software budget

Anonymous Curd

Why not just buy the bloody code then?

Gov to take axe to big IT contracts soon, will hand chunks to SMEs

Anonymous Curd

Picking on Aspire? Hah, that's probably one of the most effective IT contracts in government. Sure you're paying £500 to Fujitsu to move a desktop to the other side of your office, but it carries at least £500bn of transactions for about 0.2% of that as annual spend. It's also not *that* monolithic - there's six companies in it. Not the one to pick on, particularly given the decommissioning strategy actually involves HMRC setting up a wholly owned private corporation to hold the TUPE'd staff. This enables them to pay them private sector rates without all the bother of public sector bidding/FOI.

This happens every other year. More SMEs. More Agility. Great. Wonderful.

Until the contracts get involved.

SMEs don't have the ability to loss-lead, so won't bid for the less glamorous nuts and bolts work. Likewise they can't flex and take the hit to crunch on at-risk Project A to keep the customer happy across Projects B, C, D and E. SMEs don't have the resources to spend £20-30k a pop preparing the CabO-mandated RFI/RFP forms, which often run to thousands of pages of detailed responses, assuming they're even an existing supplier (if not, add another few hundred to register as a supplier). SMEs don't have a bottomless pit of insurance backing them, so can't be awarded anything bigger than a few million quid or a couple of years. SMEs stop being SMEs the second they start scaling to meet the demands of a growing contract (assuming they even can scale). SMEs don't have 10-20+ years of "proven delivery experience" to meet the CabO due diligence requirements. SMEs aren't List X, so usually need a bigger parent company to act as Prime whatever happens.

Perhaps most fundamentally, the really good SMEs, the ones people are thinking of when this kind of stuff is bandied around, won't work for a public sector rate.

I would love for public sector contracts to be smaller, more easily governed and delivered by smart, focused teams of experts. Unfortunately the commercial and contractual reality precludes that entirely. Until that changes, all that will happen is a changing of hats, with shell companies set up to host a bid from a major SI with a handful of token SMEs in a 90/10 workshare. Which is what happens anyway - we just call them contractors.

Microsoft SQL Server for Linux is a brilliant and logical idea

Anonymous Curd

Re: Why

That's somewhat like saying eating 6,000 calories a day isn't going to make you fat because, hey, look at Michael Phelps, he was pretty ripped, right?

Most businesses are not Google, like most people are not Michael Phelps. They are not the blueprint to follow, unless you happen to have a stable of thousands of world-leading engineers on hand to solve your problems. You've only got to look at the hundreds of fantastic contributions to MySQL and MariaDB from Google engineers (and their market-transforming white papers on bigtable, dremel etc.) to see the amount of effort they've put into countering the aforementioned Fun Behaviour.

As for vanilla postgres being more powerful than MS SQL? Good as 9.5 is (and it IS good) outside of a few, niche areas (hello, PostGIS), that really isn't the case. The feature list of current MS SQL is seriously impressive. AD integration, row-level security, multi-site/hybrid cloud replication, in-database parallelised R execution, in memory, columnar layouts, OLAP and OLTP. Doing all of that under one license under one management suite is seriously impressive. That's why this has caused a buzz. If you're looking over the fence from Oracle land, where each of those features is Yet Another License (if it's even possible), the grass probably looks very, very green.

Anonymous Curd

Re: Why

You are, of course, absolutely right. I'm personally a big fan of Enterprise DB (apart from the silly name). I think I'm biased in this because I work in a large consultancy, but it's often a hard sell. If you're even looking at EDB you've probably made two decisions

1. You want an RDBMS, but not Oracle

2. You want Enterprisey features and commercial support

Unless you've *also* made the decision that you really like Open Source software (which is still rare; accounting departments consider making purchasing decisions on ideology a sacking offence), EDB is principally competing with MS SQL (see another comment on this page about Postgres drawing mainly from MS SQL users, though sometimes the likes of Greenplum come into the mix too). The way things usually go at that point include some variations on a common theme:

1. Massive discounts on MS SQL because you're inevitably already an Exchange/AD/Office/Windows customer

2. Free professional services to grease the skids

3. A gentle nudge in the direction of the differences in scale between global Goliath MS, and relatively minor player EDB.

4. Oh, did we mention you get the reporting, ETL, management and development suites as part of the license too?

5. If all else fails point out it is ridiculously cheap when you do it right on Azure (hint: use the blob storage)

I've seen this happen loads of times now as people shift loads off their rapidly obsoleting multimillion pound/dollar/euro Teradata/Oracle installations. IBM try a similar play, but it usually falls flat because of the distinct air of Naff around their current products.

And now they can throw platform-agnosticity (is that even a word?) into the marketing mix. I strongly, strongly suspect if it wasn't for the enormous sunk costs in Apex/OBIEE etc., Oracle customers would be flocking to MS about now. We've already seen it from Teradata.

Anonymous Curd

Re: Why

Why not Maria or My? They're a couple of steps off toy databases, as far as serious database work is concerned. I'd happily run an ORM-mediated web service off one, but anything beyond that and you're going to run into Fun Behaviour. Like being able to execute ambiguous SQL (e.g. mismatch between aggregates and group by) with unpredictable results, or the lack of functionality that is critical for any analytical application, like window functions.

Why not postgres? That's a much tougher question, because postgres is absolutely outstanding in almost every respect. Rock solid, performant dependable, predictable, exceptionally well documented. It shares a common core with a range of high quality commercial engines. Unfortunately, until very recently, doing Enterprisey stuff like high availability and clustering was Unnecessarily Hard. A good example of this is replication, which pre-9.4 usually required some hideous homebrewed witchcraft involving triggers. This is something the commercial products do out of the box. This feature disparity is lessening over time, but there's still a few areas where it's lacking for serious use, like a good/standardised columnar layout, or easy high availability.

The big killer for most shops is that commercial support is slim to non-existent. If your database is running transactions or business critical analytics, it's a really hard sell to get an organisation to run without having the Big Red Panic Button to push.

I would genuinely love for this not to be the case. Outside of RDBMS (where I, happily, normally work) the data landscape is absolutely dominated by open source tech, and that is fantastic. Unfortunately, the hard reality is in the vast majority of use cases open source RDBMS platforms are not able to meet the expectations of most businesses.

That said, I don't think this is as big a deal as the author. It certainly is in terms of a retreat for Windows in the datacentre, but running MS SQL usually means also running SSIS and SPSS and the rest of the MS data apps suite, which of course are all Windows clients, and of course come part and parcel of your SQL Server license. It's a carrot to maintain windows on the business workstation.

Microsoft has made SQL Server for Linux. Repeat, Microsoft has made SQL Server 2016 for Linux

Anonymous Curd

e2e encryption, data masking, in-database R scripts, in memory tech, OLAP, OLTP, cheap as muck on Azure.

If you were in the market for a proprietary RDBMS, why would anyone, today, seriously consider DB2, Oracle, Teradata etc?

Failed school intranet project spent AU$1.4m on launch party before crashing and burning

Anonymous Curd

A $1.4M party?

I've been in consultancy for a while now, and even I must say, morals aside, bravo for the absolute testicles to try (and get away with) that one.

Spark man Zaharia on 2.0 and why it's 'not that important' to upstage MapReduce

Anonymous Curd

Re: so last month's spark API's are obsolete already?

No, DataSet and DataFrame are distinct APIs, and neither obsoleted the RDD API.

RDD is the low-level, nuts and bolts API, working directly on collections of objects, for when the other higher level APIs just don't do what you want.

DataFrames are what they say on the tin, with the trade-off that your data must be tabular and you lose some interaction patterns (e.g. lambdas) and compile-time type safety, but get easy performance gains (i.e. transparent optimisation) for common query patterns, and easy data handling in many use cases.

DataSets are the compromise between the two. You get the type safety and low level Object-oriented handling of RDDs with the expressiveness and optimisation of DataFrames.

And yes, 2.0 will change those APIs. Because Spark uses Semantic Versioning. That's what 2.0 means. In return DataSets, which are supremely useful, will stop being experimental.

Teradataaaaargghh! How to go from years in the black right into the red

Anonymous Curd

Seven figure outlays on big branded kit and an eighteen month exercise building The One True Schema or a slow start and five figures to your cloud provider of choice with no lock in. Poor old Teradata. Is there any way for them to change that perception in today's market?

Open source plugin aims to defeat link rot

Anonymous Curd

Re: More shitty animated GIFs

Half a megabyte and flashing. Bravo subeds.

Devs complain GitHub's become slow to fix bugs, is easily gamed

Anonymous Curd

"Where does the sense of entitlement come from?"

Paying for accounts, probably.

Compared to Atlassian, Github Support has been terrible in recent years, and substantial new features few and far between.

HPE's London boozer dubbed the 'Hewlett You Inn?'

Anonymous Curd

Re: Is the company bar a European thing?

UK services organisations run on beer. Often that beer will be served on site, because we're billed by the day and there's no way we're coming back to the office from client site after 5pm for an internal meeting unless we're getting lubed up for nowt. That requires a license, even if no money changes hands.

They may also have a bona fide cash bar. Still not that unusual in certain employers.

Whisper this, but Java deserialisation vulnerability affects more libraries

Anonymous Curd

Re: I wonder what sort of mind set is behind this

In many areas of the modern Java ecosystem (and others) it's as-good-as standard practice now. Thrift, protobuf and Avro all have as many advantages as on-disk serialised data as they do in memory or over the wire. There's nothing fundamentally wrong with it.

Storing serialised data is also a red herring. If you read through the (excellent) detailed analysis on FoxGlove you'll see there's a strong focus on attacking over the wire. The obvious reason is because that's way easier to attack than something in memory or on disk.

The other reasons are also responsible for why this is such an absolute pain in the arse to fix:

- commons-* cruft is all over the place, despite it being widely acknowledged as Generally Terrible Code

- It is especially all over the place in big, monolithic enterprise apps

- These enterprise apps tend not to be the best citizens in terms of general security; for example they might have auth and encryption on your http interface, but leave all the binary management interfaces (speaking their internal protocols only) wide open to anyone.

- These enterprise apps also tend to (as do most apps, to a lesser extent) bundle up the vulnerable dependency in ways that make it painful to fix. In that foxglove article you'll see the apache commons libraries have been re-namespaced from org.apache.commons.. to com.bea.core.apache.commons. This is an artefact of Java's archaic package management; it's common practise in big apps to just move classes that are likely to clash, giving you total control. This makes them nigh-on impossible to fix. You can't just swap out a jar, you've got to repackage their jar to fix the issue and hope you matched their scheme.

Volkswagen used software to CHEAT on AIR POLLUTION tests, alleges US gov

Anonymous Curd

Sounds exactly like the measures smartphones manufacturers were putting in to hoodwink benchmarks.