* Posts by SGJ

35 posts • joined 25 Nov 2015

Open standard but not open access: Schematron author complains about ISO paywall

SGJ

Free the standards

The true measure of a standard’s value should be the extent to which it has been adopted, not the amount ISO can charge for it. For large organisations the cost of purchasing a standard isn’t a deterrent, but for small organisations it definitely is.

For example, the ideas in the dozen or so standards in the ISO/IEC 27000 information security management system family would surely be of more benefit out in the real world than behind a paywall for up to CHF 178 each.

Academic papers are slowly moving to an open access model (faster in some disciplines than others) and standards should do the same.

Ryuk ransomware recovery cost us $8.1m and counting, says Baltimore school authority

SGJ

Re: Erm

Almost certainly the only way IT could persuade the Pointy-haired Bosses to spend the money. Give it a few years and new financial pressures and the budget will be cut again!

And that's yet another UK education body under attack from ransomware: Servers, email, phones yanked offline

SGJ

Some of the educational software I've seen has been so poorly written that it is impossible to "make it secure". For example, requiring local admin rights. Schools should be putting pressure on educational software providers rather than their IT staff!

FreeBSD 13.0 to ship without WireGuard support as dev steps in to fix 'grave issues' with initial implementation

SGJ

Re: @CheesyTheClown - I was about to

We've known about the problems caused by buffer overflows for at least 50 years and yet a simple search of the CVE list for "buffer overflow" returns over 11,000 hits out of a total of 150,000 CVE records. Programming paradigms to reduce or eliminate this basic problem are neither "new" nor "exotic" and have been well researched - it's about time we started using them.

EncroChat hack case: RAM, bam... what? Data in transit is data at rest, rules UK Court of Appeal

SGJ

The fact that *unencrypted* messages were obtained rather than the encrypted versions that were sent off to or obtained from the network makes me think the Court of Appeal got this right. The unencrypted message must be stored in RAM in order for it to be encrypted or decrypted. The message in transit would be the encrypted version.

How do we combat mass global misinformation? How about making the internet a little harder to use

SGJ

I'm not sure that the ease of searching is the problem. I've just typed "accuracy of pcr tests" into DuckDuckGo (my first choice of search engine) and, in the first three results (ignoring adverts), I got https://www.cochrane.org/news/how-accurate-are-routine-laboratory-tests-diagnosis-covid-19 which is a source of high quality data.

The problem is, I think, that people aren't taught how to evaluate information presented to them i.e. what makes Cochrane a better source than most others for information on PCR tests. Epistemology, the philosophy of knowledge, should be a compulsory part of every child's education.

Five years after US promised crackdown on ticket-snaffling bots, the first prosecutions are in... and are a slap on the wrist

SGJ

Re: They got caught

I used to be the IT Manager of a sporting venue in the UK where demand for tickets exceeded supply. We used a lottery process for ticket sales. People could apply for tickets online up to a published deadline. After the deadline we would run an automated lottery which selected applications at random. This also gave time to review applications to spot scalpers. This is a much fairer system than the first-come, first-served system and I don't understand why it isn't more widely used.

Brexit freezes 81,000 UK-registered .eu domains – and you've all got three months to get them back

SGJ

Re: The English are maybe traditionally too pragmatic

Setting up free ports would never be allowed in the UK? Really?

There are around 80 free zones within the EU. Until 2012 there were five free ports within the UK, until the UK government allowed the domestic laws that set up those ports to expire.

SGJ

Re: Is it the EU Court of Justice that has jurisprudence?

There is a difference between EU Directives and EU Regulations:

Regulations are legal acts that apply automatically and uniformly to all EU countries as soon as they enter into force, without needing to be transposed into national law. They are binding in their entirety on all EU countries.

Directives require EU countries to achieve a certain result, but leave them free to choose how to do so. EU countries must adopt measures to incorporate them into national law (transpose) in order to achieve the objectives set by the directive. National authorities must communicate these measures to the European Commission.

Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years

SGJ

Re: Can someone please explain what the connection is between these two things?

Fixed penalty offences are, as the name suggests, fixed so pleading poverty won't get you a reduced penalty if you break the speed limit. However, financial circumstances are taken into account with fines. The Sentencing Council guidelines say:

"The amount of a fine must reflect the seriousness of the offence (Criminal Justice Act (“CJA”) 2003, s.164(2)).

The court must also take into account the financial circumstances of the offender; this applies whether it has the effect of increasing or reducing the fine (CJA 2003, ss.164(3) and 164(4))."

The maximum penalty notice (not fine) the ICO may issue is linked to a company's global turnover and, since Covid-19 will have affected Marriott's turnover, the penalty notice takes this into account. The ICO has updated its Regulatory Action Policy to take account of Covid-19 and this now includes

"As set out in the Regulatory Action Policy, before issuing fines we consider the economic impact and affordability. In current circumstances, this is likely to continue to mean the level of fines will be reduced."

A decades-old lesson on not inserting Excel where it doesn't belong

SGJ

Re: Is my memory failing..

There is a standard describing CSV files - RFC 4180 - but of course most systems do their own thing.

Go has a CSV package in its standard library (https://golang.org/pkg/encoding/csv/) if you want to have a play.

Excel Hell: It's not just blame for pandemic pandemonium being spread between the sheets

SGJ

I have seen spreadsheets so opaque it was impossible to figure out what they were doing. No naming of ranges or cells, no documentation, links between Excel files, no understanding of relative and absolute addressing, columns in which all cells contain expressions - except for some 'special' cases.....

It is possible for a competent developer to produce a good spreadsheet except a competent programmer wouldn't be using a spreadsheet in the first place.

SGJ

Re: VBA Security Security Security Security... I can't hear you!!!

Take a look at http://www.eusprig.org/horror-stories.htm and then tell me how secure a spreadsheet is.

SGJ

Maybe 'something quick' was required in the first few days of Track & Trace. Maybe. As I have seen many times in my 40 years of working in IT (first as a developer and then IT management) the 'something quick' became 'the way we do it'. There is simply no excuse for still using a spreadsheet for such an important task months later.

SGJ

Re: What should I use instead

What should a non programmer use instead of Excel? They should use a programmer (or learn to program).

SGJ

Re: Relax...

Ditto. I hadn't come across Google/OpenRefine before - it looks v. interesting

Former antivirus baron John McAfee collared, faces extradition to America on tax evasion, securities allegations

SGJ

Re: My question is...

...as can UK citizens for some offences, e.g. Section 4 of the Computer Misuse Act 1990, see https://www.legislation.gov.uk/ukpga/1990/18/section/4

Anti-5G-vaxx pressure group sues Zuckerberg, Facebook, fact checkers for daring to suggest it might be wrong

SGJ

Re: @SGJ @Mark 85 Tossing their toys about

Yes, the law could be changed - the law can always be changed. But as things stand Section 230 of the CDA and precedent mean that Facebook and other platforms will not lose immunity for third party posts for editorial actions and that has been the case since 1996.

SGJ

Re: @Mark 85 Tossing their toys about

The idea that FB and similar platforms enjoy "safe harbor" only if they don't censor material published by third parties is based on a misunderstanding of section 230 of the Communications Decency Act passed in 1996.

Sen. Ron Wyden (D-Ore.) and Rep. Christopher Cox (R-Calif.) drafted section 230 in response to cases like the 1995 Prodigy* suit which held that Prodigy made themselves liable because, unlike a book shop, they exercised editorial control. Section 230 of the CDA removed this threat.

Facebook (and Twitter etc) will *not* lose the immunity afforded by section 230 for material posted by third parties if they censor or edit that material.

* see https://h2o.law.harvard.edu/cases/4540

What happens when holes perfect for spyware are found in the engine room of millions of Qualcomm-based phones? Let's find out

SGJ

Re: urged mobile device users to apply software updates when available

I'm still using a six-year-old iPhone 5s and it last received a security update, iOS 12.4.8, in the last week. Something to bear in mind if, like me, you don't want to replace your phone every 12 to 18 months...

This week of never-ending security updates continue. Now Apple emits dozens of fixes for iOS, macOS, etc

SGJ

"It's a rough week to be overseeing a company's network security. Someone get them a drink or pizza."

Surely that "or" should be an "and"?

Rewriting the checklists: 50 years since Apollo 13 reported it 'had a problem' – and boffins saved the day

SGJ

Episode 7, the final episode, of season 2 of "13 Minutes to the Moon" has been delayed because the presenter, Kevin Fong, is also a consultant anaesthetist at UCL Hospitals and anaesthetic lead for Major Incident Planning and he is currently otherwise engaged...

The European Commission digital strategy wants to, er, take back control of citizens' data

SGJ

The link to the European strategy for data actually points to the AI paper. The correct URL is https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf

Big fat doubt hovers over UK.gov's Making Tax Digital, customs declaration IT projects

SGJ

The Report is definitely in the Red category (if only I could see it)

I tried to read the report but, as I am colour-blind (along with up to 10% of men), I found it impossible to distinguish between the amber/amber-green colours and the red/green colours. I'd rate the report "Red" if only I could read it.

Scientist, war hero and gay icon Alan Turing is new face of the £50 note

SGJ

On Computable Numbers, with an Application to the Entscheidungsproblem

"Turing developed the theory that underpins all modern computers while working at the National Physical Laboratory and later at the University of Manchester."

Turing's seminal paper 'On Computable Numbers, with an Application to the Entscheidungsproblem', which showed that his "universal computing machine" could, in theory, perform any mathematical computation, was written in 1936, long before he worked at either the NPL or Manchester.

UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

SGJ

£183 million sounds a lot...

... but it works out at only £366 per card (or the price of a couple of aircraft?)

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

SGJ

Re: Not paying the ICO is NOT the problem

I complained about my local MP who had admitted on Twitter that she regularly shared login details to her office systems with everybody, including office interns, and received a very prompt reply!

Which scientist should be on the new £50 note? El Reg weighs in – and you should vote, too

SGJ

Re: Eric Laithwaite

Unfortunately Laithwaite believed that the behaviour of gyroscopes violated the law of conservation of energy! According to the Royal Institution web site he "appears to have used various engineering approximations in his calculations on the behaviour of gyroscopes and when told by professional mathematicians that once the calculations were done rigorously there was no discrepancy, refused to believe them."

The affair harmed his career considerably – he left his position at the Royal Institution and was never elected to the Fellowship of the Royal Society.

Perhaps not the best role model to have on a £50 note.

SGJ

Re: One problem with this

I think you mean a Big Mac, not a Mars bar. See https://www.economist.com/news/2018/07/11/the-big-mac-index

Workplace services-flinger Sodexo pulls Engage website after division hit by malware smackdown

SGJ

Misleading headline

Whilst Sodexo Engage may be "a specialist in employee and consumer engagement" the headline is highly misleading. Sodexo, the parent company, is actually one of the largest multi-national companies there is, with over 420,000 employees and revenue running into the billions of Euros.

Ever used an airport lounge printer? You probably don't know how blabby they can be

SGJ

Not every document I print is confidential! Surely the point is that you should be able to print a non-confidential document to a public printer without revealing unnecessary information about the device you are using.

Leeds hospital launches campaign to 'axe the fax'

SGJ

I do some work for a local football club and during a recent audit of their telephone lines queried the presence of a fax machine which had been used twice in the last three months. I was told that having a fax machine was a Football League requirement as certain documents had to be faxed (plus multiple copies sent by post)!

The glorious uncertainty: Backup world is having a GDPR moment

SGJ

Technically difficult "is not going to wash"

If the ICO is now of the view that compliance being technically difficult "is not going to wash" isn't it about time she acted against the Home Office's refusal to remove mug shots of innocent people from Police Databases?

see https://www.theregister.co.uk/2017/02/25/custody_images_review/

£60m, five years late... Tag criminal tagging as a 'catastrophic waste' of taxpayers' cash

SGJ

Only six months late...

The NAO report on which this story was based was published in July 2017, so El Reg is only six months late in reporting it...

See https://www.nao.org.uk/wp-content/uploads/2017/07/The-new-generation-electronic-monitoring-programme.pdf for the full gory details

Cyber-terror: How real is the threat? Squirrels are more of a danger

SGJ

Cyber Security at Civil Nuclear Facilities: Understanding the Risks

A recent report from Chatham House is an interesting but scary read.

https://www.chathamhouse.org/sites/files/chathamhouse/field/field_document/20151005CyberSecurityNuclearBaylonBruntLivingstone.pdf

Findings, based on research which included interviews with industry practitioners, include the following gems:

"... nuclear plants may lack preparedness for a large-scale cyber security emergency, particularly if one were to occur outside normal working hours."

"A large-scale cyber security emergency occurring at night could be particularly dangerous."

"Often, nuclear facilities will have undocumented connections to the internet (i.e. connections of which the plant managers or owner-operators are unaware); these too can provide potential pathways through which malware can infect a nuclear facility."

"... network diagrams of nuclear facilities that map out existing connections are frequently incorrect; there are often a number of additional connections that have not been documented."

Biting the hand that feeds IT © 1998–2021