Incomplete requirements definition + delusional planning timescales + inadequate testing + big bang deployment = FUBAR.
That's without the "It's Oracle, double your budget" factor.
21 publicly visible posts • joined 8 Aug 2017
Oh dear, MS seem to have forgotten that IT professionals (and amateurs for that matter) deeply resent being told what to do and how to do it. Guided, advised, suggested? All fine, but TOLD? Oh dear me no, that will elicit the in-built "I'll find a way to do the opposite, I'll avoid your products like the plague, and a hex on your house" response.
If they were using fingerprints for user verification then yes, only the first one counts. You enrol and verify the person once, hash (encrypt) the fingerprint and then each time you authenticate an individual it reads the fingerprint, hashes it and compares it with the stored fingerprint, so yes, they read and stored it once and then just read and compared after that and wouldn't have had to keep the subsequent verification images... unless of course they needed an audit trail for security purposes...
Perhaps the University's IT team should attend its own course - FdSc Computing Technologies (Networks and Cybersecurity). The woeful state of cyber security in the UK in both the private and public sector is akin to letting toddlers loose with flamethrowers. There should be independent penetration tests of any system with approved risk treatment plans before it is permitted to go live, with mandatory criminal charges when problems like this arise and negligence is proven.
It is simply not right that people should be able to throw allegations of racism around with no basis in fact yet walk away scot-free when these claims are found to be false. There should be consequences where these allegations are found to be false and maybe that would separate the troublemakers from the legitimate claimants; for example, the claimant should be personally made to pay ALL legal costs and compensation for defamation if the claim fails.
SolarWinds' own security advisor Ian Thornton-Trump warned the management in 2017 but they didn't listen, so he quit. They put profit before anything else and in the process screwed over all their customers who trusted them. Their reputation is in tatters, the trust is gone and the lawsuits will start rolling in. If there's any justice in the world the management will be stripped of their assets and jailed as a message to everyone out there to take security seriously!
A purchase of that size would surely have merited an independent audit of the company paid for by the buyer, in the same way the buyer pays for a structural survey of a house they intend to buy. HP's own CFO stated that she thought that the offer was far too high and not in the best interests of the company. HP even based their bid on 11X annual earnings rather than the industry norm of 3X. The alarm bells should have been ringing loud and clear. Not only should the buyer beware, but a fool and their money are soon parted!
Ever heard of data aggregation? Put all those little inconsequential nuggets together and pretty soon you have a digital profile good enough when stolen or "lost" to fuck up your life. EVERY piece of private data held by government deserves to be handled securely. To paraphrase, look after the little stuff and the big stuff takes care of itself.
In principle you're absolutely right, it makes no sense. However, in practice the Home Office couldn't run a bun fight in a bakery, and expecting them to be able to establish and run a central IT system that would or could support all police forces is not credible. As for setting policy, all they ever do is set policy, which is like letting a 12-year-old child perform brain surgery. If the individual forces were to surrender their IT budgets to the Home Office they would receive a much worse service at a vastly greater cost. Just look at what the Public Accounts Committee has to say about any of the large scale IT projects that the Home Office has under way.
Just because you're paranoid, it doesn't mean they aren't trying to get you! What this boils down to is who do you trust least? If you buy American stuff, you can bet the Yanks are spying on you; if you buy Chinese then the Chinese are spying on you, and so it goes on. The big difference is that the UK and USA have strategic intelligence gathering alliances and share similar cultures and world views. Not so China and Russia and North Korea; these countries are the biggest threat to us and should be least trusted. What deranged and naive lunatic would put "enemy" equipment at the heart of the UK's telecoms network?
This would be the same NHS digital that presided over the Wannacry Clusterphuq that affected 45 NHS organisations including at least 81 out of 236 trusts across England plus a further 603 primary care and other NHS organisations including 595 GP practices would it? Well they obviously couldn't find their own @rses with both hands and a mirror on a stick, so should NOT be making this decision, the security services should be responsible for ensuring the data is secure. As it stands I may as well put my own health records up for sale and get a couple of quid for them because sure as the sun sets in the evening these records WILL be compromised and sold to the highest bidder.
It's unforgivable that banks do not enforce two factor authentication when customers access their services comprising something the customer has (e.g. mobile phone / token / card reader) and something the customer knows (e.g. password / PIN) so that even if one factor is compromised the customer is still protected.
It's also unforgivable that the fines levied by the financial authorities on companies that lose customer data are simply kept by those authorities rather than re-invested in those companies to fix the security problems that allowed those companies to lose the data in the first place. The bigger the data loss = the bigger the fine = the bigger the investment in fixing it.
Of course the Chinese are spying on us, they are our enemies! Why don't GCHQ start with the precautionary principle? The principle implies that there is a social responsibility to protect the public from exposure to harm, when there is insufficient evidence to show that something is safe. These protections can be relaxed only if further scientific findings emerge that provide sound evidence that no harm will result.
The biggest UK victim of the WannaCry outbreak was the NHS; when last I heard the NHS was a Government Department, so the Government's first task should be punishing itself for not complying with its own rules. Ah, but the reason for non-compliance was under-investment in IT by... you guessed it, the Government. So the government intends to punish itself for not complying with its own rules by fining itself a substantial sum, which will leave itself with even less budget to spend on the deficient IT systems that caused the problems in the first place. This will make them more vulnerable to future attacks which will result in even heftier fines leaving them with less cash to fix the problems making them more vulnerable...