* Posts by The Other Steve

1184 publicly visible posts • joined 7 Oct 2007

Facebook loses a few bitches

The Other Steve

Random Thoughts @ Sarah Bee

I signed up because someone sent me a friend request and I was bored. Set up a profile, joined some groups, then pretty much got bored again. Don't log in much now.

But OTOH, someone off my friends list (like many others here, these are all people I know IRL) was able to get in touch about some urgent stuff when he didn't have my contact details handy.

Also I have a few non techy friends who are in bands (proper grown up ones, who do gigs at decent venues) who use FB to send out invites to gigs. This is handy for them, since FB is taking care of all the tedious administration stuff like maintaining mailing lists and suchlike, and is free. Musicians don't like admin stuff, or paying for things, so it works nicely for them.

I also know a female vocalist who uses both FB and Myspace quite effectively as promotional tools.

Me, I have an anonymous profile photo and my location details would have you believe I am currently in Tora Bora, Afghanistan, in a cave.

/Random (Isn't it ? Standard)

Taking IT security to task

The Other Steve

It depends

Do you mean threat to IT assets (e.g. poorly educated users opening the door to malware, etc), do you mean threat to informational assets by poor implementation of policy (like HMRC), or do you mean threat to informational, monetary or other assets by malfeasance ?

The threat profile is different in each case, and when you get to the malfeasance end of the spectrum virtually all your threat actors are going to be insiders, since they already have access to company data, resources and procedures.

Typically, outside actors can be constrained (and largely mitigated against) by almost purely technological measures which can be centrally administered by your IT folks, whereas threats from inside actors require security policies to be implemented, followed, enforced and regularly audited for effectiveness. This has to take place across your entire organisation.

Basically, since it's easier to mitigate outside threats, insider threats should have a higher weighting in your threat model.

Microsoft opens APIs and protocols to all

The Other Steve
Pirate

@Jason Croghan

".. does no one else see this as a Malware creators wet dream??"

No. Most malware (decent malware at least) relies on reverse engineering of the binary code which provides the implementation of some function. The API (Application Programming Interface) only defines the interfaces to those functions.

In essence, an API document set (and the related header files used by application developers) provides a set of definitions of data structures, function names and return types and parameters which constitute the interface to these functions. Publishing the API does not reveal the details of the implementation of the functions.

It is not equivalent to publishing the source code of the underlying functions, so in order to (for instance) discover a buffer overflow in some function that will allow arbitrary code to be inserted into some handy place and then executed still requires that the malware author work at the binary level.

Even knowing the size of the buffer to be passed into a function (a common piece of info in API documentation) doesn't necessarily help the malicious of intent, since until you're looking at the disassembly, and have fully grokked the location of all the variables on the stack and/or heap, you don't know whether the function does any checks on buffer size, or where your data will end up if you overrun the buffer size the function expects. (Other methods of arbitrary code execution are available of course)

I'm pretty sure I haven't explained that very well, but basically, the answer is no because you still don't actually have the implementation source code. TBH even where the source is available, you're still going to need to be looking at a screen full of assembly and stack frames before you can code a successful exploit.

Geordie cops arrest two for Wi-Fi squatting

The Other Steve
Flame

Cluestick acumin (again, might as well define a macro for this comment)

Once more with feeling, despite your pathetic pedantry w/r/t IEEE 8011.x protocols implying that you have permission, your persistent belief that people ought not be held responsible for intruding upon poorly secured systems, and your absolutely awful analogies and attempts to apply utterly irrelevant areas of the law (I'm looking at you, whoever mentioned trespass again), using someone else's connection without their permission is an offence under Section 1 of the Computer Misuse Act 1990, possibly even section 2 if the actual theft of resources (bandwidth) is taken into account.

All your plaintive whining about how it isn't a crime is not changing this piece of legislation one jot.

In reverse order :

Trespass law, not relevant in the least no matter how many times people insist that it should be. Specific legislation exists which governs unauthorised access to computer systems. See CMA.

"If it's insecure, it's OK", wrong. See CMA. You will not find any mention in the definition of offences that requires any level of security on behalf of the system. Oh, and pull your head out of your arse.

"802.x gave me permission". Wrong. See CMA. Just sending the packet is causing the computer to perform an operation, basically, you are committing an offence just by asking. I don't care to speculate on the morality or otherwise of this, but just read the sodding Act. In any case, the details of the protocol are also irrelevant to the definition of an offence.

The only things relevant are as follows : 1) As far as the owner of the system is concerned, you are not an authorised user. 2) You know this (or can be reasonably expected to figure it out for yourself unless you're a retard, this counts even if you're a twisty pedantic little git who thinks he can get off by being clever) 3) you cause the system to perform any function.

You can whine and be pedantic about it all day long but it doesn't change the law. A law that the freeloader/cheerleader crew obviously (still) haven't even bothered to read, let alone comprehend, so, once again, here is the CMA.

http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

Go away and read it. And don't pitch any more stupid "but it ISN'T a crime, it ISN'T, its just not fair!!!" tantrums until you have.

I make no case for or against the morality, fairness or whatever of this legislation, but clearly rather a lot of you need to read and understand it so that you can be clear on what is and what isn't an offence before you start flaming off that activity X is not a crime when it's clearly defined as an offence. Knowing this stuff is important if you want to be an IT professional when you grow up. In the event that you are already either grown up or an IT professional, then shame on you.

And for the "the police should have better thing to do" crowd,

1) it is in fact entirely possible that the police in Berwick didn't have anything ELSE to do, let alone anything better. Berwick is a small town with a population of ~25k, many of them pensioners. As far as small Northumbrian towns go, Berwick is quite wholesome.

2) Remember this the next time you want to criticise the police for not responding in a timely fashion (or at all) to one of your own complaints. "Sorry sir, we can't come out for your vehicle being vandalised, that might prevent us from responding to something we think is more important."

Die for Gaia, save the planet?

The Other Steve
Linux

@Gobhicks

I certainly don’t care what happens after I'm dead. Because I'll be dead. It won't be happening to me, will it ?

Duh!

I'm sure you think that this is an appalling attitude, but look at it this way, quite a lot of the people who are alive now will still be alive when I'm dead. If we all just worry about the time period when we're alive, then the overlap should take care of us.

And further to the whole tech as multiplier thang, if technology can continue to provide us with longer lifespans, as it is doing now, then the picture gets even rosier.

Long lifespans are also handy for, yep, you guessed it, exploring space !

As for leaving the "Old World" in a sorry state, I'm not at all sure how you come to this conclusion. Since the whole issue under debate is that the earth cannot sustain its population indefinitely, how is it that removing some of the population elsewhere (and probably being able to ship extra resources back FROM there) is going to make things worse ? I can only assume that you're one of those idiots who thinks that as soon as we sort out the whole exploration thing, then all the rich folk (the ones with all the capital) will bugger off and leave the rest of us to starve ?

Unlikely I reckon (as well as demonstrating a world view that can't see past capital based economics), but if so, so what ? After all we are talking about the survival of a species, so does it matter which of us survives to populate the universe with our progeny ? Or do you only care about yourself, and/or your nearest and dearest ?

Penguin, cos it's cuddly, and you're a hippy. Hippies like penguins.

The Other Steve
Alien

And yet the obvious solution is still not mentioned.

Space Migration !

If the green Nazis (I'm with everyone on that issue) are going to use this argument, e.g. that no matter what we do w/r/t technology or other issues, there are still too many people on earth, then perhaps they will STFU with their claims that money spent on space exploration and colonisation could be better spent on lifting the world out of poverty. Since by this logic, that money is also wasted.

And then we can finally get on with it without the tedious bastards whining about it.

You need three earths ? OK, let's go and find another couple. Sorted.

Alien icon, because, well, space y'know.

Latest China scare torpedos 3Com takeover

The Other Steve
Coat

Hypocrisy, paranoia, cluelessness, and yet...

Hmm, OK, It's OK for the US to supply IT kit to China. Like say Cisco, selling them all the kit they use to run the Great Firewall, a clear cut case of the US aiding oppression, or all those copies of MS Windows and so on and so forth, but it's not OK for the Chinese to take a commercial interest in one US networking company ?

I detect the sweetly sick scent of US trade hypocrisy here.

Paranoia, well, the US isn't actually at war with China, nor is it likely to be. They have too much in common, both are oppressive regimes who like to torture people and spy on their own citizens, both have pseudo capitalist economic frameworks that favour a small ruling elite while forcing the masses into effective slavery, etc, etc. If it wasn't for the Yank's irrational fear of the god damned Godless Commies, they'd be best buds, for sure.

Let's break the cluelessness down then, firstly, if you're relying on a single vendor IDS solution (or just IDS appliances of any sort) for the security of your infrastructure, if you think that security comes in a magic box that you can just plug in and forget about, then you're already fucked. If your network is set up such that compromising such boxes is enough to FUBAR all your security measures, ditto. If you have failed to understand the concept of defence in depth to such an extent then the Chinese are the least of your worries, your "national security infrastructure" is already home to vast numbers of sKript Kiddies and bot-herders. Oh wait...

In addition to that, for a systematic compromise of kit at the silicon or software level, the controlling interest would have to have not just financial but operational control of 3Com such that they could corrupt the entire manufacturing process. Perhaps I'm naively optimistic, but I rather suspect that 3Com's employees would notice a bunch of ChiComs running about their production environment and fiddling with things. Add to that what ought to be a fairly rigorous QA process (just for the fact that they manufacture security critical kit, never mind the government contracts) and it seems a bit unlikely that such a large scale compromise could be accomplished without anyone noticing.

Still, I can see how selling a US company to a venture firm run by a former Red Army officer would make the average dumb yank apoplectic with rage, since they still seem to think of "communism" as some kind of awful communicable disease.

Anyway, the whole idea is dodgy isn't it, I mean it's not like there are any former US forces types working for VCs is it ? What ? There are ? Lots of them ? Oh well, that's that argument down the pisser then eh ?

In all fairness though, if I were the US military industrial complex, I'm fairly sure I'd react the same way, since 'difficult' is not the same as 'impossible', and the easiest (and cheapest) way to mitigate the risk is simply not to let the deal go ahead, so fair play to them really.

Northern Rock FOI gag 'out of order' say Tories

The Other Steve
Black Helicopters

@MarmiteToast

"Banks fight it out with each other in a competitive market. "

It used to, until it became a national asset. That means that it belongs to us. And since we are now the only shareholder, I rather think that we ought to be able to take a peek, don't you ?

Besides which, it would be easy for individual FOI requests to be turned down on the grounds that they violate an existing confidentiality covenant or reveal commercially sensitive information. Happens all the time already.

A blanket ban means that Brown et al now have their own private bank, paid for by us, which they can play with in secret. Hopefully the way NR is about to butcher up its headcount will bring forth a few whistleblowers.

Black helicopter, because champagne socialist oppressive regime+private bank+supEr seKret == conspiracy theories. Oh BTW did I mention that NR quietly offer a number of offshore banking facilities ? Like NR Guernsey ? Primarily for UK non domiciled residents ? Make of that what you will.

Consumer group slams 'unfair' software licenses

The Other Steve
Gates Horns

This does not affect your statutory rights.

Interestingly (and if IIRC from my law classes at school many moons ago) it is not possible for any contract to remove or modify a consumer's statutory rights as laid down in the Sale Of Goods Act (SOGA) and the Sale Of Goods and Services Act (SOGASA) and possibly other legislation that I can't remember just at the moment.

These include things like the ability to return goods and get a refund if they are defective or if they are "unfit for purpose" (e.g. you buy product X to fulfil function Y and it turns out not to be able to do so to your satisfaction). From the general tone of the comments on El Reg whenever the Beast Of Redmond is mentioned, I guess many folks feel that both of these conditions apply.

Retailers in general try quite hard to avoid allowing consumers their rights (seemingly restrictive return policies, etc), and they mostly get away with it because consumers are generally ignorant of the relevant statute law, which is why we have Trading Standards and the OFT.

There are also, as someone mentioned, rules governing how contracts can be structured, I can't remember what they are in any great detail, a google of "construction of contracts" with a UK filter should help the curious, but IIRC there must be something called "valid consideration". This is quite complicated, but basically means that contracts must provide something of worth to both parties in order to be valid, I think.

I've no idea how this would apply to a EULA, but I can imagine it would do for at least a few clauses.

"There was only one very specific exclusion which was for bus & train tickets that have details on the back."

Well remembered that man. In fact, ISTR that the actual judgement goes further than that and allows, under certain circumstances, for Ts&Cs to be merely 'available', e.g. as long as you can (at least in theory) get hold of a copy to read before you purchase, then they are valid. I haven't got a rail ticket handy, but I believe they have something like "issued under the terms of the conditions of carriage" written on them. The conditions of carriage are (in theory) available from the operator.

I really can't remember the circumstances of the case, so I don't know if this could be applied to shrinkwrap licences on software.

Either way, I'm pretty sure that an impartial UK legal beagle could render most of the MS EULA invalid with a bit of effort.

But imagine the consequences if MS (et al) are made liable for defects, you think Office is expensive now ? Wait until you have to purchase it with the price of a perpetual liability insurance policy added.

As an aside, I wonder how copyright law applies to the EULA itself ? I've worked for a number of ISVs who just cut 'n' pasted EULA.txt

The Other Steve

I laughed so hard...

"Microsoft is committed to dealing fairly with consumers"

... a little bit of wee came out.

Time to rewrite DBMS, says Ingres founder

The Other Steve

We don't need no steenking concurrency

It's OK to lose locking, concurrency and multi threading for Web 2.0 applications, because most Web 2.0 applications will have (at most) one user. The developer.

Nanny agency hacker fined

The Other Steve
Flame

@Chris W / AC / Cliff Stanford

"Let me get this straight, this agency left the door open and the ex-nanny decided to take advantage of the system so she's the guilty party. "

Erm, yes, guilty of an offence under section 1 of the Computer Misuse Act 1990 as previously quoted. An offence to which she pleaded guilty.

"I leave my wifi router open and someone decides to take advantage of my setup and you're saying I'm the guilty party."

Erm, no, I think you have me mixed up with someone else.

"It's one or the other. Either the misuser is guilty or the owner of the system is."

Go back, follow the link, read the act. The security or otherwise of the system to which unauthorised access is sought is irrelevant in the definition of an offence. If a system is totally unsecured, unauthorised usage is still a breach of section 1. OK ? So the 'misuser' commits an offence in any case.

Whether or not the owner of the system is guilty of some other offence, such as a breach of the DPA is a separate issue, and indeed a separate set of legal proceedings in which the owner may indeed be found guilty. So you see, you actually *can* have it both ways.

If you feel strongly that the company should be prosecuted, make a complaint to the ICO, but don't hold your breath waiting for them to do anything about it. If you feel that ICO's inability to do anything useful is a terrible injustice, lobby your MP, with similar caveats.

Feel free to live in your script kiddie utopia where it's OK to mess with people's systems if they didn't secure them properly, by all means, but do so knowing that the law disagrees with you very strongly indeed.

@AC :

"It does not follow, unless specifically stated, i.e. if authorization was given it would have to be revoked, termination of employment alone would not guarantee it."

Common sense dictates otherwise. You can be as pedantic about it as you like, but you'll find that the default is employee == authorised, non employee != authorised.

@ Cliff

"Doesn't really compare with my six months suspended sentence and a £20k fine, does it."

No, it doesn't, but then you were convicted of an 'unlawful interception' offence under RIPA, (for the purposes of blackmail, IIRC) so it wouldn't, would it.

The Other Steve
Pirate

Stop using rubbish analogies

Trespass, change the locks, etc. We had this with the router thing. Comparing unauthorised access to a computer system with property access rights is bogus.

A better analogy would be with unauthorised access to a computer sys.., oh wait, that's not an analogy. Duh! See, it's really pretty redundant. And in any case (see below), since specific legislation applies, comparison to any other legal area is pointless.

@Chris W

"Although I disagree strongly that the woman did break the law"

OK, let's wheel that quote out again :

http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

Since the woman in question is no longer an employee of Nannies Inc, she is no longer authorised to access their data. Period.

You may think this law is somehow unjust, but it *is* the law, and this is a very clear cut case. Or are you trying to argue for an exemption under 1(1)(c) ? If so, on what grounds ? If not, why *do* you "strongly disagree" ?

The Other Steve
Dead Vulture

Scary

What frightens me here is the level of misunderstanding that seems to exist w/r/t the CMA, it's not even a hard read as legislation goes.

@AC

"How long before a company sues an employee for unauthorised access to data because a colleague told them the password (or worse, they needed it for a report last month and were given a password which was then never revoked)?"

NEVER!

Take your tinfoil hat off and go and READ the CMA. The reason that this won't happen is very near the top, and also quoted in my previous post. Provided that the person has no reason to believe they weren't supposed to have access to that data, no offence has been committed, section 1(1)(c) exists specifically to cover such an eventuality.

"Scary stuff. SysAdmins of the world, beware. We could be next (yes, we have access to everything. But what if the Boss decides we shouldn't?)"

Like say he tells you that you shouldn't be reading other people's emails, even though you could ? Get used to it. If you're a sys admin, you should be mature enough to exercise such responsibility, and if you aren't, then you suffer the consequences. Seems fair enough to me. And before you ask, yes thanks, I have been a sys admin.

Jane Fonda c-word slip shocks US

The Other Steve

@Spleen

"I feel extremely uncomfortable speaking the word out loud, or having it stare back at me from something I wrote"

Then you're a daft cunt.

Oz teen elephant pregnancy sparks protests

The Other Steve
Alien

Oh, honestly!

I mean, it's like every time I think I've managed to get my head around just how fucked up, stupid, and wilfully ignorant people can be if they really put their minds to it, something like this comes along and I'm right back to where I started.

I guess Einstein was right, human stupidity really /is/ infinite.

Alien, because that's what these ignorant, interfering hippies are like to me.

Ruby runs on Rails with NetBeans

The Other Steve
Unhappy

Broken

As of version 2.0, this doesn't work :

    class PostController < ApplicationController
      scaffold :link
    end

Because there's no dynamic scaffolding in newer versions. So if you are using Ruby 2.0 or higher, all the tutorials you read will fail.

When you run the generator, select 'scaffold' rather than model, and type your "Link url:string description:text" into the "Model Name" box. This will generate a controller for you called links_controller.rb (and lots of other files)

Then right click the project node again and select Migrate Database > To Current Version. This will create the relevant database table and ruby scripts.

Additionally, routes.rb is under Configuration, not Configuration/Environments as stated, and you don't need to edit it, the scaffold generator did that for you. The url is now ...localhost.../links, although you can always type "Post" in the scaffold generation to change this back.

To add the tags field, right click the Database Migrations node, select Generate, then type "NewTagsField tags:string", OK, (this generates your 002_new_tags_field.rb) and then do the DB migrate thing again.

At this point you must either add code, or just regenerate your scaffold using "Link url:string description:text tags:string".

A quick tip for newcomers to the Netbeans IDE, get into the habit of running your project by right clicking the project node and selecting 'Run', because pressing the big green play button will not always run the current project. Netbeans has a few gotchas, but it's worth sticking with it. (Eclipse makes me want to set my own hair on fire.)

I fell heavily into the trap of version differences when I started getting into rails (last week), and it's a shame to see El Reg propagating the misery. Next time, Pan, maybe you could make sure that your tutorial will work on the latest version of the software you're talking about, since this is likely to be the version that newcomers will have installed.

In fairness though, 2.0 was only released in December, and the lack of backwards compatibility is catching a lot of people out.

More videogames to face censor scrutiny

The Other Steve
Flame

Parents - EOF

If you feel that some video game has harmed your child, guess what ? It's your own stupid fault for letting them play it, or in many cases, buying it for them in the first fucking place.

I just don't think the "parents don't understand the system" argument holds water. Games that are not suitable for your little ones have a great big red circle on them with the number 18 in the middle and further content warnings on the box. As far as I can see, the only change that needs to be made is to include these in braille in case the parent/guardian in question actually /is/ blind. *

Parents need to stop bleating and start taking responsibility for the effect of their actions (or lack thereof) on their own children.

So yes, won't /somebody/ please think of the children. How about their parents for a change ?

* OK, OK, I missed out stupid people, I suppose we have to cater for them as well, so fine. Move all the rated games into a single section in the shops, train the cashiers to spew some line every time someone buys one. You can program this into the EPOS just like age checks for certain items at supermarkets :

"Since this game is rated 18, it may contain scenes of swearing, arse raping, stabbing, mutilation, ho slapping, theft, terrorism, murder, or genocide.

As such, by buying the game you hereby agree to waive the right to whine about its effect on Timmy's fragile little mind if, at a later date, as seems likely with a parent as stupid as you, he does something irredeemably stupid or vicious and attempts, following your shining example, to avoid taking any responsibility for his own actions by blaming it on said game.

Do you still wish to proceed with the purchase ?"

Brazilian cleaner spots security hole in Heathrow e-borders

The Other Steve
Paris Hilton

WTF ?

"...officials seem not to know where she got the pass or to whom it had been issued in the first place"

Every security pass I've ever carried has had two things in common, they all bore a picture of my face, and my name. Sometimes more, but never less.

This seems to suggest that despite all the TWaT hysteria that our 'representatives' foist upon us, those within parliament still don't really believe the threat sufficiently to implement even the basics of a door entry system such as one might find in any mid size corporation.

I mean seriously, even if this is something like the temporary blank 'contractor' pass you get issued when you get to work and realise you left your key card in your other pants, someone would have had to enter the card in the system originally, and to set the timeout.

Unless these idiots genuinely just turn out piles of the damn things and leave them in a basket at the security desk for anyone who wants to take a handful.

I refuse completely (foolish, I know) to believe that anyone could truly be that incompetent by accident. This absolutely stinks of MPs rigging the system for their own convenience.

Another instance of them exempting themselves from the checks and balances they seek to impose on the rest of us ?

Paris, because even she's not that stupid.

RIAA chief calls for copyright filters on PCs

The Other Steve
Alert

@AC w/r/t "Fritz Chip"

A name I hadn't heard, but which turns out to refer to the Trusted Platform Module (TPM). It seems to me that this makes some of your assertions questionable (IMHO).

Quick whistlestop, the TPM provides three (count them) sets of functionality : Public key crypto functions (RSA, SHA-1, HMAC), trusted boot, and initialisation and management.

Since the user (and there are GPL'd linux drivers available for the module) may define exactly what configuration is to be 'trusted', there is nothing on the 'Fritz' * chip to prevent me from booting linux, starting a VM, attaching a debugger and using this environment to host another OS.

Additionally, I can provide my VM with a virtual TPM (e.g. one in software) http://www.usenix.org/events/sec06/tech/full_papers/berger/berger_html/vtpm06.html

The utility of this is debatable, but the point is that I can set up an environment with a TPM enabled OS running in an environment that I control completely, including the internals of the TPM. (What's that ? Newer OSs detect when they're virtualised ? That's an old, old arms race.)

There is NO way for the TPM to reject an OS, a system configuration, or a piece of hardware because it isn't certified by a third party, none, zip, zilch, nada, bugger all.

From the horse's mouth :

https://www.trustedcomputinggroup.org/faq/TPMFAQ/

"Can the Trusted Platform Module control what software runs?

No. There is no ability to do this."

"Does TCG require that software be certified to run on a TCG-enabled platform?

The TCG design does not have any requirement that software be “certified” in order to use it."

Really, it just doesn't work like that. (Cue hysterical freetards shouting that TPM, and trusted computing in general are evil and that the sky is falling, t'aint so, increase Ritalin and drink less coffee)

Is it possible that you are getting the TPM mixed up with Microsoft's NGSCB (Next Generation Secured Computing Base), formerly known as Palladium, and which relies on a superset of the TPM hardware functionality, including things like Memory Curtaining, and which is indeed far more genuinely sinister ? Or maybe Intel TXT ? Or just possibly something else entirely ?

* Apparently, after US Senator Ernest Frederick "Fritz" Hollings, a sock puppet for the RIAA/MPAA and their pigopolist friends who lobbied, unsuccessfully, for a number of draconian anti copying measures which, had they been passed, would have made US consumer electronics manufacturers even less competitive with their Chinese, Malaysian, &c brethren than they are already. One of which was to include the TPM chip in all media devices. Presumably either he, or indeed the MPAA/RIAA had either misinterpreted the functions of the TPM, or had bought into MSFTs much more Machiavellian Palladium vision.
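The "measures but does not block" behaviour described in the post above, as an added example that is not part of the original comment: a toy Python model of TPM 1.2-style PCR extension (SHA-1) with a sealed secret bound to a configuration the owner chooses. It goes slightly beyond the post by modelling sealing; the class, component names and secret are constructed for illustration, and a real TPM encrypts sealed blobs in hardware rather than storing them in a dictionary.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, the PCR width in TPM 1.2


class ToyTPM:
    """Constructed model of measured boot: it records what ran, it never vetoes it."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)   # a PCR is all zeroes after reset
        self._sealed = {}            # handle -> (expected PCR value, secret)

    def reset(self):
        # Models a platform reboot: the PCR is cleared, sealed blobs persist.
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes) -> bytes:
        # PCR_new = SHA-1(PCR_old || SHA-1(component)).
        # Note there is no allow/deny decision anywhere in this step.
        measurement = hashlib.sha1(component).digest()
        self.pcr = hashlib.sha1(self.pcr + measurement).digest()
        return self.pcr

    def seal(self, handle: str, secret: bytes, expected_pcr: bytes) -> None:
        # The owner picks which PCR value counts as "trusted".
        self._sealed[handle] = (expected_pcr, secret)

    def unseal(self, handle: str):
        # The only consequence of booting something else: sealed data stays sealed.
        expected, secret = self._sealed[handle]
        if not hmac.compare_digest(expected, self.pcr):
            return None
        return secret


def boot(tpm: ToyTPM, chain) -> bytes:
    """Reset the platform and measure each component in order; always succeeds."""
    tpm.reset()
    for component in chain:
        tpm.extend(component)
    return tpm.pcr


def demo() -> dict:
    tpm = ToyTPM()
    # Constructed boot chains; the names are placeholders, not real images.
    owner_stack = [b"bootloader-A", b"linux-kernel", b"hypervisor"]
    other_stack = [b"bootloader-A", b"other-os-kernel"]

    trusted_pcr = boot(tpm, owner_stack)
    tpm.seal("disk-key", b"constructed-secret", trusted_pcr)

    results = {"owner_unseal": tpm.unseal("disk-key")}

    other_pcr = boot(tpm, other_stack)          # boots without objection
    results["other_pcr_differs"] = other_pcr != trusted_pcr
    results["other_unseal"] = tpm.unseal("disk-key")

    boot(tpm, owner_stack)                      # back to the owner's configuration
    results["owner_again"] = tpm.unseal("disk-key")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
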

The Other Steve
Coat

@AC

"Fritz knows about VMs, because the VM acts as a corrupting filter between the OS and the hardware. The OS needs the keys from Fritz, and Fritz will not trust the lowest level OS."

OK, interesting, thanks. I'll have a read up on that if I remember.

"But do you know how much of the media you already have has identifiable marks?"

To a good approximation, yes, and the answer, of course, is most of it.

"Have you looked?"

Oh yes.

"These often include information about the machine that was used to duplicate the tape. Did you not know? Did you ever investigate?"

Yes. That is I did know, and I have indeed investigated.

"Also, when the component gets added to your system in a "we need to upgrade the Genuine Windows Advantage", or even "we need to fix a critical flaw in the OS (it does not do what we want it to do)", would you notice?"

Perhaps not, although I do actually vet the updates and read all the KB articles before even downloading them (where possible obviously, q.v. recent stealth installs). I would, however, expect to notice any unusual network activity, as previously stated. My IDS flags anything that I haven't designated as known traffic, and I regularly review the logs and less regularly run eyeball audits on traffic with various monitoring tools to see if I'm missing anything.

"Do you even do anything other than click "yes" when your firewall claims that some DLL is trying to access the net? If you do, then you have more time than I have!"

Erm yes, otherwise what would be the point of having the software at all ? Given that I have a POC around here somewhere from years ago that injects code into running processes, I'd be a fool not to.

And yes, I probably do have more time than you, time enough to have written several experimental compilers, some rather nice spectral analysis software, real time video analysis programs, several protocol fuzzers and a variety of custom network security tools to pick just a few of the less mundane 'hobby' projects from the last 18 months or so.

And I consider myself to be at the low end of the skills range that exists in the general population of coders/hackers/tinkerers/homebrewers or whatever we're calling them this week.

I'll forgive you for assuming that I'm just a mouthy script kiddie though, since there are so many of them, and you don't know me.

Mine's the one with volume 1 of Knuth in the left hand pocket, and Applied Cryptography in the other, thanks.

The Other Steve
Pirate

@Ash / AC / Linux v MSFT crew

Ash

"You won't be asked for permission. You won't even notice."

Oh, I'll notice all right. What with things being the way they are, and with a bit of hacker/cracker background in my dim and distant youth, I keep a fairly close eye on what's going in and out of my network and on what's running on my box.

Anything that I don't recognise or expect gets analysed and traced.

And when that happens, I'll fire up the suite of hard core reverse engineering tools that still live in my taskbar, dust off my rusty 1337 h4x0r skillz, and insert a fair sized gobbet of natural justice up the RIAA's digital rectum.

Install stuff on my router ? IDA Pro has a nice ARM disassembly mode.

And I won't be alone. There will be more and far better than me gleefully attaching their JTAG cables to their shiny new kit.

AC :

"And the fritz chip will not release the keys to a non-trusted OS!"

How about to a trusted OS running inside a VM running inside a debugger ?

I haven't tried this, so I couldn't comment.

"there is possible inaudible watermarking"

Inaudible != invisible to analysis though, and let's say they stego a per song key into the LSBs of the stream, fucking with those bits will also change the key. Maybe enough, maybe not.

And that's just off the top of my head. There are plenty of folks who will throw these and other, far more sophisticated ideas at the problem until it breaks.

To quote the always interesting Bruce Schneier "if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

As for the DMCA, pshaw. If you think making something illegal is enough to prevent people from doing it, you should definitely get out more.

Linux v MSFT :

<snip stereotyped blah>

Just stop it, really.

Smith plugs into wired police plans

The Other Steve
Coat

Apologies in advance

"me and my mate had been watching the stars in a field."

Really, does he take a keen interest in uranus ?

Mine's the long one with the poacher pockets full of stuff stolen from the scrapyard and the grass stains on it, ta.

US spooks see Sadville as potential terrorist paradise

The Other Steve
Happy

Aceeeeeed

Clearly the CIA still have a huge stash of LSD left over from their mind control experimentation days and are dispensing it freely at their strategy meetings.

Hmm, actually, that would explain lots of things.

US navy-v-dolphins judge says Bush can't overrule her

The Other Steve

@Chris W

Only women and 'gays' get lost ? Who sponsored that research, the Daily Mail ?

And a link, please, to your source.

You seem to be suggesting that heterosexual males universally have good spatial skills, which is provably false, and that such ubermenschen never get lost. Which is simply bullshit. I doubt the study you think you are quoting supports this rather bigoted opinion, which I hope, for your sake, is just flamebait.

Idiot.

Wikipedia ruled by 'Lord of the Universe'

The Other Steve

Oh no, not this time.

I'm not reading all that ! You got me last time with the five pager, but six is way too much pedia fiddling news for me.

I'll just assume it was good, and that wikipedia is still the premier site for finding out which characters were in each episode of the Simpsons, okay ?

Brown plans to admit wiretap evidence in court

The Other Steve
Black Helicopters

A small number of crucial cases ?

Would these be, by any chance, the ones where there is not one shred of evidence to indicate that a "suspect" has been involved with actual acts of terror, nor even their planning or commissioning on anything other than a fantasy basis ?

Step forward officer Kearny with his little tape machine and a recording of a phone call in which the suspect says "Do you know what mate, some days I really could blow that fucking parliament up, bunch of useless tossers so they are, and all you'd need would be [some unlikely explosive concoction from the Anarchists Cookbook] and a rigged motor." *

And suddenly, it's fifteen years in prison.

Or the ones where there's no evidence (q.v. previous), and step forward some RIPA enabled plod with a list of websites and google searches that include things like "TATP", "Fission Bomb", "Dirty Bomb" and the like. **

Those kinds of cases ? Those kinds of cases where the government seeks to lock people away indefinitely just for knowing or talking about things ? Hey hax0r fans, look! Curiosity really IS a crime, now.

Because if so, they can take their intercept evidence and stick it where the customs officer pokes his marigolds.

OTOH I understand that there are going to be cases where intercept or surveillance evidence really is going to be the *only* kind of evidence available against some very nasty people. After all, there's no need for a cell facilitator to ever touch, let alone possess, anything incriminating. All he has to do is put people in contact with each other, give the orders, and communicate with his own handlers.

Assuming that such people exist, fine, let's see the video and the stills, let's hear the phone calls and the conversations, and then let's put them in prison until they rot.

But for some reason, I just don't trust the current gov/spook/cop gestalt to get it that way around.

I would guess (complete guess, no relevant background) that such people are probably more valuable to the spooks while they are still at large, having access to multiple nodes of the network, which, if they are arrested, will (if the terror bods are sufficiently savvy) be disbanded, replaced, moved, or otherwise reorganised to hide the nodes and the links between them. Well, that's how I'd do it, anyway, from both sides.

* I'm sure many people have had this conversation, and even more sure that it's been had a lot more often recently, and yet parliament is notably undamaged.

** Such as, say, any journalist or curious individual who likes to research the stories behind the headlines might reasonably be expected to make.

SCO details bleak future

The Other Steve
Thumb Up

Probably not in first but ...

BWAHAHAHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHHAHAAAAAAA

Ruby project yields to Microsoft

The Other Steve
Coat

MS-PL

Ah yes that's the one that grants "a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create."

Which as far as I can see means that MS can take your contribution, include it in their commercial products, thus enhancing their value, and then sell them for squillions of dollars *.

Great, work for MS without all the tedious hassles of having to go to Redmond, sit in team meetings, have chairs slung at you by the lunatic Ballmer, or, erm, getting a salary. Oh hang on...

* Of course, you're free to try and compete with them, and as any fule kno, if you're an ISV who releases a product that's already integrated into Windows/VS/Office or whatever, people will beat a path to your door with great big sacks bursting with cash. Wait, no, erm, that's not... oh.

Local copper: Met secret police requested MP bugging

The Other Steve

Wilson doctrine my ass.

If our MPs are up to funny shit with crims or terrorists, damn right I want them surveilled.

What they should be screaming about is the fact that this can be done by the clearly paranoid and incompetent Met and their sock puppets without any oversight whatsoever. And I don't rate having to go to a CPO and ask as 'oversight'. Time for a FOIA request, how many of these requests were made, how many turned down ? How many involve the trigger word 'terrorist' ? In particular, how many 'subversives' are we bugging ?

Every single MP, especially the Labour ones, should be screaming that this is an abuse of executive power. Except thanks to RIPA, which they were happy to pass, it isn't!

Instead they whine that they really don't think such measures are called for in *their* particular case. Obviously this is because they are well known to be as honest as the day is long.

Stop sniggering at the back.

HMRC still waiting for EDS cash

The Other Steve
Thumb Down

Oh FFS

Minutes of the Select Committee on Government IT Projects :

Chairman : "Could the Minister from the Department of the Bleedin' Obvious give his opinion on how we can reduce the appalling costs and failure rate of our IT projects."

MotBO : "Well, from the point of view of my department, it seems that since a small number of suppliers, in particular EDS, appear to be involved in all the failures, and have a consistently poor track record on completion and functionality delivered, it would probably be sensible if we, you know, considered that perhaps they aren't up to the job. Probably we should refine our tender process and very seriously consider looking at other suppliers."

Chairman : "I'm sorry, I don't understand."

MotBO : <sighs> "Let me simplify that for you, our tendering process sucks. EDS are not corporately competent to bid for these systems properly, never mind deliver them. How's that ?"

Chairman : "Still not quite on board with you there, sorry."

MotBO : <grits teeth, clenches fists> "Listen, you fat useless idiot..."

Chairman : <calls the honourable gentleman to order, a brief scuffle ensues> "Well, I don't see that we're making much progress here today, I call this meeting to a close. Who's for a great big expensed lunch ?"

Brits can't distinguish history from the TV listings

The Other Steve
Joke

@Dave

"then you can safely conclude that this poll was performed during working hours."

I actually inhabit that mythical utopian nirvana of working from home *, and have done for almost three years now, and I'm not on the TPS list, despite having registered several times, and I can vouchsafe that no pollsters AT ALL have phoned me, ever. There's something suspicious about that. **

OTOH I usually don't have the TV on during the day, and when I do, the volume is turned down. In case any hippies are reading this, I should point out that my desk faces away from the TV, rendering this a total waste of energy, and I only do it so that your children will have to wander hungry over the barren, plastic bag strewn earth in the dystopian future.

* Yes, this really means that I don't have to wear pants if I don't want to.

** OK, not really. But when I used to work in a 'proper' office, (e.g. one where pants were compulsory) I used to get mithered all the time by people phoning up with annoying surveys.

Are your staff adequately trained?

The Other Steve
Heart

DotBO

As folk have already mentioned, it only seems obvious. It seems obvious to the IT staff, and very probably to their managers.

The real problem occurs when said manager goes to the Finance Director and says : "I need an additional 25k in my budget next year so we can send ten of our staff on three day courses."

And the FD replies with something along the lines of :"AAHAHAHAHAHHAHAHAHAAAA."

In big orgs with internal markets and cost centres and all that jazz, I've seen it even worse. In a multinational with USD 26 Billion turnover, developers were unable even to obtain technical books. They weren't authorised to spend anything, and nor were their team leaders. And even if they had been, they would have had to charge back to the 'client', because there was literally no budget (outside of headcount) for the dev team.

The departmental higher ups wouldn't order books either, because "If we do it once, we'll have to do it for everyone". Well Duh! At the same time, this org regularly fed its visiting external clients a buffet that included caviar. Yes, you read that right. From the cube farm where the dev team sat, they could quite literally sit and watch through the glass wall as the directors and their high value clients stuffed their faces with caviar in the meeting rooms. But somehow these same people couldn't pony up a few quid for a few decent manuals. Try, if you will, to imagine that as a motivator. * This may seem hard to credit, so I have to reiterate that they really did buy shed loads of caviar, which staff were able to verify because after these meetings were finished, the leavings would be placed in a staff common area for people to pick over. How thoughtful.

I blame the metrics personally, most places don't know how to measure what IT does.

There's no direct bottom line number for the bean counters to grasp. And that's about the only thing they care about. Let's say your dev team work unpaid overtime for two months and deliver a really good system that makes your sales team 50% more efficient. Where does that number go on the spreadsheet ? Under "Sales", obviously.

Bonuses all round for the sales droids, on top of their generous commission, and the IT team get bought a pint out of their manager's pocket. w00t!

There is a solution to this, also sponsored by the DotBO, and also so "obvious" that no one ever actually bothers to do it, which is to measure user experience (quarterly, or oftener, survey which you will have to design very carefully) and follow this up with frequent, formalised contact with stakeholders from your user base.

Every time I've implemented this, the result is a steady increase in the overall figure for "user satisfaction" or whatever you want to call it. (Seriously, you'll score points just for asking). It hasn't, yet, resulted in what the IT people always fear when you suggest this to them, e.g. a crowd of angry users wielding pitchforks and a huge backlash against the IT function. Yet. But let's face it, if your org is likely to go that way anyway, you really NEED to be doing this.

In addition, you get to go to the FD and say things like "Department X is going to want to implement a [some kind of system] next year" (remember you know this because you've been talking to them about their future plans and likely requirements), "we don't currently have the skills in house to do that, so as part of the project budget there will be a requirement for training in [some system]".

And this works, because you have also communicated this need to whoever goes into bat for Dept X, and who is now your best buddy, and will therefore push for the budget to be allocated because it's now her pet project, and she doesn't want her critical path being b0rked.

Of course it's not always quite as easy as I'm making out, but at least it gives you a metric that actually means something, and a stack of numbers which you can make pretty charts and powerpoints from, these are always helpful when dealing with bean counter types. You also build meaningful relationships and channels of communication with the people who matter most. Your users.

As an extra bonus, you get to write the process up using all the buzzwords that pointy hairs like, "empowerment", "ownership", "buy in" and all that bollocks. You can probably even get away with using "leveraging" and "synergies", possibly even in the same sentence.

While I'm busy pontificating, a handy hint for IT management types is that most decent IT folk (not the paper tigers, I suspect) are actually quite good at educating themselves. But you need to give them time to do it. Fridays are good for this, especially Friday afternoons when everyone would otherwise be slacking off and posting lengthy flames to El Reg in any case. Make every Friday, or every other Friday or whatever you can spare (rotate people if you have to) a Skills Development and R&D day, and watch your team's productivity go sky high.

Getting this past your next layer of pointy hairs will be the single most politically difficult task you will ever face, though. You may well have to settle for less, or something a little more flexible. That's OK.

* In case you're wondering, every single developer in that department applied for voluntary redundancy in oh, about the second round of "rightsizing". None of them were granted it. All their jobs were subsequently offshored to an Indian contractor. Nice.

Transport Dept. IT: 23 years late, £100m over-budget

The Other Steve
Flame

@Jason Ellis

London pays for the rest of the UK does it ? How's that then ?

According to the ONS, the UK population in 2007 was 60,587,000, while the population of London was 7,172,091. That's just under 12%.

Given that, it would seem that in order to support your hypothesis, every citizen in London would have to be paying squillions of quid each in tax*. I have the misfortune to have to visit London often, and given that it seems to have an above average stock of scruffy, ill educated layabouts, I find this fairly hard to credit.

Perhaps if your population were actually up to the task of getting their cheeky cokerney arses out of bed in the mornings, earning a few quid, and actually paying some taxes, your city wouldn't be such a filthy, piss stinking, congested scum hole.

Probably still be full of twats though.

PPOSTFU

*Can't find a figure for UK GDP just at the moment, my google-fu is weak today.

Gurus answer MapReduce young turks

The Other Steve
Paris Hilton

Key/Value pairs

According to the google bumf MapReduce "processes a key/value pair to generate a set of intermediate key/value pairs, and a reduce function that merges all intermediate values associated with the same intermediate key."

I'm too hungover to unpack that properly, but it sounds like exactly what an RDBMS does (q.v. Codd 1970).

At least, what an RDBMS does to a properly normalised dataset anyway. So for my money, there is a valid case for comparing the two.

<misty pointless reminiscence>

I recently spent about seven years working with (amongst many and various other things) various "SQL engines" and fairly humongous datasets and I don't think I ever saw a properly normalised dataset, it seems to be something that people have difficulty with. In fact, if I cast my mind back to the halcyon days of university, ISTR that most of my fellow CS students had difficulty wrapping their heads around the normalisation process.

Mind you, in all fairness, many of them were utter fuckwits in any case.

</misty pointless reminiscence>

Paris, because I'm badly hungover and talking bollocks, and this must be what she feels like most of the time, only richer.

Hamster-in-rain emergency prompts 999 call

The Other Steve
Joke

1 in 10 ?

If they think that having only one in ten of their calls being a complete waste of time and resources is bad, they've obviously never worked in IT support !

Shell IT staff disgusted at mega profits

The Other Steve

@AC

Not taking most of that flamebait :)

But :

"Or maybe they have forgotten that the vast majority of IT these days is boilerplate work - something you can train a new person to do without too much effort."

And therein lies the problem, there is a belief prevalent, even among those who really ought to know better, that IT can be reduced to this. And in fairness, there *ought* to be a certain amount of stuff that can be dumbed down far enough for this to be true, at which point you can start farming your tedious day to day tasks, like ad-hoc MIS reporting and suchlike, out to your users, where it properly belongs.

But in order to get to that point, you really do need people in your org who know what they are up to. That means proper training and experience.

Proper training, in whatever form, costs money, and creates people with a high value to the org, value which they rightly expect to see reflected in their pay packet. Experience means keeping people in house with skills and the domain specific knowledge that is so important to any large org. That means loyalty, which means making people *feel* valued (e.g. by paying them lots of money), or hiring experienced people, who are justifiably more expensive.

I agree entirely that there are far too many people in IT, especially in our benighted isles, who overrate themselves by quite a considerable margin (Web developers, I'm particularly looking at you), but then again, try running an org of any size without them.

You might think it's easy, after all businesses survived with nothing more than paper and ink for many hundreds of years, but now all your mission critical information is stored inside computers, which are complex, and therefore liable to behave, and fail, in mysterious ways which are entirely opaque to people without specialist knowledge.

For this reason alone, good, competent, IT people are worth their weight in gold. But much like plumbers, you only see them when things start to smell bad. Which will be soon, if you lose all your talent.

VOIP and the web baffle Brit spook wiretappers

The Other Steve
Black Helicopters

@David Harper - further to "urban (IT) legends"

Ah David. David, David, David. What is to be done with the self styled "geeks" who persist in propagating this evil meme ? A solid thwack with a clue stick is really the only answer.

If you spend about five minutes actually researching the history of ARPAnet, you will find that this is manifestly not true. For some reason though, the myth persists.

So much so that Charles Herzfeld, ARPA Director at the time ARPAnet was developed, is on record specifically refuting the notion that it was in any way designed to survive a nuclear strike.

http://inventors.about.com/library/inventors/bl_Charles_Herzfeld.htm

" ...The ARPAnet was not started to create a Command and Control System that would survive a nuclear attack, as many now claim. To build such a system was clearly a major military need, but it was not ARPA's mission to do this; in fact, we would have been severely criticized had we tried. Rather, the ARPAnet came out of our frustration that there were only a limited number of large, powerful research computers in the country, and that many research investigators who should have access to them were geographically separated from them..."

As for the internet as it is today, I don't much rate your chances of still being able to download Natalie Portman nip slip vids from youtube in the event of a nuclear strike.

There are several good books about the development of ARPANET and the subsequent growth of packet networking that evolved into the internet as we know it today. I politely suggest that you read at least one of them before you make yourself look daft in a public forum. Oh, wait...

(Black chopper (fnar!) because this story is obviously just spook propaganda)

Don't expect privacy law overhaul in the wake of HMRC

The Other Steve

RE : Well, what else do you expect?

Well, actually I expected a rash of knee jerk legislation, introducing new 'tough' laws to replace the perfectly good existing ones that weren't followed in any case.

The fact that they might do nothing other than (quite sensibly) review their procedures is actually quite refreshing in the context of the current apparat.

Sad, but true.

The 'blem wit' error messages

The Other Steve
Gates Horns

Personal 'favourite'

Many moons ago I was working on a now happily defunct public sector financial management app when we began to get reports of the following (fatal) error from windows 95/98. "Unknown error 5000001".

WTF ?

If it's unknown, how the fsck does it have a number ? What are the other 5000000 'unknown' errors ???

This was of course our brutal introduction to the hideous painful world known as DLL Hell.

From the other side, I often use fairly humorous error messages in code I've worked on, many times including the word "b0rk". If the user is looking at an error message, the least you can do is try to stimulate their sense of humour before they pick up the phone.

Hogging the Trough: The EFF Strikes Back

The Other Steve
Flame

Caveat Emptor (or, always read the small print)

As I have commented repeatedly, Comcast (and other ISPs) Ts&Cs are very, very clear on these issues.

If you didn't read them before purchasing the product, whose fault is that ? Yours, you stupid freetards.

Spirit discovers life on Mars

The Other Steve
Alien

OOOOOOOOOO LAAAAAAAAAAAAAAAAAA

No Alacrity, it's not just you.

The OLPC XO laptop

The Other Steve
Flame

Sigh

Clean water, medicine, doctors, food, decent infrastructure, pencils, paper, calculators, textbooks, teachers.

All cost money. Money, which in the most part is lent or donated by developed nations. Money which is then given straight back to the developed world via the purchase of OLPC units.

These important things are being sacrificed to the ideology of some bunch of space cadets who still, despite all the evidence to the contrary, believe that "wiring the world" will somehow make everything much better. Fail.

@Cheerleaders :

Textbooks go out of date ? Maybe your 1000 page .NET doorstop does, but the fundamentals don't change. Basic math and physics haven't changed much. Calculus is still calculus. And even tech wise, my copies of Knuth, Aho and Deitel are still just as useful as when they were first printed. And they don't need electricity and a functioning AP to remain useful.

We should forgive the system having bugs ? No. Not the kind of bugs that show up so easily. The kind of bugs that suggest a "Hey it compiles! Let's ship it!" attitude to quality control. Not when we expect poor nations to sacrifice their limited resources to shore up this misguided clusterfuck. Not when they then have to channel more of those resources in a no doubt never ending spiral of support issues.

It should just have worked. It doesn't. Fail.

Ignoring things like standard file system and storage metaphors in favour of some poorly thought out "visionary" GUI just goes to show that this project has never been about anything other than Negroponte and his fellow space cadets' egos.

Here's hoping the project dies soon, and developing nations are able to actually develop instead of being browbeaten into buying useless plastic tat from us. We should be truly ashamed that this has happened at all.

Military industrial complex aims to revamp email

The Other Steve

Sounds like...

...X400/X500 in a pretty dress (albeit a camouflaged one)

UK gov scraps '£1bn' prisoner tracking system

The Other Steve

@AC

"but you have a government staffed with people trained and experienced in formal methods and PRINCE2."

I'm afraid I have to correct that to :

but you have a government staffed with people who [ once read a website about ] formal methods and PRINCE2 [ and now think they are experts in the field ]

Although in all fairness, the outcome is more or less the same.

Why do women get plastered at fancy dress parties?

The Other Steve

Bound not to be first but...

Dr Clapp ? Investigating drunken chicks at sexually themed parties ? For real ?

Emacs diet for Visual Studio?

The Other Steve

Oh please god no

I'd rather eat glass than use EMACS and I'm pretty sure most EMACS users feel much the same way about VS, so I can't see what would be gained from such a perverse move.

On the other hand, MS like bloat, and EMACS is certainly a porker among editors. So who knows ?

Drivers on the phone face the slammer

The Other Steve
Stop

Yeah, but...

While I agree that anyone whose use of a mobile while driving endangers others should be prosecuted, why do we need a particular law ? Surely we have plenty of other laws that would cover this if they were being properly enforced ?

Driving without Due Care and attention should be enough to cover all manner of twattish behaviour behind the wheel, using a phone, fiddling with the radio, swatting at your unruly brats in the back seat, applying makeup, lighting cigs, reading the paper, having your stereo turned up so loud that people inside the houses you are passing can hear it, and so on and so forth.

If this law is not being enforced, what chance for a new, far more specific one ?

As for a few of the other issues :

The main reason there aren't more traffic cops is probably because the standard of driving in this country is so piss poor that we would need to build lots more prisons.

There is too a 'rabid' drivers lobby. These are the people who think being fined for breaking the law is a 'stealth tax', by extension so is a fine for public urination, littering or vandalism. Motorists aren't persecuted, they just offend a lot. Deal.

As a cyclist, I have to say that anyone riding while talking on a phone is a twat, since you really do need both hands to be properly in control, this is particularly so at low speed when the vehicle is at its least stable due to lack of forward momentum. Also, your steering is seriously affected by the position of your head and upper body. I fully expect some dickwad from the likewise rabid cycling lobby to contradict this.

As for getting your toes run over in the city centre by cyclists, you may want to make sure you aren't walking somewhere that's actually a designated cycle route, you'd be surprised where your local authority think it's a good idea to put these. Look out for post card sized blue signs on widely separated lamp posts. There's one here runs the length of the only fully pedestrianised street in the city, which (being the actual High Street), is also the busiest, most pedestrian choked we have. Unfortunately, the alternative is a dual carriageway leading to a three lane, four exit monster roundabout*.

If you're sure this isn't the case, get a boot in on the idiots from me.

*personally, I enjoy the cut and thrust manoeuvring, thrilling near death experiences and incompetent driver apoplexy that comes with maintaining proper lane discipline round such a beast in a world full of people who can't see you and/or don't care if they run you over, but it isn't to everyone's taste.

NHS frets over Brits' genitalia

The Other Steve
Paris Hilton

Oh FFS

Someone at the NHS should be shot for even allowing this to become a serious issue, never mind putting it to a reality TV style 'public vote'.

You can't teach anatomy or sexual health without showing pictures of todgers and the like.

If there really are people who would be offended by this, then tough shit, they deserve to be offended. In fact they deserve to be pilloried and ridiculed, pointed and laughed at in the street, and followed around by naked dwarf smurf impersonators until they are cured of their hallucinations of a Victorian morality that never existed in the first place.

Idiots.

(Paris, because she knows the score on this issue)

Data breach officials could be sent to the big house

The Other Steve
Black Helicopters

Stupid, pointless, ... or is it ?

Stupid and pointless for two reasons. Firstly because it's just another example of the incumbent administration's predilection for announcing new legislation as a panacea for every problem they experience, even when it's clear that existing legislation has not been enforced.

This is especially relevant with data protection issues, the MP who forced the FOIA exclusion for MPs business because some of his constituents' data was released in error for instance. In that case, had the existing DP regs been followed, there would have been no data breach.

Everyone who's worked for an org that handles large amounts of personal data knows that the DPA is given lip service at best, and that's being fairly generous. In the case of the HMRC data, the same appears to be true. Had the existing legislation (or possibly even the department's own guidelines) been followed, or even taken seriously, there would have been no problem. But it wasn't.

Proposing new legislation when existing legislation is not being enforced is a waste of everyone's time and money.

Secondly, the threat of a prison sentence is likely to ensure that the next time this happens we simply won't hear about it, or if we do, it will be impossible to find anyone who was responsible. Civil Servants (especially senior ones) are notorious for avoiding blame and responsibility, upon this foundation are successful CS careers built. You can bet that they'll muddy the waters even further in order to cover their own asses.

Of course, a cynical person could easily conclude that encouraging silence about, and cover ups of, politically damaging incidents is the intended outcome of such an announcement.