* Posts by Mike 137

3531 publicly visible posts • joined 10 Sep 2009

Strong electric car sales expected for 2024, but charging grid needs work

Mike 137 Silver badge

Re: while making registration and road tax for EVs cheaper

"Road tax should be based on how much it costs for maintain the roads"

In the UK, "road tax" (Vehicle Excise Duty) goes into the common tax pool -- it's not (and hasn't been for ages) dedicated to road maintenance. So the zero duty for EVs is merely a nudge to drive take up plus a nod to the "green agenda" (which is why older ICE cars get charged more).

Mike 137 Silver badge

"home electricity can be as low as 9p per kWh overnight on certain tariffs, compared with north of £1.50 per litre"

How many kWh per litre though?

Mike 137 Silver badge

Re: Cheaper

"Except that it's already faster to recharge an EV than a liquid fuel vehicle."

Faster than the three minutes max to completely fill the tank of my ICE? I'd never do daily top ups for it - just refill when half full or less.

If Britain is so bothered by China, why do these .gov.uk sites use Chinese ad brokers?

Mike 137 Silver badge

Re: There is absolutely no reason

"the parts of gov.uk I use - mostly HMRC and DVLA - are refreshingly free from any third party scripts"

Take a look at the (NHS templated) web site of your local GP surgery. You'll probably be surprised. See also a 2019 report on how widespread this is on sensitive web sites across Europe.

Miles of optical fiber crafted aboard ISS marks manufacturing first

Mike 137 Silver badge

Two issues?

The solution to the gravity/crystallisation problem I can readily understand, but how does manufacture in space affect the purity issue?

Microsoft really does not want Windows 11 running on ancient PCs

Mike 137 Silver badge

The trap

It's clearly in the interests of hardware vendors to promote the use of the latest changes in technologies as it perpetuates sales. It's less clear why software developers follow suit with such alacrity. Good engineering practice dictates that the simplest and most universally applicable solution to any problem is usually the best for the customer. But instead we are constantly forced to "upgrade" to carry on doing the jobs we were perfectly able to do yesterday. For example, I've encountered several business-significant web services that refuse to run on Win7 even in the same browser they run happily on in Win10. There seems to be no good reason for this, except possibly for the CV of the dev ("look, I'm at the bleeding edge"). But it's a bloody nuisance for the customer.

Tesla slashes vehicle and self-driving-ish software prices as shares plummet

Mike 137 Silver badge

"its so-called Full Self-Driving subscription[...] annual price [...] $8,000"

Even at the new "reduced rate", that's almost four times the entire annual cost of maintaining and running my reliable old Volvo -- just for enabling an "advanced feature set".

Australia secures takedown order for terror videos, which Elon Musk wants to fight

Mike 137 Silver badge

"... including freedom of expression"

Freedom of expression is not an absolute right, so His Muskiness really doesn't have an argument that will stand up to scrutiny in this case.

Over a million Neighbourhood Watch members exposed through web app bug

Mike 137 Silver badge

Literal interpretation?

" ... those who created the scheme could see all NW members in that area. The problem was that these coordinators crucially didn't have to pass an approval or verification process."

Clearly the developers misunderstood the purpose of "neighbourhood watch".

UnitedHealth admits IT security breach could 'cover substantial proportion of people in America'

Mike 137 Silver badge

What about one-time credentials?

"the criminal crew got into Change Healthcare's network via pilfered credentials for a tech system that permits remote access to its network"

As a really basic protection, any remote access for technical management should always use connection source validation and out of band generated one-time credentials so they're useless to an adversary. This is so fundamental! It amazes me that any business fails to implement it. Unless of course this breach really resulted from compromise of an already authenticated current session, which is a whole different issue. And then of course there's the question of whether the network segregation was adequate.

But as Major General Jonathan Shaw, late head of cyber security at the UK MoD, famously stated, “...about 80 per cent of our cyber problems are caused by what I call poor cyber hygiene.”

Voyager 1 regains sanity after engineers patch around problematic memory

Mike 137 Silver badge

Bingo!

"The solution was to break the code into sections, tweak them so they still functioned as a whole, and store them in different places in the FDS."

A colleague and I used this approach in the very early eighties, to upgrade ROM-based applications for Acorn computers (fitting 4k EPROMs). We looked for unused spaces, or spaces that could be released by simplifying existing code, that were long enough for a few new instructions plus a jump in and out, and broke the new code into fragments to fit.

Nice that the technique hasn't been forgotten in this age of coding while ignoring the hardware.

Google all at sea over rising tide of robo-spam

Mike 137 Silver badge

"out-AI the AI spammers, automating the business of finding and isolating the cheats"

"Two problems: AI is very resource-intensive and this risks joining cybercurrency in the business of boiling the oceans in an exponential megawatt orgy. The other is that there is no way to win, as AI spam develops the equivalent of antibiotic immunity. "

There's a third problem: given the ruthless nature of online commerce, such automation would almost certainly become weaponised to kill off competition.

Tesla Cybertruck turns into world's most expensive brick after car wash

Mike 137 Silver badge

Re: Grease?

"Something in the corporate culture musk prevent that knowledge from being applied"

Bean counting. 301 stainless is the cheapest and least rustproof alloy by a significant factor.

Zilog to end standalone sales of the legendary Z80 CPU

Mike 137 Silver badge

Re: 8-Bit Wars Redux

"while the 6502 kept it simple"

and was therefore the ideal first introduction to machine code -- maybe slower at math than the Z80 but quite fast enough for many purposes. In my day I built several sophisticated data logging and control systems using the 6502.

MITRE admits 'nation state' attackers touched its NERVE R&D operation

Mike 137 Silver badge

Mitre's call to action

In response to the attack Charles Clancy, Chief Technology Officer of MITRE stated:

"First, we need to advance secure by design principles. Hardware and software needs to be secure right out of the box.

Second, we need to operationalize secure supply chains by taking advantage of the software bill of materials ecosystem to understand the threats in our upstream software systems.

Third, we should deploy zero trust architectures, not just multi-factor authentication, but also micro-segmentation of our networks.

Fourth, we need to adopt adversary engagement as a routine part of cyber defense. It can provide not only detection, but also deterrence to our adversaries. Adversaries are advancing new threats and new techniques"

IMO the first three are absolutely essential and long overdue basics for infosec given the current threat landscape. The fourth I'm not so sure about, depending on what it means in practice. If it means maintaining up to the minute intelligence, that's also basic and long overdue, but 'engagement' has me a bit worried if it implies active counterattack (as some folks do seem keen on).

Microsoft is a national security threat, says ex-White House cyber policy director

Mike 137 Silver badge

"Microsoft has a shocking level of control over IT within the US federal government"

M$ has had an effective stranglehold over most organisations on the planet for decades now (not just over governments, although of course governments think they're more important than businesses).

Particularly now they're driving businesses into the "cloud", they can turn off your IT in many ways, intentional or accidental -- from rescinding licenses to driving incompatible 'upgrades' that kill your computers. But it's not just an M$ issue. The IT vendor community as a whole has long forgotten that it's there to provide a service to users rather than just to take money.

Researchers claim Windows Defender can be fooled into deleting databases

Mike 137 Silver badge

"The attack relies on the fact that [AV vendors] use byte signatures [...] to detect malware"

Using byte signatures? How utterly primitive! Yet another reason why we should no longer trust passive anti-malware tools. The only reasonably safe approach today is dynamic testing in a sandboxed proxy.

However, some malware has for a long time been able to detect whether it's running native or in a VM, so it's time this was addressed by better design of said proxies. In order to protect adequately, the tools used by the defence must be better than those used by the aggressor, but sadly the opposite is still frequently the case.

US Air Force says AI-controlled F-16 fighter jet has been dogfighting with humans

Mike 137 Silver badge

"If I understand well a computer has beaten a human in a computer simulation"

Actually, it seems to have been a real world flying exercise. They apparently integrated a simulator into the "AI" plane so it could learn while flying.

Mike 137 Silver badge

Re: war still primarily consists of human attrition one way or another until one side gives up.?

"Star Trek also gives us a few examples of where AI warfare may lead"

However there remain vast numbers of purely human ways to initiate and wage war without the need for "AI". It's a sad fact that some war or other has been waged somewhere on this planet continuously for a very long time, mostly using old fashioned technologies such as sharp things and bullets.

Mike 137 Silver badge

End game?

Ultimately, we'll have autonomous fighters on both sides -- expensive machines destroying expensive machines. A 1966 episode of Star Trek (A taste of Armageddon) presented a more cost effective solution -- simulated battles fought entirely on computers. The only snag was that the notional casualties on both sides were obliged to report to disintegrators as soon as the battles were over.

Unfortunately, for all the automation, war still primarily consists of human attrition one way or another until one side gives up.

Cybercriminals threaten to leak all 5 million records from stolen database of high-risk individuals

Mike 137 Silver badge

But ...

As the list ostensibly consists of profiles of "bad people", the greatest societal threat would seem to be fabrication of records about innocent folks, rather than leaking of real records.

185K people's sensitive data in the pits after ransomware raid on Cherry Health

Mike 137 Silver badge

There ought to be a rubber stamp for this

"We take the privacy of information in our care very seriously. At this time, there is no evidence that any of your information has been, or will be, misused. ..."

Why doesn't someone make a million selling a rubber stamp carrying this text? Preferably suitable for printing on toilet paper as this is really just a bum cover.

No evidence of harm is not evidence of no harm. And do they have a crystal ball to see into the future? In any case it's probably impossible to find out as any evidence of a connection between this breach and any subsequent fraud on some individual will be really tenuous.

EU tells Meta it can't paywall privacy

Mike 137 Silver badge

Not quite

'a Meta spokesperson said: "Last year, the Court of Justice of the European Union ruled that the subscriptions model is a legally valid way for companies to seek people's consent" '

The ECJ didn't rule on this -- it was an obiter dictum -- effectively a passing comment -- that any alternative to ads must be 'necessary' and the fee must be 'appropriate'. The statement did not therefore have the force of law to grant anyone the right to seek implied consent via a paywall. The ECJ has now apparently ruled to the contrary.

Devaluing content created by AI is lazy and ignores history

Mike 137 Silver badge

"it's better to start hard with legislation that can be relaxed later"

Except that in the UK at least, like the Pygmalion hurricanes, such relaxation hardly ever happens.

Mike 137 Silver badge

"fully artisanal human content"

Depending on one's pronunciation, that could sound almost Freudian.

YouTube now sabotages ad-blocking apps that stream its vids

Mike 137 Silver badge

Re: There's a middle ground

"How does anyone find this an effective way to sell .... anything"

The advertisers have been told it is by the brokers, there's no real way for an individual advertiser to confirm or refute this, and everyone is terrified of not advertising enough given the competition. In fact, particularly given the general inept approach to advert 'personalisation', it's not at all effective except for the brokers, who sit in the middle taking fees whether it really works or not.

But what site hosts fail to recognise is that anyone using an ad blocker wouldn't respond to adverts anyway even if they were presented.

Micron says it's first to QLC NAND with over 200 layers

Mike 137 Silver badge

"Endurance is also a weak spot for QLC flash"

There's also the crucial issue of data retention. All these multi-bit per cell devices use an essentially analogue data detection method -- QLC has to be able to discriminate 16 discrete voltage levels per cell. So the inevitable effects of charge leakage (albeit slow) will eventually be felt. The more 'bits per cell' the sooner that will happen because the differences between the bit levels are smaller, and 'error correction' can only do so much. Furthermore, the higher the device capacity the greater the chance that some leakage related data corruption will occur, simply because the target is bigger, so we're sacrificing reliability for convenience yet again.

Tesla decimates staff amid ongoing performance woe

Mike 137 Silver badge

Re: Decimated

"to kill a large number of something, or to reduce something severely:"

That's because English dictionaries (unlike the French) are descriptive, not prescriptive. So they reflect ignorant misuse of words once the misuse has become sufficiently prevalent. Unfortunately, the general tendency of such misuse is that numerous useful words with precise meanings lose that precision -- witness the common use of "impact" for any influence of anything on anything else. I got so fed up with that a while back that I spent about half an hour looking up alternatives, and found over 60 with nuanced meanings, that could replace "impact" and actually convey more information about how something actually affected something else.

Mike 137 Silver badge

Re: Decimated

""decimated", which means 'reduced by ten percent or more'"

Actually it means reduced by exactly ten per cent. It was a Roman military punishment for such offences as mutiny -- execution of every tenth man. Hence 'deci' (10 in Latin).

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Mike 137 Silver badge

Oh no - not AGAIN!!!!

"it's possible to use the credentials inside the Chirp Android app to effectively masquerade as the developer"

So the dev hard coded their test credentials into the app and they were left in when it was passed for release. Two absolutely idiotic mistakes. If it's representative of the level of understanding of, and attention to, security in the dev community (and I fear it is) we're doomed, we're DOOMED.

Why making pretend people with AGI is a waste of energy

Mike 137 Silver badge

Agreed

"I'm convinced that real intelligence comes from the fact that we are physical entities interacting with the physical environment around us"

Yes. As Bob Ornstein stated almost 40 years ago "the brain is primarily a body controller", which is why the classic 'living brain in a vat of goop' is purely the stuff of the movies. It couldn't operate.

Mike 137 Silver badge

"Then they go to school to get all the creativity beaten out of them with a big stick"

Primarily because the real function of 'education' is to achieve high exam pass rates (thereby justifying the function in political terms). This is achieved most economically by stuffing students with facts to be regurgitated into multiple choice exams. Exercising creativity is disruptive as it's an individual behaviour that necessarily distracts from the planned action of stuffing facts into the mass, so it's disapproved of. I remember being reprimanded by the tutor on a degree level 'experiment' session for asking how and why the experiment would work -- we were supposed to just follow the instructions and have it work without caring why. So the marks were for no more than 'following instructions'.

The results of this approach to 'education' are now showing very clearly -- a majority of folks who never enquire spontaneously into anything or act autonomously without being prompted at each step. And this is the population from which our future engineers, technologists and social leaders will be drawn.

Mike 137 Silver badge

Oh Wow!!

"Rather than trying to replicate humans with some kind of general-purpose artificial intelligence, Gill thinks we should look to the past to see what sort of systems we should be building."

The big concern is why it's taken so long for someone to say this in public. I would have thought it rather obvious that tools should be designed to fulfil requirements rather than being created blindly and then hunting for uses.

AI spam is winning the battle against search engine quality

Mike 137 Silver badge

"going after rouge debt collectors"

So I guess those debt collectors are in the pink.

96% of US hospital websites share visitor info with Meta, Google, data brokers

Mike 137 Silver badge

A well established problem even in the GDPR domain

This is far from a new phenomenon. Read this 2019 report to see how embedded it has become even within the geographical scope of the GDPR.

AI could crash democracy and cause wars, warns Japan's NTT

Mike 137 Silver badge

"AI could crash democracy and cause wars"

We hardly need AI to do that, as we already have Trump and Putin.

What happened to agility and new business models? Cloud benefits have all gone to IT

Mike 137 Silver badge

Re: The migration of IT workloads to the cloud is benefiting tech departments?

"I still haven't seen a good case for moving to “The Cloud”"

There are two good cases I know of:

[1] if your business has fluctuating resource demand, a service that offers dynamic allocation can be cheaper and more effective than equipping for the expected maximum locally (this was the primary original selling point for 'cloud')

[2] if you run an international organisation, a centralised cloud based provision can be cheaper and easier to manage than multiple on-prem data centres on different continents.

For the average national scale or smaller business, there's no real advantage in the long run. The illusion that being in the 'cloud' eliminates the need for local IT (and particularly infosec) staff is just that -- an illusion. And the bills keep coming in -- miss a payment and your business stops.

Mike 137 Silver badge

"The migration of IT workloads to the cloud is benefiting tech departments"

Maybe that should read "The migration of IT workloads to the cloud is benefiting CTOs" -- job still safe, costs (apparently) reduced, less personal exposure when the sh*t hits the fan.

Industrial robots make people feel worse about jobs and themselves

Mike 137 Silver badge

"What the authors found is that robots make workers feel worse – unless they control the robots"

We could have told them that a long time back -- ever since Henry Ford. The production line dehumanises because it's in control, not you.

Local councils struggle with ill-fitting software despite spending billions with suppliers

Mike 137 Silver badge

Re: Problems and solutions not welcome

@b0llchit "carefully integrate possible solutions into any existing processes"

With full recognition of and agreement with your footnote, in my experience many local govt. processes (both manual and extant 'electronic') are so badly designed that the first step should be to improve them as they stand, before migrating them to any new tech solution. But that never gets into the project plan so we finish up at best with shiny new implementations of inadequate processes.

Hotel check-in terminal bug spews out access codes for guest rooms

Mike 137 Silver badge

"Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

I'm amazed they even have a "security arm" as their general level of tech maintenance is in my experience appalling. Booking into an Accor hotel in a European capital on a business trip for a week a few years back, I found that the telephone and the wireless comms were dead and the kettle was burnt out. Reported immediately, but none were fixed by the end of my stay.

INC Ransom claims to be behind 'cyber incident' at UK city council

Mike 137 Silver badge

Re: The real question

"2. someone opens the wrong email attachment and/or link"

Technology can largely protect against that too, if you take the trouble (I've done it -- over a decade back). Email attachments from outside the enterprise should be actively AV scanned (e.g. by a sandboxed executor proxy) and any that can't be scanned should be dropped. Active links in emails that do not exactly match their text representation should never reach the desktop, all links in external emails and all web pages should be actively tested by a comparable proxy before delivery to the desktop. Our common reliance on the end user who is "the weak link" makes no sense at all. They're the last folks to have the expertise to make decisions about what is a legitimate or malicious link or content -- even we as security "experts" would have a hard job to do that consistently, particularly if tested under pressure of carrying out another unrelated job at the same time.

To become even reasonably secure we've got to move on from "someone to blame" to there being nothing much to blame anyone for, and a lot of that can be accomplished using appropriate technologies.
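The link check described in the post above, as an added example that is not part of the original post: a strict comparison of each anchor's `href` with its visible text, such as a mail gateway could run before delivery. The function names, the three verdicts and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that is itself a URL or bare hostname, and so can be compared.
URL_LIKE = re.compile(
    r"(?:https?://)?(?:[^\s/@:.]+\.)+[^\s/@:.]{2,}(?:[:/?#]\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def canon(url):
    """Return (scheme, has_userinfo, host, port, path, query), or None if unparseable."""
    has_scheme = "://" in url
    try:
        parts = urlsplit(url if has_scheme else "//" + url)
        # IDNA-encode so look-alike Unicode hosts compare as their xn-- form.
        host = (parts.hostname or "").rstrip(".").encode("idna").decode("ascii")
        port = parts.port
    except ValueError:  # bad port, bad IPv6 literal, or un-encodable host label
        return None
    scheme = parts.scheme.lower() if has_scheme else None
    return (scheme, parts.username is not None, host, port,
            parts.path or "/", parts.query)


def classify(href, text):
    """'match', 'mismatch', 'opaque' (text is not a URL) or 'non-web'."""
    if not re.match(r"https?://", href, re.I):
        return "non-web"
    h = canon(href)
    if h is None or h[1]:  # user@host form puts a decoy name before the real host
        return "mismatch"
    if not URL_LIKE.fullmatch(text):
        return "opaque"
    t = canon(text)
    if t is None or (t[0] is not None and t[0] != h[0]):
        return "mismatch"
    return "match" if h[2:] == t[2:] else "mismatch"


def audit(html):
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    return [(href, text, classify(href, text)) for href, text in collector.links]


def links_to_strip(html):
    """Strict policy: any web link whose text is not exactly its target is removed."""
    return [(h, t) for h, t, v in audit(html) if v in ("mismatch", "opaque")]


# Constructed sample message body (not taken from any real email).
SAMPLE_HTML = """
<p><a href="https://portal.example.com/invoices?id=7">https://portal.example.com/invoices?id=7</a></p>
<p><a href="http://login.example.net.other.test/">www.example.net</a></p>
<p><a href="https://www.example.org/reset">Click here</a></p>
<p><a href="https://www.example.org@203.0.113.9/">www.example.org</a></p>
<p><a href="https://Shop.Example.com">shop.example.com/</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit(SAMPLE_HTML):
        print(f"{verdict:9} text={text!r} href={href!r}")
```
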

Mike 137 Silver badge

The real question

What isn't clear (and probably never will be) is whether the council was actively targeted or merely fell victim of a scatter gun attack because its "security" wasn't adequate. I strongly suspect the latter, as was the case when the UK NHS fell foul of NotPetya. The biggest mistake we currently make is to assume that security is a technology problem. Almost all the big breaches that have been sufficiently reported to judge have been fundamentally down to sloppy management and poor decision-making. Out of interest, that's also been the root cause of the large number of near misses (and indeed some accidents) involving Western nuclear weaponry[1], so it's not an IT problem -- it's a cultural one.

[1] Eric Schlosser, Command and Control, USA, the Penguin Press 2013 [ISBN 987-1-59420-227-8]

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

Mike 137 Silver badge

Not just M$

From the CSRB report (page 6) "Cloud service providers (CSPs) do not always register and publicly disclose common vulnerabilities and exposures (CVEs) in their cloud infrastructure when mitigating those vulnerabilities does not require customer action. This lack of disclosure, which is counter to accepted norms for cybersecurity more generally, makes it difficult for CSP customers to understand the risks posed by their reliance on potentially vulnerable cloud infrastructure."

'Customer flying blind' seems to be becoming the universal vendor approach as systems get ever more complex and thus more vulnerable.

Turns out AI chatbots are way more persuasive than humans

Mike 137 Silver badge

Experimental bias?

"We recruited participants for our study through Prolific between December 2023 and February 2024, under the criteria that they were 18+ years old and located in the US. [...] The reference category is a Human-Human debate carried by a Male, aged 18-24, White, with a High School education, Employed for wages, Democrat."

While not immediately obvious what the overall spread around the reference category was due to the number of parameters, some of which are interdependent (see fig D4 in paper), the population of subjects is clearly not universally representative, so the study is only really valid for the population in question.

Apart from which, in an age of increasing verbal incoherence ("sort of like y'no") even on the part of supposed experts presenting on the media, the common level of persuasiveness is so low it would be hard for it to exceed that of a machine generating the most statistically likely word stream.

UK skies set for cheeky upgrade with hybrid airship

Mike 137 Silver badge

Re: Really???

"So it's an Arship?"

A heavier than air airship. But it's lighter than it would be without the helium.

CEO of UK's National Grid warns of datacenters' thirst for power

Mike 137 Silver badge

Re: Is it just me...

"an electric vehicle has a use in my life , large data centers less"

Except that your electric vehicle chats with its mothership all the time you're driving and that service is probably hosted in some large data centre. Without that connection, your electric vehicle may well either not work or have its performance downgraded. Every damn thing from your car to your toothbrush is now effectively dependent on large data centres, so they actually matter a lot to all of us while the "everything online" madness persists.

Mike 137 Silver badge

Re: > A nice view of a burning planet is preferable to a few wind turbines in some peoples minds

" ... the world is already doomed. No amount of CO2 reduction is going to save it now, we are well past the tipping point."

Citation (preferably more than one) please.

Belgian beer study acquires taste for machine learning

Mike 137 Silver badge

"beer flavors with higher rates of consumer appreciation"

Does this mean they'll taste nicer? Or just that more people will go for them (suggesting that they'll be more bland)?

Windows Format dialog waited decades for UI revamp that never came

Mike 137 Silver badge

Cat escapes from bag (again)

"We were porting the bajillion lines of code from the Windows95 user interface over to NT"

I remember attending a conference presentation in 2006 where M$ declared they were building "NT5" from scratch. Not exactly what really happened of course.