Re: Scuttlebutt in the tech community on twitter is that it's a BGP issue.
Starting to get corroboration of this in the media.
https://www.nytimes.com/2021/10/04/technology/facebook-down.html
45 publicly visible posts • joined 10 Dec 2010
Allegedly they stopped advertising their BGP routes for reasons unknown atm. They can't get in remotely to fix it because they can't route to the network.
Add to this that the security system that controls access to the building depends on their LDAP servers, which are inaccessible, so they have also locked themselves out physically.
Internal Comms are down because the corporate comms solution is FB Messenger and WhatsApp so no-one can talk to anyone else easily to come up with a solution.
This could take a while.
Not so much Resurrection as Resuscitation.
In the dim and distant past I did a stint as a support bod at a large London investment bank.
As part of their BC/DR processes we were scheduled to come in over a weekend to carry out a controlled power-down of the data center under simulated outage conditions: building power isolated, switch to generator power, fail over to the remote DC somewhere in Hertfordshire, onto battery backup (they had an entire sub-basement full of lead-acid batteries on heavy-duty racking) and then gracefully power everything down before bringing building power back online, recovering the DC and reconnecting to the remote DC to resync everything.
All went well with the shutdown; the UPS took the load as the building power was cut. Generators came online and ran for an hour before being shut down again, leaving the building on battery power while we ran through the shutdown routine for the DC.
The problem came when we started powering the kit back up. Most of the servers came back just fine, but the rows of cabinets containing a couple of hundred IBM PS/2s performing non-essential (i.e. not trading floor related) tasks remained ominously quiet. Turned out the last time they were shut down was 3 years previously during the last test, and 90% of them had failed to boot due to stiction. Cue myself and 2 other support staff, armed with rubber mallets from the FM stores, working our way up and down the aisles, pulling servers from the cabinets, opening the cases, whacking the drives a couple of times and putting them back in the racks to see if they would boot. We got them all back eventually but it was a lot more overtime than had been planned for.
Meanwhile we find out that as part of the roll-out of the changes in the Public Sector, the Civil Service Head of People (not a creepy title at all) was suggesting to Public Sector managers, in a letter to departments, that they should consider shopping contractors who left the Public Sector as a result of the changes to HMRC.
Copy of the Letter here - NHS Wales Website.
https://lnkd.in/gNNgreZ
Relevant paragraph on page 6.
"Hiring managers must discuss the contractor’s intention to stay with them. Permanent conversion or longer-term extensions to contracts beyond April may be attractive to some, offering role security. Hiring managers must also make it clear that by remaining in the public sector and having their tax affairs managed through payroll makes them compliant with the off-payroll rules. If it appears they are choosing to go and work in the private sector to simply maintain ‘outside of IR35 status’ you could consider informing HMRC, who may take action to investigate the contractor’s tax affairs further. "
The currency markets aren't the problem here.
In order to use Cryptocurrency to actually buy or sell things you have to have bought them with fiat currency at some point, unless you are in the fortunate position to have mined them yourself, but that puts you in the extreme minority.
In the real world fiat currency, from an individual point of view, is very, very stable - Venezuelan hyperinflation etc. being edge cases. If you buy something for £X today then you should be able to buy the same thing for £X tomorrow, sales, discounts etc. notwithstanding. Real-world prices are largely unaffected by the currency markets, and when they are the effects are minimal: a few percentage points either way at most, and most of the time these fluctuations are absorbed by manufacturers and vendors in order to retain customers.
If you buy cryptocurrency for £X today and then buy the same amount tomorrow, X is going to have a markedly different value and you will get a different quantity of cryptocurrency for your fiat currency. This means that the effective price you pay for a thing with Cryptocurrency will vary dramatically based on the fiat value of the cryptocurrency at the time you acquired it. This matters because in order to realize the value of your cryptocurrency you either have to convert it into tangible assets or back into fiat currency directly.
If you buy £5000 of Bitcoins today and tomorrow you use that to buy gold, then there is a good chance you will get less gold for your Bitcoins than you would if you had just bought it with £5000 in fiat. Of course there is also a chance that you will get more than £5000 of gold, but that's the gamble with cryptocurrency: it's all speculation driven by a very volatile market that is open to manipulation by individuals or groups of individuals with the ability to execute very large transactions.
Until the real world value of Cryptocoins against assets becomes protected from the speculative value and achieves real stability they will remain an investment tool rather than a day to day currency.
Maybe try reading the report. In particular the selection of witness statements here, including a locum social worker and jobbing IT freelancers. We are not talking about high net worth individuals or celebrities.
https://publications.parliament.uk/pa/ld201719/ldselect/ldeconaf/242/24217.htm#_idTextAnchor122
You have also completely misunderstood the legislation. These were employment agencies signing up workers and paying them through these schemes, not the workers' own companies, assuring them that HMRC were aware of them and that they had been approved by legal experts.
HMRC have been aware of these schemes for over a decade and they had been declared under the HMRC DOTAS process. HMRC chose not to do anything about them. They are now not chasing the scheme providers, but the individuals who were signed up to them, many of them unaware of the arrangements or accepting the claims of the scheme providers.
This is no different to the Govt. deciding to raise income tax by a penny, backdating it 10 years and then demanding that everyone pay the extra tax, despite the fact that they had paid everything they were supposed to at the time, and then charging interest and penalties on top. With no means of appeal.
"As for actual data processing, Article 6 provides for the lawful processing of data where "processing is necessary in order to protect the vital interests of the data subject or of another natural person"."
On a technical note re. the article: Article 6, Para 1(c) does set out the use of Vital Interests, however this needs to be read in conjunction with the relevant recital, in this case Recital 46.
https://gdpr-info.eu/art-6-gdpr/
https://gdpr-info.eu/recitals/no-46/
This clarifies that Vital Interests should only be used where no other Legitimate Basis can be relied on and processing "is necessary to protect an interest which is essential for the life of the data subject or that of another natural person", such as "humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."
The intent for Vital Interests is that it should only be used in life saving situations where no other form of consent or other basis is available. In this case that would be difficult to prove.
Article 5(e) is the applicable reference here as you point out.
https://gdpr-info.eu/art-5-gdpr/
"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; "
It also includes archiving in the public interest, scientific, historical or statistical research.
Since the purpose for which it was collected was to prove legitimate and lawful arrival in the UK for the data subjects and their dependants, then keeping records for 75 years or longer would be perfectly reasonable.
What makes you think they are not "messing" anyway?
If you are on the web and are of even a passing interest to the security services then this has been done to you already, they just haven't told you what they found. In this case they will tell you, and how to fix it, but only if you are a Public Sector body.
The service is essentially the same as you would get if you paid a professional testing company to do an external scan of your services; it's just been automated a bit and made available to Public Sector organisations for free. Along the lines of the Qualys SSLLabs service but with extra advice and guidance on how to fix what's found.
If you're looking for an excuse to break out the tinfoil headgear, this isn't it.
@h3nb45h3r
It's not your phone that anyone would be interested in.
What about journalists working in repressive regimes, human rights activists trying to prosecute those in authority, whistleblowers in authoritarian governments.
Any of these and more could have their lives and work compromised by those in authority who want to shut them up by getting "evidence" from their phones.
I doubt the company selling these devices will be particularly fussy about who they sell them to. You may not have much to worry about but many, many others will as a result of this.
Re: Sick Pay
What we are talking about here is not Statutory Sick Pay that you get when signed off sick longer term, but getting paid for the odd days here and there that you ring in sick for.
A permie off for a couple of days with the flu or a dodgy belly will still get paid. A contractor doing the same won't be. No workee, no payee.
No, Corporation Tax is on profits, not turnover.
So take out:
VAT,
Salaries,
Pension contributions
Costs
That leaves taxable profits on which 20% is paid.
What's left after that is profit available to the business for reinvestment or disbursal as dividends to shareholders.
Dividends attract a minimum 7.5% tax for receipts over £5000 at the basic rate, rising to 32.5% at the higher rate.
The dividend tax allowance was abolished 2 years ago so corporation tax paid can no longer be counted against income tax. In effect it gets taxed twice.
Where did you get that information from? If you didn't collect it directly from the individuals then you are not the data controller and you don't need to worry about consent. That's down to the customer who provided it to you. In that scenario you are the Data Processor. You still need to be compliant but the rules are slightly different.
Even if you are the controller you don't automatically need consent; that's just one of the possible criteria for the Lawful Basis for processing. You do need to work with those customers at a business level to ensure that they pass on the appropriate privacy notices to their employees that explain why you are holding their data and what you intend to do with it. You also need to be able to respond to SARs from them and delete data under RtbF.
The first thing you should be doing is getting the lawyers to give you a view on your status as Controller or Processor for the different data sets you hold (assuming you know what they are). Everything else follows from that.
What's going on is that Transmission was specifically targeted by the scammers in the knowledge that it is widely used around the world. Exactly how they managed it remains to be seen, but fundamentally they set out to break into the distribution of Transmission and upload a malware-infected version signed with a revoked but otherwise legitimate-looking developer certificate.
You can put the tinfoil hat away. There is no great conspiracy here. Just a particularly cunning exploit of a popular application by scammers looking to make money.
We have Bitlocker with a boot password here, however many users simply hibernate their laptops instead of shutting them down as the startup process is so slow.
Would this work if a stolen device had been put into hibernation, even with a boot password?
Yes it is. However, as others have commented, the real issue here is not that the OWA service was used to gain access to domain credentials, but how the offending DLL was installed on the server in the first place, and how the server config was manipulated to load the malicious DLL in place of the legitimate one. That was the cause of the breach; everything else was the effect.
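Both the trojanised Transmission build and the swapped-in OWA DLL are the same defensive problem: a binary on disk that is no longer the one the publisher or the installer put there. As an added example (not code from either post, nor from the Transmission project or Microsoft), the following Python shows the two checks a practitioner would want: a SHA-256 baseline of a known-good install audited for replaced, dropped or missing files, and a download verified against a digest published out of band. All file names, contents, digests and the simulated tampering are constructed for the demo; the real artefacts are not named on this page.

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.

    In production this manifest is taken from a known-good install and kept where the
    server cannot write to it (or signed); an attacker who can replace a DLL can
    otherwise rewrite the baseline too.
    """
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the baseline: files changed, dropped in, or removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def verify_download(path: Path, expected_sha256: str) -> bool:
    """Check a downloaded installer against the digest the vendor publishes separately
    from the download itself. compare_digest avoids a timing side channel on the compare."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_sha256.lower())


def demo_server_audit() -> dict[str, list[str]]:
    """Constructed scenario: a known-good web tree, then one module replaced and one dropped in.
    File names are hypothetical, not the real module from the OWA case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "auth_module.dll").write_bytes(b"legitimate auth module, build 1")
        (root / "bin" / "owa_module.dll").write_bytes(b"legitimate owa module, build 1")
        (root / "web.config").write_text("<configuration/>")
        baseline = build_baseline(root)
        # Simulated tampering (constructed bytes, not a real sample): overwrite one module
        # in place and add a module that was never part of the install.
        (root / "bin" / "auth_module.dll").write_bytes(b"replacement that logs credentials")
        (root / "bin" / "dropped_module.dll").write_bytes(b"extra module")
        return audit(root, baseline)


def demo_download_check() -> tuple[bool, bool]:
    """Constructed scenario: the same 'installer' checked against the right digest and a wrong one."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "installer.dmg"  # hypothetical download name
        pkg.write_bytes(b"installer bytes")
        published = hashlib.sha256(b"installer bytes").hexdigest()  # stands in for the vendor's page
        return verify_download(pkg, published), verify_download(pkg, "00" * 32)


if __name__ == "__main__":
    print(demo_server_audit())   # {'modified': ['bin/auth_module.dll'], 'added': ['bin/dropped_module.dll'], 'missing': []}
    print(demo_download_check())  # (True, False)
```

The audit only tells you that something changed, not whether the change was malicious; the value is that a replaced module shows up as `modified` even when it is code-signed, which is exactly the case a revoked-but-plausible certificate is meant to slip past. A signature check (for example `codesign --verify` on macOS or Authenticode on Windows) is the complementary control and must include revocation checking to have caught the Transmission case.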
No they don't.
In the Public Sector there are rules that say if you are in a contract for more than 6 months, paying more than £200 per day then you have to provide evidence to the client that your Tax and NI payments are compliant with IR35, either inside or outside.
If you work in the same general location (whether in the Public or Private sectors) for more than 2 years then you can no longer claim travel and subsistence costs. Location is very broad, so 12 months with one London client followed by 18 months with another London client would be caught by this rule (30 months in one location). If the commute doesn't fundamentally change (next client is in Leeds, for example) then the rule applies.
Other than that there are no restrictions on how long you can contract with the same client, nor is length of engagement an indicator of your status under IR35.
There is such a service in place.
FCO Services (the services division of the Foreign Office) provides and supports a formally accredited application services platform that includes Office 365, delivered via the PSN and Internet, specifically for use with material that may need delivering to out of the way places and embassies in countries that may be somewhat less than respectful of our National Security. Or simply for handling more sensitive material at home.
No, a vehicle of interest is one that has been reported stolen, has previously been associated with criminal activity, or is connected to a known or wanted individual. There is no link between the ANPR database and the DVLA systems for tracking registration, MOT etc. If a vehicle is stopped these can be manually checked, or they can be checked if a vehicle is reported for other reasons.
You might want to have a read of this then.
https://www.police.uk/information-and-advice/automatic-number-plate-recognition/
"How it works
As a vehicle passes an ANPR camera, its registration number is read and instantly checked against database records of vehicles of interest. Police officers can intercept and stop a vehicle, check it for evidence and, where necessary, make arrests. A record for all vehicles passing by a camera is stored, including those for vehicles that are not known to be of interest at the time of the read that may in appropriate circumstances be accessed for investigative purposes. The use of ANPR in this way has proved to be important in the detection of many offences, including locating stolen vehicles, tackling uninsured vehicle use and solving cases of terrorism, major and organised crime. It also allows officers’ attention to be drawn to offending vehicles whilst allowing law abiding drivers to go about their business unhindered."
The 2007 attacks on Estonia were in 2007. That's 8 years ago now, and since then there have been no similar incidents affecting that country. Lessons were learned from those attacks, not just in Estonia but across NATO. Estonia now hosts the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). In the last 8 years Estonia's digital society has survived and prospered; it has not resulted in the loss of services or other disruption.
ANPR in the UK only provides information on vehicles that are already flagged as being "of interest" to the Police. If they stop a vehicle that is not already on the system they have to request a specific check be carried out before they can take action. This means multiple calls to DVLA, Insurance Companies and others. The Estonian System is real time, see the number plate, check the records, take action.
Estonia didn't start with a clean slate; they started from the same position as most other European governments, including the UK. What they did was deliver what UK politicians have been promising and failing on for years: to take the disparate government systems and integrate them in such a way that data exchange becomes a practical and realistic proposition. There was no rip and replace process; they used middleware technology and services to allow them to communicate in a meaningful way, as well as delivering brand new services such as the e-ID system. It worked because they had clear principles from the outset and they stuck to them.
All of this is possible, what it takes is political vision and the will to follow it through. Having a proper understanding of delivering public IT systems and being able to properly run procurement and contracts would help as well. Sadly successive UK governments seem to be unable to do any of these things.
It's about the contracts and procurement processes.
Govt. procurement is simply not up to scratch when going up against the big suppliers. Their commercial and contracts people are far more experienced and far better at negotiating contracts than the civil servants are. This is why you end up paying for decommissioned sites, because no-one thought to put a clause in the contract that meant you didn't have to pay for stuff you didn't use any more.
It's the same across the board. Look at the excesses of MoD spending caused by badly drafted contracts. Or spending on NHS supply contracts rather than IT.
Those pointing out how smart they were about renewing early etc. are missing the point. The old system worked very well and had done so for a number of years. Even if you left it to the last minute it was one of the few Govt. services that could be relied on to work when you needed it.
Whatever the fucktards at GDS did, they broke what was previously a perfectly good service.
Except they aren't.
Rule one only applies when your customer can go elsewhere. Like it or not, there are no practical alternatives for enterprise class operations who want to maintain continuity for their desktop environments. Despite all the discussion about porting to Linux or use of VMs or compatibility modes etc., in practical terms these are as much if not more work to implement in the current timescales than going down the MS upgrade path.
Realistically, if you wanted to get off the Windows merry-go-round you should have started planning the jump 5 years ago when MS extended the end of life to 2014. You'd be about ready by now if you had.
As far as MS are concerned in this, Rule One can go screw itself.
You can whinge all you like about whether MS is right or not to do this, it doesn't change the fact that they are doing it. They told the world they were going to do it, gave the world an extra FOUR YEARS to deal with it and now everyone is getting all upset that they are actually doing what they said they were going to do 12 years ago.
The number of XP desktops out there, still in daily production use, indicates that the IT world has had its head up its collective arse the whole time.
Whinging about it and claiming the customer is always right is just the verbal equivalent of ramming it that bit further up there, when push comes to shove you're still going to end up eating shit.
This isn't embarrassing for MS at all.
They announced end of life of XP in 2002. 12 Years ago. They refreshed the date in 2008, 6 years ago. The only people this is embarrassing for are the ones who have sat on their hands for over a decade and done nothing to plan for the change.
2002 - Windows XP EOL announced as 2010
2008 - Windows XP EOL extended to 2014
2009 - Windows 7 released
2011 - Windows 8 released.
2014 - Windows XP EOL.
So EOL on XP was announced 7 years before Windows 7 was released, and Win8 hadn't even been announced. Windows 7 has been available for 5 years and Windows 8 (for all its issues) has been available for 3 years.
So again, how exactly is it embarrassing for MS that end customers haven't pulled their heads out of their arses and done something about it in spite of having 12 years to plan for it?
The "problem" comes down to one of risk management. What is the risk to the assets involved versus what access to those assets is worth to the organisation and what it would cost them should they be compromised.
Once you have an understanding of the risks and costs you can start to look at mitigating those risks and the cost of mitigation versus value of the assets and the benefit of allowing mobile access.
In technology terms the solutions are already out there, the question is; do they provide a sufficient reduction in risk to justify the expenditure against the business benefit?
This isn't a case of opportunist hackers this is serious organised crime getting involved.
It works because anyone can apply for a carbon trading account subject to some basic, but it seems easily faked, background checks.
The mechanism is that they will compromise a legitimate trading account and transfer the carbon certificates to one or more compromised accounts or companies in other countries. Most have been in the former Eastern Bloc countries. They end up in a dummy which is then used to sell the certificates on the open spot market, and the resulting cash is siphoned off.
Because the only identification on the certificates is the serial number, and the only way to check ownership is to go back to the original issuing body and follow the trail of trades associated with those certificates, traders assume that possession is proof of legitimacy. Once the certificates have been stolen the thieves disappear with the cash. The whole issue is compounded by the fact that in a number of jurisdictions there is no requirement for the purchaser to return goods when they are shown to have been stolen.
By the time the whole mess is sorted out, ownership proved and the trades traced the perpetrators are long gone.
The carbon trading market is a reality. What is also a reality is the laughable level of security in place around what is a multi-million Euro market.
Account security is limited to a pre-generated user ID and passwords on a 90 day expiry. No tokens, no additional verification of identity, just a simple account that lets you trade millions of carbon certificates. Apart from a rather perfunctory plea not to answer phishing emails there is no further advice on the registry website on securing the accounts or managing access.
For something this valuable (Holcim Romania lost something in the region of 20M Euro) you'd think they could put in some decent security or at least offer advice to their account holders.
Same glass but fill with crushed ice first.
Brown or green booze in first (Tia Maria, Kahlua / Midori, Crème de Menthe)
Baileys
Curaçao
Black Vodka
The Ice makes it easier to layer up the drinks and adds some texture to the whole thing.
Slice of Lemon for the sun and a straw. Then drink. Carefully.