Posts by Mk4

Everyone is the administrator now!

I did a short stint at a car maker about 20 years ago (the one shortly to leave Swindon...) where the IT director had directed that no-one was to have administrator rights given to their normal user account as this was insecure, which to be fair is quite correct. However, there were about 100 developers working there. It was really not practical (time, people and knowledge all being in short supply) to think that these devs would be able to provide the list of granular rights and permissions they needed for every project, and anyway the necessary rights and permissions changed fairly frequently.

The IT director said that the devs should submit their request for whatever they wanted to do to the IT support team and they would do what needed to be done. Asking a bunch of basic IT support bods to do developery things just made messes and the overall problem was then even worse as these messes had to be cleaned up. The devs were under massive pressure all the time to release working things and the upshot of this situation was that in the end about 100% of the developers knew the domain admin UID and password. This ensured that all changes on all systems were totally untraceable to whomever had actually made them. Something I pointed out and advised that it would be better to give the devs local admin rights on all servers, then at least we could track those changes against individuals and the devs couldn't bugger up the AD. Did they pay any attention? No, of course not. They changed the domain admin password, which fixed the problem for possibly a whole hour.

What a nightmare that place was. They also used a Windows PC to do a nightly FTP transfer from a mainframe in the Netherlands, and the downloaded files would periodically and unpredictably be unusable. This mystery had been around for ages before I was asked to take a look and quickly found that they did not know that an EBCDIC to ASCII conversion was taking place during the transfer and even more quickly found that the default conversion in the FTP client was not quite right.

As so often the case...

The actions of the USA, their companies and organizations throw into sharp relief the benefits of being a Josette and Joe Public living in Europe, where things are run a little differently. Sure there are problems, but overall Europe is a cut above everywhere else on earth right now as a place to live.

Is it just me or has on-call gone quite a long way downhill in the last months?

I used to get a laugh or a giggle on a Friday but these days it just seems like "sexed up" very average stories of stuff that happens in IT.

Is there anybody out there?

I did the same thing, accidentally shutting down the file and print server for the London HQ of AT&T (this was a very long time ago, so I feel safe enough naming the company) at 14:30ish on a Thursday afternoon. I was not sure I had really hit "shutdown" until I saw all the lights go off on the server. Starting up was a slow process - the disk arrays spun up their drives sequentially and the whole thing was offline for 5-10 minutes.

We had all the big wigs in the building, the hundreds of staff etc. but there was not a single call logged. SMB mounts on clients would only have noticed if they tried to r/w while the server was down and obviously also no-one tried to print anything (or just tried it again 5 minutes later and it worked).

Not a truly impressive story I will admit, but in those minutes before I could check that everything was back online I was convinced I was going to get the sack. :-)

The US security services and law enforcement have never shown much respect for due process

I can imagine that US authorities will try to stretch the boundaries of the CLOUD act. They have the foot in the door - now they will try to lever it open. I can imagine that they will try to put pressure on MS US to get data held by MS EU in any way they can.

Time to bin the EPO and create a replacement

I think it's clear that the EPO is horribly injured and should be humanely euthanised.

Like people on a poorly led open source project, if the staff in the EPO were given the option to move to a new organisation I imagine they would take it.

I can see the talk in capitals around Europe being along the lines of "well, whatever we do let's not setup another supranational organisation like the EPO".

Battistelli is an unbeliveable c**t. The fact that the EPO has had this happen should make the states who are participating in this circus of scary clowns change the f**king rules by which this most important institution is run.

FFS - this isn't the dark ages and the EPO is not some kind of fiefdom to be abused at will.

Shadow IT accronym

"ShIT". Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!!!!!! "Shit!" Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!!!!!!! Ach! Feck, I've given myself a hernia.

Oh sod off

Go and read a few decent journals. Every now and again someone leaves USB sticks in a car park in a university (where all the clever and educated people are) and lo and behold... most people plug them in. Really? This is news?

Security as a domain of human activity needs to secure my and everyone else's normal behaviour, not make me contort my behaviour into some twisted version of itself. You don't build a building with doors and then act surprised when people try to use them. If a door should not be used it is either not in the building design in the first place or it is locked. Then idiots like me don't have to be given a list of doors that are there but that we must not use. This is not a perfect analogy, but then that's the nature of analogies.

Really?

I am from the UK and expat but unlike you I have spent more than 10 years in one developed country, not bouncing around many of them. I speak and understand the language (not natve level but my job is in English). I have now spent enough time here (just) to somewhat disentangle the national persona and stereotypes from individual people's personalities and get used to a host of ideosyncratic ideas and behaviour.

Before you write off the rest of the non-US world,think about how much time you spent in each place compared to the time you spent in the US growing up and normalizing your viewpoint with the rest of the US people around you.

I think the reason you didn't feel you belonged is that you didn't belong. When you do, you do.

opt-in, opt-out is missing the point

PNGuinn is being facetious but there is one point made that really important - it's personal data (my data and your data). It should be the property of the people it comes from, then many problems with questions about data access in the NHS and many other places become vastly simplified. Imagine the personal data is the property (in law) of the people it relates to. If someone wants a copy then it's equivalent to asking to borrow someone's property - if someone doesn't provide that permission then it's a criminal offence (like TWOCing) if they take it anyway.

Sure, this leads to a great deal of work to manage permission, but that's the same in many other spheres of human activity. Having a simple and clear principle to work from, that everyone can easily understand (not like DPA or GDPR) prevents a huge amount of discussion and interpretation (leading to massive variation across systems and industries). Not to mention pissing 8 million quid up the wall.

Personal data needs to be personal property

I've made this point a few times on El Reg comments sections. The problem is the starting point in all disputes regarding personal data, it is dealt with in the same way as all other kinds of data, but personal data is special. The Seagate employees are having to show that seagate was at fault, it is a similar story in all situations where personal data is deleted, given away, stolen, not available for discovery, etc..

Data relating to individuals should be the legal property of those individuals. It should be created, copied, modified, accessed and destroyed in the same legal framework as would physical goods.

There can be other legal provisions to make execs responsible for the proper treatment of personal data, but the starting point would be for Seagate as a corporation to be facing a criminal investigation for the loss of the personal property (of thousands of staff) that it held in trust.

Is this just a puff piece for Sec Consult?

There isn't any information showing that crims "hate him for it". Do they? How do you know?

There is a proper place for puffery posing as journalism and it's in those horrible spamfomercials that go to my work email address pretty regularly. Don't just recycle a report about this security conflab and pass it off as news.

I'd be interested in a properly researched piece with multiple unrelated examples of how this kind of defence is denting global crime. Is opening bank accounts really that hard? Where is the evidence.

Go and get some stats from Europol, Interpol, FBI, whoever, and work it out.

How to know when a corp. has pinched your code?

Frivolous cases aside, could the court order an independent and private review of proprietary code to compare it with the open source code it's supposed to have pinched from? Hang on a minute! I might be wrong but it's just possible this could be automated! :-D

The letter argues for the full implementation of the GDPR

Currently the differences between laws in EU member states mean thought has to be put into what needs to be done in different EU countries. With GDPR there is going to be greater parity between states, yes - I know it's not goint to exactly the same everywhere but a huge improvement on today when you, for example, compare Ireland and the UK. Ever had a chat with LinkedIn (located in Ireland) about your personal data expecting the same data protection rights as we have in the UK? I have and they don't exist (respectively).

If you want to have data moving freely between corporations in the EU then common rules seems to be a good idea. The GDPR will also make Europe the place to put your data if you want more than hollow words protecting your rights to this (your) data. Creating a strong regulatory framework for personal data is much the same as having strong regulations for accountancy and housing property ownership. Trustworthy regimes promote commercial activity. This will promote the growth of the digital economy in the EU, not hinder it.

BTW - Safe Harbour was not the predecessor of the GDPR. Directive EC/95/46 was. Enacted as, for example, the Data Protection Act in UK, Wet Bescherming Persongegevens (WBP) in NL and the "Pointless Piece of Paper" (PPP) in Ireland. Safe harbour was a self-certification scheme run by the US Department of Commerce so that US entities could pretend to provide the same level of personal data protection as we have in the EU. It was, frankly, bollocks from day one and the Snowdon revelations had nothing to do with that. Killing it has been a step forward.

I actually stopped caring about media about a year ago

Great - flash this, "spinning rust" that, compression, dedupe, blah, blah, blah. I really don't care any more. What I want is the major attributes of the storage presented to the user able to be independently modified without effecting any of the other attributes. On the fly. Using an automation interface. Performance (IOPS and MB/s), availability, protection level (data redundancy), versions (snapshots) frequency and retention, locking data with guaranteed integrity, encrypting data, off-site copy of data, off-line copy of data, geo-distribution of data, access permissions, metadata creation/modification, etc., etc. All of them, no exceptions and no mealy mouthed marketing bollocks.

Compare and contrast with compute. If we were having this discussion about compute it would be about the number of CPU cores, memory technology and bus speeds. The dicussions on compute are actually about containers vs. H/W virtualisation, devops, continuous integration, etc. It is time storage got out of the stone age and joined the rest of the world. Discuss.

... so, before we close the meeting. To maximize the sales potential we need you to make a version for men. When can we have that?

Bloody humans. Who the hell am I supposed to call?

A great mind in action

"before being software-defined becomes too vacuous a term to be useful", and then you thought about it and decided it's already too late - 9th June "let's kill SDS" article. :-)

Is this really what you think about storage?

Hi Dave,

You might have noticed that Samsung is making 3D NAND chips right now, and Toshiba and SanDisk are joint funding a 3D NAND fab in Japan. Martin Fink (HP CTO) has recently said that memristor DIMMs will be launched in 2016 and be in full production by 2018. So I would say that 3D NAND just won. If there was ever a race between them. Which there certainly hasn't been for at least a year.

BTW - NAND in it's current design is page access memory and memristor seems to be word (byte) access so can replace main memory. So they aren't really competing for the same use anyway - one is a disk replacement and the other is non-volatile main memory.

You should be interested in this stuff. For example a switch to non-volatile main memory will allow complete change in the way data is used. Think ccNUMA but accross a whole data centre (or wider).

It is a hugely interesting time in the world of storage at the moment. Articles like this do a massive disservice to a vibrant and fascinating area of IT, and one that should be supported by this esteemed organ.

Cheers

Mark