In a good world, Google Apps would collaborate with OOo, and we'd get OOo with use anywhere functionality. You can use it stand alone, or when away from the office/home/computer you can use your data via web based tools.
So in other words, would this mean that Google should open up the API for its remote file system where Google Docs stores things? (Or does Google already allow this? I haven't been following these things lately.) Then the OpenOffice folks could add a driver for saving/loading to Google's servers... and Google Docs supports OASIS formats.
It'd probably open Google's storage up to being abused, but they could probably run some heuristics on stored data to check that the documents people store are actually documents.
I had a Nigerian colleague once and he told me you get nothing done in Nigeria without paying the right people. So actually this is not news (and certainly not a story;):) ), but normal business practice.
It reminds me a lot of the service industry in places where there are heavy tipping cultures. What starts as a way for people to express gratitude for good service has often become an expectation from all sides to avoid getting crappy service. Eventually people in the service industry never get paid well because they're expected to get the rest of their salary from customers, and the customers know they'll get treated badly if they don't fork out extra money.
It's exactly the same pattern as corruption, anyway: employees don't get paid enough to live on, because there's an expectation from all sides that they'll blackmail it out of the people they deal with directly.
I haven't been to Nigeria but it sounds similar to a variety of other places. Once people are poor enough and the government is corrupt enough, bribery becomes acceptable and the whole thing is self-fuelling.
Jobs where bribes are likely become highly sought after. People won't get paid much in those positions because employers already know that they'll make up the rest from bribes, and people who bribe them accept it because they'd just as happily take a similar job and do the same thing if they could, since they can't do anything to change it.
I'm not 100% sure that avoiding doing business in highly corrupt countries is the complete way to go. In some ways it seems that influence from businesses used to less corrupt environments is what might finally change things. Exactly how much a company like Microsoft should play by Nigeria's rules is a difficult question -- it's also at their own risk, because if they're not careful, another corrupt official could come and screw them over or extract more and more money from them for a random reason at any time. As long as corruption continues to exist, though, it'll always be a gamble trying to promote something like Free Software in a country like Nigeria.
From my perspective at my own work (where we tend to write smallish apps from time to time that are usually based on DotNet), I'd guess that if we were writing software that needed to generate documents that'd open in MS Office, the fastest and easiest way to do so at the moment is probably to use the OOXML SDK (yuck).
If there's something similar for ODF, we'd definitely at least look at it, especially if it ended up being easier to work with. With Microsoft at least claiming they'll support ODF with MS Office, it might easily be enough to go with, without even requiring OOXML support at all... especially since ODF is supported by a much wider range of apps than just Microsoft Office. At the very least (if I was writing it), I'd make a special effort to keep things flexible and make it as easy as possible to switch between SDKs and generate ODF documents if and when they were wanted.
You can travel fairly easily around Europe and visit any number of different countries by just driving or taking the train. On this continent, we have the United States, Mexico and Canada. That's it. Those you can get to easily enough, but international travel is significantly more costly. Most of us just can't afford it, much as we would like to.
I do think it's a lot to do with wanting to go somewhere. I've grown up in New Zealand which is a small country (~4 million people) about as far from everywhere else in the world as it's possible to get. The average salary is probably at best half the average of most places in the USA once you do the conversions. This is fine if you're staying here because cost-of-living tends to be less, but it makes travelling hard.
All of that aside, it's very common for young people here to go overseas for a year or two, either as soon as they leave school or after they graduate. It's usually to Europe because there's a perception of so much variation in such a small space, but I've known people who've gone all over the place, and there's a lot of support for helping people to figure out where they're going, how to get there and how to support themselves.
Money's usually an issue, but we're fortunate enough that NZ has arrangements with other countries to let young people have working holiday visas under certain conditions, and people will often make the money in the country they're planning to spend it while they see the place. Some people will leave here without much more than a return ticket and enough money for the first few weeks while job-hunting. We also get lots of people from European countries visiting NZ, as well as the occasional Americans. And then after a year or three of travelling around and seeing places, people tend to come back home and they tend to be better for it. Some people stay where they are because they like it more.
If you don't grow up in a culture where it's normal for people to simply figure out how to get out of the place they started, though, I can see why it'd be difficult.
Exactly, it's a pointless thing to talk about, unless it's a joke, because nobody really knows what it means or how we'll know for sure if any given year actually is the year of Linux on the desktop. It is just a catchy thing to say, but it seems to get a lot of attention all the same as if there's some kind of substance to it.
I don't personally care about it that much -- I use a linux-based OS for my desktop and my laptop. It works nicely for me and that's enough for me. Does that make it the "year of Linux on the desktop"? (Probably not.) What about if a million kids in a poor country with a corrupt government use some kind of linux-based distro on cheap laptops? Some people might say 'yes' especially if they live or work in one of those countries. Does it mean that 80% of hardware companies need to be shipping and supporting usable linux drivers with their hardware, and do the drivers have to be open source? Do 50% of OEMs need to be installing linux-based distros on their systems? If so, do the installed distros have to be 100% compatable with the hardware? Will it be the "year of Linux on the desktop" when everyone's using 100% open formats and open driver specs, making it much easier for people to switch their desktop OS even if they choose not to?
If and when people talk about it seriously (which seems to happen a lot on Slashdot and elsewhere), they should really be doing it with some specific definitions in mind, because otherwise it's just meaningless waffle. If there's an interest in being serious about it, then people should give it some clear metrics with a standardised citeable definition that can be measured so we'll actually know if it's been achieved. It might be that things get to that point and people still aren't happy, in which case there will be a new goal to chase after. The post I responded to earlier was funny because it is a joke, even though a lot of people still don't seem to see it that way.
I know you're joking, but there will never be a Year of the Linux Desktop until there's a clear definition of what it actually means. If it's not measurable, there's nothing to aim for and it'll forever just be a joke.
That's harsh. I've seen the business change it's mind to the point that all that was kept was the project name (and wonder why it couldn't be delivered on time). I've also seen changes driven by legislation or changing business conditions that could not have been predicted.
I agree, but it does sound as if the submitter's feeling some kind of responsibility for decisions that were made... as if re-using or coding from scratch might have actually made a difference. The only way you could have known that from the start is if you knew enough detail from the start. Perhaps it could have been possible to probe for more, or maybe it wasn't there.
I've been involved in a project which had some complicated statistical uses. The customer expressed them in terms we could understand (as developers) and we communicated back exactly what we were doing. Because it was pretty new stuff, though, they really only figured out half way through that quite a radical change was needed which had a severe effect on our beautiful architecture and introduced all kinds of complications for working with the existing code-base.
It could easily just be a communication issue with saying "too bad" to the customer, and giving them the choice of the original requirements, or scutlling 75% of the work to start again. (And then would it happen all over again?) What's really important, though, is both that they understand the detail of exactly why this has to happen, and that they're helped to provide useful and more-likely-correct information the second time around. For us, neither was an option and we ended up just putting in a couple of icky hacks which make the code less maintainable and probably less memory/speed efficient than it could otherwise be, and the customer was accepting of this.
Rather than asking whether it's better to re-use or not to re-use, it sounds to me as if the submitter should be asking about whether it would have made sense to spend more time gathering requirements at the beginning or not. There's not really enough information provided to determine this, however.
Why is it that whenever something like this gets *found*, the person doing the finding always understands what's on it? If any of my typical pub going friends and relatives found this the chances of them realising what is on it is pretty slim, and it would most likely get formated.
I partly agree and the headline's sensationalist. The fact that a memory stick with 12 million usernames and passwords temporarily went missing doesn't mean that it was used to steal those people's data. Server records would almost certainly prove that only a fraction of those accounts had even been accessed during the time that the memory stick was missing.
I think the larger problem here is an administrational problem. During the time that the memory stick was missing, there's no way to tell that someone didn't make a copy of the data to use later.
To stay secure, the service would have to reset the passwords of all 12 million accounts, and figure out some reliable way of getting people their new password. (Maybe it's okay to email it or maybe not -- I don't know enough about the service.) At the very least, it'd be necessary to confirm that the person logging in is the correct person next time they log in. ie. Ask them about date of birth, mother's maiden name, or whatever's necessary, and then force them to change their password once they're verified.
It was a private company, Atos Origin, which lost the data.
...and the only reason we're even hearing about it is because a government organisation is suffering the consequences. Rather than often hearing about how governments make this kind of mistake, I'd really like to get a much better idea of how prevalent it is in the corporate world. The unfortunate thing is that there's not much of a mechanism in place to prevent it from being swept under the rug in these cases.
I'd be interested to know whose decision it was to store this data on a memory stick at all, as well as why the passwords were ever stored anywhere (as opposed to a hash of the passwords). My guess is that it was the private company, although you could argue that the government organisation should still be monitoring how its contractors carry out their business.
I currently work for a government department (not US or UK) and we're very security conscious about the data we handle exactly because we know there would be so much scrutiny if and when anything happens. (This may partly be due to certain local legislation which requires government organisations to be relatively open with how they work.) Private companies don't fall under the same microscope.
As always, the only thing you can do is keep your software updated, don't run programs or code you don't trust, don't let people on your system that you don't trust to keep the system clean, and hope for the best.
I'd add regular backups of important data to that list.
When I use the package system, it's wonderful. And when something that I actually need or want actually *is* on another website, then Ubuntu turns into a pain in the ass for me. I'm looking at you, Songbird!
I agree to a point with Ubuntu, which is why I stopped using it after 3-4 months and switched back to Debian, which has a much bigger archive. Maybe with Debian you need to put a little more initial effort into getting some aspects of the system running well, though.
With Debian I've found that if something's open sourced, it'll nearly always be in the Debian archive and installation (complete with dependencies) is very easy. If it's not open sourced, it's usually no more difficult than what I'd experience on at work all day in Windows, for which package management is very fragmented because everything's so proprietary and vendors are so protective of letting anyone do anything like re-package their product to work better with others.
I can't seem to find Songbird in the debian archive, though. I'd be interested to know why.
So part of the spec requires my webserver to go *fetch and parse your personal web page* to see if it has a <link rel="openid.server"/> tag in it to meet the spec?
If Microsoft or Google or Sourceforge or LiveJournal or whatever authentication provider you happen to use suddenly decides they don't want to be in the authentication business any more, you could potentially find yourself locked out of your accounts on any number of websites and services for which you were using it.
A way around this is to provide a delegate. eg. If and when I use OpenID, I use my own website as my login. The page served up from that URL has a couple of Meta tags which points to my authentication provider and specifies my username with that provider. When I log into something, I'll (eventually) be redirected to that authentication provider and asked for my password. If the provider decides to shut down, I can switch to another one, and change where the delegate on my website points.
I still find it concerning for anything important, at least to the extent that I understand OpenID, which isn't too deep (so if anyone wants to correct me or elaborate on this stuff I'm definitely interested. Having my own delegate system means that I have to keep that website up and available for as long as I want to access all my OpenID-connected accounts. This costs money, and it also requires various skills. I can probably do this for the forseeable future, but most people couldn't either for financial reasons or because they don't have the skills.
Also from a security perspective, if someone happens to hack my website and changes the delegate info to point at an authentication provider of their choosing (to which they can authenticate), they'd potentially get access to all my OpenID-connected accounts... never mind that a rogue employee working at the authentication provider could also potentially log into lots of people's accounts all over the place.
I'll use my OpenID for convenient posting of comments on people's blogs and the like, but in its current state I wouldn't really want to use it for something important like my banking information, or anything else involving money or important info. I know enough about IT to know that I don't trust my own ability as a security expert, for one thing.
But how is that different from working on proprietary software? Working on proprietary software earns a paycheck.
This is true to a point but I think it misses a large amount of software that falls in-between.
I don't work on open source software as my day-job, but it's not because my employer is particularly attached to closed source ideals. It's because it's unlikely that anyone except my employer would be interested in the software I'm writing. Nobody's asked for our source code, but if they did (and it wasn't too much hassle to provide) then I think they'd probably get it... and they'd probably be allowed to release it as OSS if they actually wanted to. Similarly, we occasionally ask other organisations for the code they produced to do something, and they're usually happy to give it to us.
As another response to your post pointed out, many large companies do contribute to Open Source Software for one reason or another... either because it enhances their business and experience for their customers, or just because they want to add an improvement for their own reasons, and contributing back to the project is the easiest way to get it done.
How many software development jobs are in the shrink-wrapped closed source market, anyway, as opposed to people who are hired to write specialist software for their employer (or a customer) to use?
Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. eg. If the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.
Even the American slave wasn't always toiling endlessly in the fields until the slavemasters came out to whip them in for their gruel. Some of them had great report with their masters and were included on the decisions of the day -- were they free? Certainly not. But neither were they treated like dogs (some were, just not all).
I see what you're saying but I don't think this is a great analogy. Most dogs aren't whipped and beaten into submission either, but are treated quite well by their owners -- they just lack the ultimate freedom to make the biggest decisions about their lives, and as dogs they're generally expected to be blindly loyal.
I'd suggest that maybe most or all slaves are treated like dogs for exactly this reason, with the catch that it is/was probably legal to treat them much worse than dogs are typically treated if a slave's owner desired for some reason.
If I had to guess, the way the ballot is organized in terms of candidate ordering probably makes it easy or possible to look like you're pressing the right area, but the boxes and/or your perception of the boxes' location isn't perfectly aligned with the touch sensing elements.
Whether this was the actual problem here or not, are touch screens and other similar input devices really suitable for something like this?
I've often heard them touted as being brilliant from a usability perspective because they let someone interact directly with the presented information (in a sense) instead of having to go through a separate device somewhere.
On the other hand, although I haven't worked with them much, anecdotally I've usually found them to be occasionally inaccurate, uncalibrated or clumsy in their current state -- especially for people who aren't used to using them.
Perhaps they're acceptable for something like an information booth, where the mis-interpretation of a user's clumsy fingers won't be critical, but voting machines? If voting must be completely digital (and I'm not convinced this is necessary), perhaps the input device needs to remain less fancy and more reliable. Surely it'd be possible to rig something up with large numbered physical buttons and then tell people to press the button that corresponds with their preferred candidate's position in a list. (If you want to make it less biased, randomise the order of the list before showing it to the voter.)
I'm not completely against the idea but I've always been stumped with how to implement it technically. ie. How do you do this without either:
centralising email into a corporate-controlled structure? (ie. We'd lose the open protocols and methods for sending to people), or
Requiring that everyone who wants to send/receive emails set up their own financial payment/bank account system of some description.
ISPs could probably help by collecting and making payments on behalf of their subscribers, but it still increases the barriers of entry to email for people who have legitimate uses.
Would you want it in the file system, though? I'd have thought it'd make more sense to have the meta data stored somewhere else and just have something to go and purge things every so often, or otherwise move them out of the way if you're the kind of person who doesn't like purging. We do this kind of thing on a much larger scale with our document management system at my work, although it's a well documented process where the Document Management people will go through and delete certain information every so often depending on where it's been filed and what the legal/policy requirements are for certain kinds of info to be kept around.
It would be kind of cool to be able to sort by some kind of expiration date, or automatically hide stuff that's passed such a date (but be able to get it back if it's really needed).
See, that's the point where I stopped caring. This guy is too stupid to own a computer, let alone run a record label.
That seems harsh considering the guy is a musician rather than an IT professional. Maybe he's a bit naive and he'll learn from this. Making personal backups (and designing a good system for it) is something that most people tend to learn after a bad experience rather than something people just do... especially if they don't spend their lives working with computers.
Under normal circumstances you'd at least expect that the ISP would have a decent, reliable storage system with proper backups. They probably do have backups. The fact that they're now with-holding his data because of paranoia about ridiculously designed copyright laws was probably unexpected, at least by an ordinary person.
Hopefully he now does learn to keep his own personal backups, and he'll also learn to never use that host again.
Given that the goal of of democracy is to create a government subordinate to and responsible to the people, government secrecy is anti-democratic
If the work of a government involves the management of people's personal/private information, then I think some secrecy is justified. (eg. Tax departments probably hold a lot of information about individuals that shouldn't be distributed to everyone.) It also makes sense for some parts of government to keep information secret if its release might compromise safety of people, and ideally only for the duration of time that this is an issue. (eg. Police investigations, and yeah I'm sure there is the occasional national security thing that justifies this.)
The problem is really that lazily designed governments tend to lean towards habits of making things secret by default because it's easier than having to make them open. Once you're in the habit of having secrets it's difficult to re-design ways of doing things to make them less secret, but still keep it safe. If you want an idea of a government with a reasonably open design, take a look at this Australian journalist's blog post about the New Zealand Government's Official Information Act. (Transparency International rates NZ as first equal with Denmark and Sweden in its 2008 corruption perception's index.)
Anyone in New Zealand can request any information they like from a government department, and the department is legally obligated to respond with the information within a set time-frame. The only exceptions are if the request wasn't specific enough (or would require unreasonable amounts of work), if privacy or national security might be unreasonably compromised, if the department doesn't have the info (in which case they have to try to transfer it to somewhere that does) and a few other things which are clearly defined. If anything is with-held, the department has to explain why in the context of the relevant section of the law.
If the person who made a request isn't satisfied, they can complain to an independent ombudsman who has complete power to investigate and see any information that's being withheld, then make a judgement. The consequence is that nearly any sizeable government department has entire sections of people whose primary job is to receive requests for information, distribute them to people who can answer them, and make sure they get answered on time. Being too badly organised isn't an acceptable excuse for not responding in the legally defined timeframe, so librarians get employed to make sure that all information gets properly catalogued as soon as it's produced, to make it efficient and quick to find if and when it's requested, and that relevant information doesn't get missed. (Otherwise the department could get in trouble later on if there's an investigation.) Often it's easier to just be in the habit of producing information and reports that can easily be made public, and publishing it before people ask for it, then help people find it if they continue to ask.
If there aren't proper checks and balances within the government, there's nothing to make sure that an agency is doing what it's supposed to do when it's being secret. That's where the biggest problem is because there's no reason to justify why the public should trust the government, and trust should be everything in a democratically elected government. Even if you don't get the government you voted for, you should be able to trust that the government you get is doing what it's doing above board and as openly as possible. You should also be able to be sure that elected politicians aren't directly interfering with the rest of the workings of government except in ways that are clearly visible and above board, and I think that's where the USA and several other countries have serious p
If you have nothing to hide then you have nothing to worry about.
Er, would you say the same if they were intending to legislate compulsory random searches of body cavities?
Just because you don't consider it an invasion of your privacy that the government wants to sift through your personal email doesn't necessarily mean that other people don't.
Why just random instead of compulsory hand recounts? The main advantage of electronic counts, imho, is that they provide an instant result, which for some reason seems to be in demand these days. (Perhaps if it was too instant people wouldn't be interested, because it wouldn't make for as interesting and drawn-out television.) That shouldn't outweigh the extra trust that comes from voters being able to actually see the votes get counted.
Slashdot Mirror
So in other words, would this mean that Google should open up the API for its remote file system where Google Docs stores things? (Or does Google already allow this? I haven't been following these things lately.) Then the OpenOffice folks could add a driver for saving/loading to Google's servers... and Google Docs supports OASIS formats.
It'd probably open Google's storage up to being abused, but they could probably run some heuristics on stored data to check that the documents people store are actually documents.
It reminds me a lot of the service industry in places where there are heavy tipping cultures. What starts as a way for people to express gratitude for good service has often become an expectation from all sides to avoid getting crappy service. Eventually people in the service industry never get paid well because they're expected to get the rest of their salary from customers, and the customers know they'll get treated badly if they don't fork out extra money.
It's exactly the same pattern as corruption, anyway: employees don't get paid enough to live on, because there's an expectation from all sides that they'll blackmail it out of the people they deal with directly.
I haven't been to Nigeria but it sounds similar to a variety of other places. Once people are poor enough and the government is corrupt enough, bribery becomes acceptable and the whole thing is self-fuelling.
Jobs where bribes are likely become highly sought after. People won't get paid much in those positions because employers already know that they'll make up the rest from bribes, and people who bribe them accept it because they'd just as happily take a similar job and do the same thing if they could, since they can't do anything to change it.
I'm not 100% sure that avoiding doing business in highly corrupt countries is the complete way to go. In some ways it seems that influence from businesses used to less corrupt environments is what might finally change things. Exactly how much a company like Microsoft should play by Nigeria's rules is a difficult question -- it's also at their own risk, because if they're not careful, another corrupt official could come and screw them over or extract more and more money from them for a random reason at any time. As long as corruption continues to exist, though, it'll always be a gamble trying to promote something like Free Software in a country like Nigeria.
From my perspective at my own work (where we tend to write smallish apps from time to time that are usually based on DotNet), I'd guess that if we were writing software that needed to generate documents that'd open in MS Office, the fastest and easiest way to do so at the moment is probably to use the OOXML SDK (yuck).
If there's something similar for ODF, we'd definitely at least look at it, especially if it ended up being easier to work with. With Microsoft at least claiming they'll support ODF with MS Office, it might easily be enough to go with, without even requiring OOXML support at all... especially since ODF is supported by a much wider range of apps than just Microsoft Office. At the very least (if I was writing it), I'd make a special effort to keep things flexible and make it as easy as possible to switch between SDKs and generate ODF documents if and when they were wanted.
I do think it's a lot to do with wanting to go somewhere. I've grown up in New Zealand which is a small country (~4 million people) about as far from everywhere else in the world as it's possible to get. The average salary is probably at best half the average of most places in the USA once you do the conversions. This is fine if you're staying here because cost-of-living tends to be less, but it makes travelling hard.
All of that aside, it's very common for young people here to go overseas for a year or two, either as soon as they leave school or after they graduate. It's usually to Europe because there's a perception of so much variation in such a small space, but I've known people who've gone all over the place, and there's a lot of support for helping people to figure out where they're going, how to get there and how to support themselves.
Money's usually an issue, but we're fortunate enough that NZ has arrangements with other countries to let young people have working holiday visas under certain conditions, and people will often make the money in the country they're planning to spend it while they see the place. Some people will leave here without much more than a return ticket and enough money for the first few weeks while job-hunting. We also get lots of people from European countries visiting NZ, as well as the occasional Americans. And then after a year or three of travelling around and seeing places, people tend to come back home and they tend to be better for it. Some people stay where they are because they like it more.
If you don't grow up in a culture where it's normal for people to simply figure out how to get out of the place they started, though, I can see why it'd be difficult.
Exactly, it's a pointless thing to talk about, unless it's a joke, because nobody really knows what it means or how we'll know for sure if any given year actually is the year of Linux on the desktop. It is just a catchy thing to say, but it seems to get a lot of attention all the same as if there's some kind of substance to it.
I don't personally care about it that much -- I use a linux-based OS for my desktop and my laptop. It works nicely for me and that's enough for me. Does that make it the "year of Linux on the desktop"? (Probably not.) What about if a million kids in a poor country with a corrupt government use some kind of linux-based distro on cheap laptops? Some people might say 'yes' especially if they live or work in one of those countries. Does it mean that 80% of hardware companies need to be shipping and supporting usable linux drivers with their hardware, and do the drivers have to be open source? Do 50% of OEMs need to be installing linux-based distros on their systems? If so, do the installed distros have to be 100% compatable with the hardware? Will it be the "year of Linux on the desktop" when everyone's using 100% open formats and open driver specs, making it much easier for people to switch their desktop OS even if they choose not to?
If and when people talk about it seriously (which seems to happen a lot on Slashdot and elsewhere), they should really be doing it with some specific definitions in mind, because otherwise it's just meaningless waffle. If there's an interest in being serious about it, then people should give it some clear metrics with a standardised citeable definition that can be measured so we'll actually know if it's been achieved. It might be that things get to that point and people still aren't happy, in which case there will be a new goal to chase after. The post I responded to earlier was funny because it is a joke, even though a lot of people still don't seem to see it that way.
I know you're joking, but there will never be a Year of the Linux Desktop until there's a clear definition of what it actually means. If it's not measurable, there's nothing to aim for and it'll forever just be a joke.
I agree, but it does sound as if the submitter's feeling some kind of responsibility for decisions that were made... as if re-using or coding from scratch might have actually made a difference. The only way you could have known that from the start is if you knew enough detail from the start. Perhaps it could have been possible to probe for more, or maybe it wasn't there.
I've been involved in a project which had some complicated statistical uses. The customer expressed them in terms we could understand (as developers) and we communicated back exactly what we were doing. Because it was pretty new stuff, though, they really only figured out half way through that quite a radical change was needed which had a severe effect on our beautiful architecture and introduced all kinds of complications for working with the existing code-base.
It could easily just be a communication issue with saying "too bad" to the customer, and giving them the choice of the original requirements, or scutlling 75% of the work to start again. (And then would it happen all over again?) What's really important, though, is both that they understand the detail of exactly why this has to happen, and that they're helped to provide useful and more-likely-correct information the second time around. For us, neither was an option and we ended up just putting in a couple of icky hacks which make the code less maintainable and probably less memory/speed efficient than it could otherwise be, and the customer was accepting of this.
Rather than asking whether it's better to re-use or not to re-use, it sounds to me as if the submitter should be asking about whether it would have made sense to spend more time gathering requirements at the beginning or not. There's not really enough information provided to determine this, however.
I partly agree and the headline's sensationalist. The fact that a memory stick with 12 million usernames and passwords temporarily went missing doesn't mean that it was used to steal those people's data. Server records would almost certainly prove that only a fraction of those accounts had even been accessed during the time that the memory stick was missing.
I think the larger problem here is an administrational problem. During the time that the memory stick was missing, there's no way to tell that someone didn't make a copy of the data to use later.
To stay secure, the service would have to reset the passwords of all 12 million accounts, and figure out some reliable way of getting people their new password. (Maybe it's okay to email it or maybe not -- I don't know enough about the service.) At the very least, it'd be necessary to confirm that the person logging in is the correct person next time they log in. ie. Ask them about date of birth, mother's maiden name, or whatever's necessary, and then force them to change their password once they're verified.
...and the only reason we're even hearing about it is because a government organisation is suffering the consequences. Rather than often hearing about how governments make this kind of mistake, I'd really like to get a much better idea of how prevalent it is in the corporate world. The unfortunate thing is that there's not much of a mechanism in place to prevent it from being swept under the rug in these cases.
I'd be interested to know whose decision it was to store this data on a memory stick at all, as well as why the passwords were ever stored anywhere (as opposed to a hash of the passwords). My guess is that it was the private company, although you could argue that the government organisation should still be monitoring how its contractors carry out their business.
I currently work for a government department (not US or UK) and we're very security conscious about the data we handle exactly because we know there would be so much scrutiny if and when anything happens. (This may partly be due to certain local legislation which requires government organisations to be relatively open with how they work.) Private companies don't fall under the same microscope.
I'd add regular backups of important data to that list.
I agree to a point with Ubuntu, which is why I stopped using it after 3-4 months and switched back to Debian, which has a much bigger archive. Maybe with Debian you need to put a little more initial effort into getting some aspects of the system running well, though.
With Debian I've found that if something's open sourced, it'll nearly always be in the Debian archive and installation (complete with dependencies) is very easy. If it's not open sourced, it's usually no more difficult than what I'd experience on at work all day in Windows, for which package management is very fragmented because everything's so proprietary and vendors are so protective of letting anyone do anything like re-package their product to work better with others.
I can't seem to find Songbird in the debian archive, though. I'd be interested to know why.
Yeah, pretty much. It's described here.
One of the highly rated posts in the previous discussion pointed out that having a URL as your login essentially puts you in the hands of whoever owns that URL.
If Microsoft or Google or Sourceforge or LiveJournal or whatever authentication provider you happen to use suddenly decides they don't want to be in the authentication business any more, you could potentially find yourself locked out of your accounts on any number of websites and services for which you were using it.
A way around this is to provide a delegate. eg. If and when I use OpenID, I use my own website as my login. The page served up from that URL has a couple of Meta tags which points to my authentication provider and specifies my username with that provider. When I log into something, I'll (eventually) be redirected to that authentication provider and asked for my password. If the provider decides to shut down, I can switch to another one, and change where the delegate on my website points.
I still find it concerning for anything important, at least to the extent that I understand OpenID, which isn't too deep (so if anyone wants to correct me or elaborate on this stuff I'm definitely interested. Having my own delegate system means that I have to keep that website up and available for as long as I want to access all my OpenID-connected accounts. This costs money, and it also requires various skills. I can probably do this for the forseeable future, but most people couldn't either for financial reasons or because they don't have the skills.
Also from a security perspective, if someone happens to hack my website and changes the delegate info to point at an authentication provider of their choosing (to which they can authenticate), they'd potentially get access to all my OpenID-connected accounts... never mind that a rogue employee working at the authentication provider could also potentially log into lots of people's accounts all over the place.
I'll use my OpenID for convenient posting of comments on people's blogs and the like, but in its current state I wouldn't really want to use it for something important like my banking information, or anything else involving money or important info. I know enough about IT to know that I don't trust my own ability as a security expert, for one thing.
This is true to a point but I think it misses a large amount of software that falls in-between.
I don't work on open source software as my day-job, but it's not because my employer is particularly attached to closed source ideals. It's because it's unlikely that anyone except my employer would be interested in the software I'm writing. Nobody's asked for our source code, but if they did (and it wasn't too much hassle to provide) then I think they'd probably get it... and they'd probably be allowed to release it as OSS if they actually wanted to. Similarly, we occasionally ask other organisations for the code they produced to do something, and they're usually happy to give it to us.
As another response to your post pointed out, many large companies do contribute to Open Source Software for one reason or another... either because it enhances their business and experience for their customers, or just because they want to add an improvement for their own reasons, and contributing back to the project is the easiest way to get it done.
How many software development jobs are in the shrink-wrapped closed source market, anyway, as opposed to people who are hired to write specialist software for their employer (or a customer) to use?
This won't solve the problem but the OpenID Community Wiki has a page documenting different ways in which phishing might occur, a well as a collection of recommendations.
Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. eg. If the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.
I see what you're saying but I don't think this is a great analogy. Most dogs aren't whipped and beaten into submission either, but are treated quite well by their owners -- they just lack the ultimate freedom to make the biggest decisions about their lives, and as dogs they're generally expected to be blindly loyal.
I'd suggest that maybe most or all slaves are treated like dogs for exactly this reason, with the catch that it is/was probably legal to treat them much worse than dogs are typically treated if a slave's owner desired for some reason.
They worked without pay from me, too, but they still created.
Whether this was the actual problem here or not, are touch screens and other similar input devices really suitable for something like this?
I've often heard them touted as being brilliant from a usability perspective because they let someone interact directly with the presented information (in a sense) instead of having to go through a separate device somewhere. On the other hand, although I haven't worked with them much, anecdotally I've usually found them to be occasionally inaccurate, uncalibrated or clumsy in their current state -- especially for people who aren't used to using them.
Perhaps they're acceptable for something like an information booth, where the mis-interpretation of a user's clumsy fingers won't be critical, but voting machines? If voting must be completely digital (and I'm not convinced this is necessary), perhaps the input device needs to remain less fancy and more reliable. Surely it'd be possible to rig something up with large numbered physical buttons and then tell people to press the button that corresponds with their preferred candidate's position in a list. (If you want to make it less biased, randomise the order of the list before showing it to the voter.)
I'm not completely against the idea but I've always been stumped with how to implement it technically. ie. How do you do this without either:
ISPs could probably help by collecting and making payments on behalf of their subscribers, but it still increases the barriers of entry to email for people who have legitimate uses.
Would you want it in the file system, though? I'd have thought it'd make more sense to have the meta data stored somewhere else and just have something to go and purge things every so often, or otherwise move them out of the way if you're the kind of person who doesn't like purging. We do this kind of thing on a much larger scale with our document management system at my work, although it's a well documented process where the Document Management people will go through and delete certain information every so often depending on where it's been filed and what the legal/policy requirements are for certain kinds of info to be kept around.
It would be kind of cool to be able to sort by some kind of expiration date, or automatically hide stuff that's passed such a date (but be able to get it back if it's really needed).
That seems harsh considering the guy is a musician rather than an IT professional. Maybe he's a bit naive and he'll learn from this. Making personal backups (and designing a good system for it) is something that most people tend to learn after a bad experience rather than something people just do... especially if they don't spend their lives working with computers.
Under normal circumstances you'd at least expect that the ISP would have a decent, reliable storage system with proper backups. They probably do have backups. The fact that they're now with-holding his data because of paranoia about ridiculously designed copyright laws was probably unexpected, at least by an ordinary person.
Hopefully he now does learn to keep his own personal backups, and he'll also learn to never use that host again.
If the work of a government involves the management of people's personal/private information, then I think some secrecy is justified. (eg. Tax departments probably hold a lot of information about individuals that shouldn't be distributed to everyone.) It also makes sense for some parts of government to keep information secret if its release might compromise safety of people, and ideally only for the duration of time that this is an issue. (eg. Police investigations, and yeah I'm sure there is the occasional national security thing that justifies this.)
The problem is really that lazily designed governments tend to lean towards habits of making things secret by default because it's easier than having to make them open. Once you're in the habit of having secrets it's difficult to re-design ways of doing things to make them less secret, but still keep it safe. If you want an idea of a government with a reasonably open design, take a look at this Australian journalist's blog post about the New Zealand Government's Official Information Act. (Transparency International rates NZ as first equal with Denmark and Sweden in its 2008 corruption perception's index.)
Anyone in New Zealand can request any information they like from a government department, and the department is legally obligated to respond with the information within a set time-frame. The only exceptions are if the request wasn't specific enough (or would require unreasonable amounts of work), if privacy or national security might be unreasonably compromised, if the department doesn't have the info (in which case they have to try to transfer it to somewhere that does) and a few other things which are clearly defined. If anything is with-held, the department has to explain why in the context of the relevant section of the law.
If the person who made a request isn't satisfied, they can complain to an independent ombudsman who has complete power to investigate and see any information that's being withheld, then make a judgement. The consequence is that nearly any sizeable government department has entire sections of people whose primary job is to receive requests for information, distribute them to people who can answer them, and make sure they get answered on time. Being too badly organised isn't an acceptable excuse for not responding in the legally defined timeframe, so librarians get employed to make sure that all information gets properly catalogued as soon as it's produced, to make it efficient and quick to find if and when it's requested, and that relevant information doesn't get missed. (Otherwise the department could get in trouble later on if there's an investigation.) Often it's easier to just be in the habit of producing information and reports that can easily be made public, and publishing it before people ask for it, then help people find it if they continue to ask.
If there aren't proper checks and balances within the government, there's nothing to make sure that an agency is doing what it's supposed to do when it's being secret. That's where the biggest problem is because there's no reason to justify why the public should trust the government, and trust should be everything in a democratically elected government. Even if you don't get the government you voted for, you should be able to trust that the government you get is doing what it's doing above board and as openly as possible. You should also be able to be sure that elected politicians aren't directly interfering with the rest of the workings of government except in ways that are clearly visible and above board, and I think that's where the USA and several other countries have serious p
Er, would you say the same if they were intending to legislate compulsory random searches of body cavities?
Just because you don't consider it an invasion of your privacy that the government wants to sift through your personal email doesn't necessarily mean that other people don't.
Why just random instead of compulsory hand recounts? The main advantage of electronic counts, imho, is that they provide an instant result, which for some reason seems to be in demand these days. (Perhaps if it was too instant people wouldn't be interested, because it wouldn't make for as interesting and drawn-out television.) That shouldn't outweigh the extra trust that comes from voters being able to actually see the votes get counted.