Slashdot Mirror


User: mpe

mpe's activity in the archive.

Stories: 0
Comments: 14,499

Comments · 14,499

  1. Re:Basic Encryption? on Privacy Breach In Canadian Passport Application Site · Score: 1

    I think the problem doesn't even go as far as encryption.

    Encryption probably wouldn't help here. Since the people involved probably don't have the first clue how to use it effectively.

    From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make your system a lot more secure.

    As well as rather more scalable.

  2. Re:Why are state computing projects always like th on Privacy Breach In Canadian Passport Application Site · Score: 1

    In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing.

    At least in those days MPs weren't afraid to stand up and ask "Why have we paid Mr Babbage enough money for a couple of warships and ended up with a useless pile of cogs."

    Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone?

    At least Babbage had the excuse that he was trying to do something beyond "state of the art". I don't recall even the "eighties brick" phones being that heavy. Though a not too well known reason for "embedded journalists" is to ensure that a reliable communication system is available.

    The recent leak of disks with 25 million UK residents' personal information: most of it was not wanted by the people it was going to, but it was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.

    Except that the people making the decisions don't have the first clue. i.e. if you actually gave them the task of "rocket science" you'd probably end up with a 3 litre bottle containing 1 litre of water and 2 litres of compressed air. (With the bottle costing several times its weight in gold and both fluids costing several thousand pounds per ml.)

    Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation.

    Often these contractors appear to be holding companies so everything ends up being sub contracted (badly).

    If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative.

    In order to stand any chance of getting such a contract there is a complex and expensive (6-7 figure) bidding process. This excludes the vast majority of companies from even getting their foot in the door; it also means that something in the order of 5 million pounds is likely to be added to the bill just to cover the bidding costs. The result is you get a few contractors whose specialty is producing bids for government contracts.

  3. Re:Wow on Privacy Breach In Canadian Passport Application Site · Score: 1

    Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth,

    But probably far less than they cost the British taxpayers.

    $100,000 for a book about dumb blondes

    Wonder if there's a book about dumb politicians. Maybe they could be persuaded to all dye their hair blonde :)

    Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can.

    Replace "Canadian" with "just about any".

    Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts.

    Probably because they have the ability to put together the right sort of "bid", which has little to do with (except possibly mutual exclusivity) being able to actually deliver something useful on time and on budget.

  4. Re:Server Side Scripting == Security on Privacy Breach In Canadian Passport Application Site · Score: 1

    ...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the first place.

    Especially if the person deciding how things were split up didn't know what they were doing and/or the group to put things together was under resourced.

  5. Re:Wow on Privacy Breach In Canadian Passport Application Site · Score: 1

    Which is exactly why most developers are not hired to build large applications containing huge amounts of sensitive customer data.
    I make a living out of building exactly these kind of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.

    Thing is that it's generally possible for customers to change their bank without having to change everything else. When it comes to changing your government things are a lot more tricky. Generally moving is a requirement.

    The developers should be ashamed of themselves for such a massive lapse, this really is security 101. Equally ashamed should be the people who decided not to bother with running proper penetration testing and security evaluation on such an application.

    What are the odds that this was outsourced to some contractor whose only skill was being able to make the correct form of "bid" and/or bribe the right people. Whilst subcontracting the actual IT piecemeal. Assume also that none of the people actually making decisions know the first thing about IT and the subcontractors also have the concern of making sure they actually get paid (even though what they actually get is a small fraction of whatever the main contractor charged).

  6. Re:Wow on Privacy Breach In Canadian Passport Application Site · Score: 1

    I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.

    It depends on the country. IIRC there are countries which have lists of approved names, which of course only apply to citizens.
    Another issue is where translating someone's name into another language e.g. Arabic to English is a one to many operation. As well as all the common IT issues of assuming names cannot be more than X characters long, only contain ASCII characters, cannot contain spaces (or more than one space), etc, etc.

  7. Re:Wow on Privacy Breach In Canadian Passport Application Site · Score: 1

    This is a simple and fundamental error and I'm amazed that the 'security technique' made it into production on such a major site. Doesn't ANYONE know what they're doing? Geez, this is Web Security 101.

    We are talking government IT here. The Canadian government appears to be caught in a "race" with the US and British Governments to make the most possible mistakes when it comes to the security of their IT systems... (No doubt the Aussies will be joining in soon, now that they have got an election out of the way.)

    A lot of sites were vulnerable to this sort of thing in 1995 ... If you're going to make URLs user or session specific you need very long random-looking strings.

    Also once the transaction has ended, either by the final "submit" or timeout, the data should no longer exist so far as the webserver is concerned.
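Comments 1 and 7 above make the same two points about the passport site: session identifiers must be long random strings rather than incremented integers, and the applicant's data must cease to exist once the transaction ends by final submit or by timeout. The following is an added example, not code from the thread or from the site discussed; the store, its method names and the 15-minute timeout are hypothetical choices for illustration.

```python
# Added example: a minimal server-side session store that applies both rules.
import secrets
import time
from typing import Optional

TOKEN_BYTES = 32        # 256 bits of randomness; a sequential integer has effectively none
SESSION_TTL = 15 * 60   # hypothetical inactivity timeout in seconds


class ApplicationSessions:
    """Holds in-progress form data keyed by an unguessable token."""

    def __init__(self, ttl: float = SESSION_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock            # injectable so timeouts can be tested
        self._sessions: dict[str, dict] = {}   # token -> {"data": ..., "last_seen": ...}

    def create(self) -> str:
        # secrets, not random: the token must be unpredictable, not merely unique.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"data": {}, "last_seen": self._clock()}
        return token

    def _lookup(self, token: str) -> Optional[dict]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self._ttl:
            # Timed out: discard the applicant's data instead of leaving it around.
            del self._sessions[token]
            return None
        entry["last_seen"] = self._clock()
        return entry

    def update(self, token: str, **fields) -> bool:
        """Store more form fields; False if the token is unknown or expired."""
        entry = self._lookup(token)
        if entry is None:
            return False
        entry["data"].update(fields)
        return True

    def view(self, token: str) -> Optional[dict]:
        entry = self._lookup(token)
        return None if entry is None else dict(entry["data"])

    def submit(self, token: str) -> Optional[dict]:
        """Final submit: hand the data to the caller and destroy the session."""
        entry = self._lookup(token)
        if entry is None:
            return None
        del self._sessions[token]       # the web tier no longer knows this data
        return entry["data"]

    def live_count(self) -> int:
        return len(self._sessions)
```

A token from this store is 43 URL-safe characters drawn from a 256-bit space, so a stranger altering the URL lands on nothing, and after submit or timeout the same URL returns nothing even to its original owner.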

  8. Re:Bad summary on Chinese Moon Photo Doctored, Crater Moved · Score: 1

    "Doctored" suggests deliberate fiddling with the data to mislead.
    It seems here that this is actually just a result of a vanilla screw-up.

    e.g. the released picture is the result of several images being manually "stitched together".

  9. Re:Why it's not just a matter of signs on British Village Requests Removal From GPS Maps · Score: 1

    Hmmm, who is responsible if a vehicle runs over a kid? Maybe the kid, depending on circumstances, but more likely THE DRIVER, and their insurance company.

    In the UK it's the case that on any public road (including motorways) pedestrians have right of way over all other traffic. That is irrespective of whether the pedestrian is a child, an idiot, drunk, etc. N.B. The concept of "jaywalking" simply doesn't exist in the UK.

  10. Re:3 x 0 = 0 on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    "Extraordinary claims require extraordinary evidence" applies to all claims, including those that handily advance socialist causes.

    At least this should be the case. In practice where the claims in question are politically correct this frequently isn't the case. (Though it often is expected of politically incorrect skeptics, even when they are simply pointing out the lack of extraordinary evidence, even a lack of much evidence at all.)

  11. Re:Scaremongering? on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    Actually, no. Quite the contrary; there's about a half-dozen cranks who say that, yet who get a quite astonishing amount of media attention for their pains.

    It's also likely that these "cranks" go out of their way to get such media attention. When actual scientists don't, because they are either too busy doing science or know that they can't explain things in a way that journalists will understand/consider for broadcast.

  12. Re:I have a dream! on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    Gamma rays are a form of EM radiation... so they are related (though given that they have a much higher energy I agree that it's not that helpful to compare them in this instance).

    They share properties with other forms of EM radiation. This is highly relevant if you want to use gamma rays to kill a cancer with minimal harm to surrounding tissues.

  13. Re:"Radiation" on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    Radiation was just set up as a boogeyman because it's invisible and really easy to be scared of.

    A sizable part of the output of an incandescent lamp is both "radiation" and invisible too. Which was the original poster's point. That many people don't understand that the term "radiation" applies to a lot of things...

  14. Re:Can't these people do maths?! on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    During WWII, both British and American radar operators would get warm by standing in front of their radar beams.

    IIRC this was where the idea of using microwaves to cook food came from.

  15. Re:Can't these people do maths?! on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    I have two friends that worked on radar vessels in the Navy, and both lost their nads to Cancer.

    A warship radar is several orders of magnitude more powerful than any cell phone or wi-fi system. Any comparison just isn't that meaningful.

  16. Re:Can't these people do maths?! on BBC Rules That Wi-Fi Radiation Findings Were Wrong · Score: 1

    Um, not anywhere on planet earth. Typical output power from the final amplifier stage of an 800MHz cell amplifier is nowhere above 25-30w at the very most. 1900MHz CDMA cells average between 4w and 15w max output at those frequencies. If you can provide data on any cell tower with final amplifier output in even the 100W range let-alone 1000W, I'd love to see it. ...

    Maybe someone got confused between the power consumption and the level of RF power emitted. (Or between cell sites and broadcast stations, which are not uncommon to find located together.)

  17. Re:A new low has been acheived here on Slashdot... on MPAA Forced To Take Down University Toolkit · Score: 1

    If there was no copyright law there would be no perceived need to monitor the traffic.

    No reason for the MPAA to be monitoring traffic on other people's networks. There are plenty of good reasons for network admins (especially of large and complex networks) to consider monitoring traffic.

  18. Re:"Simple email" on MPAA Forced To Take Down University Toolkit · Score: 1

    Yes, and if instead he sued the MPAA and won damages in court, he'd be validating the MPAA tactic of suing individual users for posting copyrighted movies for damages.

    How often do the MPAA actually sue people? It's also unlikely to be hard to find out how many downloads took place. The fact that the MPAA effectively put out a "press release" about what they were doing doesn't help their case either.

  19. Re:Except in one scenario on MPAA Forced To Take Down University Toolkit · Score: 1

    As long as they changed them, even the slightest bit, they're required to distribute (or offer / provide a method for users to obtain) the complete sources to the modified components -- specifically not diffs

    Either the modified source or the original source together with diffs is ok, just the diffs isn't.

    or they're in violation of the GPL.

    Which means any distribution they do is a copyright violation unless they have an alternative permission from all relevant copyright holders.
    Since they got their software taken down they self evidently didn't. Thus in order to fight movie piracy they engaged in software piracy. Which weakens any case they may want to bring to court in future due to "unclean hands".

  20. Re:Why am I unsurprised by this? on Secret Mailing List Rocks Wikipedia · Score: 4, Insightful

    To get people to do moderation work unpaid, you have to offer them something. That something is described above - a small amount of power and the feeling of being in an in-group and privy to secret knowledge.

    It's more the case that people who specifically seek power are also those best kept away from it.

    Depressingly, what I conclude from this is that the only real answer is to pay people and have competition. Payment offers rewards to people who do not care about power or exclusivity.

    Except that it doesn't, people being paid can still care a great deal about power and exclusivity.

  21. Re:No clone wars on Dinosaur Fossil Found With Preserved Soft Tissue · Score: 2, Insightful

    There's no DNA; the fossilization process was fast enough to fossilize soft tissue. It's not organic material.

    It is a very useful find however. Since it enables techniques such as working out muscles from their attachment points to the bones to be refined. As well as examination of such tissues, which can show how these extinct animals are related to ones which exist now.

  22. Re:Aha! on Firefox Security Head Says Microsoft Obscures OS Holes · Score: 2, Insightful

    Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

    Also once this happens it is difficult for a free market to re-assert itself.

    I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

    Sometimes such regulation is actually used to protect the interests of established businesses in a market, far more than any intent of protecting customers.

  23. Re:Well Duh! on Firefox Security Head Says Microsoft Obscures OS Holes · Score: 1

    The idea of the company is to make money, not to make happy customers.

    Without customers there is no way a company is going to make any money. Happy customers tend to mean more money, through repeat business and positive word of mouth; unhappy customers tend to mean less money, due to negative word of mouth. Of course this only works when there is actual competition...

  24. Re:Whole section of the report not covered on Firefox Security Head Says Microsoft Obscures OS Holes · Score: 1

    Besides, it's not as easy as "you shouldn't be using old versions". Some third parties develop software targeted specifically at a given version of IE. If they won't fix their software when a new version comes out (I'm looking at you Tridion, amongst many, many others) then you have the choice to either replace that software or stay with the old version of IE.

    It isn't that easy to have multiple versions of MSIE on one Windows machine either. As well as the utter stupidity of software which insists that the browser it wants is set as the default browser because the programmer couldn't be bothered to write a tiny piece of code.

    Replacing may be prohibitive in terms of cost, even if you upgrade to the vendor's latest version.

    Assuming there is a suitable replacement. It's perfectly possible that the later version of the whatever is unsuitable for your needs.

  25. Re:Whole section of the report not covered on Firefox Security Head Says Microsoft Obscures OS Holes · Score: 1

    Since you don't pay for FireFox, there is really no reason not to upgrade.

    An upgrade may break an extension/addon. Though the Open Source nature of the software means that such things tend to get fixed PDQ.

    With MS you have to pay for EVERY new version which is released.

    Typically you don't. IIRC Windows XP originally shipped with IE5. At least in terms of money. The problem is more along the lines that upgrading MSIE tends to come bundled with all sorts of updates to Windows. Whereas Firefox tends to keep itself well organised and in a few places.