Why even bother with a bomb, if you can take remote control of thousands of already occupied vehicles anyway?
I wish this was just some sort of distasteful joke, but unfortunately the combination of increasing reliance on computers and horrific lack of awareness of (and/or caring about) security by auto manufacturers is starting to make that kind of attack look like a credible threat.
I wish that were true, but based on the figures I'm familiar with in the UK, I fear you're being optimistic.
For example, the government health R&D budget here in the UK is around 1.5B pounds per annum. As another relevant figure, Cancer Research UK had an income of just over half a billion pounds last year; CRUK is our main umbrella body for cancer research today, which in turn funds university research projects and so on.
I don't know exactly how much we spend on all the questionable security and "anti-terrorism" activities, because of course the government doesn't disclose exactly what they are or how they're funded. However, to pick an example we do know about, the cost for implementing the Internet monitoring required for the "Snooper's Charter" has been estimated at around 1B pounds, and IIRC that was primarily for the equipment over an initial ten-year period and doesn't include the running costs. So, that measure alone probably costs a significant fraction of the total cancer R&D budget.
Another telling example is our road safety funding, which is only a few million pounds per year. That is a drop in the ocean compared to funding on security matters, even though we lose thousands of people every year on our roads and many of the deaths and injuries are avoidable.
I don't know exactly what the analogous figures are for other places such as the US, but looking at the general pattern it still seems fair to say that disproportionate amounts of time and money are being spent on the "war on terror" that could surely be put to more constructive uses elsewhere.
Perhaps the most important thing, though, isn't the time and money spent by governments on these different issues. The government speaks with the loudest voice in any country, and when political leaders and the associated media commentators speak, they can shift public attention. If our leaders used that influence to direct more mind share to positive issues and wasted less precious public attention on fear-mongering, I think we'd be a lot better off in many ways.
The best alternative, IMHO, is a combination of principled leadership and education.
We could start by not doing the bad guys' job for them, for example by using scary words like "terrorist" to describe these people. Just call them what they are: murderers, cowards, bullies who think might means right. Every school child used to know that these things are unacceptable, and that the way to beat cowards and bullies is to stand up to them. When did our political leaders and influential media commentators and, for that matter, teachers forget that?
Likewise, you don't beat someone who wants to change your way of life through force or the threat of force by... changing your way of life. Every time someone gets delayed at airport security or monitored online or stopped and searched by a police officer in the street, every drop of taxpayers' money that funds those activities, every law that enables them, is one more feather in the cap of the people who want to change our way of life for their own purposes. Yes, some pragmatism is needed because we live in the real world, but we should never give up those freedoms lightly and never more than is demonstrably justified.
We could also try putting terrorism in perspective through better public education. As a matter of fact, the worst terrorist incident in recent history was 9/11 in the US, killing nearly 3,000 people and of course injuring many more and causing massive damage to property. That was 15 years ago. All the "terrorist attacks" since then combined still don't reach the same total. Meanwhile, almost as many people die on US roads every month as died due to the 9/11 attacks. There are more than 10,000 homicides using guns alone in the US each year. If you look at a much more damaging cause of death, say cancer, that claims around half a million people too early in the US alone each year, and of course has profound impacts on their lives and those of their friends and families and carers until that point. In the big picture, terrorism simply isn't that big a danger, and there is little indication that it ever was or is likely to become so any time soon.
And yet, we don't see the time and money and political resources diverted to researching improved cancer treatments, or safer road designs, or identifying those who need psychiatric help before they hit breaking point, that we see diverted to the so-called war on terror, despite the dramatically better results we might reasonably expect to achieve in terms of saving lives, improving quality of life, and keeping property safe. IMHO, that is a failure of leadership, pure and simple.
In short, I think the best alternative is very clear: stop the political and media fear-mongering around terrorism and the hypothetical bogeyman, stop all the intrusions and harassment and day-to-day costs of ineffective or excessive security, divert all that attention and all those resources to more constructive purposes like improving education or healthcare or infrastructure instead, and make sure the resulting benefits are visible for all to see.
The cameras and microphones are not what actually matters, so much as the objectives of the controlling entity.
The trouble is, it's remarkably difficult to identify all possible future objectives of anyone controlling data, and at the risk of Godwinning the thread albeit on an entirely legitimate basis, we know all too well what can happen when the objectives change over time.
You might be interested Liberty's video on communications surveillance. It shows, quite effectively IMHO, that once normal people are actually aware of intrusive surveillance, they really aren't happy about it at all. You could make very similar arguments about AV surveillance and recording in public spaces.
We really need to stop and question what privacy actually means in the 21st century, with the capabilities of modern technology. We should be asking why what we used to call privacy was important, and what the modern equivalent is, and how and why we might want to protect it for the same reasons.
Otherwise, you get people who can't see a difference between someone just passing someone else anonymously in the street for a few seconds and someone being monitored 24/7 whenever they are on any public street, identified by correlating the video feed with other biometric data sources, recorded in a readily searchable format for further correlation with other data sources, so that the resulting data may be analysed by unknown parties for unknown purposes at any future time, without any meaningful form of accountability or regulation applying to the much larger and more powerful organisation(s) doing the monitoring.
I just got back from visiting Germany, and I promise you there are still plenty of people there and throughout Europe who are acutely aware of the difference between those two scenarios. Unfortunately, the generations with living memory of the potential results are leaving us all too quickly, and the younger generations are in danger of not learning from history and being doomed to repeat it.
That argument is right up there with "If you have nothing to hide, you have nothing to fear."
Freedom of movement is a basic necessity of a civilised society. By attaching riders -- sure, you have freedom of movement, but only if you consent at metaphorical and/or literal gunpoint to some other undesired behaviour -- you are undermining that freedom as surely as if you just locked someone up in the first place.
Reliable 5:1 success stories are very difficult to find.
True enough, though they are still much easier to find than 50:1 success stories.
Many businesses with sound business models, good people, and in the right place at the right time fail.
That seems rather pessimistic. Certainly many businesses fail, but a great deal of the time when they do, it is precisely because one of the elements you just mentioned was missing. A business that really has found product-market fit, has good people running it, and has access to the resources it needs for those people to exploit that fit is basically a money-printing machine.
I suspect the issue for VCs is simply that by the time you're looking at a series A, you probably already have a good idea of whether all of those things are true. For an investor looking for spectacular returns, the window might already be closed by the time founders/angels know they're onto a good thing and the interesting questions are how good and how soon. Better to look for something you believe could be spectacular while there is still an element of risk to keep the price down, particularly if you can find a time when a big cash injection would dramatically improve the odds of success.
Given that I've been working in this field on and off for multiple decades, I'm reasonably sure I understand one of the most basic principles, thanks. And yes, I would agree with your example there.
Since posting earlier, I'm wondering whether I just parsed Trongy's post differently to how it was meant. If the intended point was that there exist systems that rely on secrecy but are not examples of security through obscurity, I would have agreed with that, too.
I agree with your examples, but I think your first sentence is inconsistent. If a system becomes trivially easy to compromise only once a secret is revealed then self-evidently that system does rely on secrecy for its security.
If you're talking about VC-level investment, that model makes economic sense.
Of course, if you find one 50:1 hit and 99 total losers instead, you're toast.
Even if you find one 50:1 hit and only back 9 losers, you're still no better off than someone who consistently backs modest 5:1 success stories. It always surprises me that we don't see more successful investors using this sort of strategy, given that by the time you're closing VC funding rounds your business isn't likely to be some random six-month-old start-up any more. Maybe those investors just aren't as high profile as the big VCs.
"Security through obscurity" is a term of art, a quick way of referring to a useful concept that anyone who works in the field understands. That meaning is surely also what the OP was referring in their post. Perhaps you weren't familiar with it, but every professional or academic working on IT security will be.
Security through obscurity is not a particularly successful technique and never has been, as you can tell from the vast number of published exploits against systems that were not actually secure based on vulnerabilities that were discovered despite their obscurity.
By the way, the point of private keys isn't (just) that they are longer than passwords, though that is a significant practical benefit. Authentication using public-private key pairs is also asymmetric: someone possessing the public key can verify that someone they are talking to, for example someone requesting SSH access to a server, is in possession of the corresponding private key without the private key ever being disclosed. This is qualitatively different to typical password-based authentication, where someone logging in to the server does actually send their full password to the server's SSH daemon (encrypted, obviously), even if further processing is then based on some derived hash value.
The term "security through obscurity" normally refers to the method being secret, not to secret information used to authenticate an actor within the system. More specifically, it normally refers to relying on the method being secret to make discovery of a vulnerability more difficult, rather than actually fixing the vulnerability. Clearly this is bad if an adversary becomes aware of that vulnerability anyway.
But... But... Browser plugins are evil, and we must do away with them and move everything into the browser itself to be safe! The Internets keep telling me so.
It was a while ago that I last looked at Drupal specifically, but as I recall it wasn't extending the content types that was the issue, it was being able to build almost anything interesting on top of that data. I can't remember all the details now, but so many things that should have been simple programming tasks or database queries wound up needing awkward code and/or a lot more of it because of the overheads of integrating with the CMS framework, marshalling the data around different components in the system, and sometimes less than ideal design decisions in the framework itself.
In the end, we took a decision to write off the work in Drupal and rewrote that entire project as a straight-up programming and web development job. We had the whole thing up and in production in probably 1/3 of the time we'd spent fighting Drupal by that point, so since we had been about 3/4 of the way through the job using Drupal, the switch approximately paid for itself by the time the system went live.
Now, to be fair, Drupal and the other heavy CMSes have developed significantly since that time. I assume it wouldn't be as painful now, and I know some of the things that caused us a lot of trouble with co-ordinating different extras before are built in these days. However, the improvements in productivity would need to be off the charts to make it worthwhile, IME. Like any framework-based development, you can often get faster results and easier maintenance as long as what you want to do fits within the capabilities and conventions of that framework, but you can pay a heavy and often prohibitive price if you need to do anything significantly outside the normal scope.
The challenge for systems like Drupal is that they are also squeezed at the bottom end, for basic to moderately complicated CMS requirements, by the likes of WordPress. They're squeezed at the top end, for more customised content and data processing needs like the system I'm thinking of, because it's so easy to throw together a simple CMS-style front-end and supporting database these days and then a full programming language is so much more powerful for any specialised data manipulation. Even with the more recent developments, I'm not sure how much space is left in between where a heavyweight CMS is going to be a good choice.
I see this argument a lot, as with any build-or-buy kind of decision, but I'm not sure it's always true with something like a CMS. You basically have a scale, from something you install and configure that requires little or no programming at one end to developing a bespoke system at the other, and working at either end of that scale has significant pros and cons.
The first end is the space dominated by WordPress today. You can install WP (or get hosting that already has it), throw a template and maybe a plugin or two on there, and start writing. As long as your needs are straightforward, this will probably work OK.
The other end needs some real programming and enough control over your servers/hosting to install whatever software you want to use. However, there are so many libraries and toolkits available today that you can write a basic CMS with all the essential features in a matter of hours, and then the sky is the limit for flexibility and customisation.
What I don't really understand is people who opt for the space in the middle if they have access to those basic programming and sysadmin skills. I've looked into more heavyweight CMS tools like Drupal in the past, but as soon as I wanted to do something beyond the basics, it became awkward to fit everything into the CMS's model for storing and rendering the content and doing so often required programming and database skills anyway. These tools lacked the speed and ease of use of WP, and they also lacked the flexibility of a custom system, and they offered little apparent advantage in any of those respects over the alternatives.
The only time I could imagine it making sense to use this sort of heavyweight CMS tool was if you needed something much more complicated than you could reasonably achieve with WP and a few plugins, but you really didn't have access to the programming or sysadmin skills needed to go bespoke. Even then, unless the big CMSes have become dramatically better lately, it's hard to imagine you wouldn't get better results by bringing someone on board for a few days to get the job done if that was an option.
In Accounting, most computer hardware has a 2-3 year depreciation for a reason.
And that reason is mostly that 20 years ago the useful working lifetime for a PC before either a significant hardware failure or a cost-effective major upgrade actually was around 3 years.
However, that hasn't been true for at least a decade, with increasing reliability of hardware and reducing real world benefits to upgrading so often unless your hardware did already fail. I don't work with any accountants who would assume such a short lifetime for depreciation purposes today.
For what it's worth, I think the problem is often that our lawmakers try to be too specific when legislating in technical fields that (inevitably) most of them don't fully understand. I think sometimes they would do better to write laws that clearly establish the intended principle, and leave applying that principle under specific circumstances to the courts. The trouble is that when they try to get too specific, they wind up creating loopholes, which may then be exploited by lawyers acting for the very people or organisations those laws were intended to restrict.
In some areas, sticking to simpler laws about principles also potentially allows the law to adapt to a changing world more effectively, particularly in fast-moving fields like technology. As I've mentioned previously, I think the problem with a lot of our privacy and data protection laws today is that they were written for a time when collecting a single data point was the big concern, and the focus was on limiting how much data could be collected at that point or how it could be used. Today, with advances in technology, there are also risks to privacy from collecting lots of little data points and then analysing them together, but typically our existing data protection frameworks don't contain any safeguards to protect people from that sort of danger. If you started from more fundamental principles about why privacy is considered important enough to protect in the first place, rather than focussing on specific aspects of collecting, using and sharing personal data, it might be easier to look at new situations and behaviours and decide whether those behaviours are basically fair and reasonable things to do or whether they are in danger of crossing a line and need a closer look.
The thing is, while I've heard the kind of argument you make there before and it looks reasonable on the face of it, ultimately that entire argument is based on the idea that individuals can freely collect personal information about other individuals they know. Obviously it would be both undesirable and impractical to require every individual to register as a data controller and document every kind of personal data they ever came across about their friends or professional contacts, so whatever sort of implicit permission is involved it must be given or the whole legal foundation becomes silly. But then there's nothing to say explicitly where that permission does or doesn't end, and that creates huge grey areas in the kind of situation we're talking about.
To me, it seems obviously counter to the spirit of the data protection rules that large data harvesting organisations can entice someone who is being trusted with someone else's personal data in that way to hand over that data, often on terms that aren't fully understood, for purposes that aren't fully described, and quite possibly without even the knowledge of the actual data subject. There really ought to be some absolutely clear rules, with meaningful penalties for violation, about organisations collecting personal data from people about third parties, including both reasonable disclosure requirements to the people providing that data and hard limits beyond which the actual data subjects must give their explicit consent and no-one else can give it for them.
The difficulty with this is that some of these large data-harvesting organisations can now do so much with even tiny data points, because of the scale they operate at and the number of connected data points they have access to, that I'm starting to think any processing of data about third parties should be limited to temporary analysis for some specific purpose (such as checking whether any of the friends in your address book are already on a social network you're joining) with no permanent storage of data specifically about anyone else, and with a requirement that no processing is done in regard to any data incidentally collected about third parties, such as a friend who appears in a holiday photo you upload. It's the scale and co-ordination of all these modern systems that poses the biggest threats to privacy these days, but our laws data from a time when it was assumed the individual data points were what mattered.
I'm not so sure. Housing is one of those issues that isn't quite big enough to sway elections yet, but it's painful for a lot of people in the UK at the moment, and the government has essentially been propping up house prices by artificially limiting the market for years. Now they've backed themselves into a corner, because so many older voters have houses and possibly second buy-to-let houses that they want to keep the values up, but younger generations are already completely priced out of the market in some places. As more of those younger people become active voters, it's going to become more difficult for the government to continue propping up the relatively well-off property owners anyway, and supporting this sort of obviously creepy move is just a needless political risk from their point of view.
[T]hey're providing a credit score. This is a regulated industry by the FCA, and they're not registered as a financial services company with the FCA for this purpose.
Interesting. That looks like a credible way to go after them if they pursue this, independent of the general data protection rules.
From a non-financial aspect in terms of the DPA, the DPA states that an organisation cannot capture more data than is necessary for the purposes of their business.
Indeed, but in this case if the purpose is to evaluate the prospective tenant's trustworthiness based on their social media activity and they've given their explicit consent for that to happen, it seems optimistic to assume the DPA prohibits such activity. This feels like something you'd need a court case to determine with certainty.
No individual can ever give permission to a company to harvest another individual's data in this way.
I'd like to think that was the case, and as I read the law it always seemed to be. However, it makes me wonder how social media apps get away with harvesting their users' entire phone/address books, services like Google Mail get away with scanning mails sent to one of their users by another party who doesn't know Google is involved, and so on. Plenty of big IT companies seem to be doing things like this routinely, and the regulators don't seem to be objecting much so far, much as some of us might wish they would.
Slashdot Mirror
Why even bother with a bomb, if you can take remote control of thousands of already occupied vehicles anyway?
I wish this was just some sort of distasteful joke, but unfortunately the combination of increasing reliance on computers and horrific lack of awareness of (and/or caring about) security by auto manufacturers is starting to make that kind of attack look like a credible threat.
I wish that were true, but based on the figures I'm familiar with in the UK, I fear you're being optimistic.
For example, the government health R&D budget here in the UK is around 1.5B pounds per annum. As another relevant figure, Cancer Research UK had an income of just over half a billion pounds last year; CRUK is our main umbrella body for cancer research today, which in turn funds university research projects and so on.
I don't know exactly how much we spend on all the questionable security and "anti-terrorism" activities, because of course the government doesn't disclose exactly what they are or how they're funded. However, to pick an example we do know about, the cost for implementing the Internet monitoring required for the "Snooper's Charter" has been estimated at around 1B pounds, and IIRC that was primarily for the equipment over an initial ten-year period and doesn't include the running costs. So, that measure alone probably costs a significant fraction of the total cancer R&D budget.
Another telling example is our road safety funding, which is only a few million pounds per year. That is a drop in the ocean compared to funding on security matters, even though we lose thousands of people every year on our roads and many of the deaths and injuries are avoidable.
I don't know exactly what the analogous figures are for other places such as the US, but looking at the general pattern it still seems fair to say that disproportionate amounts of time and money are being spent on the "war on terror" that could surely be put to more constructive uses elsewhere.
Perhaps the most important thing, though, isn't the time and money spent by governments on these different issues. The government speaks with the loudest voice in any country, and when political leaders and the associated media commentators speak, they can shift public attention. If our leaders used that influence to direct more mind share to positive issues and wasted less precious public attention on fear-mongering, I think we'd be a lot better off in many ways.
The best alternative, IMHO, is a combination of principled leadership and education.
We could start by not doing the bad guys' job for them, for example by using scary words like "terrorist" to describe these people. Just call them what they are: murderers, cowards, bullies who think might means right. Every school child used to know that these things are unacceptable, and that the way to beat cowards and bullies is to stand up to them. When did our political leaders and influential media commentators and, for that matter, teachers forget that?
Likewise, you don't beat someone who wants to change your way of life through force or the threat of force by... changing your way of life. Every time someone gets delayed at airport security or monitored online or stopped and searched by a police officer in the street, every drop of taxpayers' money that funds those activities, every law that enables them, is one more feather in the cap of the people who want to change our way of life for their own purposes. Yes, some pragmatism is needed because we live in the real world, but we should never give up those freedoms lightly and never more than is demonstrably justified.
We could also try putting terrorism in perspective through better public education. As a matter of fact, the worst terrorist incident in recent history was 9/11 in the US, killing nearly 3,000 people and of course injuring many more and causing massive damage to property. That was 15 years ago. All the "terrorist attacks" since then combined still don't reach the same total. Meanwhile, almost as many people die on US roads every month as died due to the 9/11 attacks. There are more than 10,000 homicides using guns alone in the US each year. If you look at a much more damaging cause of death, say cancer, that claims around half a million people too early in the US alone each year, and of course has profound impacts on their lives and those of their friends and families and carers until that point. In the big picture, terrorism simply isn't that big a danger, and there is little indication that it ever was or is likely to become so any time soon.
And yet, we don't see the time and money and political resources diverted to researching improved cancer treatments, or safer road designs, or identifying those who need psychiatric help before they hit breaking point, that we see diverted to the so-called war on terror, despite the dramatically better results we might reasonably expect to achieve in terms of saving lives, improving quality of life, and keeping property safe. IMHO, that is a failure of leadership, pure and simple.
In short, I think the best alternative is very clear: stop the political and media fear-mongering around terrorism and the hypothetical bogeyman, stop all the intrusions and harassment and day-to-day costs of ineffective or excessive security, divert all that attention and all those resources to more constructive purposes like improving education or healthcare or infrastructure instead, and make sure the resulting benefits are visible for all to see.
The cameras and microphones are not what actually matters, so much as the objectives of the controlling entity.
The trouble is, it's remarkably difficult to identify all possible future objectives of anyone controlling data, and at the risk of Godwinning the thread albeit on an entirely legitimate basis, we know all too well what can happen when the objectives change over time.
Can someone explain this one to me?
You might be interested Liberty's video on communications surveillance. It shows, quite effectively IMHO, that once normal people are actually aware of intrusive surveillance, they really aren't happy about it at all. You could make very similar arguments about AV surveillance and recording in public spaces.
We really need to stop and question what privacy actually means in the 21st century, with the capabilities of modern technology. We should be asking why what we used to call privacy was important, and what the modern equivalent is, and how and why we might want to protect it for the same reasons.
Otherwise, you get people who can't see a difference between someone just passing someone else anonymously in the street for a few seconds and someone being monitored 24/7 whenever they are on any public street, identified by correlating the video feed with other biometric data sources, recorded in a readily searchable format for further correlation with other data sources, so that the resulting data may be analysed by unknown parties for unknown purposes at any future time, without any meaningful form of accountability or regulation applying to the much larger and more powerful organisation(s) doing the monitoring.
I just got back from visiting Germany, and I promise you there are still plenty of people there and throughout Europe who are acutely aware of the difference between those two scenarios. Unfortunately, the generations with living memory of the potential results are leaving us all too quickly, and the younger generations are in danger of not learning from history and being doomed to repeat it.
You consented when you got on the bus.
That argument is right up there with "If you have nothing to hide, you have nothing to fear."
Freedom of movement is a basic necessity of a civilised society. By attaching riders -- sure, you have freedom of movement, but only if you consent at metaphorical and/or literal gunpoint to some other undesired behaviour -- you are undermining that freedom as surely as if you just locked someone up in the first place.
Reliable 5:1 success stories are very difficult to find.
True enough, though they are still much easier to find than 50:1 success stories.
Many businesses with sound business models, good people, and in the right place at the right time fail.
That seems rather pessimistic. Certainly many businesses fail, but a great deal of the time when they do, it is precisely because one of the elements you just mentioned was missing. A business that really has found product-market fit, has good people running it, and has access to the resources it needs for those people to exploit that fit is basically a money-printing machine.
I suspect the issue for VCs is simply that by the time you're looking at a series A, you probably already have a good idea of whether all of those things are true. For an investor looking for spectacular returns, the window might already be closed by the time founders/angels know they're onto a good thing and the interesting questions are how good and how soon. Better to look for something you believe could be spectacular while there is still an element of risk to keep the price down, particularly if you can find a time when a big cash injection would dramatically improve the odds of success.
Given that I've been working in this field on and off for multiple decades, I'm reasonably sure I understand one of the most basic principles, thanks. And yes, I would agree with your example there.
Since posting earlier, I'm wondering whether I just parsed Trongy's post differently to how it was meant. If the intended point was that there exist systems that rely on secrecy but are not examples of security through obscurity, I would have agreed with that, too.
I agree with your examples, but I think your first sentence is inconsistent. If a system becomes trivially easy to compromise only once a secret is revealed then self-evidently that system does rely on secrecy for its security.
If you're talking about VC-level investment, that model makes economic sense.
Of course, if you find one 50:1 hit and 99 total losers instead, you're toast.
Even if you find one 50:1 hit and only back 9 losers, you're still no better off than someone who consistently backs modest 5:1 success stories. It always surprises me that we don't see more successful investors using this sort of strategy, given that by the time you're closing VC funding rounds your business isn't likely to be some random six-month-old start-up any more. Maybe those investors just aren't as high profile as the big VCs.
How is that fundamentally different to what I wrote before? I think we're making the same point, even if we used slightly different words to do it.
"Security through obscurity" is a term of art, a quick way of referring to a useful concept that anyone who works in the field understands. That meaning is surely also what the OP was referring in their post. Perhaps you weren't familiar with it, but every professional or academic working on IT security will be.
Security through obscurity is not a particularly successful technique and never has been, as you can tell from the vast number of published exploits against systems that were not actually secure based on vulnerabilities that were discovered despite their obscurity.
By the way, the point of private keys isn't (just) that they are longer than passwords, though that is a significant practical benefit. Authentication using public-private key pairs is also asymmetric: someone possessing the public key can verify that someone they are talking to, for example someone requesting SSH access to a server, is in possession of the corresponding private key without the private key ever being disclosed. This is qualitatively different to typical password-based authentication, where someone logging in to the server does actually send their full password to the server's SSH daemon (encrypted, obviously), even if further processing is then based on some derived hash value.
The term "security through obscurity" normally refers to the method being secret, not to secret information used to authenticate an actor within the system. More specifically, it normally refers to relying on the method being secret to make discovery of a vulnerability more difficult, rather than actually fixing the vulnerability. Clearly this is bad if an adversary becomes aware of that vulnerability anyway.
Well, Intel's view seems to be:
While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure.
I don't know about you, but I'm totally convinced and no longer worried at all.
On a totally unrelated note, does sarcasm work on the Internet?
But... But... Browser plugins are evil, and we must do away with them and move everything into the browser itself to be safe! The Internets keep telling me so.
It was a while ago that I last looked at Drupal specifically, but as I recall it wasn't extending the content types that was the issue, it was being able to build almost anything interesting on top of that data. I can't remember all the details now, but so many things that should have been simple programming tasks or database queries wound up needing awkward code and/or a lot more of it because of the overheads of integrating with the CMS framework, marshalling the data around different components in the system, and sometimes less than ideal design decisions in the framework itself.
In the end, we took a decision to write off the work in Drupal and rewrote that entire project as a straight-up programming and web development job. We had the whole thing up and in production in probably 1/3 of the time we'd spent fighting Drupal by that point, so since we had been about 3/4 of the way through the job using Drupal, the switch approximately paid for itself by the time the system went live.
Now, to be fair, Drupal and the other heavy CMSes have developed significantly since that time. I assume it wouldn't be as painful now, and I know some of the things that caused us a lot of trouble with co-ordinating different extras before are built in these days. However, the improvements in productivity would need to be off the charts to make it worthwhile, IME. Like any framework-based development, you can often get faster results and easier maintenance as long as what you want to do fits within the capabilities and conventions of that framework, but you can pay a heavy and often prohibitive price if you need to do anything significantly outside the normal scope.
The challenge for systems like Drupal is that they are also squeezed at the bottom end, for basic to moderately complicated CMS requirements, by the likes of WordPress. They're squeezed at the top end, for more customised content and data processing needs like the system I'm thinking of, because it's so easy to throw together a simple CMS-style front-end and supporting database these days and then a full programming language is so much more powerful for any specialised data manipulation. Even with the more recent developments, I'm not sure how much space is left in between where a heavyweight CMS is going to be a good choice.
I see this argument a lot, as with any build-or-buy kind of decision, but I'm not sure it's always true with something like a CMS. You basically have a scale, from something you install and configure that requires little or no programming at one end to developing a bespoke system at the other, and working at either end of that scale has significant pros and cons.
The first end is the space dominated by WordPress today. You can install WP (or get hosting that already has it), throw a template and maybe a plugin or two on there, and start writing. As long as your needs are straightforward, this will probably work OK.
The other end needs some real programming and enough control over your servers/hosting to install whatever software you want to use. However, there are so many libraries and toolkits available today that you can write a basic CMS with all the essential features in a matter of hours, and then the sky is the limit for flexibility and customisation.
What I don't really understand is people who opt for the space in the middle if they have access to those basic programming and sysadmin skills. I've looked into more heavyweight CMS tools like Drupal in the past, but as soon as I wanted to do something beyond the basics, it became awkward to fit everything into the CMS's model for storing and rendering the content and doing so often required programming and database skills anyway. These tools lacked the speed and ease of use of WP, and they also lacked the flexibility of a custom system, and they offered little apparent advantage in any of those respects over the alternatives.
The only time I could imagine it making sense to use this sort of heavyweight CMS tool was if you needed something much more complicated than you could reasonably achieve with WP and a few plugins, but you really didn't have access to the programming or sysadmin skills needed to go bespoke. Even then, unless the big CMSes have become dramatically better lately, it's hard to imagine you wouldn't get better results by bringing someone on board for a few days to get the job done if that was an option.
Sheesh. If you wouldn't accept it for a car/appliance don't accept it for a computer/software!
Please don't give the car manufacturers ideas.
In Accounting, most computer hardware has a 2-3 year depreciation for a reason.
And that reason is mostly that 20 years ago the useful working lifetime for a PC before either a significant hardware failure or a cost-effective major upgrade actually was around 3 years.
However, that hasn't been true for at least a decade, with increasing reliability of hardware and reducing real world benefits to upgrading so often unless your hardware did already fail. I don't work with any accountants who would assume such a short lifetime for depreciation purposes today.
And sometimes, when things aren't really that old, built-in obsolescence happens too.
For what it's worth, I think the problem is often that our lawmakers try to be too specific when legislating in technical fields that (inevitably) most of them don't fully understand. I think sometimes they would do better to write laws that clearly establish the intended principle, and leave applying that principle under specific circumstances to the courts. The trouble is that when they try to get too specific, they wind up creating loopholes, which may then be exploited by lawyers acting for the very people or organisations those laws were intended to restrict.
In some areas, sticking to simpler laws about principles also potentially allows the law to adapt to a changing world more effectively, particularly in fast-moving fields like technology. As I've mentioned previously, I think the problem with a lot of our privacy and data protection laws today is that they were written for a time when collecting a single data point was the big concern, and the focus was on limiting how much data could be collected at that point or how it could be used. Today, with advances in technology, there are also risks to privacy from collecting lots of little data points and then analysing them together, but typically our existing data protection frameworks don't contain any safeguards to protect people from that sort of danger. If you started from more fundamental principles about why privacy is considered important enough to protect in the first place, rather than focussing on specific aspects of collecting, using and sharing personal data, it might be easier to look at new situations and behaviours and decide whether those behaviours are basically fair and reasonable things to do or whether they are in danger of crossing a line and need a closer look.
The thing is, while I've heard the kind of argument you make there before and it looks reasonable on the face of it, ultimately that entire argument is based on the idea that individuals can freely collect personal information about other individuals they know. Obviously it would be both undesirable and impractical to require every individual to register as a data controller and document every kind of personal data they ever came across about their friends or professional contacts, so whatever sort of implicit permission is involved it must be given or the whole legal foundation becomes silly. But then there's nothing to say explicitly where that permission does or doesn't end, and that creates huge grey areas in the kind of situation we're talking about.
To me, it seems obviously counter to the spirit of the data protection rules that large data harvesting organisations can entice someone who is being trusted with someone else's personal data in that way to hand over that data, often on terms that aren't fully understood, for purposes that aren't fully described, and quite possibly without even the knowledge of the actual data subject. There really ought to be some absolutely clear rules, with meaningful penalties for violation, about organisations collecting personal data from people about third parties, including both reasonable disclosure requirements to the people providing that data and hard limits beyond which the actual data subjects must give their explicit consent and no-one else can give it for them.
The difficulty with this is that some of these large data-harvesting organisations can now do so much with even tiny data points, because of the scale they operate at and the number of connected data points they have access to, that I'm starting to think any processing of data about third parties should be limited to temporary analysis for some specific purpose (such as checking whether any of the friends in your address book are already on a social network you're joining) with no permanent storage of data specifically about anyone else, and with a requirement that no processing is done in regard to any data incidentally collected about third parties, such as a friend who appears in a holiday photo you upload. It's the scale and co-ordination of all these modern systems that poses the biggest threats to privacy these days, but our laws data from a time when it was assumed the individual data points were what mattered.
I'm not so sure. Housing is one of those issues that isn't quite big enough to sway elections yet, but it's painful for a lot of people in the UK at the moment, and the government has essentially been propping up house prices by artificially limiting the market for years. Now they've backed themselves into a corner, because so many older voters have houses and possibly second buy-to-let houses that they want to keep the values up, but younger generations are already completely priced out of the market in some places. As more of those younger people become active voters, it's going to become more difficult for the government to continue propping up the relatively well-off property owners anyway, and supporting this sort of obviously creepy move is just a needless political risk from their point of view.
[T]hey're providing a credit score. This is a regulated industry by the FCA, and they're not registered as a financial services company with the FCA for this purpose.
Interesting. That looks like a credible way to go after them if they pursue this, independent of the general data protection rules.
From a non-financial aspect in terms of the DPA, the DPA states that an organisation cannot capture more data than is necessary for the purposes of their business.
Indeed, but in this case if the purpose is to evaluate the prospective tenant's trustworthiness based on their social media activity and they've given their explicit consent for that to happen, it seems optimistic to assume the DPA prohibits such activity. This feels like something you'd need a court case to determine with certainty.
No individual can ever give permission to a company to harvest another individual's data in this way.
I'd like to think that was the case, and as I read the law it always seemed to be. However, it makes me wonder how social media apps get away with harvesting their users' entire phone/address books, services like Google Mail get away with scanning mails sent to one of their users by another party who doesn't know Google is involved, and so on. Plenty of big IT companies seem to be doing things like this routinely, and the regulators don't seem to be objecting much so far, much as some of us might wish they would.