The auto manufacturers are looking for this data themselves -- this is a matter of public record in some cases, and widely acknowledged privately in others -- and so it is logical that they will choose their commercial partnerships in light of that. If Google want to keep that data for themselves but someone else will implement more integrated telemetry that lets the manufacturers spy on drivers and send the data to insurers, the second person is probably going to win the deal, unless and until the privacy regulators start stepping in.
As for ads, just tracking the locations someone visits regularly is a treasure trove of mineable information, and you can probably tell a lot about someone from their driving style as well. Of course, the implications of commercial services literally tracking our every move are pretty unpleasant for some of us.
The information isn't that interesting either, the most likely use would be applications to help people
The most likely use of collecting data about vehicles and driving style is probably selling it to insurers for a huge profit.
The next most likely use of collecting data about vehicles and driving style is probably selling it to advertisers for a huge profit.
Somewhere down the list there are probably things to do with law enforcement.
Somewhere near a footnote on page 17 there are probably things that will actually help make cars better for their owners, or least make future versions of cars better for their future owners. Auto manufacturers already do a huge amount of both simulation and real world testing during development of a new vehicle, using vastly more sophisticated and comprehensive systems than anything fitted to a production car you or I would drive on the road. There is only so much extra they could learn from large scale collection of real world driving data that they can't already determine from other sources.
There might be a decent argument for some sort of black box style recording for all cars, to help with investigating after something went wrong and hopefully make the roads safer for everyone in the long term. But like any black box, the integrity of that data would be important, so some remotely accessible system that is also hooked up to all kinds of infotainment widgets is probably the last place you would want it.
Are you sure about that? What little actual user research I've seen suggests that most customers don't think much of in-car "infotainment" systems generally. The same research suggests that these systems are almost never a deciding factor in sales, except in the wrong direction if they are so bad that they stick out or, in a few cases, because of security or privacy concerns.
And really, who can blame those customers, when these systems almost invariably look awful and work even worse, even in very expensive prestige vehicles? It bends my mind that luxury car brands spend so much money getting metalwork and paint colours and seat shapes just right, but then throw in a "high tech" system that looks like the love child of a 1990s "under construction" web site and a first generation iOS app written by your neighbour's 14-year-old kid.
One day I really want to walk into a dealership for one of these brands and when they do the spiel about how great their high-tech keyless entry and infotainment systems are, see if they're willing to bet me the car that I can't compromise their system in some significant way in under 24 hours. Given I've worked in several relevant industries and have some idea of how low the standards are in the auto industry in this area, I find it disturbingly possible that I might actually be able to do that. But even if I couldn't, it would be fun watching the sales guys squirm, a bit like the SEO people who spam me saying they can get my business onto page 1 of Google in our field, when I reply that we actually are on page 1 of Google in our field and but when I searched for SEO I didn't see their site on the first page.
Thanks for the ideas, but yes, we've pretty much exhausted the sensible options, at least with the current card payment service we use. We do wonder whether that service might itself be part of the problem -- if having a programmer-friendly system so taking card payments on-line make it easier to take payments, naturally it also makes it easier to take fraudulent payments, and I wonder whether these new services' own "reputations" within the industry affect their custoemrs' fraud ratings on whatever systems check these things.
As for the crooks angle, of course there is always the problem with services being used to validate illegally obtained credentials, but in this case it is likely that every one of those users was legitimate. We're in a niche market, and the access patterns of the users in question are far too consistent with normal use and unlike anything someone just testing out a card would be likely to hit by accident -- we're talking dozens if not hundreds of page views looking up specialised information in specific, logical orders here. Also, while we see quite a few failures in month 2, in a frustrating proportion of the cases that mysteriously fail it's a subscriber who's had many months of continued membership and/or been known in our field and/or been in touch with us personally at some point, i.e., a good customer who was probably very happy to continue subscribing (but might not get around to doing it again for a while if the failed payment means hassle to stay signed up).
Peoples cards expire, and they don't update their user data if they've been subscribed for a while.
Sadly, it's definitely not that simple. I'm already excluding all other identified forms of card failure, including expiry. And actually, that particular issue isn't such a big problem these days anyway, as there are mechanisms to avoid routine card expiry or change of address details breaking existing subscriptions now that most of the major card schemes participate in.
What I'm talking about here is literally just some neutral "payment refused" code, and that's it. We've queried the high rate of failures with our own payment service, and they are (or at least say they are) in the dark as we are. We also know of a few other small businesses with a similar story, so it's not something special about us or probably about the payment service we're using.
Our hunch is that because we're in the UK and we see a dramatically higher proportion of such failures from customers abroad compared to back home, the charge from a different country is considered a big signal of potential fraud by some customers' card issuers, and since we see a way dramatically higher proportion of failures around the second or third month of a subscription the lack of CVC on repeat transactions is enough to tip us over someone's threshold.
I had my card suspended because i sent $2.50 over paypal to a kid in the UK for some software.
I'll see you that and raise you how it looks from a UK merchant's side. Running a simple on-line service with a small monthly subscription fee and a fair proportion of international customers, we literally lose more subscriptions because of unexplained card failures than all other causes put together, including active cancellation by a subscriber's own choice.
Worse, as far as we can tell, there is absolutely nothing we can do about it. The system simply doesn't work reliably and there is no useful information whatsoever provided to the merchant when the card fails. About the best you can do as a merchant is contact your customers after the failed charge, try to convince them that their card being declined is neither an indication of fraud on your part nor something they should be embarrassed about themselves, and hope they are willing to sit on the phone being told how important their call is for a few minutes while they wait to speak to their card issuer and confirm it's a valid transaction. Unsurprisingly, relatively few customers will actually do this, even those who have otherwise been active customers apparently happy with the service.
The card industry's incompetence is a tax on trade, and the sooner it dies its long overdue death and payment methods fit for this century take over, the better off literally everyone involved else will be.
It's a shame they don't seem to have added much about EULAs and similar "agreements", though.
To clarify a little, there certainly is an attempt to include this sort of licence agreement within the fairness regime -- the new law refers to "consumer notices", which as defined would almost certainly include most EULAs and similar agreements -- but we still have the flaky legal basis for having EULAs in the first place.
The law has always said that you are owed one, this just clarifies the situation further.
In particular, the legal changes that came into effect today extend various rights specifically in relation to digital content. Prior to these changes, there were a lot of loopholes and grey areas if you bought something like software or audio-visual content purely on-line. For example, a lot of the laws we had before dated from a time when we were talking about a single physical copy of something.
It's a shame they don't seem to have added much about EULAs and similar "agreements", though. These already had a somewhat unclear legal status, thanks to various technicalities about copyright law. However, they also increasingly seem to be abused by suppliers of on-line content and those who use DRM, product activation, and similar measures.
For example, it seems grossly unfair to me that a games distributor might have a policy where a dispute about a new purchase or an unproven allegation about on-line behaviour in one game could result in no longer having access even to other games or previous purchases from the same distributor. This would be a totally disproportionate level of power that could allow such a distributor to abuse a past purchase history in order to resolve any current dispute in its favour or to prevent a customer from legitimately exercising their normal consumer rights in relation to one purchase without risking losing items of much greater value. Not that I'm suggesting this actually happens with any specific game distributor, of course.
I really don't understand why anyone pre-orders games that are delivered via digital download. A few years ago, it made sense, because maybe you wanted to make sure there was a physical box waiting for you at the game store on launch day. How many games are still bought that way today, though? It's not as if the download server is going to run out of copies.
Game companies want everyone to pre-order, of course, because it guarantees them income no matter how much of a turkey the game turns out to be. But usually they offer at best some token DLC to go with the pre-ordered version, and often different token DLC for people getting the game in different ways so no-one can have everything, and in any case if that DLC is worth anything it will unbalance the game (which is bad) and if it's not then it's no incentive to pre-order anyway.
Don't pre-order on-line games, kids. There is no way it ends positively for you, and it gives the game companies every incentive to ship unfinished junk instead of polished products you'll enjoy.
I don't think that's cynical, just realistic. I'm quite sure that's why they do it, and it's why I have no sympathy with them when they bleat about how terrible it would be for the health and safety of patients if they had to actually do things at a normal speed. For one thing, I don't believe them. For another, screw anyone who tries to play the health and safety card without justification, because there are enough genuine H&S issues worth thinking about and trying to fix that distracting from them by crying wolf is damaging.
While we're at it, taking a regulated document (a prescription signed by a qualified doctor) from a customer when you can't actually fill it, and then trying to keep hold of it and use it as leverage to get the customer not only to accept a partial supply that day but also to come back another day should be both a criminal offence and grounds for having the relevant licence to practise revoked. Way too many pharmacies -- again, it somehow always seems to be the ones in big stores -- try to play this trick, and in some cases it literally means people aren't getting the medication prescribed by their doctor until several days after they could have had it if they'd been able to take the prescription to a different pharmacy instead.
This seems rather off-topic now, but actually it's a great example of why you need supervision that understands enough of a technical field to call bullshit at the appropriate point and not accept dubious justifications for underperformance.
Yes, I agree with that as well. As they say, there are two important questions: did we build the right product, and did we build the product right? It takes a mix of technical and non-technical skills to handle both aspects well.
I don't think one person necessarily needs to have deep skills on both sides, but you need a combination of people who do. Crucially, you also need enough understanding of the business side from the technical people and vice versa for everyone to communicate effectively.
If the management team for a project don't know enough about the technical issues to understand what is realistic to achieve and when, then that communication can't happen. At that point, management are essentially just trusting that the senior technical people will know what they're doing and deliver good results anyway. Perhaps they will, because a business-savvy tech lead can help a lot in this situation, but in any case ignorant management probably isn't contributing much to the project.
Having done it, that can certainly be true. As it turns out, my biggest asset when I'm doing freelance/consultancy gigs isn't my technical skills, it's my ability to understand the customer's real problem and devise a technical solution. The fact that I'm also pretty good at building the technical solutions helps, but it's being able to bridge the gap that really makes clients value you.
But this would be less of an issue if the in-house managers actually knew enough to value their own people, and that in turn would be helped if more of those people made an effort to understand how their contribution fits into the business as a whole.
Exactly. I find that if I go to a big store with an in-store pharmacy here in the UK, say a city centre branch of Boots, I invariably get told to come back for my prescription after $SIGNIFICANT_DELAY. And yet if I go to a small local pharmacy to collect exactly the same product with exactly the same regulatory regime dispensed by people with exactly the same qualifications, they can manage to pick the product off the shelf and get a colleague to check it just fine in exactly the amount of time you'd think it would take to carefully select a product, check it yourself, and get the next available colleague to double-check it. That amount of time is not normally given as a fraction of an hour.
This is like the software guys who tell management they can't give anything resembling a useful estimate on any time or resources question, everyone's software is impossible to maintain long term and has high fault rates in production, and so on. Sometimes these things really are true for good reasons, but a lot of the time it's just crap they're making up to try to cover up their own incompetence and/or laziness.
And that's the best argument there is for having supervision with at least enough understanding of the relevant technical issues to tell the difference.
Erm... Did you actually understand my post, at all? Did you even read it? It's like I wrote that whole post and you still think I'm on the other side of the debate or something.
If you take my private data and send it to someone else, then you are violating my privacy.
But it's obviously not as simple as equating private data with personal data. If I send you an e-mail, then unless you and I both run our own mail servers, some number of service providers between us are going to be involved in forwarding the mail, complete with your e-mail address and mine. I don't think most people would say sending or receiving an e-mail is violating the other party's privacy, but there is certainly personally identifiable data there, and in connection with other personally identifiable data and when used for other purposes than forwarding the mail it came from, that can become an issue of concern.
It may well be against European law, but that doesn't make it shady.
No, it's the involuntary collection and mining of personal data that makes it shady.
This really has very little to do with European vs. US business. We've had much stronger emphasis on privacy and, consequently, data protection in Europe since long before the Internet was a big deal, and our laws and social expectations reflect that emphasis. This will happen when things like the holocaust are still within living memory and there are still living members of a generation who really did have to fear for their lives because of government power.
The trouble with this debate is that most of the US population has no personal frame of reference here. Most people in the US probably consider the biggest attack on civilians in the modern age to be 9/11, when about 3,000 people were murdered by terrorists. Obviously that was a terrible day, and we've felt the consequences ever since.
However, let's try to put that in perspective, to the extent that any such loss of human life can ever can be. In Europe, most people probably consider the biggest attack on civilians in the modern age to be the Holocaust, when about 6,000,000 people were murdered by Nazis with the power of a state behind them. That is the equivalent of two thousand 9/11s, more than one for every day between the Night of Broken Glass and the end of World War II, and it was backed by a national government gone crazy and with a vast information gathering apparatus used to identify the targets.
There is an old saying about those who do not learn from history. And if you think the US is somehow immune from such barbaric behaviour, I would remind you that the leading candidate for the Republican presidential nomination is a shameless xenophobic racist, not far below him in the list is someone smart enough to be a qualified doctor yet who says no-one should lead the free world if they follow the second most popular religion in the world, and the most famous non-electoral news from the US in recent days has been how a 14-year-old kid was arrested and led away in handcuffs for being interested in building useful things, and how many people involved in running his school and local authorities thought that was OK.
Those are just the headlines from the past week or two, but to an outside observer, they seem to represent a disturbing pattern that has been developing for much longer. We should all be wary of giving any government where these kinds of values are not just tolerated but apparently flourishing the kind of access to huge databases of personal information that we're talking about here.
Facebook almost certainly does some things with personal data about some EU citizens against their will. For example, by uploading the contents of users' phone books, it would be collecting personal data about everyone in those phone books, not just their owners. Because phone numbers are effectively unique IDs, and because Facebook appears to be collecting that data systematically from a large number of people, it would also be building a database about the social relationships of everyone in those phone books. It is now well established that Facebook could derive other potentially sensitive details about those people with a high probability of being correct based on that social graph.
Now consider that not everyone uses Facebook, and indeed some people actively choose not to because of privacy concerns, and there is clearly a concern about the legality of such a system in Europe.
If you're about to argue that it's not Facebook's fault and everyone shouldn't just upload their phone books and give up their friends'/family's/colleagues' details, then we next get into arguments about incitement/coercion and about misrepresentation, which are things the law typically takes a dim view of. It is also now well established that many people using these on-line services don't fully understand the implications for themselves or for others, and that sometimes people find the reality surprising and undesirable when it is fully explained to them.
In any case, it doesn't matter what the Facebook users themselves think in the scenario I've been discussing, because the people who didn't sign up are entitled to have their personal data protected under EU law regardless of what their friends do. That doesn't necessarily mean the data can't be used or shared, and there are certainly interesting ethical and legal questions when it comes to service providers that need some information to provide their service but operate at a scale that has deeper implications for privacy such as, say, Google Mail. But what Facebook reportedly does with personal data about individuals who didn't opt in seems pretty far towards the shady side of legal in Europe.
This is a problem that is easily solved by providing read only access to sensor data. There is no reason for the external communication systems to allow write operations of any sort.
Absolutely true, but unfortunately a lot of cars shipping today have a CAN bus architecture that can't make that distinction, and the components communicating via the bus aren't set up with the necessary security in mind either. That's a large part of the problem here.
Personally, I'm not sot so sure; nobody expected that Corbyn would be anything more than a loser in the leadership election, yet he won.
That "nobody expected" wasn't really true for more than a few days after the campaign started, though, and it didn't help that the other three candidates weren't exactly political giants.
I think the challenge for Corbyn and his team is that they have won a modest degree of influence for now, but they've done it by essentially reducing the Labour Party to the "idealistic protest vote" role held by the Liberal Democrats until a couple of elections ago. Just think about that for a moment: a party which has formed the government for three of the last five administrations in the UK has successfully replaced a party that in one of the last five general elections managed to form a coalition giving it power for the first time in generations and then mishandled that opportunity so badly that they lost almost 90% of their MPs and their leadership disintegrated at the next election. (Have you heard anything from the Lib Dems since the election? I literally haven't seen any Lib Dem speaking about anything since that time, not even a quick news sound bite from their new leader.)
At this point, four years from another general election, it's easy for Corbyn and company to criticise widely and take an idealistic stance of many issues. No-one's really going to challenge them and force them to defend those positions in the face of reality. But three years from now, if the same Labour leadership has survived the inevitable coup attempt(s), they're going to have to start explaining exactly who they are going to hurt personally with those higher taxes, and how they're going to make up for the jobs that are lost by their heavily anti-business economic policies, and how they're really going to pick up over £100,000,000,000 in uncollected tax revenues that no previous generation has found. They're going to have to explain how they will protect our country if the laudably diplomatic approach to international relations that they propose doesn't work with some bad people. They're going to have to deal with whatever happens as a result of the EU referendum. And so on.
I agree with you that Corbyn's election will probably be very good for the country in the short term. For the first time in a long time we might actually have an official opposition who are actually opposing some of the government's policies with more than lip service and sound-bites. Given the complete lack of effective opposition from any of the other English parties since the general election, that is no bad thing at all.
However, I reckon he's probably got until the party conference season next year to convince people that he can actually do real politics as well. If he can't then, in the words of a UK political drama, I expect his candle will burn brightly, but briefly. Labour just lost one election standing by someone even though a lot of them didn't really think he was a credible leader. They won't be quick to make the same mistake again.
These kinds of failsafe should be completely reliable, and it's crazy that they aren't, but it seems auto makers are just trying to be too clever with what they do in software and they sometimes get it wrong.
The problem is that nobody gives a rat's ass until people wind up dying on a massive scale, as in the hundreds to thousands.
Isn't the real problem that in this case that might actually happen? A few posters right here in this discussion have already described some very nasty scenarios that could have that kind of result, and the necessary proofs of concept have already been demonstrated, which is why we're having today's discussion in the first place.
All too literally, the only thing protecting us from this kind of attack right now is the blessing that there aren't yet very many people in the world with all of the knowledge, the resources and the desire to hurt a lot of people by doing it.
I don't understand why the same computer needs to handle both work loads as they do not cross over in functionality or need.
There is a half-truth here.
The underlying problem is that a lot of the electronic systems within most modern cars probably communicate using an insecure channel. The systems were designed with the assumption that the other devices on the same bus were trustworthy. And of course, they typically were, before remote access came along.
Today that assumption no longer holds, but a lot of systems that seem unrelated do actually have genuine reasons to interact to some degree. For example, consider a modern system that will call the emergency services in the event of a crash, which is obviously a beneficial feature other than in contrived situations. However, that system needs to know whether a crash has occurred, and how is it going to do that? It needs access to some sort of sensor, but by its nature that same sensor is probably also used by some of the other modern systems that provide collision avoidance/mitigation features. Bang, now you've a link between a system that has remote communication capabilities and a system that has a need for direct control of essential vehicle systems.
One possible solution to this is to have proper internal firewalls so that trust is only given where it's actually necessary, and it can also be a one-way relationship. However, this simply isn't possible with the current generation of bus-based designs that a lot of these modern vehicles use. So, the car companies don't want to acknowledge the problem because that would potentially increase their liability if anything later goes horribly wrong. Since they can't ship a software update to fix the numerous potentially at-risk vehicles they already sold, nor retrofit more secure infrastructure in a financially viable way, there would be nothing they could do to control that risk.
The result is the three wise monkeys calling the shots, and unfortunately the commercial incentives are likely to keep it that way until either serious laws with meaningful penalties are passed or something awful happens.
Software can no longer afford to be static. It needs to roll with the punches of exploits and support updates out in the field at a moments notice.
Or we could just, y'know, not connect every essential system in the universe to arbitrary remote devices, some of which will inevitably be compromised or otherwise hostile.
Watching the train wreck we're calling the Internet of Things is like watching cloud computing all over again but ten times worse. It seems the manufacturers can't get enough of it because of the hype train and so most of their customers get on board as well, even though they don't really know whether there's anything in it for them or have any concept of the risks.
Most people would likely say, "sure, put it in if it is free, so long as I don't have to use it (and they don't)".
It helps the car makers that the overwhelming majority of people have no idea how much their security and/or privacy are actually being compromised by these new systems.
"Do you like our new advanced recovery system? It automatically calls for help and sends your location if someone crashes into your car, so it might save your child's life one day."
"Thanks, that's great to know."
vs.
"Do you like our new advanced insecurity system? Because we're incompetent at software development, any punk with a $10 black market device can open your car while you're away and steal anything in it, or the next big terrorist attack could be someone with a laptop 25 miles away causing everyone with this model to accelerate to 100mph, so you and your children can be terrified for the last few seconds of your life before you die in a horrific collision.
"ARE YOU F*?#ING CRAZY?"
The reality, of course, is that these two scenarios are not at all mutually exclusive, and both are somewhat unlikely. However, most normal people who haven't worked in either the auto industry or the software industry are only thinking about one of them when they get the sales pitch.
Slashdot Mirror
The auto manufacturers are looking for this data themselves -- this is a matter of public record in some cases, and widely acknowledged privately in others -- and so it is logical that they will choose their commercial partnerships in light of that. If Google want to keep that data for themselves but someone else will implement more integrated telemetry that lets the manufacturers spy on drivers and send the data to insurers, the second person is probably going to win the deal, unless and until the privacy regulators start stepping in.
As for ads, just tracking the locations someone visits regularly is a treasure trove of mineable information, and you can probably tell a lot about someone from their driving style as well. Of course, the implications of commercial services literally tracking our every move are pretty unpleasant for some of us.
My existing car dashboard:
Essential information I actually need when driving
No other junk
No other distractions
What do I win?
Yes, that definitely all sounds like a good idea and an excellent way to promote road safety. Can I subscribe to your newsletter?
The information isn't that interesting either, the most likely use would be applications to help people
The most likely use of collecting data about vehicles and driving style is probably selling it to insurers for a huge profit.
The next most likely use of collecting data about vehicles and driving style is probably selling it to advertisers for a huge profit.
Somewhere down the list there are probably things to do with law enforcement.
Somewhere near a footnote on page 17 there are probably things that will actually help make cars better for their owners, or least make future versions of cars better for their future owners. Auto manufacturers already do a huge amount of both simulation and real world testing during development of a new vehicle, using vastly more sophisticated and comprehensive systems than anything fitted to a production car you or I would drive on the road. There is only so much extra they could learn from large scale collection of real world driving data that they can't already determine from other sources.
There might be a decent argument for some sort of black box style recording for all cars, to help with investigating after something went wrong and hopefully make the roads safer for everyone in the long term. But like any black box, the integrity of that data would be important, so some remotely accessible system that is also hooked up to all kinds of infotainment widgets is probably the last place you would want it.
Information about the car is what CONSUMERS want.
Are you sure about that? What little actual user research I've seen suggests that most customers don't think much of in-car "infotainment" systems generally. The same research suggests that these systems are almost never a deciding factor in sales, except in the wrong direction if they are so bad that they stick out or, in a few cases, because of security or privacy concerns.
And really, who can blame those customers, when these systems almost invariably look awful and work even worse, even in very expensive prestige vehicles? It bends my mind that luxury car brands spend so much money getting metalwork and paint colours and seat shapes just right, but then throw in a "high tech" system that looks like the love child of a 1990s "under construction" web site and a first generation iOS app written by your neighbour's 14-year-old kid.
One day I really want to walk into a dealership for one of these brands and when they do the spiel about how great their high-tech keyless entry and infotainment systems are, see if they're willing to bet me the car that I can't compromise their system in some significant way in under 24 hours. Given I've worked in several relevant industries and have some idea of how low the standards are in the auto industry in this area, I find it disturbingly possible that I might actually be able to do that. But even if I couldn't, it would be fun watching the sales guys squirm, a bit like the SEO people who spam me saying they can get my business onto page 1 of Google in our field, when I reply that we actually are on page 1 of Google in our field and but when I searched for SEO I didn't see their site on the first page.
Thanks for the ideas, but yes, we've pretty much exhausted the sensible options, at least with the current card payment service we use. We do wonder whether that service might itself be part of the problem -- if having a programmer-friendly system so taking card payments on-line make it easier to take payments, naturally it also makes it easier to take fraudulent payments, and I wonder whether these new services' own "reputations" within the industry affect their custoemrs' fraud ratings on whatever systems check these things.
As for the crooks angle, of course there is always the problem with services being used to validate illegally obtained credentials, but in this case it is likely that every one of those users was legitimate. We're in a niche market, and the access patterns of the users in question are far too consistent with normal use and unlike anything someone just testing out a card would be likely to hit by accident -- we're talking dozens if not hundreds of page views looking up specialised information in specific, logical orders here. Also, while we see quite a few failures in month 2, in a frustrating proportion of the cases that mysteriously fail it's a subscriber who's had many months of continued membership and/or been known in our field and/or been in touch with us personally at some point, i.e., a good customer who was probably very happy to continue subscribing (but might not get around to doing it again for a while if the failed payment means hassle to stay signed up).
Peoples cards expire, and they don't update their user data if they've been subscribed for a while.
Sadly, it's definitely not that simple. I'm already excluding all other identified forms of card failure, including expiry. And actually, that particular issue isn't such a big problem these days anyway, as there are mechanisms to avoid routine card expiry or change of address details breaking existing subscriptions now that most of the major card schemes participate in.
What I'm talking about here is literally just some neutral "payment refused" code, and that's it. We've queried the high rate of failures with our own payment service, and they are (or at least say they are) in the dark as we are. We also know of a few other small businesses with a similar story, so it's not something special about us or probably about the payment service we're using.
Our hunch is that because we're in the UK and we see a dramatically higher proportion of such failures from customers abroad compared to back home, the charge from a different country is considered a big signal of potential fraud by some customers' card issuers, and since we see a way dramatically higher proportion of failures around the second or third month of a subscription the lack of CVC on repeat transactions is enough to tip us over someone's threshold.
I had my card suspended because i sent $2.50 over paypal to a kid in the UK for some software.
I'll see you that and raise you how it looks from a UK merchant's side. Running a simple on-line service with a small monthly subscription fee and a fair proportion of international customers, we literally lose more subscriptions because of unexplained card failures than all other causes put together, including active cancellation by a subscriber's own choice.
Worse, as far as we can tell, there is absolutely nothing we can do about it. The system simply doesn't work reliably and there is no useful information whatsoever provided to the merchant when the card fails. About the best you can do as a merchant is contact your customers after the failed charge, try to convince them that their card being declined is neither an indication of fraud on your part nor something they should be embarrassed about themselves, and hope they are willing to sit on the phone being told how important their call is for a few minutes while they wait to speak to their card issuer and confirm it's a valid transaction. Unsurprisingly, relatively few customers will actually do this, even those who have otherwise been active customers apparently happy with the service.
The card industry's incompetence is a tax on trade, and the sooner it dies its long overdue death and payment methods fit for this century take over, the better off literally everyone involved else will be.
It's a shame they don't seem to have added much about EULAs and similar "agreements", though.
To clarify a little, there certainly is an attempt to include this sort of licence agreement within the fairness regime -- the new law refers to "consumer notices", which as defined would almost certainly include most EULAs and similar agreements -- but we still have the flaky legal basis for having EULAs in the first place.
The law has always said that you are owed one, this just clarifies the situation further.
In particular, the legal changes that came into effect today extend various rights specifically in relation to digital content. Prior to these changes, there were a lot of loopholes and grey areas if you bought something like software or audio-visual content purely on-line. For example, a lot of the laws we had before dated from a time when we were talking about a single physical copy of something.
It's a shame they don't seem to have added much about EULAs and similar "agreements", though. These already had a somewhat unclear legal status, thanks to various technicalities about copyright law. However, they also increasingly seem to be abused by suppliers of on-line content and those who use DRM, product activation, and similar measures.
For example, it seems grossly unfair to me that a games distributor might have a policy where a dispute about a new purchase or an unproven allegation about on-line behaviour in one game could result in no longer having access even to other games or previous purchases from the same distributor. This would be a totally disproportionate level of power that could allow such a distributor to abuse a past purchase history in order to resolve any current dispute in its favour or to prevent a customer from legitimately exercising their normal consumer rights in relation to one purchase without risking losing items of much greater value. Not that I'm suggesting this actually happens with any specific game distributor, of course.
I really don't understand why anyone pre-orders games that are delivered via digital download. A few years ago, it made sense, because maybe you wanted to make sure there was a physical box waiting for you at the game store on launch day. How many games are still bought that way today, though? It's not as if the download server is going to run out of copies.
Game companies want everyone to pre-order, of course, because it guarantees them income no matter how much of a turkey the game turns out to be. But usually they offer at best some token DLC to go with the pre-ordered version, and often different token DLC for people getting the game in different ways so no-one can have everything, and in any case if that DLC is worth anything it will unbalance the game (which is bad) and if it's not then it's no incentive to pre-order anyway.
Don't pre-order on-line games, kids. There is no way it ends positively for you, and it gives the game companies every incentive to ship unfinished junk instead of polished products you'll enjoy.
I don't think that's cynical, just realistic. I'm quite sure that's why they do it, and it's why I have no sympathy with them when they bleat about how terrible it would be for the health and safety of patients if they had to actually do things at a normal speed. For one thing, I don't believe them. For another, screw anyone who tries to play the health and safety card without justification, because there are enough genuine H&S issues worth thinking about and trying to fix that distracting from them by crying wolf is damaging.
While we're at it, taking a regulated document (a prescription signed by a qualified doctor) from a customer when you can't actually fill it, and then trying to keep hold of it and use it as leverage to get the customer not only to accept a partial supply that day but also to come back another day should be both a criminal offence and grounds for having the relevant licence to practise revoked. Way too many pharmacies -- again, it somehow always seems to be the ones in big stores -- try to play this trick, and in some cases it literally means people aren't getting the medication prescribed by their doctor until several days after they could have had it if they'd been able to take the prescription to a different pharmacy instead.
This seems rather off-topic now, but actually it's a great example of why you need supervision that understands enough of a technical field to call bullshit at the appropriate point and not accept dubious justifications for underperformance.
Yes, I agree with that as well. As they say, there are two important questions: did we build the right product, and did we build the product right? It takes a mix of technical and non-technical skills to handle both aspects well.
I don't think one person necessarily needs to have deep skills on both sides, but you need a combination of people who do. Crucially, you also need enough understanding of the business side from the technical people and vice versa for everyone to communicate effectively.
If the management team for a project don't know enough about the technical issues to understand what is realistic to achieve and when, then that communication can't happen. At that point, management are essentially just trusting that the senior technical people will know what they're doing and deliver good results anyway. Perhaps they will, because a business-savvy tech lead can help a lot in this situation, but in any case ignorant management probably isn't contributing much to the project.
Having done it, that can certainly be true. As it turns out, my biggest asset when I'm doing freelance/consultancy gigs isn't my technical skills, it's my ability to understand the customer's real problem and devise a technical solution. The fact that I'm also pretty good at building the technical solutions helps, but it's being able to bridge the gap that really makes clients value you.
But this would be less of an issue if the in-house managers actually knew enough to value their own people, and that in turn would be helped if more of those people made an effort to understand how their contribution fits into the business as a whole.
Exactly. I find that if I go to a big store with an in-store pharmacy here in the UK, say a city centre branch of Boots, I invariably get told to come back for my prescription after $SIGNIFICANT_DELAY. And yet if I go to a small local pharmacy to collect exactly the same product with exactly the same regulatory regime dispensed by people with exactly the same qualifications, they can manage to pick the product off the shelf and get a colleague to check it just fine in exactly the amount of time you'd think it would take to carefully select a product, check it yourself, and get the next available colleague to double-check it. That amount of time is not normally given as a fraction of an hour.
This is like the software guys who tell management they can't give anything resembling a useful estimate on any time or resources question, everyone's software is impossible to maintain long term and has high fault rates in production, and so on. Sometimes these things really are true for good reasons, but a lot of the time it's just crap they're making up to try to cover up their own incompetence and/or laziness.
And that's the best argument there is for having supervision with at least enough understanding of the relevant technical issues to tell the difference.
Erm... Did you actually understand my post, at all? Did you even read it? It's like I wrote that whole post and you still think I'm on the other side of the debate or something.
If you take my private data and send it to someone else, then you are violating my privacy.
But it's obviously not as simple as equating private data with personal data. If I send you an e-mail, then unless you and I both run our own mail servers, some number of service providers between us are going to be involved in forwarding the mail, complete with your e-mail address and mine. I don't think most people would say sending or receiving an e-mail is violating the other party's privacy, but there is certainly personally identifiable data there, and in connection with other personally identifiable data and when used for other purposes than forwarding the mail it came from, that can become an issue of concern.
It may well be against European law, but that doesn't make it shady.
No, it's the involuntary collection and mining of personal data that makes it shady.
This really has very little to do with European vs. US business. We've had much stronger emphasis on privacy and, consequently, data protection in Europe since long before the Internet was a big deal, and our laws and social expectations reflect that emphasis. This will happen when things like the holocaust are still within living memory and there are still living members of a generation who really did have to fear for their lives because of government power.
The trouble with this debate is that most of the US population has no personal frame of reference here. Most people in the US probably consider the biggest attack on civilians in the modern age to be 9/11, when about 3,000 people were murdered by terrorists. Obviously that was a terrible day, and we've felt the consequences ever since.
However, let's try to put that in perspective, to the extent that any such loss of human life can ever can be. In Europe, most people probably consider the biggest attack on civilians in the modern age to be the Holocaust, when about 6,000,000 people were murdered by Nazis with the power of a state behind them. That is the equivalent of two thousand 9/11s, more than one for every day between the Night of Broken Glass and the end of World War II, and it was backed by a national government gone crazy and with a vast information gathering apparatus used to identify the targets.
There is an old saying about those who do not learn from history. And if you think the US is somehow immune from such barbaric behaviour, I would remind you that the leading candidate for the Republican presidential nomination is a shameless xenophobic racist, not far below him in the list is someone smart enough to be a qualified doctor yet who says no-one should lead the free world if they follow the second most popular religion in the world, and the most famous non-electoral news from the US in recent days has been how a 14-year-old kid was arrested and led away in handcuffs for being interested in building useful things, and how many people involved in running his school and local authorities thought that was OK.
Those are just the headlines from the past week or two, but to an outside observer, they seem to represent a disturbing pattern that has been developing for much longer. We should all be wary of giving any government where these kinds of values are not just tolerated but apparently flourishing the kind of access to huge databases of personal information that we're talking about here.
Facebook almost certainly does some things with personal data about some EU citizens against their will. For example, by uploading the contents of users' phone books, it would be collecting personal data about everyone in those phone books, not just their owners. Because phone numbers are effectively unique IDs, and because Facebook appears to be collecting that data systematically from a large number of people, it would also be building a database about the social relationships of everyone in those phone books. It is now well established that Facebook could derive other potentially sensitive details about those people with a high probability of being correct based on that social graph.
Now consider that not everyone uses Facebook, and indeed some people actively choose not to because of privacy concerns, and there is clearly a concern about the legality of such a system in Europe.
If you're about to argue that it's not Facebook's fault and everyone shouldn't just upload their phone books and give up their friends'/family's/colleagues' details, then we next get into arguments about incitement/coercion and about misrepresentation, which are things the law typically takes a dim view of. It is also now well established that many people using these on-line services don't fully understand the implications for themselves or for others, and that sometimes people find the reality surprising and undesirable when it is fully explained to them.
In any case, it doesn't matter what the Facebook users themselves think in the scenario I've been discussing, because the people who didn't sign up are entitled to have their personal data protected under EU law regardless of what their friends do. That doesn't necessarily mean the data can't be used or shared, and there are certainly interesting ethical and legal questions when it comes to service providers that need some information to provide their service but operate at a scale that has deeper implications for privacy such as, say, Google Mail. But what Facebook reportedly does with personal data about individuals who didn't opt in seems pretty far towards the shady side of legal in Europe.
This is a problem that is easily solved by providing read only access to sensor data. There is no reason for the external communication systems to allow write operations of any sort.
Absolutely true, but unfortunately a lot of cars shipping today have a CAN bus architecture that can't make that distinction, and the components communicating via the bus aren't set up with the necessary security in mind either. That's a large part of the problem here.
Personally, I'm not sot so sure; nobody expected that Corbyn would be anything more than a loser in the leadership election, yet he won.
That "nobody expected" wasn't really true for more than a few days after the campaign started, though, and it didn't help that the other three candidates weren't exactly political giants.
I think the challenge for Corbyn and his team is that they have won a modest degree of influence for now, but they've done it by essentially reducing the Labour Party to the "idealistic protest vote" role held by the Liberal Democrats until a couple of elections ago. Just think about that for a moment: a party which has formed the government for three of the last five administrations in the UK has successfully replaced a party that in one of the last five general elections managed to form a coalition giving it power for the first time in generations and then mishandled that opportunity so badly that they lost almost 90% of their MPs and their leadership disintegrated at the next election. (Have you heard anything from the Lib Dems since the election? I literally haven't seen any Lib Dem speaking about anything since that time, not even a quick news sound bite from their new leader.)
At this point, four years from another general election, it's easy for Corbyn and company to criticise widely and take an idealistic stance of many issues. No-one's really going to challenge them and force them to defend those positions in the face of reality. But three years from now, if the same Labour leadership has survived the inevitable coup attempt(s), they're going to have to start explaining exactly who they are going to hurt personally with those higher taxes, and how they're going to make up for the jobs that are lost by their heavily anti-business economic policies, and how they're really going to pick up over £100,000,000,000 in uncollected tax revenues that no previous generation has found. They're going to have to explain how they will protect our country if the laudably diplomatic approach to international relations that they propose doesn't work with some bad people. They're going to have to deal with whatever happens as a result of the EU referendum. And so on.
I agree with you that Corbyn's election will probably be very good for the country in the short term. For the first time in a long time we might actually have an official opposition who are actually opposing some of the government's policies with more than lip service and sound-bites. Given the complete lack of effective opposition from any of the other English parties since the general election, that is no bad thing at all.
However, I reckon he's probably got until the party conference season next year to convince people that he can actually do real politics as well. If he can't then, in the words of a UK political drama, I expect his candle will burn brightly, but briefly. Labour just lost one election standing by someone even though a lot of them didn't really think he was a credible leader. They won't be quick to make the same mistake again.
You can also always turn off the car
Unfortunately, in modern vehicles even that doesn't always work.
These kinds of failsafe should be completely reliable, and it's crazy that they aren't, but it seems auto makers are just trying to be too clever with what they do in software and they sometimes get it wrong.
The problem is that nobody gives a rat's ass until people wind up dying on a massive scale, as in the hundreds to thousands.
Isn't the real problem that in this case that might actually happen? A few posters right here in this discussion have already described some very nasty scenarios that could have that kind of result, and the necessary proofs of concept have already been demonstrated, which is why we're having today's discussion in the first place.
All too literally, the only thing protecting us from this kind of attack right now is the blessing that there aren't yet very many people in the world with all of the knowledge, the resources and the desire to hurt a lot of people by doing it.
I don't understand why the same computer needs to handle both work loads as they do not cross over in functionality or need.
There is a half-truth here.
The underlying problem is that a lot of the electronic systems within most modern cars probably communicate using an insecure channel. The systems were designed with the assumption that the other devices on the same bus were trustworthy. And of course, they typically were, before remote access came along.
Today that assumption no longer holds, but a lot of systems that seem unrelated do actually have genuine reasons to interact to some degree. For example, consider a modern system that will call the emergency services in the event of a crash, which is obviously a beneficial feature other than in contrived situations. However, that system needs to know whether a crash has occurred, and how is it going to do that? It needs access to some sort of sensor, but by its nature that same sensor is probably also used by some of the other modern systems that provide collision avoidance/mitigation features. Bang, now you've a link between a system that has remote communication capabilities and a system that has a need for direct control of essential vehicle systems.
One possible solution to this is to have proper internal firewalls so that trust is only given where it's actually necessary, and it can also be a one-way relationship. However, this simply isn't possible with the current generation of bus-based designs that a lot of these modern vehicles use. So, the car companies don't want to acknowledge the problem because that would potentially increase their liability if anything later goes horribly wrong. Since they can't ship a software update to fix the numerous potentially at-risk vehicles they already sold, nor retrofit more secure infrastructure in a financially viable way, there would be nothing they could do to control that risk.
The result is the three wise monkeys calling the shots, and unfortunately the commercial incentives are likely to keep it that way until either serious laws with meaningful penalties are passed or something awful happens.
Software can no longer afford to be static. It needs to roll with the punches of exploits and support updates out in the field at a moments notice.
Or we could just, y'know, not connect every essential system in the universe to arbitrary remote devices, some of which will inevitably be compromised or otherwise hostile.
Watching the train wreck we're calling the Internet of Things is like watching cloud computing all over again but ten times worse. It seems the manufacturers can't get enough of it because of the hype train and so most of their customers get on board as well, even though they don't really know whether there's anything in it for them or have any concept of the risks.
Most people would likely say, "sure, put it in if it is free, so long as I don't have to use it (and they don't)".
It helps the car makers that the overwhelming majority of people have no idea how much their security and/or privacy are actually being compromised by these new systems.
"Do you like our new advanced recovery system? It automatically calls for help and sends your location if someone crashes into your car, so it might save your child's life one day."
"Thanks, that's great to know."
vs.
"Do you like our new advanced insecurity system? Because we're incompetent at software development, any punk with a $10 black market device can open your car while you're away and steal anything in it, or the next big terrorist attack could be someone with a laptop 25 miles away causing everyone with this model to accelerate to 100mph, so you and your children can be terrified for the last few seconds of your life before you die in a horrific collision.
"ARE YOU F*?#ING CRAZY?"
The reality, of course, is that these two scenarios are not at all mutually exclusive, and both are somewhat unlikely. However, most normal people who haven't worked in either the auto industry or the software industry are only thinking about one of them when they get the sales pitch.