I would love to know what versions their software stack is on right now - would make very interesting reading, I'm sure.
...and they don't even provide a way to verify the site (other than it's linked to from equifax.com). Even their SSL cert doesn't include their company name. It's amazing geniuses like these had security flaws in their systems!
They're giving themselves plenty of time on diesel and petrol, although I guess we'll see more 'stop the engine at the lights' in the near future.
From TFA, "By 2025, VW aims to have 50 purely battery-powered vehicles and 30 hybrid models in its lineup, with a goal of selling as many as 3 million all-electric cars by then."
'hybrid' can mean 'stop the engine at the lights', or it can mean something more like a Prius. There are a lot of years between then and now, so there's plenty of time for Nissan to beef up the Leaf, or Tesla to find an Italian to style their cars. Hell, we might even see another new start-up company jump in - some googling suggests Tesla started in 2003 and showed the Roadster in 2008 (so 5 years from nothing to demo). By 2025 there'll be exponentially more places to charge an EV than today, access will be more aggregated than today, and so owning an EV by then will be much easier than today - selling 3 million by then doesn't sound too hard (wikipedia says 250,000 Leafs have been sold to December 2016). VW group has far better 'reach' than Nissan, so should be able to do this comfortably.
Anything to promote documentation, is, in my opinion a good thing. I once documented a simple REST API - I looked for a good style guide, or even some good examples of what to document and in what detail - I really found nothing especially useful. Even finding good examples of documentation on other APIs was pretty hard.
That said, if you've ever read any Google documentation, you'll know that a lot of it is really pretty confusing. There's never a summary, it talks about lots of steps you probably should do, but not right now as you're just trying to get the thing to work and just want to learn it. In short, it's not especially productive. So in that sense, I'm not sure if this is a guide you should follow or not ;-)
This shows how easy some legal steps are, but also how hard they are too. How do you get legal advice whether you should use this chatbot or sue for far more money some other way, perhaps after your data is actually used illicitly?
Over here, we call most lawyers 'solicitors'. I'm sure some have wild, edge-of-your-seat lives, but many do 'conveyancing', which is a paper-pushing exercise to do with house buying and selling. It's a job that could, and should, be completely automated into non-existence, and one that a 'chat bot' could easily achieve - were it not for the insistence of various parties on posting documents to each other.
My point is... a lot of legal processes are really quite simple, and only look complicated because those that execute those procedures continue to make them look more complex than they are. 'Chat bots' or other electronic solutions show just how simple those processes are, but as I say, can't really do so well at the 'advice' part of the legal profession.
One's 'mental health' is a thing to be considered in sentencing in the UK. It might well be in the US too, but it's unlikely to be a mitigating feature in any trial, if indeed he gets anywhere near a trial.
Thus, it comes down to how humane the UK wants to be here. What this story is all about is to ask the UK judge (via public pressure) to look at the likely sentence he'd get in the UK versus the likely sentence (and treatment) he'll get in the US. Given that disparity, which is the most humane and likely to achieve a positive outcome for the people of the UK and US?
I struggle to see how 99 years in prison, being force-fed anti-depressants and severely mistreated, really helps humankind any more than the alternative he'd get in the UK. Let's be honest, neither will knock the autism out of him, and neither is really going to 'rehabilitate' him. One does give him the chance to become a productive member of society in some other way, and hopefully contribute in some way to the human race. The other really doesn't.
I'd rather accept a thermostat that does what it wants without my control if I knew I was going to get a grid that would actually stay working just because a bunch of people fancied a cup of tea at around the same time.
I get the notion of co-operation, but it seems on this point the customers all have to co-operate with the provider so that the provider doesn't have to do any cooperating of its own.
...and yet, for any given model, you can look up the total weight of the car, battery capacity/range, charge time, etc etc. Essentially, even if they put a bunch of bricks where the battery would be, you still get all the information you need to make a buying decision.
What they don't tell you, and in fact what no manufacturer tells you, is how good or crap their GPS maps are, or how good/crap their directions will be. Or how much you're going to hate trying to do anything on their entertainment system. If you want something to get angry about, I'd start there, personally.
...and regardless of what the batteries could do, either in 'aggressive' or 'passive' mode, Tesla (and others) are fairly clear about the range/output of the batteries and the expected lifespan. If you (as the consumer) don't like the quoted numbers, then to some extent, you should just buy something else.
That said, I do agree that some personal tinkering should be possible. In the case of Tesla specifically, they could conceivably have an 'advanced' menu, perhaps pin-code-protected, that lets you put the car into 'aggressive battery usage' mode for a period of (say) 48 hours at a time. That way they'd get telemetry of how often you used the feature, and could then tell you about the consequences if it seems you're using it too regularly. If they don't do stuff like this, then the tinkerers get motivated, and then they won't get the telemetry, and when batteries fail before they expect, they'll get all the bad publicity without having any 'come back'.
I worked for a financially-regulated place here in the UK and every once in a while you'd hear "that sort of f-up could see us lose our license" (and so stuff didn't happen) - exactly what the regulator intended (and for the most part, it seemed like a good outcome, from what I could tell).
In the case of Equifax in the US - why do they need SSNs? I presume it's a way to differentiate Jim Kirk from New York and Jim Kirk from Boston. I don't imagine they ever actually have a need to use the SSN with someone else (right?). In which case, they could have simply hashed the SSN on receipt and stored the hash. Right now, they'd still be in a world of trouble, but a lot less than they actually are (and could arguably have been a smaller target).
I guess what I'm asking is what could (really) cause such an incredible failure of judgement/execution on their part? Even the US's relatively slack laws on data protection would at least make hashing SSNs something you might at least think about, don't they?
Whilst I agree that some major sanctions against companies doing this sort of thing is definitely in order (here, the US might do well to look to the EU or Singapore for some ideas), but will that actually solve the real, core, underlying issue that let this happen in the first place, or will it just throw a couple of extra firewalls on the network for "due diligence" and leave the same crappy implementation choices in the systems that actually run the show?
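The 'hash the SSN on receipt and store the hash' idea from the comment above, worked through as an added example (my code, not anything Equifax or the commenter wrote). It uses a keyed HMAC rather than a bare hash because there are only 10**9 possible SSNs, so an unkeyed hash table can be reversed by hashing every candidate; the demo key and the Jim Kirk records are constructed for illustration.

```python
"""Store a keyed hash (token) of an SSN instead of the SSN itself.

The token is deterministic for a given key, so two records carrying the same
SSN still match (the 'Jim Kirk from New York vs Jim Kirk from Boston' case),
but the stored value cannot be turned back into the SSN without the key.
A plain SHA-256 would not do: the SSN space is small enough to enumerate.
"""
import hashlib
import hmac
import re

# Constructed demo key.  A real deployment keeps the key in a KMS/HSM, separate
# from the database, and can rotate it; the key is the only thing that stops
# an attacker with a copy of the table from reversing the tokens.
DEMO_KEY = bytes.fromhex(
    "6a1b5f0c9d4e3a2b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d"
)

_NON_DIGIT = re.compile(r"\D")


def normalise_ssn(raw: str) -> str:
    """Strip dashes/spaces and require exactly nine digits, so that
    '123-45-6789' and '123456789' produce the same token."""
    digits = _NON_DIGIT.sub("", raw)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(raw: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 of the normalised SSN; this hex string is what gets stored."""
    msg = normalise_ssn(raw).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CustomerStore:
    """Minimal in-memory stand-in for the customer table: the SSN never enters it."""

    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self._rows: list[dict] = []

    def add(self, name: str, city: str, raw_ssn: str) -> dict:
        """Tokenise on receipt; only name, city and token are retained."""
        row = {"name": name, "city": city, "ssn_token": ssn_token(raw_ssn, self._key)}
        self._rows.append(row)
        return row

    def records_for(self, raw_ssn: str) -> list[dict]:
        """Look up by SSN: tokenise the query the same way and compare tokens."""
        token = ssn_token(raw_ssn, self._key)
        return [r for r in self._rows if hmac.compare_digest(r["ssn_token"], token)]

    def holds_plaintext(self, raw_ssn: str) -> bool:
        """Sanity check: the nine digits must not appear anywhere in storage."""
        digits = normalise_ssn(raw_ssn)
        return any(digits in str(v) for r in self._rows for v in r.values())


if __name__ == "__main__":
    store = CustomerStore()
    store.add("Jim Kirk", "New York", "123-45-6789")   # constructed sample data
    store.add("Jim Kirk", "Boston", "987-65-4321")
    store.add("James T. Kirk", "Boston", "123456789")  # same person, different format
    print(len(store.records_for("123-45-6789")), "records share the first SSN")
    print("plaintext SSN stored?", store.holds_plaintext("123-45-6789"))
```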
Not without its problems, but you could imagine such a site for all professions. Thinking about it, there are lots of places where you can review tradespeople, so why not sysadmins, developers and product owners?
If only LinkedIn had half a brain, they could add this as a feature, and it could actually make LinkedIn a bit more useful.
Is this site real?
I mean, if it's really Equifax, then why can't it be on equifax.com? It's got a video about cyber security, and well, lesson 1 is to identify who a site really is before entering any data into it. I'm a techie, so I know to look at certs and whatnot - I couldn't see anything in it to verify it actually was Equifax (all I got was a Cloudflare cert). The 'normals' won't be able to do any of that, so apart from a logo at the top of the page and it being 'https', most people have nothing to verify it's real.
Other comments talk about it being a scam - it might actually be.
It's almost like they've invented a way to contact people you know - sort of like a paper letter, but electronic, but at the same time sort of like a phone call, but one you type out rather than using your voice.
I tell you, those FB engineers have really excelled this time ;-)
It is indeed an odd decision, when considering that (shock, horror!) Microsoft has a competing product, which amazingly works quite well, works on the Mac, and isn't going through some sort of poorly-thought-out-microsoft-rebranding right now.
Google makes a mis-step so bad that Microsoft can capitalise on it? Not a good day for Google, or indeed us minions.
In other news, surveys show that 85% of executives have no imagination and the attention-span of a gnat. They have no interest in what's happening next quarter, let alone what might happen in a year or two.
Hmm... poke a speaker through your letterbox?
Turn the amp up to 11 just outside your back door? (the neighbours won't hear it - it's ultrasonic)
Play sounds through an air vent, or open window too small to climb through?
Drill a hole in the wall or door?
If I can send it out at night to turn robot tricks to pay for its Amazon buying habit, then I'm in ;-)
Yeah, until I see a double-blind study on climate change, I'm not going to believe it either. If it's real science they should be able to do proper tests to prove it. Otherwise, the only possible explanation that makes any sense is that it's bullshit - even the scientists can't agree, so it must all be make-believe.
I'll quite happily live in the upstairs of my house because the floods are 5 feet deep; I know there'll be no power or water, but hey, I've got some gas canisters and I've filled up the bath tub with fresh water. I won't be able to get anywhere because I'm too lazy to row my boat and I won't be able to get any fuel for the outboard. I'll happily watch thousands of my less-'manned-up' neighbours become displaced and subsequently destitute, because I'm still waiting on that double-blind study before I'll take any sort of action at all.
As Richard Attenborough said on the subject "[whether it's true or not] that's sort of not the point".
For a brief moment in history, baseball became interesting. Then it went back to being just like it was before.
Unlike the US, the UK has something called the "current account switching service" (which covers personal and business accounts). For anyone affected by this, or anyone who thinks it's time to get out of HSBC, here's what you do:
1) Get HSBC to unfreeze your account
2) Pop into your local branch of Metrobank, talk to them and have them fill out the forms for you (other banks are also available, but stay away from FirstDirect as they're owned by HSBC, and the likes of Barclays and Natwest are about as bad as HSBC, so avoid them unless you're a masochist)
3) Wait a while until your account is approved (not sure why business accounts need this, personal ones are approved instantly)
4) Have your new bank switch your account, and say goodbye to HSBC - you don't even need to speak to HSBC to close your account there*.
Then, for the next 2 years, any money that happens to arrive at your old HSBC account will simply be forwarded to your new account.
I realise some small businesses will find this a hassle, but the 'one man band' type small businesses should be able to do this by the end of the day if they so choose. 2 years to get your clients to send their money to your new account should be manageable - although any stragglers will eventually see their payments 'bounce'.
Honestly, banks need to realise that in the UK we have some pretty customer-focussed regulation, and doing this sort of shit will mean business opportunities for the other banks (which is what the regulator intends). There's a lot of things wrong with the FCA (and the FSA that preceded it), but this isn't one of them.
* If HSBC do feel the need to hassle you, argue a bit, and then mention that you don't believe you're being treated fairly. Remind them of their legal obligation to 'treat customers fairly' and ask that your case is reviewed and handled as a suspected contravention of that rule.
Aside from the legal hoops you'd have to jump through, it would alert him to their intent and allow him to build a case against them. Just because the US requests extradition doesn't mean it happens every single time (although I'll grant you, it's closer to a formality between the UK and US than it probably should be). This way, he didn't know a thing about it, and they've arrested him and have 100% control over him - the UK can piss right off.
Right now, UK diplomats are talking to US diplomats about this. They're asking for a comfier prison cell, faster proceedings, lesser sentences, serve his time in the UK etc etc. The US is by far the larger of the negotiating parties and has probably said "okay, we'll send him another blanket, but that's all you're getting".
Whatever their reasoning, they've got him and won't be letting go anytime soon. An example must be made, whether real or not. Someone must pay, ideally a foreigner, but under no circumstances must any responsibility be taken for any of it.
Is there something wrong with trying to raise your own kids to be somewhat better than the stereotype?
If you've got kids, would you prefer your kids be on the talkative end of the spectrum when they're teens, or on the quietest, most rolly-eyed end?
"Done right" for GMO sounds to me like "done right" for nuclear power - it's possible, but it'll never really happen because financial realities always make it fail.
Selective breeding has nature taking a hand in the outcome, and as such it's far less likely to cause a problem that we find hard to solve (although exceptions occur, I guess). GMO research is frankly at the very beginning - we "think" a particular gene or whatever 'turns on and off' some feature of the plant, but honestly, we have no idea what else it does too. I strongly suspect that in a few decades people will wonder how on earth we ate any of the GMO food around today. Then they'll look into it and realise the only way people would buy it was if it was mixed in with non-GMO and not labelled as such.
I'm by no means saying we shouldn't research this stuff - I just seriously doubt we know even half of what we really need to know for it to be "done right".
...to put a discreet bug in your house you need some way to get the audio or video out of your house and into the hands of the attacker. Thus, they need physical access and a means to transmit data. If you want to transmit data a long way, you also need to take care of powering the bug in some way, as batteries won't last long. They need to put all of that in a central position in your house so they can actually capture the audio they want.
Once you've conveniently tuned your Echo to your wifi, you've handed an attacker an arguably difficult part of the problem. It's always on, and if it gets turned off, someone will turn it on for you. It's conveniently located, so will capture everything you want to hear. It now meets most of the non-functional requirements of any useful bug. This hack just finishes the job.
If you want to do the 'security' agencies or criminals a favour, then be my guest. Personally, since I spend a bit of time locking my doors when I leave the house, I'm going to keep trying to make it harder for such people, but maybe that's just me.
Coax also degrades over time - obviously, it's designed not to, but the dielectric breaks down, changing the properties of the cable. It's probably not too terrible for 'strong' signals, but 'aerial' strength signals may suffer.
Personally, I'd pull it out, but if potential buyers expect to see coax, then I might think twice (I guess you could be unscrupulous and cut it out wherever you find it under the floor or whatever - then potential buyers would see coax sockets, but few of them would actually work).