The three who were brought to trial were putting expenses through that - no matter how you interpreted the rules - were downright fraudulent.
The others were by and large taking advantage of a very poorly drafted set of rules which were wide-open to abuse. (eg. it's well established in the UK that you pay extra tax when you sell any home beyond your first, but it seems you can re-designate which home is your first to suit you. Oooh, how could that possibly be abused?). Many were taking advantage to such an extent that they'd almost certainly have been sacked in the private sector, but I'm not sure how many could have been prosecuted.
How do you deal with that when your bosses at the top level ship you to somewhere like Afghanistan or Iraq where there's virtually no visible difference between soldiers and civilians?
AIUI most modern armed services do exactly the same thing - it doesn't matter two hoots who gives the order, if it's illegal you are perfectly within your rights (indeed, you're obliged) to refuse to follow it.
I'm given to understand (though IANASoldier and never have been) that a significant amount of training time is spent explaining this quite clearly and also explaining what constitutes an illegal order.
Thing is, in the scenario you describe it is vanishingly unlikely that Officer Bob will ever be caught in the first place.
Firstly, he'll be wearing a balaclava and nondescript clothes which he'll dispose of immediately after he gets home.
Secondly, anything which might provide direct evidence of Bob throwing the first stone (eg. CCTV) will mysteriously "not be working" on the day of the riot. (This doesn't work so well now that virtually everyone's got a phone that can record video).
Thirdly, it's a riot FFS. It's never going to be particularly clear what the exact sequence of events was, which means it's whatever those in power say it is.
Fourthly, note that Bob was acting in a professional capacity. He may have gone a little too far, but he was instructed to be there by his superiors. While they could hang him out to dry, that could easily backfire - why did they put him in that position in the first place? Far easier (and rather safer) to close ranks against any investigation. In fact, I'd argue that this is more likely in the States because of the number of officials you guys elect. Our police chiefs aren't elected.
Technically, that may be true, but the police (and, for that matter, most people employed in the public sector) in the UK have developed a remarkable way of avoiding criminal liability for these things.
It works something like this: If one person does something illegal, that will be prosecuted within the law. OK?
If a whole bunch of people are involved in something illegal as part of their job, and those people are employed in the public sector, that is never a crime. It is - at most - a "concern" which may result in an investigation, a report, and maybe even a full-blown inquiry. At no point will any individual (or, for that matter, group of individuals) be singled out for punishment. The most they can expect is some harsh criticism in the resulting report, but that criticism will in no way harm their career.
No chance, unfortunately, the /. view is very unlikely to agree.
Thing is, most hacks these days have rather more to do with the application than the platform it's running on. When I said "you have no business running a public website which processes transactions...", I include a public website running Linux.
I don't actually have any experience running Windows on a public server, and hence I wouldn't feel entirely confident I could do a decent job. But to claim it's impossible to do it properly is just ignorant. Frankly, I'd have been just as scathing of someone who was running RHEL 2.1, for much the same reasons.
The Win2K web server was with an outside hosting company.
I can't believe any self-respecting hosting company is still operating anything running 2K, so my money's on it being their own server in a colo (which is now an Apache server with United Hosting - who I don't think do colo so I'd imagine it's a case of "we need to move our site to something which we can be 100% certain hasn't been hacked 15 ways from Sunday - only way to do that is to run it on a different server altogether").
They do virtually no make-up, but they've always billed themselves as a cosmetic company - their UK products are mostly moisturisers, massage bars, bath and shower products. They have a sister company that does do make-up, though I'm not sure that's made it terribly far outside of Covent Garden. Possibly in other countries they put the make-up in the Lush stores.
(My wife is a Lush fanatic and I have a hell of a memory).
Very much so, they've openly admitted that they have been approached by people wanting to license/franchise the brand outside the UK where they're based and refused.
It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.
Which would explain why they're only worried about customers who bought stuff in the last couple of months.
I note that they also switched hosting provider. Obviously they're not too keen on their previous provider.
Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].
... perfectly correct, provided the server is administered competently.
This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.
And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There's plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.
I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.
The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.
The hackers have already demonstrated that they're probably a cut above the average script kiddie, insofar as they hacked the site to forward credit card numbers and this went unnoticed for a couple of months.
There's a good chance that the IT team at the time this all blew up weren't sure exactly how the hackers got in in the first place. And if they were, they had evidence to suggest that attacks continued after the website was brought down and fixed. In which case, one line added to mod_security configuration may block the issue that caused the original hack but it won't do anything for any of the other issues that may exist.
Were I to hazard a guess (and from my own experience of corporate IT), I'd wager that Lush's IT department have been trying to get a project for some major website redevelopment approved for some time. It wouldn't surprise me if they knew full well the site was a disaster waiting to happen, but until that disaster does happen it can be very difficult to get such projects approved.
I daresay that the project will be made top priority now.
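The earlier comment about slipping a few lines into the cart script, and the point above about regularly ensuring the integrity of the site, describe exactly what a file-integrity check over the web root is for. This is an added example, not the poster's code or anything from Lush or their hosts; the file names and the post-deployment changes are constructed for the demo.

```python
"""Baseline and re-check the integrity of a web root, so that an
unauthorised edit to a shop script is noticed rather than running unseen."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline. Keep it off the web server (or at least read-only
    to the web server's account): an intruder who can edit the scripts could
    otherwise re-baseline their own changes."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the stored baseline and a fresh snapshot."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def demo() -> dict:
    """Constructed scenario: a tiny shop is deployed and baselined, then its cart
    script gains an extra line and a new file appears after deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        (root / "index.html").write_text("<h1>Shop</h1>\n")
        (root / "cart.php").write_text("<?php /* checkout logic */ ?>\n")
        baseline_file = Path(tmp) / "baseline.json"  # outside the web root
        save_baseline(snapshot(root), baseline_file)

        # Post-deployment changes that a scheduled re-check should flag.
        with (root / "cart.php").open("a") as fh:
            fh.write("// line added after deployment (constructed)\n")
        (root / "helper.php").write_text("<?php ?>\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Run the re-check on a schedule from a host the web server cannot write to, and take a fresh baseline immediately after each legitimate deployment so that only unexpected changes are reported.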
I think you're describing 6to4 or something very like it.
As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess up with my breathing. Most girls don't seem to mind it though.
That's the biggest advert they've got! You can smell one of their shops halfway down the street.
Lush isn't an IT firm, they're a cosmetics firm.
I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.
There's a number of protocols that don't sit terribly well with NAT - SIP is a good example, but there are others. FTP, for example, and IPSec.
Generally speaking, there have been solutions to these problems - proxies which overcome the issue, firewall and router software that can understand the underlying protocol and deal with NAT or additions to the protocol to make usage over NAT practical. But every single one of these solutions is fundamentally a bodge to a problem that wouldn't exist in the first place were it not for the delay in rolling out IPv6, and inevitably introduce problems of their own.
Interoperability issues are usually the most obvious - a particular issue with IPSec, for instance, is you find specific routers which deal with IPSec over NAT but break horribly if you enable NAT-T on the other end of the tunnel. Which you can't disable because that breaks IPSec for the other 90% of your road warriors.
Right now, what we feel is relatively mild pain occasioned by IPv4. The odd person complains that their VPN doesn't work from a particular location, for instance. But that pain is getting worse, and for the most part it wouldn't exist were it not for the bodges made to account for NAT. Which itself is a bodge to account for the slow rollout of IPv6.
Yes, you're missing that even if everything else in an IP header between versions 4 and 6 were identical (they're not), IPv6 has 128 bit source and destination addresses. Which means that the router would calculate the offset for the payload within the packet incorrectly.
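To make the point above concrete: IPv4 code locates the payload from the IHL nibble (header length in 32-bit words, 20 bytes without options), while an IPv6 base header is a fixed 40 bytes, 32 of which are the two 128-bit addresses. This is an added example, not the poster's code; the packets are constructed in-memory and the checksum is left at zero because it plays no part in finding the payload.

```python
"""Locate the payload in IPv4 and IPv6 packets, and show what happens when
IPv4-only offset logic is applied to an IPv6 header."""
import ipaddress
import struct


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options): version 4, IHL 5 -> 20 bytes.
    Header checksum is left zero; it is irrelevant to locating the payload."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 17,
               traffic_class: int = 0) -> bytes:
    """Fixed 40-byte IPv6 header: 4 bytes of version/traffic class/flow label,
    payload length, next header, hop limit, then two 128-bit addresses."""
    first_word = (6 << 28) | (traffic_class << 20)  # flow label left 0
    header = struct.pack(
        "!IHBB16s16s",
        first_word, len(payload), next_header, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


def payload_offset_v4_only(packet: bytes) -> int:
    """What code that assumes IPv4 does: read the IHL nibble and multiply by 4.
    On an IPv6 packet that nibble is the top half of the traffic class field."""
    return (packet[0] & 0x0F) * 4


def payload_offset(packet: bytes) -> int:
    """Version-aware: IPv4 -> IHL*4 (at least 20), IPv6 -> fixed 40-byte base header."""
    version = packet[0] >> 4
    if version == 4:
        ihl = packet[0] & 0x0F
        if ihl < 5:
            raise ValueError("IPv4 IHL below minimum")
        return ihl * 4
    if version == 6:
        return 40
    raise ValueError(f"unknown IP version {version}")


def addresses(packet: bytes) -> tuple:
    """Source and destination as strings; the sizes and positions differ by version."""
    version = packet[0] >> 4
    if version == 4:
        src, dst = packet[12:16], packet[16:20]
    elif version == 6:
        src, dst = packet[8:24], packet[24:40]
    else:
        raise ValueError(f"unknown IP version {version}")
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))


def demo() -> dict:
    """Constructed packets; returns (correct offset, IPv4-only offset) for each."""
    data = b"hello"
    v4 = build_ipv4("192.0.2.1", "198.51.100.2", data)
    v6 = build_ipv6("2001:db8::1", "2001:db8::2", data)
    # Traffic class 0xB8 (DSCP EF) makes the "IHL" nibble read as 11 -> offset 44.
    v6_ef = build_ipv6("2001:db8::1", "2001:db8::2", data, traffic_class=0xB8)
    return {
        "v4": (payload_offset(v4), payload_offset_v4_only(v4)),
        "v6": (payload_offset(v6), payload_offset_v4_only(v6)),
        "v6_ef": (payload_offset(v6_ef), payload_offset_v4_only(v6_ef)),
    }


if __name__ == "__main__":
    for name, (correct, naive) in demo().items():
        print(f"{name}: correct offset {correct}, IPv4-only logic gives {naive}")
```

With a zero traffic class the IPv4-only logic lands on offset 0 (the start of the header itself), and with a non-zero one it lands somewhere inside the address fields; either way the "payload" it inspects is header bytes.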
IT'S YOUR COMPUTER, if they change it against your will, we have laws to protect you. It is illegal for them to do this without your permission.
They're not doing it without your permission.
If you've ever taken something into Apple for repair, you'll know they have you sign a document (which, among other things, states "I have backed this system up so it's my problem if I get it back wiped"). Apple will simply add a line to it saying they reserve the right to replace screws to bring your equipment in line with "current specifications" if they haven't already, and that you agree to this.
Which, by an amazing coincidence, is sold by the company that the man creating all this fuss happens to run.
Strange, isn't it?
Technically it is, but you might find your local law enforcement surprisingly unwilling to send a patrol car to arrest Steve Jobs over a few screws worth about 4 pence.
How do you blame Mozilla? I'm not seeing it. The same is true for Microsoft's software. You have zero warranty for any particular purpose according to the EULA. You are making excuses rather than bringing it up to your superiors in charge of IT policy.
He's not, I've seen the same thing before.
You know you can't usefully blame a software vendor. I know you can't usefully blame a software vendor. But do the senior management know, understand and accept they can't usefully blame a software vendor? 9 times out of 10, the answer's no.
In fact, quite often it's not only "no", it's "no, and they won't accept being told by underlings".
Probably because the last time they touched it since the end of series 6, they messed it up horrifically.
Series 1 was not fantastic, but then both the writers and the actors were still finding their feet. Series 2 was OK, but it definitely needed the refreshment that took place at the beginning of series 3.
4 and 5 were also great series. By series 6, however, it was pretty obvious they were running out of gags. 7 and 8... ugh.
Then they remastered series 1 and 2. The net result was:
Scene 1 - characters sat around wearing grey boiler suits on a grey set which was obviously cobbled together some time in the 1980s from a bit of scrap wood and a special deal on grey paint.
Scene 2 - characters wandering around a fantastically cheap grey set.
Cut to swishy modern CGI spaceship animation with lots of colour and pretty FX. Maybe a starfield in the background and a few bright colourful planets.
Scene 3 - character walks in on a cheap & nasty grey set.
The mental jarring was painful.
Then they did "Back to Earth". I couldn't watch that through, it was so bad, and I don't think I'm alone.
Wikipedia is lousy for a lot of recent history precisely because (as soon as you drift away from relatively mainstream stuff) so little of it has been documented elsewhere on the web - I've seen plenty of articles myself which I'm 100% certain are factually inaccurate, and I can name the inaccuracies - but I can't find an appropriate citation. So any correction I make is likely to have a very limited life expectancy.
Unless something is drastically different between call centres in the US versus those in the UK, a "higher tier" customer service rep just means "one who can be trusted to continue breathing after they take off the headphones with the recorded message saying "breathe in.... breathe out..."".
Threatening with a lawsuit is an extremely good way to get them to clam up and come off the phone - chances are they're not authorised to discuss anything concerning legal proceedings and so about all they can do is apologise and hang up.
I can't remember an exact source, but IIRC someone has done the arithmetic. There's only so many permutations of musical notes you can have, and it turns out the back catalogue of every major label is rather larger than the number of permutations available.
This is before you discount the fact that most of those permutations sound complete rubbish and most genres have essentially "rules" dictating what works together. So your average song of any given genre has substantially fewer permutations available. The upshot is it is virtually impossible to write something totally original.
If you're lucky, nobody will notice what other song your music sounds like. But I wouldn't bet on it...