Slashdot Mirror


User: malkavian

malkavian's activity in the archive.

Stories: 0 · Comments: 1,256

Comments · 1,256

  1. Re:Now they block access? on European Parliament Computer Network Breached · Score: 2

    Deceleration doesn't affect computer security. That aside, users aren't stupid (in the main). They just aren't entirely sure what a computer will or won't do. The same as I'm not quite so sure I could do the job my system users perform (i.e. surgery, anaesthetics, haematology etc.). Part of my job is to make sure they're as safe as they can be in doing their job, while still allowing them to do it.
    There are so many infection vectors (compromised web sites, including the occasional high profile one, webmail, mail that makes it past the filters for the local mail servers etc.) that to blame it all on "stupid users" is completely unfair, unwarranted, and incorrect.
    Lack of admin on a machine doesn't mean that nothing can be done. After all, what's a crack from outside your site? Oh, can't be done because they don't have admin when they start looking? Course it can. Cracking is all about privilege escalation, just having someone execute something from an existing shell cuts out a lot of the hard work.
    As for the guy with the tracking number.. Wouldn't be the first time that an old 'lost' parcel got unearthed, and I've heard from the courier that there's new activity.. "I don't know" to the question of whether he's expecting a delivery is absolutely correct. You don't know 'till you look. However, to know to look safely, you need to know more about computers. That's where your training hat comes in (you have trained your users how to look for extensions on files, and what they mean, haven't you? That should be a basic security point. You've told them what these files do, right? If not, that's your problem as the professing expert, rather than theirs as users who rely on you to do what they know how to do).

  2. Re:That's correct from a legal standpoint on Ultima IV — EA Takedowns Precede Official Reboot · Score: 1

    0.5-1% of the cumulative gross of the work would be more like it. Cumulative being the vital thing (otherwise, if something just doesn't sell after the 'big hit few years', then you effectively get the extension almost free as a big studio. Steamboat Willie not selling much? Well that renewal is $50 for the year; go for it!). This won't affect the small time authors much either; will cost a pittance for a work that doesn't sell much, but at some point, they'll just not care enough to keep it going, especially if they're doing other things that also need protecting).

  3. Re:Feeling bad for them. on Guild Wars 2 Devs Aiming For the Top · Score: 1

    You don't have to assume that everything will be a WoW killer. Just that one completely different model (free to play, unsubscribed, content rich game without grind) has a chance.
    Sooner or later, WoW will topple. It's not if, it's definitely when. The question that needs to be asked is what it takes to topple it. That's what the game devs are theorising about; it just takes one of them to get it right.

  4. Just hope.. on George RR Martin Finishes A Dance With Dragons · Score: 2

    That it's not as disappointing as the last one..
    Maybe it's just me, but it seemed like a great departure from his normal style (the bad guys actually think about what they're doing, which makes them interesting), and had the "bad guys" acting like they'd never encountered politics before in their lives.. Just had a few "belief no longer suspended" moments in it..
    Hope this one goes back to the old "dark and gritty".. Victories are great and all, but in the earlier volumes, they were earned..

  5. Re:It's Called 'Experience'! on IT Graduates Not "Well-Trained, Ready-To-Go" · Score: 5, Interesting

    Wholeheartedly agree.. Not long ago, I had to call the HR department out in a serious fashion. I was recruiting for a couple of Developers.. HR field the CVs, and pass them on. I ended up with a pile, and in that pile were just a couple that looked vaguely interesting, but on interview turned out not to have the goods. Shortly afterwards, I got a few calls from candidates who were asking if their applications had been received (which to me, they hadn't, and over the phone, they seemed pretty good fits).. I went and asked HR where these applications were, and was told that they'd been 'Pre-Filtered' through HR's own internal process for applicability for the role. After yanking out the ones they'd 'filtered out', I discovered several that were pretty much an exact fit. HR just didn't know the words that actually said what the experience was, so discounted them entirely, rather than leave the judgement call to someone who knew what was going on.
    Needless to say, I hit the roof with them for wasting my time. I went on to hire a couple of those that HR had rejected.

  6. Re:Can we look at this without panicing? on Saudi Students In US Seek Segregation By Gender On Facebook · Score: 1

    Set up a Male only group, and say that women aren't welcome there (because the guys want a bit of privacy).
    I can pretty much guarantee it'll be banned by Facebook's anti-discrimination policy in a trice, and have a large amount of women's pressure groups yelling sexism in an instant.
    Personally, I don't have a problem with them doing this, as long as they then don't start complaining that they're excluded from, say, a gentleman's club somewhere online.

  7. This all goes well on Using War Games To Make Organizations More Secure · Score: 1

    Until politics gets in the way. I seem to remember Randal Schwartz getting involved in this way back in the 90s at Intel (and a variety of other people who were tasked with 'ensuring that the security was sufficient').
    When they probed, and used the techniques crackers would to obtain access, they were charged with Felony crimes. Despite that being in their effective remit.
    Incidentally, Randal spent about a decade fighting Intel on this, until 2007 when the charges were quashed retrospectively (as they shouldn't have been brought in the first place).
    This really is rediscovering what we all used to do in "the good old days", and tell the sysadmins about, making things more secure. Approach the sysadmin and gain the 'unofficial' approval, probe the systems, feed back and get beer and pizza for the effort..
    That changed late '90s to get a lawsuit landing on you instead as the suits got scared. At that point, security got rather worse (strangely, company management seemed to think that lawsuit threats were a better investment than real security spending).

  8. Re:In the good old days on Sputnik Moment Or No, Science Fairs Are Lagging · Score: 1

    Scientific theory is a viewpoint arrived at by repeated observation, watching the outcomes, and making the attempt to determine how the initial conditions gave rise to the final state.
    A general theory (that non-scientists, i.e. politicians use) is "I have an idea I plucked from thin air with no basis, but I think it sounds great.".
    The problem lies in that politicians like to equate the scientific theory (observable behaviour, and rigorous attempts to explain the observed) with the general idea that something may be great.
    It's not a valid comparison. So, the "It's not just a theory" holds true, if you accept the semantic assumptions that the politicians are trying to table (i.e. that Evolution is a non-scientific theory). It's not "just a theory", it's a "scientific theory".
    Think that's the general gist of it..

  9. Re:You Don't Get to Do Anything Fun Anymore on Sputnik Moment Or No, Science Fairs Are Lagging · Score: 1

    Hopefully by the time the kid gets the chemistry set, it'll have learned enough to survive, and not do stupid things. If not, then hell, I did a bad job bringing it up.
    Personally, I'd be up for giving the kid a start in life.
    Hey, I know what.. What if giving out the address caused a leak of information that paedophiles knew where the kid was? What if letting it cross the road caused accidents and you were PERSONALLY liable?
    Basically, deal with things pragmatically. If you live in fear, and never take a risk, you'll never do anything to get the world to be a better place. It's all about calculated risks. And the idea of letting kids do things as they grow that lead to pain and suffering is that they get better at calculating those risks.. So by the time they get to work out the big ones, they'll have a fair idea of what they're dealing with (rather than be stuck like a deer in the headlights with absolutely no idea of how to cope until events steam roller them into the ground).

  10. Re:"Everybody wins" mentality on Sputnik Moment Or No, Science Fairs Are Lagging · Score: 2

    However, his practical skills, and forthrightness are perfect for higher management, where all that really counts are results.
    You can't judge the interpersonal skills from that snippet, so that's not even on the table here..
    I'd say your wishful thinking that everything is all solvable by a nicely nicely approach is perfect for a purely political post with lots of fluffy aspects to it and telling people that it's all alright, apart from the nasty people who tell them then have to look after themselves..
    You know, the kind of job that's being cut in the global recession, because everyone does have to look after themselves, as well as try and help out who they can.

  11. Re:"Everybody wins" mentality on Sputnik Moment Or No, Science Fairs Are Lagging · Score: 5, Insightful

    When I was a kid, I was the geeky enthusiastic type.
    I spent ages on work pieces, and was among the top of the class. This, however, didn't correlate to the recognition given to work/achievement.
    I can remember doing a long project, and it came out well. When it came to the judging/awards, the 'winner' was one of the most mediocre pieces of work in the set.
    Several parents asked why on earth this project won, and the answer given was "The kid came from a deprived background, which affects his self esteem. The award is to make him feel better about himself, in the hope that he'll do better and strive harder".
    The kid in question was proud before the award that he'd got away with doing the minimum possible, and he couldn't give a rat's arse about the work.
    After the award, it just reinforced that he didn't have to work, he could play victim, and he'd get rewards.
    This was back in the 70s, and about the time I realised that the fluffy optimistic approach to dealing with people really didn't work a lot of the time.
    If he'd been told his work was crap, and that he could do a lot better (he actually could), and that this kind of performance was just failing himself, then maybe he'd have tried harder. Telling someone that a piece of work is crap doesn't mean you can't help them get better, it just stops them getting that instant gratification of 'recognition and respect' for doing sub-standard and lacking work.

  12. Re:Seriously? on Google's Search Copying Accusation Called 'Silly' · Score: 3, Insightful

    The problem, of course, being copyright, and claiming work as their own.
    Google create a false entry, accessible only through their own site. This is a work that is intended only to determine whether someone is actually stealing their results (i.e. taking those results, and passing them off as MS's own).
    By all means, index non-search sites. That's what search engines are for, but you can't possibly convince me that Microsoft didn't know they were looking at Google's search results.
    That really is akin to writing a dictionary by seeing what people read, then saying "Well, lots of people read this other dictionary, so I'll just lift entries verbatim from it, and claim they are my own"..
    Yes, search engine tweaking is a very fine art.. It's easy to pick up the wrong signal by mistake. If MS had confessed, and said "Ooops, programming/design error in our browser, this is how it happened, and we're now going to remove all search engine sites from our allowed input", weight of opinion may have been behind them more, rather than blithely saying "It's all Google's fault we're ripping them off".
    The root of this is that they're building a dictionary by directly reading a competing dictionary. This isn't creating a diverse, resilient ecosystem. It's parasitism.
    Everyone screws up, and things always go wrong. That's a fact of life. What isn't a fact is that strange need to point fingers and say "It's everyone else's fault but mine". Especially when it blatantly is your fault.

  13. Re:They need prvate contractors on UK ID Card Scheme Data Deleted For £400K · Score: 1

    For the comment on 'fit on a few hard drives at most', do a quick capacity plan.
    This was intended to scale for about 60 million people. With all the data stored (pictures, other biometrics, text etc), think about 1 meg per person (probably more with other things like audit trails, update trails, historical info etc.).
    Gives you about 60,000 GB of data. Add in indexes (can be close to data sizes) for about 1.2 PB.
    Add in redo log sizes, backup sizes etc and you're definitely into the several PB range.
    Now there's redundancy to be taken into account. Say 4 datacentres, fully redundant and replicated. Definitely into the tens of PB and higher.
    Now, for speed of databases, these disks are going to be about 70GB each in RAID config (either 6 or 10, so some in the arrays will be 'wasted' for resilience).
    When you do the math, you realise you're actually going to be taking thousands of disks from several sites, auditing the pick up, movement and security of each platter by security vetted personnel, and then doing the crusher loading, ensuring each of the drives going in is one of the drives that was in a server at the start (to ensure the disks don't "go missing").

    For full security, no you can't reuse the disks. That's not a valid 'Sensitive' data destruction method. You don't want the "I think it's gone" quote. You want to know it's gone. Full stop. Nobody gets it back. Ever.

    You're paying for the whole thing. £400k isn't a bad figure at all. Probably in the region of less than £100 per disk for dismantling, transport, audit and destruction. That's a good commercial rate for the service.

  14. Re:They need prvate contractors on UK ID Card Scheme Data Deleted For £400K · Score: 1

    Interesting. This is based on what personal experience of yours? And what role did you have in the plan?
    I can guarantee you that for something of this scale and sensitivity, £400k is a drop in the ocean.
    I'm actually pretty impressed with that figure.

  15. Re:They need prvate contractors on UK ID Card Scheme Data Deleted For £400K · Score: 1

    Interesting. Coming from pretty hefty positions in the private sector (where I was deemed more than sufficient to do what I do), and now working in the NHS (ethical/personal reasons), I can assure you there are a goodly many people who are very capable (some who hands down beat people I've met in the private sector) in the Governmental arena.
    Yes, there are some "dead weight" ones. But that happens anywhere with strong union presence.

  16. Re:Of course... on UK ID Card Scheme Data Deleted For £400K · Score: 2

    Interesting. So you're an expert on Public sector software.
    Some of it is a travesty, yes. An awful lot of it is actually pretty decent. And some of the internally developed stuff is absolutely top notch.
    I work in the NHS, and the amount of stuff I've had to turn down from commercial vendors because they frankly don't have a clue is astonishing. Stuff written by places like medical physics departments goes into the devices that actually get used front line in medical equipment.

    Interesting to see you're so sure that the software will get written anyway.. Where did you hear that? With sources? Or are you merely posting hot air?
    With the current cuts in the UK, if something isn't actually proven necessary, it's in great danger of vanishing (and speaking as someone on the inside of that, it's not always a bad thing). This project is as dead as the dodo. The work to date is a writeoff, with no new investment.
    If you really want to gripe about something, complain about the idiots who started the whole venture, despite being told by everyone who really knew about these things that the whole thing was unworkable, ineffective, costly and a complete waste of money. Every thing it was ever justified as fixing was debunked in a thoroughly methodical manner. Yet still they insisted on starting it up.
    Idiots.

  17. Re:No surprise on UK ID Card Scheme Data Deleted For £400K · Score: 4, Insightful

    Ok, I spot someone that's never dealt with systems at the high end.
    There's a lot of prep work to unpicking things, and removing servers from secure areas, auditing them, planning to have them securely transferred and held in areas that are inaccessible with heavy physical security.
    Logged/scanned to provide proof of transit, vetting everyone who handles the data volumes. Ensuring you have all sources of the data, auditing the backups, and pulling all of those, so on, so forth.
    Everyone involved in this process will have to be security audited (most likely taken from an existing group of vetted people), and their services carry a premium.
    There is a huge difference between destroying the data on your home gaming machine, and the sheer detail involved in transport and destruction of sensitive governmental machines.
    £400k is actually a pretty lean number for dismantling the structure of this old project, considering that the infrastructure was sufficient to handle the predicted scale out to cover the entire UK population.

  18. Re:Self Promotion is Masturbation on iPad + Macintosh Plus = Crazy Visualizer Helmet · Score: 1

    Slashdot is supposed to be about news worthy things. Original, interesting, thought provoking.
    If this had got any of those elements, then sure I'd have said "interesting, fresh take, well done"..
    However, there's nothing new to the idea. Dans le sac Vs Scroobius Pip did this quite some time ago.. Seems like someone's watched the video, and gone "we can do that too"..
    While there is interest in recreating that, I wouldn't say it's overly geeky, or new.

  19. Re:Indeed. on iPad + Macintosh Plus = Crazy Visualizer Helmet · Score: 2

    But it's still a rip off.. Dans le sac Vs Scroobius Pip did this idea a few years back.

  20. A cheap rip off on iPad + Macintosh Plus = Crazy Visualizer Helmet · Score: 1

    of Dans le Sac Vs Scroobius Pip..
    If you're going to post something on Slashdot as original and newsworthy, it's best not to rehash something done better elsewhere and claim originality.

  21. Re:There's a reason.. on Disempowering the Singular Sysadmin? · Score: 1

    Interesting points.. I'm not so sure that the audits are the solution though (I know quite a few people in the financial arena that are adept enough to know just how to fool audits; they're a check, and a useful one, but they're not a cast iron solution).

    I definitely take your point about valuing them not being a definitive solution (you can still end up with jerks on a trip), so I concede that point..
    Would still be nice to be treated well though (the cost of treating someone well isn't that much, and you can't put a price on good morale when things get rough)..

    I'm still not sure about the requirement for 4 eyes being a solution. Given complete access to a machine (including the flaws, and suchlike), it becomes possible to compromise internally to a much greater extent. If you can compromise your machine, then you can compromise someone else's identically configured one (I was kind of wondering how that distributed secure configuration would work if you found an attack vector on your own machine, used it against the identical other ones to alter their signature, forcing them offline, leaving yours as the authoritative).
    It's an interesting game of cat and mouse out there; as far as I can see it at the moment, all approaches are risk mitigation. I don't see any risk removal. But there again, being a long way from the forefront of that arena, better clued people than I will see things I don't..

  22. There's a reason.. on Disempowering the Singular Sysadmin? · Score: 3, Insightful

    That you have one person doing it. It's effective, and versatile.
    If you have multiple people empowered to do exactly the same thing, you end up at the mercy of the one that decides to shut everyone else out.
    If you then have a security admin that's the only one to be able to alter the login info, then you're at their mercy.
    With the "dual key" type approach, what's to stop someone installing a back door along with a normal software upgrade? Does everyone have the same knowledge as your prime sysop? Can you afford to have one person that completely mirrors another, instead of distributing the skills across a team (with duplication covered across the team)?
    What if both the key holders are in cahoots?

    Interestingly, who is stopping your CEO from making those really bad decisions, or your FD from siphoning the cash, or a whole host of other areas where you trust one person to do a job?

    Value the person, and make sure you treat them well enough to make it not worth their while to play you up.. Then you'll have no problem.
    Screw them over at every opportunity, and you'll really have to trust their ethical views (you're still usually safe, but it's no guarantee then).

  23. Re:Double standards. If this was a Republican... on Congresswoman and Staff Gunned Down · Score: 1

    Umm.. No they wouldn't... Apart from people so far outside the realms of being normal humans that they think people dying is funny.. Those are the kind that need to be locked away anyway..

    However much you disagree with what someone says, taking a weapon out on them means you lose the argument and whatever point you were trying to make. It's the resort of the unthinking and the incompetent.

  24. Re:Not Darwinian on How Zynga's CityVille Drew 70 Million Players In Less Than a Month · Score: 1

    If something isn't fitted to its environment, it won't prosper. In this case, the smaller devs may have excellent games, but their whole presence isn't fitted well to the environment (lack of visibility, lack of ability to exploit the user base etc.).
    Zynga are excellent at exploiting the environment, which is a great way to prosper. Prospering means greater population base. That really is part of Darwinian evolution (if you prosper, you're doing well at exploiting the environment).
    Note, they do mention it's the economy of FB that's taking shape, not the nature of the individual games.

  25. Re:I did my part on RIAA, MPAA Recruit MasterCard As Internet Police · Score: 1

    Big balls, and a wish to not get credit in the 5-10 year period about to come up (perhaps longer).