Discussions

GoddersUK My five year mission: To boldly split infinitives that no Niner has split before!
  • There is no end-of-life XP problem

    wastingtimewithforums wrote

    And by bundling XP SE with IE8 (instead of IE6) they can retire it at regular XP's deadline too.

    And what exactly would that achieve? Perplexed

  • Autosave is unsecure - UK Government

    @cheong: No, there's no excuse. Vista and IE7 were released 7 years ago. That's plenty of time to fix what is an important (and I can't imagine particularly challenging) website. This isn't some corner shop outfit, it's a national government.

    EDIT: Although most corner shops probably have better IT systems than the UK government anyway...

  • Autosave is unsecure - UK Government

    The fun doesn't stop here it seems. In an effort to ensure tried and tested usability and security the DWP have some interesting requirements for online benefits claimants.

  • Skype

    @dahat: The actual calls (video and audio) are still routed p2p afaik. I think the supernode network just handles locating users and sending IMs (which also used to be p2p but were changed to improve reliability and allow offline messages and, for those of us with tin foil hats, allow easier law enforcement access).

    EDIT: In fact, the MS spokesperson in that article is quoted as saying:

    This has not changed the underlying nature of Skype's peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)

    (And quite honestly I don't want that to change...)

  • There is Flat, and there is iFlat

    Dr Herbie wrote

    @figuerres: I think you'll find they invented...  ...And towels.

    Hey, you sass that hoopy Steve Jobs? There's a frood who really knows where his towel is!

  • Skype

    wkempf wrote

    "If you don't pay for it, you are the product." No one is being conditioned to accept continued incursions. Advertising is a necessary alternative to paid services. Always has been, and always will be. No, what's changing is that we, as customers, are becoming less willing to actually pay for anything. As such, we're getting what we've asked for.

    Skype (real time video and audio, at least) is p2p. It costs Microsoft jack to run, except a few login servers.

  • UK Niners: Nook for <£30

    This is just a PSA for UK Niners:

    Barnes and Noble are currently selling ("for a limited time only") the Nook Simple Touch for £29. Sounds like a bargain, although I've never used a Nook, so I have no idea what they're like.

    http://uk.nook.com/

  • Autosave is unsecure - UK Government

    evildictaitor wrote

    *snip*

    But without encryption, the pagefile, any synchronised documents and the VPN keys are all recoverable Perplexed

    1) I'm not suggesting they don't encrypt, I'm just suggesting that they shouldn't be relying on encryption. If I ask how I know my data is safe and they say encryption I won't be satisfied (although I will be less dissatisfied than I am at the moment).

    2) I'm precisely suggesting they wouldn't sync the documents. They'd log onto the database, say via SSH, view what they needed to, change what they needed to and be done with it. There may be cases where a specific individual's files are required offline and they have to keep them locally, but that should never need to be more than a handful of individuals in one go. That's just an unavoidable risk. Yes, encrypt but don't have a false sense of security. Work in a remote/virtual desktop on the server if needs be.

    3) The VPN keys are hopefully password protected. That user's keys should be revoked and replaced as soon as the laptop is lost. Even better, your logs will help you know if any data has been compromised, whose data and even some clue as to by whom.

    4) The pagefile: Not my area of expertise. But your complete database with millions of people's records won't be in there, right? Regardless, you've made the bad guys' job harder.

    If you work for a company, and you don't have encryption on your work tablet/laptop then you shouldn't be allowed to take it outside. And even if you didn't want to ever take it outside, encryption won't hurt.

    Bitlocker everything, do it now. Now add two-factor auth and swipe access to your offices. Until you've done that, everything else is just pretending you've got security.

    I'm not disagreeing. But I don't think "it's encrypted" is an excuse for having that data stored locally on a portable device. And it's only cold comfort - after all you have to assume that once an attacker has physical access to a machine it's compromised (sure, it helps that you probably won't get it back so surreptitiously sticking a key logger in there won't help them but I'd argue that the point still stands).

  • I'm not sure I like where this is going.

    @Richard.Hein: No matter how good your memory, or how much of me you see in the public convenience, you cannot upload that image to the internet or share it with others. And, even if you could, 99.9% of us will not have perfect memories so they'd never have that level of "photos or it didn't happen" authority.

  • Autosave is unsecure - UK Government

    evildictaitor wrote

    2. Don't ever put data on laptops, or take laptops out of buildings (this makes it hard for the government employees to work from home, meet contractors etc, so there is a large cost associated with this).

    It may be true for some of the data that gets lost (e.g. a laptop with security plans for a major event) that not putting it on a laptop would be an inconvenience, but there are many many cases of lost data (and it's not just the government that this happens to) where they leave behind a laptop or portable storage device that has a database of individuals' data on it. There is no excuse for this ever being on a personal computer. If they need to work out of the office they should VPN onto the corporate network and access the data remotely.

    I applaud encryption of the data, it's a step in the right direction. But, in the words of XKCD, "strictly speaking it's better than the alternative, yet someone is clearly doing their job horribly wrong". 

    EDIT: Of course, even on the server, the data should still be encrypted.