Thursday, March 6th, 2008
3:04 pm - ID cards again
http://www.guardian.co.uk/politics/2008/mar/06/idcards.privacy
Choice quotes from the article:
"Smith said the scheme would not be vulnerable to hacking because it would not be online, and biometric details could only be accessed by people with high security clearance."
Clearly the very fact that the database is not online makes it impossible to hack. Does this mean that there will be a single terminal in a locked room guarded by geeks in white coats like a scene from Mission Impossible?
No. It will be on a network run by EDS or some other large contractor with connections from many offices across the country. If the biometrics are such an important part of the scheme then organisations are going to need access to the database of biometrics millions of times a day.
If the database is not online, then maybe an official asks to see your fingerprint. He draws a picture of it and sends it through the post to the office where the terminal is. The man who sits at the terminal all day looks at the picture of the fingerprint, looks at the picture on his database, puts a form in an envelope and posts it back to the official.
Copies of everyone's "biometrics" would be stored on three government computer systems, making the scheme fraud-proof because individual cards could be cross-checked against the central database, Smith said.
"It is not the case that large amounts of information will be kept on one database," she said.
Indeed not! Large amounts of information will be kept on 3 databases!
Reminds me of the joke from the Hitchhiker's Guide to the Galaxy: What's better than a telephone that never rings? 3 telephones that never ring.
Asked how much information would be required on each individual, Smith explained it would be "about the same amount as the information needed to open a bank account".
Or gain access to an existing one?
She insisted there were "big benefits" from the ID card system, which she said should be rolled out as far as possible.
Strangely, the article does not contain any discussion of these benefits.

Saturday, November 24th, 2007
2:09 pm - HMRC Data Circus
This entry is just collecting some of the interesting commentary on the HMRC data giveaway so that I can construct a well reasoned and sensible letter to my MP explaining why the government is not in a position to be continuing with the ID card database.
For anyone who hasn't already cottoned on: now would be a great time to support the No2ID campaign. www.no2ID.co.uk
The parties involved seem to be:
- HMRC
- EDS (who were going to charge many thousands of pounds for an SQL query to filter out the unnecessary data)
- NAO
The Register:
Their super secure page containing all of their stories on the matter in one super secure location:
http://www.theregister.co.uk/2007/11/22/hmrc_roundup
Comments worthy of note are:
http://www.theregister.co.uk/2007/11/22/hmrc_roundup/comments/#c_102330
Communications between HMRC and NAO
Nick Robinson has posted a pdf on his blog that contains email communications regarding the issue. I gather that this was released in response to an FOI request. It absolutely stinks. Nowhere in the entire organisation does anyone seem to know anything about databases. All the knowledge has been outsourced to stinking EDS. This doesn't inspire confidence in either government departments or EDS.
A comment attached to Nick's blog entry says: http://blogs.bbc.co.uk/nickrobinson/2007/11/those_emails_in.html#c4445449
I've quoted the comment in its entirety because it really does illustrate the exact source of the problem:
"Never mind "procedures" that weren't followed. There's no point in blindly following (or ignoring) procedures if the basic knowledge is not in place.
There's a shadow in the background which you can glimpse here as through a glass, darkly - EDS and more generally the outsourcing of the HMRC's IT. It reads as if the HMRC are not in control of their own data, but have to ask (and hence pay) EDS to do anything that is out of the ordinary. Of course, it's incomprehensible that *anyone* in HMRC can even have unfiltered access to the entire database, let alone copy it onto CD, but one gets the impression that this was done out of frustration that they couldn't get the NAO the relatively simple dataset they asked for any other way. Really, this supposedly difficult 'filtering' operation is the most basic database operation there is - it's simply leaving out certain columns in the query and limiting the number of rows. Any vaguely competent programmer with some basic knowledge of the file format (probably something basic like CSV) could have done this in an hour *from the data on the CDs* (which is what the criminals will be doing if they get their hands on it) - so if they had the whole dataset, why on earth didn't they do this basic filtering themselves? The only explanation is that there simply isn't *any* deep IT capability left in the organisation and that it has all been outsourced. So the real issue this whole sorry affair drags up is not just that the civil service doesn't understand data security, but also that it doesn't really 'own' the data it collects from us."
Now, my own commentary:
Further to the issues in the above quotation, this outsourcing means that there is no one to ultimately take responsibility for the data. EDS (hypothetically) may point out that what they are being asked to do is stupid and wrong, but at the end of the day HMRC will point out that it's their data and they should be able to do what they like with it. Nobody has the authority and knowledge combined to say "No!".
In any organisation like this I would expect that there is a highly paid database professional who knows everything about the data and is responsible for setting up the access control policies. This person will ultimately be responsible if some member of staff gets their hands on all of the data. If the correct TECHNICAL access control policies are in place then the only way that member of staff could get that data would be by consulting the database professional. One would clearly expect that if IT has been outsourced, then the role that I've just described would be played by a member of EDS staff, who should be just as responsible as the in-house role. Clearly that is not the case. At the end of the day EDS are not going to be held responsible for this, which is a shame, because they are the ones with the knowledge and know-how. They are the people who really understand just how bad this fuck up is. After all, if this had happened with one of their private sector clients then the client would likely have gone out of business and EDS would have lost their contract, and may well be facing criminal proceedings.
To be quite frank, every single person who is responsible for handling that data in those organisations should have a PGP key. All data that is passed around the organisation should be encrypted SOLELY FOR the recipient of that particular transaction. (If you don't understand how this can be done then go and read a primer on PGP public/private key encryption.) A suitably secure method to transmit this data (let's assume suitably filtered, with unnecessary fields removed) would have been to set up an SSH connection with a 128 bit key, then transmit the PGP encrypted zip files over that connection. This way, there is no way for the discs to get lost or copied.
Of course, the correct way to do that audit would have been for EDS to provide a reasonably priced service whereby they consulted with the audit office to find out exactly what information they needed, and wrote the SQL queries to extract this data. They could then provide a secure connection to the NAO offices and transmit the results of the queries.
The Labour MPs that have been on telly about this have been appalling. The party line seems to be that the government still wants to push on with ID cards. They keep saying that 'there are important lessons to be learned here'. Surely the most important lessons to learn are:
- When any large store of information is entrusted to an organisation then that organisation needs to be responsible to every single person whose information they hold.
- Any large store of information like this is very valuable to the seedier side of humanity: criminals, fraudsters and marketing departments.
- Any large store of information is VULNERABLE. Always. Absolute vigilance must be maintained to protect it. That means recruiting, training and retaining highly qualified and competent IT staff who work in house, and who will be held responsible in the event of a breach.
The IT industry has best practices for storing sensitive information. The tools that we have are not absolutely bombproof, but they are definitely more than adequate for protecting this kind of database, when they are used properly. I'm talking about technologies like PGP encryption, draconian access control policies and secured networks. If Her Majesty's Government of the United Kingdom of Great Britain and Northern Ireland is not using the industry's best tools and the industry's best practices to protect the data now, then how can we ever trust them to ALWAYS use the utmost diligence at all times in the future? Furthermore, how can we possibly extend that trust to future governments who haven't even been elected yet?
I'll reiterate that: This child benefits database is an example of the most sensitive information that the government handles about its citizens. If it's not using any encryption tools or following any industry best practice for protecting this data, then that's absolutely horrendously incompetent. Absolutely. I have no trust whatsoever that any data in government hands is safe. Absolutely none at all. It's going to take a lot more than a few half assed statements in the House of Commons and on Newsnight to convince me otherwise.
If you do support the principle of ID cards then you need to be absolutely convinced that the government's procedures for protecting the data that you entrust to them are absolutely flawless. I do not recommend that any citizen hands over data for an ID card until the IT industry leaders are satisfied with the way that the government handles data.
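As an added example (not from the post, and not anything HMRC or EDS actually ran), here is the column-and-row filtering discussed above written as a query: the audit party only ever sees a view exposing the columns it needs, the row count is capped, and a check confirms that no sensitive column is present before anything is sent. The schema, column names and sample rows are constructed for illustration and are not HMRC's real layout.

```python
"""Data minimisation for an audit extract: name the columns the auditor needs
and cap the rows, instead of dumping the whole table.  Everything here is a
constructed stand-in; the schema and rows are invented for the example."""
import sqlite3

# Columns an auditor checking payment totals might need (assumed for the example).
AUDIT_COLUMNS = ("claim_id", "child_dob", "weekly_amount", "last_paid")
# Columns that must never leave the system for that purpose.
SENSITIVE_COLUMNS = ("claimant_name", "ni_number", "address", "sort_code", "account_no")

# Constructed sample rows, one per claim (not real people or accounts).
CONSTRUCTED_ROWS = [
    (1, "A. Example", "QQ123456A", "1 Any Street, Anytown", "00-00-00", "00000001",
     "2001-03-04", 18.10, "2007-11-05"),
    (2, "B. Example", "QQ234567B", "2 Any Street, Anytown", "00-00-00", "00000002",
     "2003-07-19", 18.10, "2007-11-05"),
    (3, "C. Example", "QQ345678C", "3 Any Street, Anytown", "00-00-00", "00000003",
     "2005-12-30", 12.10, "2007-11-12"),
]


def build_db():
    """In-memory stand-in for the benefits database, plus a minimised view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE child_benefit ("
        " claim_id INTEGER PRIMARY KEY, claimant_name TEXT, ni_number TEXT,"
        " address TEXT, sort_code TEXT, account_no TEXT,"
        " child_dob TEXT, weekly_amount REAL, last_paid TEXT)"
    )
    conn.executemany("INSERT INTO child_benefit VALUES (?,?,?,?,?,?,?,?,?)", CONSTRUCTED_ROWS)
    # In a real DBMS the audit role is granted SELECT on this view only, never on
    # the table.  SQLite has no GRANT, so here the view just marks the boundary.
    conn.execute(
        "CREATE VIEW nao_audit AS SELECT %s FROM child_benefit" % ", ".join(AUDIT_COLUMNS)
    )
    return conn


def full_dump(conn):
    """What went onto the discs: every column of every row."""
    cur = conn.execute("SELECT * FROM child_benefit")
    return [d[0] for d in cur.description], cur.fetchall()


def audit_extract(conn, max_rows):
    """The 'basic filtering': named columns via the view, bounded number of rows."""
    cur = conn.execute("SELECT * FROM nao_audit ORDER BY claim_id LIMIT ?", (max_rows,))
    return [d[0] for d in cur.description], cur.fetchall()


def leaked_columns(header):
    """Sender-side check before transmission: which sensitive columns are in the extract?"""
    return sorted(set(header) & set(SENSITIVE_COLUMNS))


if __name__ == "__main__":
    db = build_db()
    for label, (header, rows) in (("full dump", full_dump(db)),
                                  ("audit extract", audit_extract(db, 2))):
        print(label, header, "->", len(rows), "rows; sensitive columns:", leaked_columns(header))
```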

2:07 pm
Found this as a saved draft that I wrote about 4 weeks ago but never posted...
There's quite a lot to catch up on since the last entry.
- Raced in Dusk til Dawn in early October. It hurt.
- Just got back from a week long climbing holiday in Font
- Entered the foundry bouldering league and completed the first round last night. Score so far: 110 points out of a possible max of 150.
- Finally got my new Rock Shock forks that I ordered in August. (Don't speak too soon, the courier is booked to arrive today)
- Parents are coming down from Aberdeen this weekend coming to deliver Mum's trike which needs some work doing on i
Bouldering league
One of the people who was on the Font trip works at the Foundry climbing wall and mentioned a bouldering league starting this Monday. With my bouldering skillz all toned up from a week in Font, and my fingertips thoroughly skinned, I decided to enter. There are 3 categories of varying difficulties. I entered the easiest. This consisted of about 8 easy problems that did not present a challenge, and 7 more difficult problems that I felt challenged by. Out of 15 problems, I flashed 8 (10 points each), got 1 on the second attempt (7 points), 1 on the third attempt (4 points), 4 on subsequent attempts, and I failed on the most difficult problem.

Thursday, August 16th, 2007
6:49 am - Sleepless in the Saddle
I've been meaning to post this all week, but I only just got the circular tuit.
I raced in Kona Sleepless in the Saddle last weekend and thoroughly enjoyed it. I'm very pleased with my lap times and generally very pleased with how my riding is improving.
Joolz, the legendary photographer who photographs all the events got this great photo of me: http://www.flickr.com/photos/joolzed/1106242657/
And here are the results for our team: we came 50th out of 83 mixed teams, and that's good considering that we were a 4 person team, whereas most mixed teams were 5 people.
Just out of interest, I've gone through the results and found all the other teams in the mixed category with only 4 riders:
- High Peak Cycles were 24th
- The High Peak Cycles A Team were 46th.... You've put all the slow people on the A team?
- Fig Racing Rolls (Us) were 50th
- Team AT1 were 74th
Our A Team (Fig Rolls Racing) came 4th which was superb. They would have needed another lap under their belts to get onto the podium.
Lap 24 was a really sloppy changeover. Luke came in at about 45, I got to the corral at about 46, so he spent 13 minutes looking for me then finally came back to find me on the hour. I noted down the changeovers that were slow so that I could work out the actual racing time for those laps:
Lap 24 was a 13 minute changeover, bringing the actual time racing down to 47 minutes.
When I handed over to Steve, I came in at midnight, and Steve went out at 6 minutes past on Lap 13, so Steve's actual time for that lap was a speedy 45 minutes.
I'll be entering Dusk til Dawn in October, hopefully in a team of 3. That's a 12 hour race in the hours of darkness between 8pm Saturday and 8am Sunday.
So that's what I did with my weekend. It's the best weekend I've had in ages, and I hope to do every single 24 hr race in the country next season...

Friday, August 10th, 2007
9:27 am

Sunday, August 5th, 2007
8:05 am - Italian
Just been to an Italian restaurant. Very small, very cosy. The dessert menu was like a children's party.
I had a meringue with cream, chocolate ice cream, Smarties, Maltesers, chocolate buttons, banana, and grapes, oh and Tia Maria. I felt sick on the walk home. Toblerone, Mars bars, Walnut Whips, Aeros and Flakes were also on the menu.
If I could remember the name then I'd recommend it. It's the very small place in Crookes, opposite the Punchbowl, between the pet shop and the hairdressers.

Friday, August 3rd, 2007
11:27 am - Boris Johnson for PM

Thursday, August 2nd, 2007
8:36 am - Power of a bike bell

Wednesday, August 1st, 2007
5:36 pm - Tidbits
A nice article at K5 about what makes us happy, and why capitalism isn't the answer: http://www.kuro5hin.org/story/2007/7/27/9289/40217
And when BBC news reads like 'The Day Today': http://news.bbc.co.uk/1/hi/wales/6925416.stm
The mine's owners said that it will be capable of producing up to one million tonnes of coal a year for the next 25 years. Chairman Gerwyn Williams said: "The mine is capable of producing about a million tonnes of coal a year. "There are transport conditions to consider but that's what we're aiming for - for about a million tonnes a year for about 20 to 25 years."

Sunday, July 22nd, 2007
10:50 am - Fun with mobiles
Carphone Warehouse upgraded my phone to a Blackberry Pearl, which was basically a dog turd in a box. I couldn't get used to the keypad. Predictive text that can't be turned off, with a fake QWERTY keyboard where every key has two letters. It wouldn't import the contacts from my SIM card, and I couldn't find the web browser. It took me 10 minutes to work out how to make a call. When I tried to register the phone with the Blackberry email service, the webpage told me that my phone didn't exist.
Due to distance selling regulations, I was able to exchange it for a Nokia N73 which is very impressive. A usable camera, Symbian, and a very nice user interface. Set it up to download pop3 mail in about 5 minutes.
Now, I have a problem:
I want to play Dragon Go moves from my GPRS mobile. I only get 1MB of bandwidth a month so I don't want to have to download all the images every time I view the page. The browser doesn't cache the images. My phone is capable of drawing a board itself. I've already loaded two Go applications on to it. I just need to download the current board position as an SGF.
What I need: A page on my server that will connect to Dragon, log in, and get a list of SGFs for moves that I have to make. Zip up this data and send it to my phone (response to post).
The go client on the phone will then unzip the file and then use go software to present each SGF. In order to make a move, it sends the move number back to my server app, which then passes it on to Dragon. Don't want the phone to communicate directly with Dragon, as Dragon's response is too large. Only actually need to receive an OK or NOKay message.
Should be a nice introduction to J2ME.

10:40 am - Playing Go again.
After a long hiatus, I've started playing Go again on Dragon and surprised myself by actually still being quite good at it. You never know, I might start going back to the Sheffield Go club again. OK, make that a goal.
If you want to play a game, I'm Yavanna Stompywitch on Dragon.
Off to Switzerland on Monday for a week mountain biking in the Alps. Should be fun, taking the bikes up on the gondola and then wheeeeeee! Well, I imagine there'll be some rocks and trees in the way but Wheeee! all the same.
Doesn't feel right, taking a lift up the hill on a bike. I mean, where would I be if I hadn't been riding up the hill from work every day? I certainly wouldn't have the legs I've got now, or the stamina for endurance races.
Disappointed that I can't take the SLR. Not because of the size, but because I don't really want to carry it in my backpack when I'm riding. I'll have to get used to the little point and shoot again. It's so pathetic compared to the SLR, changing the settings takes ages, and it always over exposes things.
Speaking of endurance races, I raced in the Bontrager 24/7 last weekend, and hoping to race in Sleepless in the Saddle too, if we can get a place. Apparently it's rather over booked.
Still, will get myself sorted next year earlier and get lots of training in - then maybe I can race properly as a four, or even as a pair next summer. Something to look forward to anyway. Jam tomorrow! Goal 2.
So things are finally looking up, This goal setting malarkey is quite fun.
Oh, and I stayed up late because I couldn't sleep and saw a film on TV. Bit clichéd, but very well played. 'Emerald Forest.' Look it up.
And yay to Livejournal tech support for restoring this post after Firefox crashed. That's some nifty automated draft javascript.

Wednesday, July 11th, 2007
3:18 am
I'm 28.
Dear gods.
Thanks to CJK for absolutely amazing birthday presents. Dearie, I totally think that you should try to make a living out of your photography.
In other news, I think I hate this woman: http://news.bbc.co.uk/1/hi/magazine/6250184.stm
A quote:
If we could bring ourselves to improve the spellings of just 200 of the most frequently used words that have silly spellings, like "once, only, said", we would completely transform yung children's lives and educational progress. Even just shedding the surplus letters from 100 of them, as in "friend- frend, beautiful - butiful, slow - slo, have - hav" would make initial phonics teaching much easier and mor succesful than it is now.
You are not going to butcher my favourite words. Big Elephants Are Ugly. It's not difficult.
If Beautiful is Butiful, then surely beauty would be buty. What would a beautiful young girl be? A bu? The phonetics come from the combination of the vowels. Yes, we say it as 'b u t i ful', but the word is actually bowtiful. It's got French roots. Why would you want to just erase that information from a language? It's rich, it's historical.
Recognising that other words are spelt similarly can take your mind on wonderful flights of fancy, exploring strange new words, gaining insight into grammatical structures of the root languages, then working out where the simplifications have been made. Language is complex because life is complex.
Masha Bel. Dubal Plus Ungood.

Friday, June 29th, 2007
1:25 pm - Flood photographs are here

1:22 pm - Doomed ducks sail oceans for all eternity
The Register reports: "Residents of the western UK and Irish coasts have been warned to expect an invasion by a vast flotilla of ghostly, immortal albino plastic ducks, according to reports. The tale of the floating, whitened bird-simulacra migration is a strange one, dating back many years. It seems that the plastic bathtime companions were originally made in China. They were on their way to America in 1992 when a terrible storm struck their vessel in mid-Pacific, and shipping containers holding 30,000 of the hapless playthings were washed overboard. A majority of the ducks - at that stage still tinted a healthy yellow - headed south, many of them reportedly finishing up in Australia, where they were doubtless accorded the traditional hostile reception. Ten thousand of the plastic anatidaens, however, went north, embarking on an endless odyssey across the world's oceans. Like the legendary Captain Vanderdecken in his ill-omened ghost ship the Flying Dutchman, the flocks of plastic kiddy-pals seemed doomed to roam the oceans for eternity. The luckless fleet of cursed, wandering sea-going toys - Flying Duckmen, perhaps - circled the northern Pacific for some years before a fresh horror befell them as they drifted into the Arctic. Here they became frozen into the pack ice, suffering untold torment in their icy prison as they slowly transited past Greenland into the Atlantic." Read more at http://www.theregister.co.uk/2007/06/28/doomed_ducks_sail_oceans_for_all_eternity/

Tuesday, June 26th, 2007
12:15 am - Water! (Photos to come)
I went exploring after work with mountain bike and camera to see the extent of the flooding in Sheffield and found a lot more than I expected.
The River Don had burst its banks, and the Rivelin flooded B&Q in Hillsborough.
Took lots of pictures, but forgot that the camera was in RAW mode from when I was playing with it earlier, so I've spent the rest of the evening working out how to make a .deb for dapper for the latest version of dcraw.
The current version of dcraw in dapper (7.94) doesn't support the Pentax K100D raw format. Version 8.76 does.
Here's what I did (so I don't forget):
Downloaded: http://ftp.debian.org/debian/pool/main/d/dcraw/dcraw_8.39.orig.tar.gz (Latest version of the source).
This contained a getsource script which I ran to get the source for version 8.76.
This didn't make, so I changed the Makefile to remove all references to dcfixdates (because the source is not included for that target). I then added the flags that David Coffin (author of dcraw) suggested, changing CFLAGS from -I. -O3 -g -Wall to -I. -O4 -g -Wall and adding -llcms to the make rule for dcraw.
I updated the changelog in /debian/changelog (need to do this in order for it to name the package with the correct version number)
I pruned the broken stuff out of ./debian/rules
then ran ./debian/rules binary to make dcraw_8.76-1ubuntu1_i386.deb.
If you want a copy of it then drop me a comment and I'll stick it on an ftp server.
Tomorrow I'll learn about what I need to do to make that an official part of Ubuntu so that other people can use it too.
And more importantly I can now get on with converting my photos....

Thursday, June 21st, 2007
3:51 am - BSOs and big waves (MLP)
CJK pointed me to this piccy this evening. Just wanted to share and remember it. I really like the silhouetted shape of the surfer. Nice bum! Reminds me that I want to go snowboarding. (Yes, in June.)

Also read a nice article on the false economics of Bicycle Shaped Objects before I went to work. Read and learn.
http://www.southcoastbikes.co.uk/Articles.asp?article=NO_BSO

Thursday, June 14th, 2007
3:20 am - A success!
The wizards at Ubuntu! Never has a distro upgrade gone so smoothly! Dapper is much more polished. The desktop seems more responsive and it just looks sexier.
Also had a look at the abstracts I took the other day, only one was worthy:

Tuesday, June 12th, 2007
3:37 am - Photos
Got another new toy: close up and macro lenses for the SLR. I should have got an SLR ages ago. There are so many inexpensive little add-ons that I've been wanting to play with ever since I first got into photography. Circular polarisers, close up filters... I'm aware that the quality of cheap filters bought from India on eBay may not be as good as Hoya but they're a damn sight cheaper and they seem to do the job.
Got lots of abstract photos to upload but pbase is down at the moment so you'll have to wait.
Also looking at setting up my own photo gallery in Drupal so that I don't have to rely on pbase all the time. It's about time I learned about Drupal anyway.
Also trying to get Ubuntu Breezy to upgrade to Dapper. Not much luck at the moment, none of the entries in /etc/apt/sources.list can be found. Need to find some reliable sources.

Tuesday, June 5th, 2007
11:14 pm - It gets better

1:22 am
*snigger*