From a while back …
So there has been a disaster at Grenfell Tower; who is responsible?
Ultimately the government :-
- England requires that all new tower blocks higher than 30m must have sprinkler systems fitted (in Scotland the height limit is 18m). So for some reason new towers are unsafe without sprinkler systems and old towers are safe?
- Allowing a tower block to be clad in a flammable material which has been linked to previous serious fires and is banned in the US. Its use on a residential tower block is at best foolish. A government report as far back as 2000 suggested that “We do not believe that it should take a serious fire in which many people are killed before all reasonable steps are taken towards minimising the risks”.
- The appearance of council tower blocks is more important (after all they’re next door to rich neighbourhoods) than the safety of residents.
- The government believes that regulation and red tape are an unnecessary burden on business; to put it another way, the government would rather let rich people get richer than stop poor people being incinerated in their own homes.
There will be an enquiry into the fire, and undoubtedly the government will find someone other than themselves to blame.
But don’t forget that the ultimate responsibility for warehousing poor people in fire traps lies with the government.
Short answer: NO!
One of the infuriating things I come across is the notion that final salary pension schemes are generous; it seems that a generation of Tory propaganda has persuaded people that such schemes were wildly over-generous and completely unaffordable. Of course many of those doing the persuading are taking advantage of those “generous” pension schemes.
What it is easy to forget is that many of those final salary pension schemes collapsed because successive governments turned a blind eye to the private sector looting pension scheme surpluses and then panicking when the surpluses turned into deficits. In other words when pensions were profitable they were affordable, but whenever a company suddenly had to contribute more than it expected they were suddenly too expensive.
Now don’t get me wrong – with increasing life expectancy there are problems with funding pension schemes, and we can decide that they are too expensive, or not. But if a pension scheme was perfectly reasonable in the 1970s, it doesn’t suddenly become overly generous in the 21st century.
As it is, we have “decided” that rather than share wealth out amongst the working-class, it should be kept in the hands of the already wealthy.
Of course we could always decide to revisit that decision and spend more time thinking about it.
Any serious cryptographic routine needs a good source of random numbers, and whilst Linux provides a random number generator by default, its sources of entropy can be somewhat limited. Especially when you’re talking about a virtual machine.
Indeed if you try to pull too much randomness out of the Linux entropy pool (especially when it is already starved), reads of /dev/random block until more entropy arrives, and on a freshly booted virtual machine the pool may not have been properly seeded at all.
Which is where hardware random number generators come in. And I finally have one (actually two), and have hooked them up. You may be able to guess what time I plugged it in from the graph below :-
So what real world difference does it make?
Well nothing is dramatically obvious, but :-
- I have slightly more confidence that any cryptographic software I might run has a good source of randomness and is less likely to accidentally perform poorly (in terms of cryptographic strength).
- Some cryptographic software blocks if the Linux entropy pool is empty; with a hardware source I can be more confident that any performance issues are not due to a lack of randomness.
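To see the blocking behaviour described above for yourself, here is a small probe written for this post (it is an added example, not code from the original post or from any RNG tool). It assumes the usual Linux paths /proc/sys/kernel/random/entropy_avail, /dev/random and /dev/urandom; the parser is also fed a constructed string so it can be exercised on a machine without /proc.

```c
/* Added example: probe the kernel entropy pool and compare a non-blocking
 * read of /dev/random (which reports "would block" when the pool is
 * drained) with /dev/urandom (which never blocks). Paths are the usual
 * Linux ones and are an assumption of this example. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse the decimal value in the format of
 * /proc/sys/kernel/random/entropy_avail. Returns -1 on malformed input. */
long parse_entropy_avail(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0)
        return -1;
    while (*end == ' ' || *end == '\n' || *end == '\t')  /* trailing newline */
        end++;
    return *end == '\0' ? v : -1;
}

/* Read the live value from /proc. Returns -1 if unavailable (non-Linux). */
long read_entropy_avail(const char *path)
{
    char buf[32];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return parse_entropy_avail(buf);
}

/* Try to pull `want` bytes from `dev` without blocking.
 * Returns 0 if all bytes arrived, 1 if the kernel would have blocked
 * (a blocking read, and any software using it, would stall here),
 * -1 on any other error. */
int nonblocking_read_status(const char *dev, size_t want)
{
    unsigned char buf[256];
    if (want > sizeof buf)
        want = sizeof buf;
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) {
            got += (size_t)n;
        } else if (n < 0 && errno == EAGAIN) {
            close(fd);
            return 1;            /* pool drained */
        } else if (n < 0 && errno == EINTR) {
            continue;
        } else {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return 0;
}

int main(void)
{
    long avail = read_entropy_avail("/proc/sys/kernel/random/entropy_avail");
    printf("entropy_avail: %ld (compare with .../random/poolsize)\n", avail);
    printf("/dev/urandom non-blocking read: %d (0 = got all bytes)\n",
           nonblocking_read_status("/dev/urandom", 64));
    printf("/dev/random  non-blocking read: %d (1 = would have blocked)\n",
           nonblocking_read_status("/dev/random", 64));
    return 0;
}
```

Run it a few times in a loop on a freshly booted VM without a hardware source and you will see the /dev/random result flip to 1 as the pool drains; with a hardware generator feeding the pool (via rngd or the kernel’s own hwrng support) it should stay at 0.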
During a recent on-line rant about anti-abortion terrorists, I happened to trip over some statistics on the rate of mortality during childbirth (the “Maternal Mortality Ratio”) from the WHO. And being the kind of person that statistics interest, I spent some time looking into them; indeed I got so interested I transcribed some of the raw figures to generate a pretty graph :-
This obviously excludes many countries – what we could call the developing countries. The countries included (which you’ll have to peer closely in order to see – sorry about that) are all rich. At least relatively speaking.
Just look at the USA! Down with the also-rans amongst what could be called the relatively dysfunctional countries at the fringes of being considered “developed”. Now you could argue that there is something special about the reason why the USA doesn’t have a single-digit MMR like the overwhelming majority of developed countries. I can think of a few possibilities myself :-
- Perhaps the USA is the only country in the world to tell the truth about its actual MMR and all the other countries are lying. Perhaps. I am not going to argue there isn’t some shady practice going on with the figures in some cases, but these figures are produced by statisticians and as an overall group statisticians don’t like lying about numbers. Yes there is the old saw about “lies, damned lies, and statistics”, but the source of that distrust is the twisting that politicians apply to statistics to support their lies.
- Perhaps the USA didn’t read the instructions from the WHO properly about what kind of deaths to include in their returns and they’re including deaths that other countries wouldn’t include. But whilst I’ve not read the instructions from the WHO about this, I have read other instructions on statistics and they usually go into excruciating detail about what should and should not be included. It’s possible that the USA handed this little job over to a complete dumb-arse, but it doesn’t seem very likely.
- The WHO is anti-American and decided to inflate the figures. This is just laughable – the WHO isn’t going to risk getting called out by doing something so obvious even if it really was anti-American.
Sometimes the most obvious reason is the real reason – and here the most obvious reason is that the US health care system sucks.
There is additional evidence to show that – the WHO figures cover years other than 2013, and the US figures are consistently bad and getting worse.
But how can this be? The USA is one of the wealthiest countries in the world and spends a ridiculous percentage of its annual GDP on health care. It also produces many healthcare innovations and undoubtedly has improved maternal care at some point with some new technique. The really rather obvious explanation (although it needs to be tested) is that healthcare in the USA is divided into three.
There are those who have full insurance, and this group probably gets pretty good healthcare.
There are those who are covered by government schemes and this group probably gets reasonable healthcare.
And there are those who fall between the cracks – they’re not covered for various reasons – and their care is abysmal and probably limited to emergency care only. Which can sometimes be too late.
But when you come down to it, if you are pregnant it may be worth avoiding the USA until you’ve given birth. And if you’re already in the USA, it may be worth thinking about a long break somewhere where they have a healthcare system that doesn’t suck.
Moaning about the weather? You’re just making the world a little bit less happy and surprisingly often making yourself look ridiculous.
It’s fine to whinge a little bit when there are solid lumps coming out of the sky and the lumps are being driven horizontal in the wind, but complaining about normal weather is just a bit ridiculous.
Today for example, everyone is screaming about how cold it is. It’s actually a pretty normal temperature for the time of year, and as a bonus it was pretty sunny today. Every cloud has a silver lining.
As for the people who kept complaining that last week was cold … please! The warmest Halloween on record and you were complaining about the cold!
Now the following looks cold :-
(Stolen from Wikipedia).
There’s no bad weather; just the wrong clothes.
To anyone who is aware of the history of Nazi Germany’s actions leading up to World War II, there’s something alarmingly familiar about Putin’s actions recently.
Germany lost a lot of territory after World War I, and Russia lost a lot of territory after the break-up of the Soviet Union.
Germany annexed Austria in what became known as the Anschluss, and in a quite similar move Russia annexed the Crimea.
Germany “rescued” the German minorities from “repression” in Czechoslovakia by annexing the parts of the country with large ethnic German populations; Russia appears to be trying the same thing in the eastern Ukraine.
It is probable that Putin is not trying to emulate Hitler by exterminating a whole “race” of people, but Hitler wasn’t considered to be a monster just because he tried to exterminate the Jews (and other minorities he didn’t like), but also because he was a military adventurer who provoked one of the deadliest wars in history.
And Putin does seem to be in the early stages of something like that.
One of the interesting aspects of Heartbleed is the criticism levelled at OpenSSL, the relevant developers, and open source in general.
Isn’t this the fault of the OpenSSL developers?
Yes, but …
Whilst it is very easy to blame the OpenSSL developers, and ultimately they were the ones who made the mistake of introducing this vulnerability, it is not quite that simple.
What has become clear is that the OpenSSL project is chronically underfunded, with fewer than four active developers (only one of whom is full time). This is despite the fact that OpenSSL is probably in roughly half of all software products, including products from technology giants such as Cisco, IBM, HP, Lenovo, etc.
If OpenSSL is underfunded, everyone who makes use of the library in their products should ask themselves why they are not contributing towards the project. Surely every one of the technology giants could afford to contribute the cost of one developer each?
Isn’t this the fault of the open source methodology?
Every time a vulnerability crops up, someone blames the development model for the vulnerability. But when you come down to it, both open source and closed source projects contain vulnerabilities.
In theory it is possible for open source to be more secure. Because the source code is publicly available, it can be audited by independent researchers. And that is effectively what seems to have happened – a Google researcher found the vulnerability and informed the OpenSSL developers of the problem.
What went wrong is that the audit happened after the release of the code. To be more secure than closed source, open source needs to be audited before the code is released. Perhaps some automated system that checks every code check-in.
Is it the fault of the C programming language?
No, it’s the programmer’s mistake.
But C does make it easy to make mistakes with memory handling, although we have to remember that half of this bug was a different sort of mistake – trusting user supplied data (here, the payload length claimed in the heartbeat message). And no matter what kind of language you are using, if you trust user supplied data then attackers everywhere will be chortling.
Back to C’s memory handling. C is a very old programming language and expects the programmer to safely deal with memory management. The best programmers can do this safely, but even those programmers have the occasional Friday afternoon and most programmers are not that good.
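To make both halves of the mistake concrete, here is a toy heartbeat handler written for this post (an added example, not OpenSSL’s code), with the unchecked copy beside the bounds-checked one. The record layout (one type byte, a two-byte payload length, the payload, then 16 bytes of padding) follows RFC 6520; the “heap” arena, the record contents and the secret placed just behind the record are all constructed here so the over-read can be shown without undefined behaviour.

```c
/* Added example (not OpenSSL's code): the Heartbleed pattern in miniature.
 * The arena stands in for the process heap; the secret behind the record
 * is constructed so the over-read is visible. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16
#define ARENA_SIZE 64

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session-key:hunter2";   /* constructed */

/* Build a heartbeat request whose header claims `claimed_len` payload
 * bytes but actually carries `actual_len` (at most 25 here so the secret
 * still fits in the arena). Returns the record length the transport layer
 * would report, i.e. what really arrived on the wire. */
size_t build_record(uint16_t claimed_len, size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);             /* bytes really sent */
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + rec_len, secret, sizeof secret); /* unrelated heap data */
    return rec_len;
}

/* The bug (CVE-2014-0160): the attacker-supplied payload length is used
 * as the copy length without ever comparing it with rec_len. Returns the
 * number of bytes echoed. The clamp to the arena is a demo-only guard so
 * this program itself stays well defined; the real code had nothing. */
size_t heartbeat_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* never consulted */
    const unsigned char *p = arena + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    size_t n = payload;
    if (n > out_cap)
        n = out_cap;
    if ((size_t)(p - arena) + n > ARENA_SIZE)       /* demo guard only */
        n = ARENA_SIZE - (size_t)(p - arena);
    memcpy(out, p, n);                              /* reads past payload */
    return n;
}

/* The fix, in the shape OpenSSL 1.0.1g used: reject the message unless
 * type + length + payload + padding fits inside the record that arrived.
 * Returns the payload length echoed, or -1 when the message is dropped. */
int heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                  /* no room for a header */
    const unsigned char *p = arena + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                                  /* claim exceeds record */
    if (payload > out_cap)
        return -1;
    memcpy(out, p, payload);
    return (int)payload;
}

/* Did the echoed bytes include the secret that lay behind the record? */
int contains_secret(const unsigned char *out, size_t n)
{
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec = build_record(60, 4);               /* claims 60, sends 4 */
    size_t n = heartbeat_vulnerable(rec, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n",
           n, contains_secret(out, n) ? "yes" : "no");
    printf("fixed: %d (-1 = rejected)\n", heartbeat_fixed(rec, out, sizeof out));
    return 0;
}
```

The point of the pair is that the language let the over-read happen silently, but the missing line was a check on an untrusted length; a bounds-checked language would have turned the leak into a crash, which is better, but the check on the claimed length is still the actual fix.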
A more modern system programming language such as Go or Rust would be very helpful in reducing the possibility of certain types of errors, and there’s a great deal to be said for switching to one or other.
But OpenSSL is written in C, and switching now would be very difficult especially as the OpenSSL library needs to maintain compatibility with hundreds or thousands of programs written to call functions within a C library. Even if that compatibility problem were overcome, rewriting OpenSSL in some other language is an enormous amount of work which is hard to do with just four developers.
It’s a bit ridiculous to compare the two, but if you look at the number of casualties involved, the 9/11 terrorist incident which caused around 2,900 casualties is very roughly comparable in size to The Troubles (with some 3,500 casualties). Of course the troubles consisted of many small incidents over a period of 30-odd years.
During that time, one of the principal sources of funds for the IRAs (the “Official IRA”, the “Provisional IRA” and the INLA) was the groups NORAID and Clan na Gael, which were based in the USA and raised funds from supporters there.
Or in other words, some US citizens were helping to fund a 9/11.
What’s more anyone who reads the history of the IRA is made very aware that the IRA regarded the US as a safe haven for their “soldiers”.
It’s interesting to contemplate using some of the war on terror’s weapons against some US citizens :-
- Extraordinary rendition of US citizens to concentration camps excluded from the protection of the law – so they could be tortured.
- Freezing of the assets of some US citizens suspected of helping to fund terrorism.