Blog

  • Volkswagen: Fixing Emissions Tests, But What Else. And Who Else?

    So it looks like Volkswagen has been fixing emissions testing in the US …

    It seems that they have probably built into the engine management software something that detects when the engine is being tested for emissions. This apparently detects testing conditions and switches to a test mode where the engine power is reduced sufficiently to reduce emissions below the legal limit. Real emissions are up to 40 times the legal limit.

    Volkswagen are apparently very sorry about this, but probably more about being caught than anything else. It could be just a one-off aberration, but frankly it is more believable that this sort of thing only happens within a company that has a culture where deceiving the customers and regulatory authorities is seen as perfectly acceptable practice.

    So what else are they up to?

    In a Science Fiction story by Charles Stross (Halting State), auditors do a much more thorough job of checking companies for ethical behaviour and screening executives for sociopathic tendencies; Volkswagen's path out of this mess involves an up close and personal relationship with a savage group of auditors looking into the ethics of the company.

    But who else is using engines that lie to emissions tests? Not only do many other car manufacturers use Volkswagen engines, but other car manufacturers also have an incentive to do the same sort of thing. How much do we trust them?

    How many Volkswagen engineers and managers involved in this "special" project have gone on to work for other manufacturers?

  • Supermacro Experiments

    #0: Bread

    #1: Damascus

  • Regular Password Changes Considered Harmful

    According to the latest advice from CESG: "Regular password changing harms rather than improves security, so avoid placing this burden on users."

    Wrong!

    (Thanks to xkcd.com).

    Most of the advice given is eminently sensible, and indeed forcing password changes on a frequent basis does more harm than good – when forced to change their passwords every 30 days (yes really!), people will commonly resort to sanity and use passwords of the form: someword-${month} (such as "happy-July"). However the advice to never force password changes was obviously written by someone who is under the belief that staff accounts have a somewhat limited lifetime – people change jobs, etc.

    There is still a great deal to be said for changing passwords less frequently – say every couple of years. Or even a random number of days between 730 and 1,095, which will help to randomise calls to the Helpdesk. Amongst other things :-

    1. The concept of a strong password changes over the decades; allowing account passwords to remain the same for the lifetime of a staff account will mean that a considerable number of staff accounts will have weak passwords.
    2. There is such a thing as "accidental shoulder surfing" whereby someone acquires knowledge of part of your password by merely being present when you enter it. Over time they can acquire more and more of your password. 
    3. Only changing an account password when there is a suspicion it has become compromised means that there is no mechanism to lock stealthy intruders out. Whatever kind of anomalous account behaviour detection mechanism you have in place, there is always the chance that a compromised account can remain below the radar; periodic password changes do lock this intruder out.
    4. Less directly, forcing account password changes on a regular but infrequent basis has the side effect of educating people that passwords can be compromised.

    Of course every security person who read the CESG advice on passwords probably thought "Great. Now who is going to educate the auditors?". 
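
    The random 730 to 1,095 day interval suggested above, sketched as an added example (not code from this blog or from CESG). The account names, the demo secret and the choice to derive the interval from an HMAC are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date, timedelta

MIN_DAYS, MAX_DAYS = 730, 1095      # range suggested in the post
SECRET = b"constructed-demo-key"    # assumption: a per-site secret, constructed here


def expiry_interval(account, last_changed, secret=SECRET):
    """Days until the next forced change, stable for this account and password.

    HMAC(secret, account|last_changed) is used instead of random.randint() so a
    nightly enforcement job computes the same answer on every run without
    having to store the chosen interval anywhere.
    """
    msg = f"{account}|{last_changed.isoformat()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = MAX_DAYS - MIN_DAYS + 1  # 366 possible values, both ends inclusive
    return MIN_DAYS + int.from_bytes(digest[:8], "big") % span


def expiry_date(account, last_changed, secret=SECRET, fixed_days=None):
    """Date of the next forced change; fixed_days overrides the spread interval."""
    if fixed_days is None:
        fixed_days = expiry_interval(account, last_changed, secret)
    return last_changed + timedelta(days=fixed_days)


def peak_daily_expiries(accounts, secret=SECRET, fixed_days=None):
    """Largest number of accounts whose password expires on any single day."""
    per_day = Counter(expiry_date(a, d, secret, fixed_days) for a, d in accounts)
    return max(per_day.values())


def constructed_accounts(n=2000, set_on=date(2015, 9, 1)):
    """Constructed sample: n accounts that all set a password on the same day."""
    return [(f"user{i:04d}", set_on) for i in range(n)]


if __name__ == "__main__":
    accounts = constructed_accounts()
    print("fixed 730 days, worst day :", peak_daily_expiries(accounts, fixed_days=730))
    print("730-1095 spread, worst day:", peak_daily_expiries(accounts))
    print("user0001 expires on       :", expiry_date(*accounts[1]))
```

    With a fixed interval every one of the constructed accounts expires on the same day; with the spread, the worst day carries only a small fraction of them, which is the Helpdesk effect the post describes.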

  • Are Drone Strikes Self-Defence?

    The big story of the day is the news that a UK drone strike took out an ISIS terrorist in Syria; one who used to be a UK citizen. After all, ISIS claims to be a nation state and so their "fighters" (actually terrorists) could be said to have given up their previous citizenship.

    Arguing about whether it was justified is completely pointless without access to all of the relevant information which we won't get. It would be a very good idea for someone sensible (i.e. not a sleazy politician) outside of the intelligence community to review that secret information and to be the one authorising such activities.

    But is a drone strike self-defence? It may well be under military terminology or even under international law.

    In terms of ordinary understanding of self-defence, it is not – in terms of someone assaulting you, it is self-defence to break someone's arm as they are striking you; it is not self-defence to break their arm because they have promised to assault you tomorrow. As ordinary people understand the term, a drone strike is not self-defence.

    It might be somewhat less controversial to call a spade a spade and term this attack a "pre-emptive defence against an imminent mass terrorist act" (or whatever phrase would fit the facts). On the face of it, using a drone strike to kill two terrorists only who are about to launch a terrorist attack, is the least-worst action.

    That does not justify so-called "collateral damage" (in honest spade terms, that would be the indiscriminate murder of innocent civilians), and anyone who authorises drone strikes that result in murder should be prosecuted.

  • The European Refugee “Crisis”

    The news has been filled for a few weeks now with stories about "immigrants" making their way into Europe through various routes – across the sea to the Greek islands, and across land through Hungary. Of course technically they are all travellers until they stop moving and set up home (at which point they are immigrants unless they stopped moving before they left their home country).

    It turns out that most of the travellers are from Syria or from Afghanistan which makes them refugees.

    This is a special category of migrant, and such migrants have the right under international law to seek and enjoy asylum.

    child_sea4

    Anyone trying to limit that right of asylum is almost certainly a criminal under international law, and morally bankrupt to boot. Those thinking that we can't take any more should take a long hard look at that dead child above; you are as responsible for that death just as much as if you beat that child to death personally.

    There is no refugee crisis except in the sense that the refugees are not being treated properly. The fact that Europe was going to see an increase in the number of refugees was entirely predictable given the situation in Syria; particularly given that Turkey is hosting 1.7 million refugees. If anything there has been a crisis of political leadership amongst European politicians, and a failure to take a strong moral position. With a handful of exceptions.

    The UK government is busy playing ostrich games by pretending that dealing with the Syrian crisis in Syria will make all the refugees disappear. Yes the ultimate solution is to sort out the situation in Syria, but in the meantime there are refugees dying.

    The EU needs to start funding the cost of dealing with refugees so that the countries least able to afford to don't have to pay a disproportionate amount (i.e. Greece).

    The EU needs to set up safe, secure, and comfortable refugee centres where refugees can be accommodated, assessed, and then allocated a new country to go to.

    The EU needs to allocate refugees out amongst all of the countries of the EU on a fair basis, and needs to shame the reluctant into accepting their fair share.

    And we all need to slap down those who oppose treating the refugees properly.