There is no such thing as unbreakable encryption
Regarding David Lacey's blog about claims of unbreakable encryption from EADS, any crypto system can be broken with the right amount of time. Sure, the information that has been encrypted may not be useful any more, but that does not mean that the encryption cannot be "broken", even if it is by brute force. There is also the possibility of social engineering in order to gain access, which is something that EADS' NSA certification does not take into account.
I am also sure that if they are addressing an identified problem then there are going to be products that others have come up with to solve it. EADS may not be aware of them, but that does not mean they are not out there.
It should also be noted that the HAIPE IS certification they mention is defined by the NSA as a type 1 certification which "refers only to products, and not to information, keys, services, or controls". So although it has the right components, there is no guarantee that they have been put together correctly.
In the current market where new security products come daily (if not every few hours), you have to make a judgement call on what you consider worth looking at more closely, and given EADS' focus on big claims and lack of focus on technical detail on their website, I agree with Bruce Schneier's initial assessment: it looks like snake-oil.
Was Northern Rock web downtime just a ploy?
Joanna Sedley-Burke, business development director, Sovereign Business Integration
It does seem odd for a business of such stature as Northern Rock to not have the back-end IT infrastructure to handle an increase in traffic. After all, the recent issues are reported to have been apparent since August, so why the lack of planning for recent events?
The blame in such a situation instantly falls to the IT department. Lack of foresight, poor infrastructure and ineffective communication are various claims. However, is it time to forget the easy option of blaming the IT department and start looking at the business case? Was the website downtime just a very clever business decision by Northern Rock?
Rather than planning ahead to adapt the IT infrastructure and risk leaking the story when the issues first arose, perhaps the bad publicity of nervous customers queuing outside branches far outweighed the negativity of allowing customers the luxury of extra bandwidth to withdraw their money easily and quickly.
Now forced to physically visit their branch to get their hands on their money, it would be interesting to see just what percentage of customers re-evaluated their hasty decision to withdraw, and in turn, stayed as valuable Northern Rock account holders.
URL busy tone would have benefited Northern Rock
With Northern Rock's website failure due to high demand, it seems logical that ISPs introduce some form of "hit gapping", in the same vein as "call gapping" for the PSTN.
Yes, there is bandwidth throttling and weighted fair queuing, but a simple HTML page that informs the user that a site is temporarily busy, such as a POTS engaged tone, could help. The majority of people understand the busy tone and may find a "URL busy" preferable to a timeout.
Many people do not realise the POTS busy tone is put on at the ingress to the PSTN network, so protecting the destination and core network. ISPs could adopt a similar schema, thus allowing some people access instead of the majority getting a slow or timed-out URL.
The Northern Rock website demand could have been predicted, as financial news broke into mainstream news. As the mass "hit" event built in intensity, ISPs could have dammed the flood with a "URL busy" instead of releasing the flood of hits onto a target LAN and web cluster that eventually drowned under the demand. PSTN mass call events are often predictable and "call gapping" can be employed.
Why not employ the same idea for public-facing infrastructure?
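The "hit gapping" idea in the letter above can be sketched as an ingress admission control. This is an added example, not part of the original letter; the class name `HitGapper`, the hosts `bank.example` and `shop.example`, the 500 ms gap and the arrival pattern are all constructed assumptions.

```python
import math

# Constructed "URL busy" page, the web analogue of the engaged tone.
BUSY_PAGE = "<html><body><h1>Site busy</h1><p>Please try again shortly.</p></body></html>"

class HitGapper:
    """Ingress-side gapping: for a destination under a mass-hit event, admit
    one request per gap interval and answer the rest with a busy page."""

    def __init__(self, clock_ms):
        self.clock_ms = clock_ms   # injected clock (integer ms), so no sleeping
        self.gap_ms = {}           # host -> gap currently applied to it
        self.next_slot = {}        # host -> earliest time the next hit is admitted

    def apply_gap(self, host, gap_ms):
        self.gap_ms[host] = gap_ms

    def handle(self, host):
        gap = self.gap_ms.get(host)
        if gap is None:            # destination not gapped: pass straight through
            return 200, {}, "forwarded"
        now = self.clock_ms()
        slot = self.next_slot.get(host, now)
        if now >= slot:            # gap has elapsed: admit and start a new gap
            self.next_slot[host] = now + gap
            return 200, {}, "forwarded"
        # Rejected at the ingress; the origin never sees this hit.
        wait_s = math.ceil((slot - now) / 1000)
        return 503, {"Retry-After": str(wait_s)}, BUSY_PAGE

def run_demo():
    """Constructed load: one hit every 100 ms for 10 s on the gapped host,
    one hit per second on an ungapped host. Returns (admitted, busy) per host."""
    t = [0]
    gapper = HitGapper(lambda: t[0])
    gapper.apply_gap("bank.example", 500)
    tally = {"bank.example": [0, 0], "shop.example": [0, 0]}
    for ms in range(0, 10000, 100):
        t[0] = ms
        hosts = ["bank.example"] + (["shop.example"] if ms % 1000 == 0 else [])
        for host in hosts:
            status, _, _ = gapper.handle(host)
            tally[host][0 if status == 200 else 1] += 1
    return {h: tuple(v) for h, v in tally.items()}

if __name__ == "__main__":
    print(run_demo())
```

The origin sees a steady two hits per second regardless of how large the flood grows, and every rejected client gets an immediate answer with a `Retry-After` hint instead of a timeout.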
Whitehall must do more on C# skills shortage
Geraint Allday, team leader, Concept IT Recruitment
I would like to voice my concern that the government is not doing enough to help ease the worsening C# skills shortage.
The facts are:
● The demand for C# skills nationwide is higher than virtually any other technology.
● Universities have only recently started teaching C# as part of degree courses, meaning that it will be a few years before any volume of C# developers hits the marketplace.
● There has been a severe reduction in graduates of computer science degrees: it has been widely reported that mathematics and computer sciences have the highest university dropout rate in the UK.
● There are too few qualified EU nationals to fill the UK skills gap.
Despite this, however, the government has yet to officially recognise that there is a critical C# skills shortage in the UK. If it did, requirements on work permits would be significantly relaxed and employers would find it much easier to source the skills they need from abroad. In the meantime, however, we are all bound by the costly, complex and time-consuming work permit demands and requirements imposed by the Home Office, and potential workers from overseas are put off by the constantly changing requirements of the UK's Highly Skilled Migrants Programme.
It is time for the government to realise that the long-term face of programming in the UK relies on the short-term importation of skills from abroad. Action is needed now.