Last updated: April 19, 2018 12:22 PM (All times are UTC.)

April 18, 2018

Researchers found a new iOS vulnerability called “trustjacking,” which exploits a feature called...
This is the first part of four of our GDPR Glossary. GDPR is an EU regulation to be implemented on the 25th May 2018 which seeks to give people more control over how organisations use their data, introduce greater penalties for organisations who fail to comply with these rules and greater protection for those that suffer a breach of data.

April 17, 2018

You may have seen or heard about the recent advisory on Russian state-sponsored...
The use of automated bots is becoming more prevalent for novice attackers as...
I work as Cyber Security Consultant for Sopra Steria, a digital services provider to...

April 16, 2018

I was heartened and reassured by the feeling of growing confidence at this...

April 13, 2018

Many Android device manufacturers are not telling the truth when they say they...
The tech industry in the UK has issued a warning to ministers that a transition away from EU data protection standards following Brexit will damage the UK’s status as a technology hub, amid the growing misunderstanding amongst Brexiteers that diverging from the tough EU data protection laws will give Britain a competitive advantage compared to other EU states in this fast growing sector.

Reading List by Bruce Lawson (@brucel)

As a technology company who are passionate about all things tech, we love the opportunity to help develop the skills of young talent in this...

The post Children’s coding development at stickee appeared first on stickee.

April 12, 2018

Microsoft patched a bug that allowed attackers to steal a target’s Windows account...
Political actors and privacy activists are calling for more regulations on data privacy...
Amazon Web Services (AWS) S3 buckets are the destination for much of the...
There are three main threats to our modern civilization that could cause humanity...

April 10, 2018

If you’ve established an online brand, monetising your website and earning a passive income is a perfect way to turn your online platform into a...

The post Why monetise your site with a White Label? appeared first on stickee.

The team at stickee are thrilled to share that we are shortlisted for five awards this year already! Spanning from our RnD department to our...

The post stickee shortlisted for 5 awards appeared first on stickee.

April 09, 2018

A new wave of document attacks targeting inboxes do not require enabling macros...
WHOIS, one of the oldest tools on the internet for verifying real identities, is at risk of being killed due to tough data protection with new GDPR regulations. The General Data Protection Regulation (GDPR) comes into effect in May and is an attempt to strengthen European data protection. However, it is thought that some of the new rights and responsibilities will conflict with existing technologies that have provided transparency on the internet.

April 08, 2018

Many software libraries are released with version “numbers” that follow a scheme called Semantic Versioning. A semantic version is three numbers separated by dots, of the form x.y.z, where:

  • if x is zero, all bets are off. Otherwise;
  • z increments “if only backwards compatible bug fixes are introduced. A bug fix is defined as an internal change that fixes incorrect behavior.”

Problem one: there is no such thing as an “internal change that fixes incorrect behavior” that is “backwards compatible”. If a library has a function f() in its public API, I could be relying on any observable behaviour of f() (potentially but pathologically including its running time or memory use, but here I’ll only consider return values or environment changes for given inputs).

If they “fix” “incorrect” behaviour, the library maintainers may have broken the package for me. I would need a comprehensive collection of contract or integration tests to know that I can still use version x.y.z' if version x.y.z was working for me. This is the worst situation, because the API looks like it hasn’t changed: all of the places where I call functions or create objects still do something, they just might not do the right thing any more.

Problem two: as I relaxed the dependency on running time or memory use, a refactoring could represent a non-breaking change. Semver has nowhere to record truly backwards compatible changes, because bugfixes are erroneously considered backwards compatible.

  • y increments “if new, backwards compatible functionality is introduced to the public API”.

This is fine. I get new stuff that I’m not (currently) using, but you haven’t broken anything I do use.

Problem three: an increment to y “MAY include patch level changes”. So I can’t just quietly take in the new functionality and decide whether I need it on my own time, because the library maintainers have rolled in all of their supposedly-backwards-compatible-but-not-really changes so I still don’t know whether this version works for me.

  • x increments “if any backwards incompatible changes are introduced to the public API”.

Problem four: I’m not looking at the same library any more. It has the same name, but it could be completely rewritten, have any number of internal behaviour changes, and any number of external interface changes. It might not do what I want any more, or might do it in a way that doesn’t suit the needs of my application.

On the plus side

The dots are fine. I’m happy with the dots. Please do not feel the need to leave a comment if you are unhappy with the dots or can come up with some contrived reason why “dots are harmful”, as I don’t care.

Better: meaningful versioning

I would prefer to use a version scheme that looks like z.w.y:

  • y has the meaning it does in semver, except that it MUST NOT include patch level changes. If a package maintainer has added new things or deprecated (but not removed) old things, then I can use the package still.
  • z has the meaning it does in semver, except that we stop pretending that bug fixes can be backwards compatible.
  • w is incremented if non-behavioural changes are implemented; for example if internals are refactored, caches are introduced or removed, or private data structures are changed. These are changes that probably mean I can use the package still, but if I needed particular performance attributes from the library then it is on me to discover whether the new version still meets my needs.

There is no room for x in this scheme. If a maintainer wants to write a new, incompatible library, they can use a new name.

Different: don’t use versions

This is more work for me, but less work for the package maintainer. If they are maintaining a change log (which they are, as they are using version control) and perhaps a medium for announcing important changes including security and bug fixes and new features, then I can pick the commit that I discover does what I need. I can maintain my own tree (and should be anyway, in case the maintainer decides to delete their upstream repo) and can cherry pick the changes that are useful for me, leaving out the ones that are harmful for me.

This is more work for me than the z.w.y scheme because now I have to understand the impact of each change. It is the same amount of work as the semver x.y.z scheme, because then I had to understand the impact of each change too, as changes to any of the three version components could potentially include supposedly-backwards-compatible-but-not-really changes.

April 07, 2018

Implementing the actions outlined in the Small Business Guide Actions (PDF) will significantly reduce...

April 06, 2018

Researchers said a Mirai botnet variant, possibly linked to the IoTroop or Reaper...
A highlight of the top nine threats to information security over the next...
Privacy advocates are up in arms after Facebook CEO Mark Zuckerberg said most...

Reading List by Bruce Lawson (@brucel)

A mostly-weekly dump of links to interesting things I’ve read and shared on Twitter. Sponsored by those nice folks at Wix Engineering who shower me with high-denomination banknotes to reward me for reading this stuff.

Has it really been a year? We are looking forward to throwing open the...
The Games are back this year at CYBERUK 2018! There will be a...

April 05, 2018

Defending against cyber attacks requires a two-pronged approach: proactive and reactive. A good...
The NCSC has a security architecture team who consult on the design and...
We've just published guidance for Android 8 (Oreo). In it we recommend the best...

April 04, 2018

This guidance is applicable to Android 8 devices configured in work-managed mode...

April 03, 2018

The UK government is under increasing pressure to confirm whether data flows between the UK and EU will be allowed to remain uninterrupted post-Brexit. The lack of even initial negotiations on data, now the lifeblood of the digital economy and representing hundreds of billions of pounds of annual trade, is raising concerns that the UK’s focus on tech in its post-Brexit plans may run into problems if it can’t retain access to or process EU data.
The NCSC's annual conference, CYBERUK 2018, is almost upon us. I'd like to...
DLP appears to be following in the footsteps of another once-ubiquitous but now...

April 02, 2018

Organizations must proactively assess their security posture and focus on mitigating risk with...

In What is to be done?: Burning Questions of our Movement, Lenin lists four roles who contribute to fomenting revolution – the theoreticians, the propagandists, the agitators, and the organisers:

The theoreticians write research works on tariff policy, with the “call”, say, to struggle for commercial treaties and for Free Trade. The propagandist does the same thing in the periodical press, and the agitator in public speeches. At the present time [1901], the “concrete action” of the masses takes the form of signing petitions to the Reichstag against raising the corn duties. The call for this action comes indirectly from the theoreticians, the propagandists, and the agitators, and, directly, from the workers who take the petition lists to the factories and to private homes for the gathering of signatures.

Then later:

We said that a Social Democrat, if he really believes it necessary to develop comprehensively the political consciousness of the proletariat, must “go among all classes of the population”. This gives rise to the questions: how is this to be done? have we enough forces to do this? is there a basis for such work among all the other classes? will this not mean a retreat, or lead to a retreat, from the class point of view? Let us deal with these questions.

We must “go among all classes of the population” as theoreticians, as propagandists, as agitators, and as organisers.

Side note for Humpty-Dumpties: In this post I’m going to use “propaganda” in its current dictionary meaning as a collection of messages intended to influence opinions or behaviour. I do not mean the pejorative interpretation, somebody else’s propaganda that I disagree with. Some of the messages and calls below I agree with, others I do not.

Given this tool for understanding a movement, we can see it at work in the software industry. We can see, for example, that the Free Software Foundation has a core of theoreticians, a Campaigns Team that builds propaganda for distribution, and an annual conference at which agitators talk, and organisers network. In this example, we discover that a single person can take on multiple roles: that RMS is a theoretician, a some-time propagandist, and an agitator. But we also find the movement big enough to support a person taking a single role: the FSF staff roster lists people who are purely propagandists or purely theoreticians.

A corporate marketing machine is not too dissimilar from a social movement: the theory behind, say, Microsoft’s engine is that Microsoft products will be advantageous for you to use. The “call” is that you should buy into their platform. The propaganda is the MSDN, their ads, their blogs, case studies and white papers and so on. The agitators are developer relations, executives, external MVPs and partners who go on the conference, executive briefing days, tech tours and so on. The organisers are the account managers, the CTOs who convince their teams into making the switch, the developers who make proofs-of-concept to get their peers to adopt the technology, and so on. Substitute “Microsoft” for any other successful technology company and the same holds there.

We can also look to (real or perceived) dysfunction in a movement and see whether our model helps us to see what is wrong. A keen interest of mine is in identifying software movements where “as practised” differs from “as described”. We can now see that this means the action being taken (and led by the organisers) is disconnected from the actions laid out by the theorists.

I have already written that the case with OOP is that the theory changed; “thinking about your software in this way will help you model larger systems and understand your solutions” was turned by the object technologists into “buying our object technology is an easy way to achieve buzzword compliance”. We can see similar things happening now, with “machine learning” and “serverless” being hollowed out to fill with product.

On the other hand, while OOP and machine learning have mutated theories, the Agile movement seems to suffer from a theory gap. Everybody wants to be Agile or to do Agile, all of the change agents and consultants want to tell us to be Agile or to do Agile, but why does this now mean Dark Scrum? A clue from Ron Jeffries’ post:

But there is a connection between the 17 old men who had a meeting in Snowbird, and the poor devils working in the code mines of insurance companies in Ohio, suffering under the heel of the boot of the draconian sons of expletives who imposed a bastardized version of something called Scrum on them. We started this thing and we should at least feel sad that it has sometimes gone so far off the rails. And we should do what we can to keep it from going more off the rails, and to help some people get back on the rails.

Imagine if Karl Marx had written Capital: Critique of Political Economy, then waited eighty years, then said “oh hi, that thing Josef Stalin is doing with the gulags and the exterminations and silencing the opposition, that’s not what I had in mind, and I feel sad”. Well Agile has not gone so far off the rails as that, and has only had twenty years to do it, but the analogy is in the theory being “baked” at some moment, and the world continuing to change. Who are the current theorists advancing Agile “as practised” (or at least the version “as described” that a movement is taking out to change the practice)? Where are the theoreticians who are themselves Embracing Change? It seems to me that we had the formation of the theory in XP, the crystallisation (pardon the pun) of the theory and the call to action in the Agile manifesto, then the project management bit got firmed up in the Declaration of Interdependence, and now Agile is going round in circles with its tiller still set on the Project Management setting.

Well, one post-Agile more-Agile-than-thou movement for the avocado on toast generation is the Software Craft[person]ship movement, which definitely has theory and a call to action (Software Craftsmanship: the New Imperative, which is only a scratch newer than the Agile Manifesto), definitely has vocal propagandists and agitators, and yet still doesn’t seem to be sweeping the industry. Maybe it is, and I just don’t see it. Maybe there’s no clear role for organisers. Maybe the call to action isn’t one that people care about. Maybe the propaganda is not very engaging.

Anyway, Lenin gave me an interesting model.

April 01, 2018

Frozen Crunchie by Bruce Lawson (@brucel)

Public service announcement: it’s good to eat Mars bars straight from the freezer, but don’t try it with a Crunchie: freezing makes them totally brittle and they turn into dust. I ate all the dust I could scoop off my shirt, but had to sweep 50% of it off the floor.

My friend Jooly informs me

Caramac will be fine … I’d be very careful with Turkish Delight though and only a fool would try to freeze a large bar of Dairy Milk Marvellous Creations Jelly Popping Candy. You better know yourself if you’re going to mess with that.

March 29, 2018

At the reportedly-excellent PerfMatters Conference on Tuesday, our Stylable — The Musical music video was unleashed in its world premiere. For those of you who missed this epoch-defining event, here it is!

We had great fun making it. It started out one Friday when I was failing miserably to do some important Git/ NPM/ Yarn/ Jekyll stuff. To cheer myself up, I decided to do something I know I’m good at, so fired up my music software and began recording a little ditty I’d been working on. (Old chums will know I occasionally make Web Standards-based reinterpretations of classic songs, such as Like A Rounded Corner and Living Standard.)

I sent a roughly-mixed SoundCloud link to three members of the Wix Engineering team I work most closely with, who played it to the wider team. The next day I was told that the song had been played during the annual product presentation to Wix’s senior management.

The incomparable Estelle Weyl tweeted that if we made a music video, she would play it at PerfMatters Conference which she was organising. I mentioned this to the team, and suddenly a professional director and crew had been engaged. One night in early January, I drank a bottle of Tempranillo wine and wrote the script, and then flew out to Tel Aviv to make the video.

Shooting took all day, in our team office, and at sunset on the roof of the Wix HQ building on the same street. I think that it properly captures the fun and enthusiasm of the Stylable team, while being professionally lit, shot and edited. I’d be willing to bet that we’re the first open-source project to launch with our own music video.

Big thanks are owed to Danielle Kanish of Wix Academy, who co-ordinated with the outside contractors; Maya Alon, Queen of Wix Academy and 14th incarnation of Parvati, for finding the budget; to director Yoav Gertner and his crew, who took my somewhat odd brief and made it happen; to Tal, Iftach, Tom, Uri, Benita, Kieran, Barak, Avi, Arnon, Hadar, Ido and Nadav from the Stylable team for being such good sports and being willing to make fools of themselves on video; to Estelle Weyl for giving me the idea, and to Alessio Carone for his help and advice on the karaoke subtitles.

I’m very lucky to work with an organisation that would sanction and fund such a daft project. Thanks, Wix! And if they fire me, I shall be offering bespoke dance tuition — but book soon; there’s a long line of people wanting to be able to move as seductively as I do in this video.

The ransomware attack on the City of Atlanta shows that the time is...
With CYBERUK In Practice fast approaching, I wanted to paint a picture of what you...

March 28, 2018

Researcher finds Microsoft’s January Patch Tuesday release included a fix for the Intel...
CYBERUK provides an important opportunity for the NCSC to facilitate a national conversation...

Early last month, our beloved CTO, Karl Binder, was invited to give a talk at the University of Wolverhampton’s Visual Communications department, speaking to students...

The post Karl talks tech careers at Wolverhampton University appeared first on stickee.

March 27, 2018

Facebook announced that in the coming weeks it will expand its bug bounty...
Researchers identify a new malware family called GoScanSSH that avoids servers linked to...

March 26, 2018

Blockchain can provide transparency, decentralization, efficiency, security, and other benefits, revolutionizing multiple industries....

Last week we had the pleasure of welcoming technology enthusiast, Hadley, to our office. Currently in Year 10 at Arden Academy, he wanted to experience what...

The post Hadley’s Work Experience at stickee appeared first on stickee.

Mozilla is testing a method of securing DNS traffic via HTTPS, but is...
Many have labelled the rise of Artificial Intelligence (AI) as a new type of industrial revolution. AI has the potential to improve productivity across a range of sectors, whilst lowering costs. However, there are risks of AI, similar to any technology that is not adequately managed or secured. The criminal network has been improving this capability for years through the use of botnets, and AI brings with it a new range of cyber security risks.

March 25, 2018

Squares and prettier graphs by Stuart Langridge (@sil)

The Futility Closet people recently posted “A Square Circle”, in which they showed:

49² + 73² = 7730
77² + 30² = 6829
68² + 29² = 5465
54² + 65² = 7141
71² + 41² = 6722
67² + 22² = 4973

which is a nice little result. I like this sort of recreational maths, so I spent a little time wondering whether this was the only such cycle, or the longest, or whether there were longer ones. A brief bit of Python scripting later, and the truth is revealed: it’s not the only cycle, but it is the longest one, with six entries.

There are no other 6-cycles; there’s a 5-cycle (start from 68²+50²=7124), a 4-cycle (47²+56²=5345) and interestingly two 1-cycles, numbers which lead to themselves: 12²+33²=1233 and 88²+33²=8833. That’s rather cool.

I did wonder whether there are also interesting cycles with more numbers, so I tried out adding the squares of 3-digit numbers:

but sadly they’re really boring; there’s a 2-cycle (137²+461²=231290, 231²+290²=137461), another 1-cycle (990²+100²=990100) and that’s it. Nonetheless, quite an interesting little property to fiddle around with.

Prettier graphs

Originally I was going to make my script count the lengths of the cycles and show the largest one and so on, but I realised that that was annoying and fiddly and what I ought to do is just display a nice picture of them and that’d be clear to my eyes immediately and take no code at all. My go-to tool for this sort of thing, where I’m drawing graphs (in the mathematical nodes-and-edges sense) programmatically, is Graphviz, because it’s really easy; you basically write out your graph as obvious simple words with arrows:

digraph {
    "get up" -> "go to work";
    "go to work" -> "come home again";
    "come home again" -> "go to sleep";
    "go to sleep" -> "get up";
}

and then you can make it a graph with one command: dot -Tpng simple.dot > output.png:

[Image: a basic graphviz graph of the above code; plain black and white, and not pretty]

That looks pretty terrible, though; plain black and white, ugly. I tweaked my graph above to look a bit nicer, with some colours, and that’s really easy; you just add a few extra properties to the nodes (the things to do) and edges (the arrows) in your graph specification:

digraph {

    node[shape="rectangle" style="rounded,filled" gradientangle="270" 
        fillcolor="#990033:#f5404f" color="#991111" 
        fontcolor="#ffffff" fontname="Arial"]

    edge [color="#006699" len=2.5]


    "get up" -> "go to work";
    "go to work" -> "come home again";
    "come home again" -> "go to sleep";
    "go to sleep" -> "get up";
}

and then you get something a bit nicer:

[Image: same graph, but with a little colour and niceness]

Now, I am no graphic artist. I’m not good at this stuff. If you’re thinking “that looks rubbish; I could make it look loads nicer” then great! Please, please do so! I would very much like one of the many graphic artists involved in the open source world to put together a “theme” for graphviz that just makes graphs look a bit nicer and classier, by default. Seriously, if you’ve got an artistic eye this is the sort of thing that’d probably take you a lunchtime to do. Just pick some nice colours, line widths, arrow shapes, node shapes, and you’re done. Write a blog post saying “these are the six lines to add to the top of your graphviz .dot files” and that’s the job complete; that would be a small but measurable improvement to the universe that you’ve made, there, with not much effort at all.

The graphviz people are pretty open to the idea of even including such a thing in their releases, maybe even by default. I asked on Twitter whether someone could or had already done this that I’m asking for, and one of the people who responded was Stephen North, who’s part of the graphviz team, saying that they’d be happy to include and publicise such a thing.

To be clear, this is not a complaint about the graphviz team themselves; their job is mostly to think very hard about layout algorithms, which they indeed do a good job of. But I think it’s really important, not just that open source stuff can be made to look pretty if you know what you’re doing, but also that it already does look pretty by default where it can. It turns people off your software, no matter how powerful it is, if some less-powerful alternative puts out more attractive output. There are some things where this would take a lot of work; rejigging the entire UI of a complex programme is difficult and time-consuming, absolutely. But I really feel like someone with a decent artistic eye (i.e., not me) could put together a simple set of colours and font choices and line widths that would make graphviz look much nicer either by default or by specifying --pretty or something, and it wouldn’t take long at all. I’d certainly be way happier if that happened. Maybe that person is you, gentle reader?
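
The cycle search from the first half of this post, written so that it emits the Graphviz input described in the second half. This is an added example, not the author's script: the function names, and the rule that a chain stops once the sum no longer has the same number of digits, are assumptions made here.

```python
"""Cycles of the 'sum of the squares of the two halves' map, emitted as Graphviz DOT."""


def step(n, d=2):
    """Split a 2*d-digit number into two d-digit halves; return the sum of their squares."""
    base = 10 ** d
    return (n // base) ** 2 + (n % base) ** 2


def find_cycles(d=2):
    """Return every cycle of step() among numbers with exactly 2*d digits.

    Assumption of this example: a chain ends as soon as the sum stops having
    exactly 2*d digits (for instance 99^2 + 99^2 = 19602 has five).
    Each cycle is rotated so that its smallest member comes first.
    """
    lo, hi = 10 ** (2 * d - 1), 10 ** (2 * d)
    done = set()      # numbers already explored by an earlier walk
    cycles = []
    for start in range(lo, hi):
        path, index = [], {}   # current walk, and each number's position in it
        n = start
        while lo <= n < hi and n not in done and n not in index:
            index[n] = len(path)
            path.append(n)
            n = step(n, d)
        if n in index:
            # The walk ran back into itself, so path[index[n]:] is a new cycle.
            cycle = path[index[n]:]
            k = cycle.index(min(cycle))
            cycles.append(cycle[k:] + cycle[:k])
        # Everything on this walk is settled, whether it reached a cycle or not.
        done.update(path)
    return sorted(cycles, key=lambda c: (-len(c), c))


def to_dot(cycles, d=2):
    """Render the cycles as a DOT digraph, one labelled edge per step."""
    base = 10 ** d
    lines = ["digraph {"]
    for cycle in cycles:
        for n in cycle:
            label = f"{n // base}^2 + {n % base}^2"
            lines.append(f'    "{n}" -> "{step(n, d)}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output into: dot -Tpng > output.png
    print(to_dot(find_cycles(2)))
```

Calling find_cycles(3) runs the same search over six-digit numbers split into two 3-digit halves.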

March 23, 2018

Reading List by Bruce Lawson (@brucel)

A weekly (mostly) dump of links to interesting things I’ve read and shared on Twitter. Sponsored by those nice folks at Wix Engineering who hurl money at me to read stuff.

Employees can help a company avoid catastrophic data breaches and protect their own...

March 22, 2018

In a raging cyber war, it pays to think like cybercriminals and understand...

stickee are thrilled to share that our Competitor Price Monitoring software, Magpie, is shortlisted for another award. The Computing Big Data Excellence Awards celebrates the top...

The post stickee shortlisted for Computing Big Data Excellence Awards appeared first on stickee.

March 21, 2018

Facebook CEO Mark Zuckerberg broke his silence on the Cambridge Analytica scandal that...
Orbitz said Tuesday a breach of both its consumer and partner platform...

March 20, 2018

Popular secure messaging service Telegram loses battle with Russian courts and now must...
Dewan Chowdhury, founder of MalCrawler, talks at SAS about the risks that companies...

March 19, 2018

Facebook is in hot water after acknowledging that a consulting group – that...