5 July 2014

Why Rolf Harris received such a lenient sentence

The reason for Rolf Harris’ surprisingly lenient sentence — 5 years and 9 months — for a range of offences committed between 1969 and 1986, is clear from the judge’s sentencing remarks: the laws in effect at the times the crimes were committed were softer than today’s laws in England:
The maximum sentence on Count 1 is one of 5 years’ imprisonment, on each of Counts 2‐9 it is one of 2 years’ imprisonment, and on each of Counts 10‐12 it is one of 10 years’ imprisonment.

With the exception of Counts 10 & 11 the equivalent offences today attract significantly higher maximum sentences. For example on Count 1 the equivalent offence today is sexual assault of a child which carries a maximum of 14 years’ imprisonment and would be likely to involve a starting point of around one year’s imprisonment. On Counts 3, 4, 5, 7, 9 & 12 the equivalent offence today is assault by penetration which carries a maximum sentence of life imprisonment and would be likely to involve a starting point (given the severity of the psychological damage to ‘C’) of around 8 years’ imprisonment on Counts 3, 4, 5, 7 & 9 and a starting point of around 4 years’ imprisonment on Count 12.

The laws have changed, so why don’t they apply to “new” cases? The new laws would have to apply to everybody, including those who have already been caught and sentenced for crimes committed during the same period. Otherwise, it would be a great injustice to victims of similar crimes committed back then who would be asking why their abusers received lighter sentences simply because they were caught earlier than Rolf Harris.

27 June 2014

Report does not state crew of MH370 was likely to have been unresponsive

Journalists are not accurately quoting a report released by Australian officials on the search for the missing plane of flight MH370 with statements that the crew was “likely” to have been unresponsive when it crashed. It is merely an assumption that best fits the limited evidence available for the purposes of narrowing the search area, as explained on pages 34 and 35:

Given these observations, the final stages of the unresponsive crew/hypoxia event type appeared to best fit the available evidence for the final period of MH370’s flight when it was heading in a generally southerly direction:

  • loss of radio communications
  • long period without any en route manoeuvring of the aircraft
  • a steadily maintained cruise altitude
  • fuel exhaustion and descent

This suggested that, for MH370, it was possible that after a long period of flight under autopilot control, fuel exhaustion would occur followed by a loss of control without any control inputs.

Note: This suggestion is made for the sole purpose of assisting to define a search area. The determination of the actual factors involved in the loss of MH370 are the responsibility of the accident investigation authority and not the SSWG.

The Australian Transport Safety Bureau (ATSB) has to make assumptions so that they have a model to guide their search for the missing aircraft. They’ve looked at scenarios that have led to previous aircraft accidents and chosen the one that seems more likely than the others to have occurred. It is just the candidate theory that currently wins in terms of the small amount of evidence available to support it.

22 April 2014

Heartbleed overblown

The Heartbleed bug has to be taken more seriously than the Y2K bug since it is a security vulnerability. However, as with the Y2K bug, IT journalists are creating unnecessary panic and may even be assisting hackers by giving this software flaw undue media attention.

Security vulnerabilities are being discovered and fixed all the time — just browse the history of installed updates in Windows Update. Rather than just issue an immediate patch as is typically done with such vulnerabilities, this vulnerability was advertised with the unhelpful advice that users should either (a) change all their passwords, which will be exposed in instances where a patch for the Heartbleed bug is yet to be deployed on the server the new password is sent to; or (b) farcically, change their password for certain servers, but leave it unchanged for others — hard and fast rules that shouldn’t be blindly followed.

The severity of a vulnerability cannot be measured by its pervasiveness and theoretical potential for exploitation by malicious Internet users alone. What matters is the material cost to users and businesses as a consequence of data theft, which, on the available evidence, was zero for Heartbleed (before it received publicity, that is).

Heartbleed is a significant security issue that IT personnel must act on, but the response should include thoughtfully balanced advice about the broad range of risks that exist and the measures that should be taken to mitigate them.

Hackers continually exploit software security flaws to steal military and industrial secrets, but government agencies and corporations tend to avoid informing the public when these security breaches occur. Those with the most nefarious intentions will seek to achieve their financial, military and political goals using the most efficient means possible. A system will always have a number of vulnerabilities in the form of programming errors and users that are naive or complacent about IT security, and hackers will use the avenue that will yield the most results with the least amount of effort. Heartbleed has been around for a couple of years, during which time hackers stole sensitive information on millions of people using other approaches that were more conducive to data theft on an industrial scale.

Two-step verification, which has become standard for performing online transactions and can be enabled on many of the most popular websites such as Gmail, isn’t getting mentioned because commentators are too busy trying to convince Internet users that Heartbleed is an unprecedented security disaster.