Because every environmentalist I've ever seen is never for anything. They've got nothing constructive to say, it's purely "Let's get rid of dirty power sources!".
The important lesson you are about to learn is this: Pick your battles.
This is a battle you cannot possibly win.
Why not? Because you're still a pupil.
Virtually every argument you can come up with for why that certificate shouldn't be there - no matter how well-reasoned - is going to be dismissed by staff. Even if you can come up with a well-reasoned argument that no sensible adult would counter (you probably can't; there are very good reasons for a school to want to monitor everything that are likely to be perceived as overriding any concerns you have about privacy), you'll be crushed.
At this level, arguments like this inevitably wind up being less about who is technically right or wrong and more about who has the power. As far as the school is concerned, the person who wins the argument has the power - and there is no way they will ever let a pupil win such an argument because it means conceding power to a pupil.
In your position, I'd install some sort of plugin that allowed me to verify that my HTTPS session was using the "right" certificate - and if not, I'd tether my laptop to a personal mobile phone.
Replying to myself, but.... £200,000 is a pretty big fine by ICO standards.
Reading the report, it seems that while the BPAS did everything right once the breach was discovered, the circumstances that led to it happening in the first place were caused by pretty blatant incompetence. They knew (or should have known) that the details of people who wanted to use their services would be confidential information, they sacked the firm that built the website over concerns for their ability but they kept the site without ever auditing it.
The fine isn't just based on how flagrant the data breach was, it's also based on how much the organisation being fined can afford without causing undue hardship.
I'm not surprised the CEO wants to appeal the fine. The circumstances that led to it suggest gross incompetence at several levels; if she doesn't appeal or the appeal is unsuccessful, I imagine her job is on the line.
That's not how ICO fines work.
The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.
Once the investigation is complete, they'll do a few things:
1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
3. Issue a thumping great fine.
It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.
Virtually anything you might buy or sell derives at least some of its value from faith, and currencies are no exception to this. In other words, as long as a sufficient number of people believe that 1BTC is worth ~$680, then 1BTC is indeed worth ~$680.
This is even true of gold to a certain extent - its value goes up and down too, though it's seldom as volatile because it has other uses beyond currency.
When something happens to shake that faith, the value drops. When something happens to strengthen that faith, the value rises.
Any currency that isn't backed by something tangible (eg. a precious metal) by definition derives more-or-less all its value from faith. This isn't usually a big deal - most countries came off the gold standard decades ago - but one side-effect is that if your country's government is unstable, there's a very good chance your currency will follow suit in short order. For extreme examples, see Zimbabwean dollars, Afghan Afghanis and German Papiermarks.
It's already been done - though only in fiction.
Roald Dahl wrote about a machine called the Great Automatic Grammatizator. A machine that you plug in various parameters - such as type of book, characters, proportions of violence/sex/humour - and it churns out something that's pretty much guaranteed to be a bestseller according to those parameters in fifteen minutes flat. Being a writer himself - and a somewhat dark one at that - the end result was a dystopian universe in which writers were forced to give up writing and just license their name to the man with the machine, simply because the machine brought the cost of production down so much that this was the only way to earn a living as a writer.
Now, had he figured out a way to divine the secret device ID from the generated codes, well now that would be bad.
Worse than "bad".
Looking at the (admittedly obfuscated) screen grabs and the comments that say the bank provide RSA hardware tokens if anyone wants one - I reckon it's a software implementation of an RSA SecurID token, probably bought in directly from RSA. And if it's bought in from a third party, it follows that anyone else who's bought in the same product would almost certainly be vulnerable to the same issues.
There seems to be this idea - and I've been guilty of it myself - that the world is black and white.
In this case, the argument is DRM either works 100% or it works not at all. As "working 100%" is obviously wrong, it follows that it does not work at all and is in fact a stupendous waste of money on the part of the people who commission ever-more-complex DRM systems.
But what if DRM was never meant to work 100%? What if it was only ever meant to slow things down - for instance, to ensure that you can't find a good quality version of a new movie on the Pirate Bay the first weekend it's in the cinema? To ensure you can't pirate a game on the day it's released in stores - and for maybe a couple of weeks after?
More often than not these things get named by the antivirus vendors when they hit the wild and not before, which is why there isn't a name for it.
Hint to manufacturers: there's a portion of the market that likes nice things, or at least not bottom-of-the-barrel cheap things.
There is, but when you've spent thirty years turning PCs into commodity items the habits become ingrained and hard to change.
Then you discover that the word "commodity" has a number of connotations, most of which are pretty bad for your business.
In which case, it makes a lot of sense from Schneier's point of view to leave. Why would you want to hang around a company that's so heavily tainted when your entire CV is based on your being a guru in the field of security?
I know this because I just inherited one of these. My predecessor promised cheap, I'm stuck with managing expensive (and am moving the #$@! thing back into our existing colo space as soon as I can practically do so...)
Sounds like your predecessor fell for a scam that's existed since time immemorial. Outsourcing isn't always cheaper. How can it be when the company you're outsourcing to faces the exact same costs as you do but needs to make a profit on top?
Oh, sure, it is under some specific circumstances. But the idea that it always is is downright lazy management.
'Course it isn't.
Oh, sure, someone like Amazon can probably get a better price on the hardware than you or I. But they still need to buy it, power it and arrange bandwidth, same as anyone else.
Where they come into their own is in a few very particular (and for that matter very common) use cases:
- Where you don't need the power of a whole server and can get by just fine on a tenth that amount.
- Where your requirements may spike occasionally - but the keyword is "occasionally". They don't spike often enough to merit building out a system based upon theses spikes.
- Where you don't have the credit to be able to buy a shedload of new equipment on some sort of leasing agreement and you don't have the cash to pay for the whole lot up front.
Something similar is true of any outsourcing-type arrangement.
The idea of a secure network and a VPN to get into it if you're working away from the office is all very fine, but the list of problems it throws up is huge - and it just gets bigger as your company expands:
- You almost invariably wind up with a two-tier experience. People who are in the office and get nice fast access to everything and people who are out of the office and everything's dog slow. Oh, sure, you can reduce this problem somewhat by putting servers in a colo, but now you've got to engineer systems so you don't wind up with everyone getting the dog slow experience. (I'm particularly looking at legacy file servers here; SMB was never really designed for use over a slow, high-latency link, though I understand newer versions of Windows Server have mostly cracked this).
- You don't gain an enormous amount of security. Even with a heavily locked-down perimeter firewall it's seldom that difficult to figure out a way to get information out, as long as you can get something nefarious in. And that really isn't difficult with a little light social engineering.
- Expanding beyond one office gets very expensive very fast. You need to be looking into Terminal Server, very fast (=expensive) links or have branch offices put up with terrible application performance. IT as an industry automatically assumes that multiple branches = huge business with a huge budget that takes IT very seriously (seriously, throw that bit of information into any proprietary system you're pricing up and watch the price skyrocket). I can tell you now that every single town has loads of small businesses spread across multiple branches that don't have a huge budget, don't feel the need to dedicate enormous resources to IT and they are absolutely loving the various web-based products such as espoused by Google.
Oh, sure, there's a lot of business applications that are designed on the assumption that you're a company in just one office - or if you have several offices, you have gigabit links between them - but I don't think Google really need to care too much about those.
He doesn't need to.
A car with power steering has MUCH heavier steering when the power steering's failed versus an equivalent model that never had power steering fitted in the first place. To the point where even steering a moving vehicle is damn hard work.