
    Links of 14 July 2023


    .io domains considered harmful, A Quick Primer on Robert "Uncle Bob" Martin, Good Practices For Supply Chain Cybersecurity, Stop Ignorance in Testing

    .io domains considered harmful

                 recap.
    ethos capital was formed
        to raise money
           to buy and profit from the .org domain
    which has historically been not-for-profit
        and had a price ceiling
           but they were stopped 🥳
    but they got pissed and bought some other domains 😠
        and now, ethos capital owns .io
    

    […]

    1967: the USA asks the UK to expel the native Chagossians from the chagos archipelago

    * the chagos archipelago is - you guessed it - within
      the british indian ocean territory
    
    * the UK obeys and expels the native Chagossians
    

    1971: the USA builds a military base on the chagos archipelago

    * since 1971, the chagos archipelago has _only_ been inhabited by
      employees of the US military - everyone else is forbidden.
    

    […]

    2021: the Chagossian Refugees Group submits complaint against paul kane and ethos capital, seeking repatriation of $7m/year for the .io domain

    Ah ... so I did a quick check on Wikipedia:

    Paul Kane is chief executive of the British technology firm CommunityDNS and from 2010 to 2017 was one of seven people entrusted with a credit card-like key to restart portions of the World Wide Web or internet which are secured with DNSSEC, after a catastrophic event such as a major security breach or terrorist attack. If such a situation arises, five keyholders will travel to the United States to meet up and restart the DNSSEC system. Kane runs ICB, registrars for the controversial .io ccTLD.

    And

    Since the American government had demanded "exclusive control" during the negotiations, the British government set about gradually expelling the Chagossians, the indigenous inhabitants of the archipelago: no return allowed after a trip abroad, restrictions on the supply of food and medicine, poisoning and gassing of all the dogs, etc. In 1973, the last inhabitants were deported by cargo ship to the Seychelles and Mauritius [...] At the beginning of January 2023, the United Kingdom agreed to take part in negotiations with Mauritius.

    A Quick Primer on Robert "Uncle Bob" Martin

    If you respect and follow Martin's work, I think it's worth evaluating why that is, and I hope that this post will help you in doing so.

    I won't spoil the technical inconsistencies; that's the part of this article I found most interesting. I read his book Clean Code a long time ago, and at the time I had neither a critical mindset nor the character in mind. I did eventually stop paying attention to him because of his opinions and his guilt-tripping way of expressing himself. What I didn't know, though, was just how far off the mark he could be technically ...

    Good Practices For Supply Chain Cybersecurity

    Among the findings the following points are observed.

    • 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
    • 47 % allocate budget for ICT/OT supply chain cybersecurity.
    • 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
    • 61 % require security certification from suppliers, 43 % use security rating services and 37 % demonstrate due diligence or risk assessments. Only 9 % of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
    • 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
    • 46 % patch critical vulnerabilities within less than 1 month, while another 46 % patch critical vulnerabilities within 6 months or less.

    The report also gathers good practices on supply chain cybersecurity derived from European and international standards. It focuses primarily on the supply chains of ICT or OT. Good practices are provided and can be implemented by customers (such as organisations identified as essential and important entities under the NIS2 directive) or their respective suppliers and providers. The good practices cover five areas, namely:

    • strategic corporate approach;
    • supply chain risk management;
    • supplier relationship management;
    • vulnerability handling;
    • quality of products and practices for suppliers and service providers.

    Finally, the report concludes the following.

    • There is confusion with respect to terminology around the ICT/OT supply chain.
    • Organisations should establish a corporate-wide supply chain management system based on third party risk management (TRM) and covering risk assessment, supplier relationship management, vulnerability management and quality of products.
    • Good practices should cover all various entities which play a role in the supply chain of ICT/OT products and services, from production to consumption.
    • Not all sectors demonstrate the same capabilities concerning ICT/OT supply chain management.
    • The interplay between the NIS2 directive and the proposal for a cyber resilience act or other legislation, sectorial or not, which provides cybersecurity requirements for products and services, should be further examined.

    ICT: Information and Communication Technology
    OT: Operational Technology

    A report (rather long if you read the good practices section) on the supply chain security of critical companies and services in Europe. The summary alone is interesting. The graphs that follow are not all very readable.

    Stop Ignorance in Testing

    Scripted testing... There are so many things wrong with it, it's hard to know where to begin. Many test experts and prolific bloggers have written about this theme, therefore there is an abundance of literature about topics such as scripted testing vs. exploratory testing out there.

    The highest form of ignorance is when you reject something you don't know anything about. (Wayne Dyer)

    ST is like an old wives' tale, an urban legend, something that gets passed down from generation of testers to generation, and gets propagated and perpetuated due to the ignorance of testers everywhere. I was once an ignorant tester myself, who like many others learned from another unenlightened tester that the way to test is to write countless numbers of test scripts, with detailed steps, which will be diligently reported upon daily and you will get a gold star if you execute the pre-set quota of test cases for the day.

    In this day and age however, there is no excuse to be uninformed about anything,

    A short article that ends with some (good) references on exploratory testing.