
> Matthew in accounting that will open that invoice attachment so he can pay it.

This is painfully accurate. A chain is really only as strong as its weakest link :/




We (as in the IT Sec industry including me) prefer to blame Matthew. Or my 80 year old mother for not installing the latest Adobe patches in real time.

With 30 years of daily experience in this field, I am ashamed about how we fail Matthew & my mother in the sense that they can still not just enjoy the internet and open random emails without one of us blaming them for how stupid they are.


Do we somehow fail the dumb accountant or 80 year gma with cars because they can't just get in and drive without learning how to drive?


That analogy doesn't work in my opinion, because to even be allowed to drive, an extensive amount of training is required.

I think we need to start very early. There should be more mandatory computer science and information security classes at schools because we are all confronted with these topics every day.

Most people can work systems such as washing machines, vacuum cleaners and so on, the problems arise when the internet (or other forms of connectability) comes into the picture. But the reality is that most such systems will probably soon be connected in some way, so the challenge grows.

So I think it is very important that we push for more information/education instead of going into the direction of more locked down, closed off and proprietary systems because these can easily "not respect" the end user.


I blame the way we design our computer systems. For some reason, every program a user runs on a desktop computer has full access to every file saved by every other program. And full network access, and a slew of other permissions. In seconds a single malicious program can make a right mess of things, or exfiltrate sensitive data. A ransomware attack hit a large aged care provider in Australia recently and encrypted the files listing which medication to administer. How? I’d guess that every program on every computer in their network has full write access to their network shares. We made these attacks easy to pull off with our insecure by default designs.

It’s like we’ve given every Tom, Dick and Harry an F1 supercar then we blame them when they crash the thing. The mistake is ours for not making better security models. Desktop apps should be sandboxed by default, and isolated like we isolate phone apps. For all the justifiable fear people have about Apple’s control over what software can run on their machines, I think the app sandboxing and signing security model they’re working towards is the right one for 95% of computer users.


I'm sad to agree. Having watched my own family, and my older parents, it would absolutely be better for them if everything worked that way.

They don't understand the concept of files as separate from applications. They just don't. They understand the concept of sharing -- that seems to be intuitive enough -- but not of files as objects in themselves.

A system which works this way would, of course, be completely rage-inducing to myself.


I disagree. Anyone with minor observation can get behind a wheel and drive. Will they do it well? No (same with a computer). Is it legal? No, but that's because we all decided that as a group. The danger is different, but I think it's still an interesting analogy.

I think we need to all realize that most people aren't cut out for computer science, per se, but most people are cut out to learn to responsibly use a computer.


Well, put it this way. Let's say that most people are cut out to learn to responsibly use a computer; I don't disagree with this fact.

As a matter of fact though, the same people do _not_ use computers responsibly. What do you do, then? Metaphorically jail them?

There are lots of areas where as humans, it's easy to reach a "sufficient" level, _and_ the dangers of an insufficiency are well known. Punishments or strict measures just don't work.

Everybody knows that they can be sufficiently and with little effort fit, but especially, that insufficient fitness leads to sicknesses and earlier death. In this sense, which punishment can be worse? Yet, this doesn't work.


An analogy with cars would be your 80 year grandma gets a prompt on her dash to install an update. Turns out it’s malicious and hacks her car.

Learning to drive is not the correct analogy. Almost everyone can use a mouse or a touch screen to operate a computer.


You can't compare this. There are far fewer bad actors in mobile traffic that constantly try to steal your keys, try to suck gas from your gas tank, hide in your trunk or trick you into insurance fraud...


The invoice should be a PDF interpreted by pdf.js inside a sandboxed browser.

Even better is that the company should have its own internal ordering system.


> Even better is that the company should have its own internal ordering system.

This always becomes a war where the seller wants you to send orders 1 way, and the buyer wants to send all orders another way.


The invoice shouldn’t have to be a PDF and shouldn’t have to be sent via e-mail. Sadly those are still the best tools we have.

It would be really cool to have an invoice format that contains payment and tax information in a machine readable way and a way to send that information around with a verifiable channel.


The invoice will be PDF with an embedded XML blob containing the machine-readable data part, signed with a PDF signature: https://www.pdf-tools.com/pdf20/en/zugferd/

pdf.js lacks capabilities to extract the XML or verify signatures, so the usual way will be to use Acrobat Reader or the usual bunch of "industry-standard" invoice-processing crap that now suddenly has to deal with malicious input.

The idea to do it differently might be nice in theory, but is lacking a smooth way to change over from the old paper-invoice ways. PDF will be the thing for some decades and we will have to deal with it.


Having implemented rudimentary ZUGFeRD support at $dayjob a few years ago (our main product is sending, receiving and validating invoices for energy companies in Germany), I don't see ZUGFeRD becoming relevant anytime soon. At least for b2b invoices, nothing has changed since the release of ZUGFeRD. They prefer sticking to EDI formats (many with some custom edge cases for their SAP monstrosities, e.g. putting the `-` sign for negative numbers _after_ the number like `10-` for `-10`...)
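An added example, not part of the comment above or of any product it mentions: a strict parser for amount fields that accepts the trailing-minus form (`10-`) and rejects inputs that Python's `Decimal()` would otherwise accept silently. The digit limits and the sample fields are assumptions constructed for illustration.

```python
import re
from decimal import Decimal

# Optional sign on one side, 1-15 integer digits, up to 4 decimals (assumed limits).
# re.ASCII restricts \d to 0-9; Decimal() alone also accepts non-ASCII digits,
# "NaN", "Infinity", exponents ("1e3") and underscores ("1_000").
_AMOUNT = re.compile(
    r"(?P<lead>-)?(?P<num>\d{1,15}(?:\.\d{1,4})?)(?P<trail>-)?", re.ASCII
)


def parse_amount(field: str) -> Decimal:
    """Parse '10', '-10' or trailing-minus '10-'; raise ValueError otherwise."""
    m = _AMOUNT.fullmatch(field)  # fullmatch also rejects a trailing newline
    if m is None:
        raise ValueError(f"malformed amount: {field!r}")
    if m["lead"] and m["trail"]:
        # '-10-' is ambiguous (double negation or typo?), so refuse it.
        raise ValueError(f"sign on both sides: {field!r}")
    value = Decimal(m["num"])
    return -value if (m["lead"] or m["trail"]) else value


def try_parse(field: str):
    """Return the parsed Decimal, or None when the field is rejected."""
    try:
        return parse_amount(field)
    except ValueError:
        return None


# Constructed sample fields, not taken from any real invoice.
SAMPLES = ["10-", "-10", "12.50", "-10-", "NaN", "1e3", "1_000-", "\u0661\u0660-"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:>12} -> {try_parse(raw)}")
```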


Quite possible, yes. But the alternatives to ZUGFeRD look quite similar, due to requirements from the relevant laws: https://de.wikipedia.org/wiki/Elektronische_Rechnung

Translated excerpt: an electronic invoice must be [...] 3. human readable 4. origin of the invoice must be guaranteed (digital signature or internal controls) 5. integrity of the invoice must be guaranteed [...]

This means that while you might be able to use something other than PDF for the human-readable part, I don't think anything other than PDF will be used. All the other stuff (XML with embedded SVG or PNG, Word, plaintext) will have acceptance problems in one form or the other.

EDI is big business to big business, as evidenced by you mentioning SAP. There, you may be completely right, I don't know.


If Matthew in accounting received a malicious attachment then IT has already failed.



