Archive for the 'Computers' Category

WYSINWYG

Sunday, June 22nd, 2014

Most people are familiar with WYSIWYG- What You See Is What You Get- a computer user interace that displays things in a format that fairly accurately displays on screen what the final output will be, so that (as a simple example) rather than a bit of code:


<b>this text is bold</b>

you get

this text is bold

I’ve spent several hours of my life recently trying to find out why a program I have to use daily was refusing to email people. Here’s the UI:

Skeuomorphic twice over? A web app emulates a phone emulating a slider switch, badly.

Skeumorphic twice over? A web app emulates a phone emulating a slider switch, badly.

.

You’ll notice the option to email two people, controlled by sliders. These are a skeuomorph: soemthing that icorporates design features of something it emulates- in this case, a slide switch. In fact, it’s a double skeuomorph: it’s a web interface impersonationg a smartphone impersonating a slide switch.

I’ve got two problems with it. Firstly it’s unneccesary frippery and animation, and secondly, it plain doesn’t work. It’s distinctly What You See Is Not What You Get. I’ll grant you there’s a certain amount of PEBCAK here on my part, but the control is broken.

If you click on the left-hand side of the control, and swipe accross, like you might with the control it imitates on a smartphone, the control changes to YES. It does the same if you click the right-hand end, or if you click and drag, keeping within the boundaries of the control. The difference is that if you use the first method, like I did, it shows YES, but registers NO to the back-end software, and gives you a several-hour troubleshooting session to work out why the email didn’t send. An older version of the software has a simple check-box here, and I suspect that this is a simple case of layering a bit of wankery over the top for effect…

Opinions differ on skeuomorphs: some consider them to be problematic, and some think them great, for the same reason: they imitate familiar technology, and so either make people confused, or make then feel at home. This one definitely left me confused.

Openretch

Wednesday, April 16th, 2014

Can anyone tell me how BT’s line providing division, Openretch Openreach survive?

The company I work for provides network services to varying people and organisations, and this means dealing with telecoms providers, and that almost certainly means the loose collective of fuckwits we know and love.

So far this week, I’ve had:

1) In response to a circuit order in a building that is partially let out (and where the BT duct enters via the let out area, and is a retail shop) “can we come tomorrow”.

2) In response to an order made 3 months ago, in a central Birmingham hotel, with the clear stipulation “you must make an advance appointment, the circuit is required by 17/4/14″, an “engineer” arrives today, has to wait a few minutes and is told “no, sorry, the room is in use, come back tomorrow”, and says “no”.

Said engineer was told “sorry, you have to. This is required by 1pm tomorrow, and was ordered 3 months ago. It cost a metric shitload of cash, and you haven’t called in advance, like we told you to, and you do this *every time* we request this. The room is available afer 5:30, or anytime tomorrow”

*shaking of head*

This barely describes the quantity of fucks the engineer didn’t give. “Resourcing”, he said. “not gonna happen”. “we’re only supposed to wait 15 minutes, and I’ve been 20″. The guy was, to be fair, a master of fuck not giving.

and not a single fuck was given.

Behold!

He departed. I called my colleague, among whom’s many talents are shouting at BT (and personally, I think it would be worth his salary just for that). He did so. Our circuit should be active tomorrow AM. We have a reference and everything. I will not hold my breath.

Honestly, if they weren’t still a virtual monopoly, they’d be fucked. I’m very thankful to the abilities of my colleagues, and still wondering what shape BT would be in had they not inherited a state-owned monopoly, but thanking my lucky stars I don’t have do deal with Cable and Hopeless Wireless any more, because they had sufficent sense to disappear.

[edit]

The engineer (the same one) came back the next day, and it worked….

Spam School

Thursday, March 27th, 2014

The other day, I was unpleasantly suprised by this email in my inbox:

Spam, spam, spam and spam

Spam, spam, spam and spam

Most spam is pretty generic, and gets culled by Spamassassin without me ever seeing it, but this one stood out as it didn’t hit the filter (sneaking under the radar with 3.9 points of spamminess), and it had an attachment that wasn’t a zip file containing a virus.

As you can see, it’s from Pat Jewitt, whose email address is pat@qe.org, for all you hungry spambots out there.

Pat seems to be registrar of Queen Ethelburga’s School, who are busy promoting their expensive service by spamming me. I took exception to this,

Screenshot from 2014-03-27 18:21:42
as I have no prior relationship with them: for a start, I have no children.

No answer for several days, so I kept trying. Then tried again:

Not Giving Up

Not Giving Up

This was a reference to my UCE policy here.

The mail originated from a netblock goegraphically right for the school, and appeared to be from a legitimate email server for the school too:


Received: from mta3.mail-qe.org ([185.7.151.53])

So this seems to be a fairly blatant bit of spamming from the school itself that they’ve done fairly decisively, rather than handing off to a third party. The links were all correct, not passing thorugh a linkbait or click-thorugh referrer too.

I eventually got a response to my question as to if I should send a bill:

Very Professional.

Very Professional.

Charmed. I’m sure. Do they have a vacancy for a PR officer?

After a few questions (read from the bottom):

Screenshot from 2014-03-26 22:38:20

They changed tack. You’ll note my questions, and the link I posted, refer to this legislation and indeed this definition.

Hmmm...

Hmmm…

Now, in my opinion this sounds like a clear breach. I’ve had no prior contact with this organisation, they have bought my email address from some shady spam company, and are now spamming me with completely irrelevant mass-marketing junk.

At worst this may be illegal, though I should stress I’m not a lawyer. At best, it’s poor netiquette and a pretty unpleasant way to behave.

It’s quite telling that there’s a unsubscribe link, labelled “If you consider this email to be SPAM please report abuse click here” as well as an unsubscribe- this is almost as if they know they’re doing wrong. (The unsubscribe is required by law, I believe). Also, both links are a http request to the sending server- again this looks like they have gone out of their way to set this up themselves.

The school looks to be a well-funded, expensive organisation, just a pity they see fit to tarnish their reputation by buying email addresses. There are ways to market yourself without upsetting the nerds.

At this point, many of you might be thinking that there’s a quick fix: delete the damn email and forget it. I nearly did that, but here’s a thing: I spend my day job working with mail systems. Many of these would be simpler, and more reliable, were it not for all the kludges that we have to implement to stop this rubbish. DNSBLs, sender ID, authenticated SMTP, restricted relays, spam filters, and all the other bits that make mail harder and more complicated are all because of this.

The next time you go onto a wifi hotspot and can’t SMTP mail, or you get an email bounce with a 550 error, or dissapear with no non-delivery report, that’ll be why. Spam is delivered partly at cost to you: using your bandwidth, your disk space, and your time.

If you have a company email server, you pay someone to guard you against this shit. Your ISP and mobile phone provider pay people to do the same. Commercial spam filters cost thousands of pounds to run.

Question is, do I inform the ICO?

Compare the Meraki

Thursday, March 6th, 2014

(The title thanks to my colleagues who misread the SSID (Meraki-test1)I sent them by email)

I’ve been playing with wireless networks a good bit at work: I’ve finally got PEAP going to do 802.1x authentication- the practical result being WPA-2 Enterprise wireless networking with the Cisco 1600i access points. As I’ve commented before, Cisco gear is great, but it can be a game to get going when you come across something new, and this was the case here: there were guides for doing this with wireless LAN contoller systems, but not for autonomous APs, and the interface was just different enough to confuse. Getting the right amount of debug info was tricky too.

Enter Meraki. Like earlier with Aironet, they’re now a division of Cisco, which makes me wonder if we’ll see a merging of product…

Meraki
‘s product is a [*cough*] cloud-based solution. It pains me to say that. Cloud is today’s IT bullshit phrase that is just a new way of saying things. “In the cloud” means “on a server or servers somewhere on the Internet”: the cloud everything bollocks wears thin after a while, but here’s a clever application.

You unpack the AP, power it up, and connect it to any Internet connection. The AP establishes a connection to “the cloud” [cough]bollocks[/cough], and establishes a tunnel. You log into a web page, enter the serial number, place a marker on a Google map, and then manage the device from the web:

The clever dashboard

The clever dashboard

From there you can implement multiple SSIDs, Captive portals, the aforementioned 802.1x, you can monitor devices and applications, time access, and create mesh networks that will track clients (handy for marketing tossers) and all manner of stuff, with an embarrasingly few mouse clicks compared to the pain of a conventional Cisco AP. It’s quick too.

Sounds too good to be true?

Maybe. There is a downside. While the dashboard is impressive, it costs. The APs themselves are a similar price to an enterprise-level conventional AP (a good 300-400 quid or so list), but on top of that, you need a licence for the dashboard (£150 for 1 device for one year list, reducing for quantity), and without the licence, your AP is an expensive ornament.

There’s applications that are a perfect fit: if you have remote sites with no IT staff, the Meraki devices can be shipped with no config, then set up remotely. Potentially big savings there. The tools on the dash are very clever too, but you’re tying yourself to the cloud dash for a few years, effectively leasing the kit.

Next on the list? Aerohive, who seem to do the clever online managment but still allow local config, so no tie-in.

Close Call

Monday, February 24th, 2014

Today, a colleague had this email:

A Spear Phishing attack

A Spear Phishing attack

from “customercare@parcel-tracking.net”. It fooled two people: The original recipient forwarded it to a colleague to deal with, who clicked on the link, and got this:

Nice mock-up....

Nice mock-up….

With graphics nicely nicked from the genuine Royal Mail site. The URL calling the site had a ID embedded, presumably to mark the recipient out as a sucker if they click, so I changed it for my investigation. The Captcha image remains the same, even if you vary the ID.

If you enter the code, you get prompted to download a .zip file with a random filename, and inside the zip file is a windows executable, disguised with a icon for Adobe Acrobat Reader.

Should you be convinced enough to run the attachment, you’ll get a pop-up demanding money to unencrypt your files, and this is no idle threat: running this inside an isolated Windows XP Virtual Machine really does damage files in My Documents- this is known as ransomware. Fortunately, the security measures on the computer used by this user stopped it.

Time for a reminder: think before opening. Questions the user *should* have asked:

1. Why would Royal Mail know my email address?

2. Why would they not just post a card through the letterbox?

3. Why “nobody was at home” for a business address?

4. Why would I need to download and run something just for a receipt?

To be fair, item 4 is picking flies a bit: some websites demand plug-ins or other crap, so differentiating the genuine from the scam gets harder.

Also, the site and email are quite a nice mock-up, using elements from the real site. Fairly convincing, and it also had the correct business name, which is a clever touch.

[edit]
It’s also worth noting that our (up-to-date) anti-virus didn’t catch this, either the original email or the downloaded file. It seems to be a zero-day attack.

Halt: Who Goes There?

Sunday, October 27th, 2013

One for the IT bods here.

A few weeks ago on Twatter, I posted this tweet:

Screenshot from 2013-10-01 20:21:30

Here’s the screenshot in better detail:

Cool message from VMWare's vMA appliance.

Cool message from VMWare’s vMA appliance.

It genuinely made me laugh and call colleagues round, but despite the witty use of a Spiderman quote, there is of course, a serious message there: the superuser has great power:

sudo make me a sandwich

so you probably want to make the password secure, huh?

They did. They added cracklib (a password-checking library) checking, resulting in this situation, where it’s actually quite hard to come up with a password complex enough, and people suggest a way to bypass it.

Now that’s all well and good, but do you know what I did with my complex password (one special character, a capital letter, a number, 8 letters and another special character)?

Well, specifically, I whinged like fuck, then I wrote it down. On a post-it note. Exactly what you shouldn’t do.

Irritatingly, the vMA appliance also didn’t like “correcthorsebatterystaple” either (this appliance was being used for a test- seriously, you shouldn’t use that password now):

Correct Horse

Putting aside the serious message at the bottom of the cartoon- that complex passwords are not that effective against cracking- it’s highly significant that the complexity rules made me break the rules- and I have to remember many passwords, so I’m probably not that bad at it.

Of course, I’m not suggesting that we all make passwords easy to guess- that leads to all sorts of fun- but clearly this is counter-productive. If someone’s determined enough, has access, and a system doesn’t detect the attack, then chances are they’ll crack it, so it’s wise to not re-use passwords across sites and or systems, though of course if complexity rules make passwords hard to remember, chances are the user will choose one complex password and re-use it. This probably means we’ll see more two-factor authentication, which also gives a defence against keyloggers, meaning the attacker will have to revert to social engineering…

Drowning in Superfast 4G Hype

Wednesday, October 31st, 2012

Less than 24 hours have elapsed since yesterday’s rant about the 4G hype and already there’s some bullshit piece in tonight’s Express and Star showing the cutting-edge, well researched, informative and technically accurate that publication has an unenviable reputation for, saying that the lack of 4G will cost the UK economy £120 million, according to “a study” (and then it fails to mention who commissioned the study [edit- reading the article again, Ebay commisiioned it], or any data whatsoever). It then quotes Ebay as saying that “slow connection speeds, payments timing out, and network reliability” were barriers that would be “effectively eliminated by 4G”

E&S Article

From the Express and Star, 31-10-2012. Unmitigated bollocks.
Click to embiggen.

This is starting to look like a Daily Mash Story with bold assertions, quotes from imaginary experts, and meaningless, unqualified stats.

I’m now drowning in bullshit. As my dear friend Andy points out there’s so much marketing crap here, and as a tech who is asked to provide solutions to people who read this shit, it’s wearing very thin.

Does the lack of mobile internet really cost sales? Maybe a few. A smartphone is a crappy way to browse Amazon or Ebay, with small screens and no proper keyboard. I’m sure a smartphone app will improve this, as would using a tablet, which may well have mobile data capability, but £120 million? really? Will people not just wait until they’re at home/work/Starbucks?

If 3G was actually available everywhere, it would do just fine for present-day Internet shopping, being about as fast as many people’s fixed-line ADSL. Of course given time, bandwidth requirements will rise: the Internet of the 90s coped on 33.6-56Kbit/sec, whereas now even 10 times that seems sluggish, so we will need 4G one day, and yes, installation should start now, but it’s not a requirement right now, and a good job too, because it will take a good while.

4G will not magically fix poor coverage, and will, trust me, cost a lot of money to implement.

I do find the tech industry very frustrating: the false promises, the use of tech terms as (inaccurate) buzzwords, the assumption that a “new” technology will magically make everything rosy. The shiny adverts, and the shiny-suited salesmen that perpetuate the myths. It must be very confusing for those of us that don’t have a deeply cynical view…

Virgin Media DHCP oddity

Thursday, May 10th, 2012

I’ve encountered two occurences locally of an oddity of late with Virgin Media cable Internet services: this may be related to speed upgrades?. In each case, internet routers have stopped connecting. Swapping the PC directly to the cable modem works OK, putting the router back fails. Before anyone junks their router, try changing the MAC address of the router via it’s web interface- most have the facility to clone the MAC of the PC. Then reboot everything, but allow the cable modem to fully start before powering up the router.

It seems that VM are handing out duff DHCP addresses (I saw a combination of 92.x.x.x with a mask of 255.255.255.x and a gateway of 77.x.x.x, and of course, once an address has been issued, it will tend to be re-issued to a device (the router) until the lease expires- which could take several days of power-off. Spoofing a different address forces a new lease, which seems to work. I don’t know what has happened, but something is wrong, and it isn’t your router…

Skyhook

Sunday, April 8th, 2012

A technical oddity from a colleagues Android phone today led me to do a bit of googling, and discover a interesting bit of tech: Skyhook.

The oddity was that the colleague’s phone kept thinking we were in Glasgow, before realising we were actually in Birmingham. The interesting thing being that we had been in Glasgow about a year ago, but my colleague had replaced his phone in the intervening time. What was going on? It had us both stumped for a while.

The answer was this:we were using a number of Cisco wireless access points that were last used there, and then packed in a box.

Skyhook uses a combination of Wardriving and automatic submission by wi-fi and GPS equipped devices to keep a database of the BSSID (or hardware) address of wi-fi access points and their location. Android and Apple smartphones then use this data to do automatic location in addition to, or instead of GPS (which doesn’t work if the signal is blocked by, for example, several concrete floors) and cellphone tower triangulation, so Skyhook evidently had records of our APs being used in Glasgow (probably auto-submitted by the older phone), and my colleague’s current phone was using this data, and then later correcting via cellphone triangulation.

The BSSID is (or should be) unique to each AP, so unless someone does exactly what we did, it’s reasonably reliable for locating things. One thing is for sure, there’s a lot of location data held by Skyhook.

Dirty Trick

Saturday, March 3rd, 2012

For some years now, I’ve been a great fan of Lenovo PCs, especially laptops: the build quality is good, and the price not obscene. However, there’s one aspect I’ve discovered today that makes me less happy, though it would seem that HP and others are not above the same tickery.

Laptops are less stndard than a desktop PC, but always the great advantage of the PC platform over a Mac has been the openish nature of it: hardware is semi-standardised, drivers are available. This is also often the downfall: the fact that you can shove in any bit of hardware means you then run the gauntlet of dodgy drivers, but that is your choice.

So, then, when my other half’s Lenovo laptop stopped connecting to wireless and then bluescreened, after testing the obvious first thing, I suspected the wireless adaptor. It’s a Mini-PCIe card, so an easy swap, and a quick look on ebay found that a card with the same Broadcom chipset was very cheap.

It takes a while to arrive, from Hong Kong though :-(

Once installed, dissapointment awaits:


Unauthorised network card is plugged in. Power off and remove the Mini-PCI card.

Get this: the BIOS looks at the ID of the card, and unless it’s one of the ones deemed acceptable for that model, the computer won’t boot. Even though the card is compatible in every other way (and, in this case, identical except for the ID), only a limited range of Lenovo-branded cards will work- sometimes not even ones from another Lenovo model. This really isn’t on: it’s deliberatley closing something just because you can: this behaviour would be expected from Apple: it’s one of the ways they keep stability, by using a limited range of approved, tested hardware- but it just goes to show that big, evil tech firms always are and always will be that way.

Off to Ebay again for a secondhand genuine part then… I did consider flashing the BIOS with a modified one, but there’s a risk of bricking the laptop, and the download links for this model seem to have gone.


This blog is protected by Spam Karma 2: 37628 Spams eaten and counting...