Archive for the 'Computers' Category

Surface Treatment

Saturday, September 6th, 2014

A few days ago, we got a Microsoft Surface Pro 3 at work. It’s not a bad machine: it’s a Laplet, a hybrid laptop/tablet, and it works well if we excuse it for Windows 8. The hardware is nice, thin and light, and the i7 versions are quick, so it’s a good fit for the very mobile staff that will be using it.

I remain convinced that Win 8 is a bastardisation of touch-screen tablet OS and a desktop OS that feels like an unholy marriage, though I’m hating it less as I get used to it.

What really creates a whinge is this little stroke of genius, which caused a support call and much fannying around testing chargers this week.

You can see the product launch meeting now:

Dilbert

Yes, Microsoft launched a device, launched a dock for it at the same time (we got the dock a day or two after the device itself), and managed to make the two not work together at launch. Cue a large loss of faith in what should be a good product.

*facepalm*.

You see this a lot with technology, and come to that, with poorly managed processes outside of tech:

1. Decide on an arbitrary launch date and fix everything to that.
2. Skimp on the preparation/testing, or ignore the problems.
3. Wonder why it’s all gone wrong.

The result is pretty much as you’d expect; you look inept…

Dirty Boy

Tuesday, July 29th, 2014

I’ve gone on here before about how web filtering is wrong and doesn’t work properly, and how the bigger the scale, the harder it is.

We’ve also seen that, according to an Ofcom report (PDF, 1.1MB) customers have greeted the filters with rejection.

That’s quite gratifying, I think. People are being actively prompted to allow censorship, and are rejecting it. Of course, that the tech required is now in place will make it easier to do more packet inspection should law (or other means) request it…

Here’s the Open Rights Group‘s take on it: the approach is humorous, but the message is serious.

If you think this won’t happen, try the Scunthorpe Problem for size.

I’m personally of the opinion that an ISP should do one thing: provide the infrastructure to route packets to the internet, and maybe a few basic services (like DNS, SMTP etc). You might note that the sponsors of that video refuse to offer a filtered connection, something they’re to be congratulated on.

If, like me, you want to defend an open, uncensored Internet with reasonable privacy, then consider joining the Open Rights Group or the Electronic Frontier Foundation. Note that ORG is a UK organisation, EFF is US-based.

Loosely Connected

Saturday, July 26th, 2014

This is quite a weird one: some time ago, at a company I work for sometimes, a colleague tried to replace some old 15″ LCD monitors with shiny new 19″ ones, only to be confronted by extreme flickering. I had a look, tried the monitors with my laptop, and got a flicker-free picture. I made sure the leads weren’t too close to mains cable, but no change.

We assumed some incompatibility with the (elderly) PCs, and another colleague changed the PCs recently. In the course of doing so, he discovered the real cause. A power lead- just a normal BS1363-IEC C13 (colloquially known as a kettle lead), but, tellingly, with a rewireable BS1363 plug, not a moulded one. Remove the lead, problem stops. This lead was connecting one of the PCs that was working perfectly well, and flicker-free with the 15″ monitor.

I looked at the lead the next day:

The culprit: a badly fitted plug.


and it seemed kind of OK at a glance, though that neutral lead should have been cut shorter.

What did turn out to be wrong was every terminal was loose: loose enough to turn by hand, so I presume that the intermittent connection caused enough noise to upset the new monitor, but not the old one. Disturbingly, this lead had passed a current PAT test, when potentially it’s a fire hazard: loose connections can overheat.

I don’t know if the connections had worked loose (which is one reason why connections in screw terminals should not be tinned with solder) or were just sloppily fitted in the first place. The plug did rattle when shaken, but it would do that even with tight terminals, as the pins have a bit of play in the housing. Full marks to my colleague for spotting an obscure fault.

WYSINWYG

Sunday, June 22nd, 2014

Most people are familiar with WYSIWYG- What You See Is What You Get- a computer user interface that displays things on screen in a format that fairly accurately represents what the final output will be, so that (as a simple example) rather than a bit of code:


<b>this text is bold</b>

you get

this text is bold

I’ve spent several hours of my life recently trying to find out why a program I have to use daily was refusing to email people. Here’s the UI:

Skeuomorphic twice over? A web app emulates a phone emulating a slider switch, badly.



You’ll notice the option to email two people, controlled by sliders. These are a skeuomorph: something that incorporates design features of something it emulates- in this case, a slide switch. In fact, it’s a double skeuomorph: it’s a web interface impersonating a smartphone impersonating a slide switch.

I’ve got two problems with it. Firstly, it’s unnecessary frippery and animation, and secondly, it plain doesn’t work. It’s distinctly What You See Is Not What You Get. I’ll grant you there’s a certain amount of PEBCAK here on my part, but the control is broken.

If you click on the left-hand side of the control and swipe across, like you might with the control it imitates on a smartphone, the control changes to YES. It does the same if you click the right-hand end, or if you click and drag, keeping within the boundaries of the control. The difference is that if you use the first method, like I did, it shows YES, but registers NO to the back-end software, and gives you a several-hour troubleshooting session to work out why the email didn’t send. An older version of the software has a simple check-box here, and I suspect that this is a simple case of layering a bit of wankery over the top for effect…

Opinions differ on skeuomorphs: some consider them to be problematic, and some think them great, for the same reason: they imitate familiar technology, and so either make people confused, or make them feel at home. This one definitely left me confused.

Openretch

Wednesday, April 16th, 2014

Can anyone tell me how BT’s line-providing division, Openretch Openreach, survives?

The company I work for provides network services to varying people and organisations, and this means dealing with telecoms providers, and that almost certainly means the loose collective of fuckwits we know and love.

So far this week, I’ve had:

1) In response to a circuit order in a building that is partially let out (and where the BT duct enters via the let out area, and is a retail shop) “can we come tomorrow”.

2) In response to an order made 3 months ago, in a central Birmingham hotel, with the clear stipulation “you must make an advance appointment, the circuit is required by 17/4/14”, an “engineer” arrives today, has to wait a few minutes and is told “no, sorry, the room is in use, come back tomorrow”, and says “no”.

Said engineer was told “sorry, you have to. This is required by 1pm tomorrow, and was ordered 3 months ago. It cost a metric shitload of cash, and you haven’t called in advance, like we told you to, and you do this *every time* we request this. The room is available after 5:30, or anytime tomorrow”

*shaking of head*

This barely describes the quantity of fucks the engineer didn’t give. “Resourcing”, he said. “Not gonna happen”. “We’re only supposed to wait 15 minutes, and I’ve been 20”. The guy was, to be fair, a master of fuck not giving.

and not a single fuck was given.

Behold!

He departed. I called my colleague, among whose many talents is shouting at BT (and personally, I think it would be worth his salary just for that). He did so. Our circuit should be active tomorrow AM. We have a reference and everything. I will not hold my breath.

Honestly, if they weren’t still a virtual monopoly, they’d be fucked. I’m very thankful for the abilities of my colleagues, and still wondering what shape BT would be in had they not inherited a state-owned monopoly, but thanking my lucky stars I don’t have to deal with Cable and Hopeless Wireless any more, because they had sufficient sense to disappear.

[edit]

The engineer (the same one) came back the next day, and it worked….

Spam School

Thursday, March 27th, 2014

The other day, I was unpleasantly surprised by this email in my inbox:

Spam, spam, spam and spam


Most spam is pretty generic, and gets culled by Spamassassin without me ever seeing it, but this one stood out as it didn’t hit the filter (sneaking under the radar with 3.9 points of spamminess), and it had an attachment that wasn’t a zip file containing a virus.

As you can see, it’s from Pat Jewitt, whose email address is pat@qe.org, for all you hungry spambots out there.

Pat seems to be registrar of Queen Ethelburga’s School, who are busy promoting their expensive service by spamming me. I took exception to this,

Screenshot from 2014-03-27 18:21:42
as I have no prior relationship with them: for a start, I have no children.

No answer for several days, so I kept trying. Then tried again:

Not Giving Up


This was a reference to my UCE policy here.

The mail originated from a netblock geographically right for the school, and appeared to be from a legitimate email server for the school too:


Received: from mta3.mail-qe.org ([185.7.151.53])

So this seems to be a fairly blatant bit of spamming from the school itself, which they’ve done fairly decisively, rather than handing off to a third party. The links were all correct, not passing through a linkbait or click-through referrer either.

I eventually got a response to my question as to if I should send a bill:

Very Professional.


Charmed. I’m sure. Do they have a vacancy for a PR officer?

After a few questions (read from the bottom):

Screenshot from 2014-03-26 22:38:20

They changed tack. You’ll note my questions, and the link I posted, refer to this legislation and indeed this definition.

Hmmm...


Now, in my opinion this sounds like a clear breach. I’ve had no prior contact with this organisation, they have bought my email address from some shady spam company, and are now spamming me with completely irrelevant mass-marketing junk.

At worst this may be illegal, though I should stress I’m not a lawyer. At best, it’s poor netiquette and a pretty unpleasant way to behave.

It’s quite telling that there’s a “report abuse” link, labelled “If you consider this email to be SPAM please report abuse click here”, as well as an unsubscribe link- this is almost as if they know they’re doing wrong. (The unsubscribe is required by law, I believe.) Also, both links are an HTTP request to the sending server- again, this looks like they have gone out of their way to set this up themselves.
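As an added example (not code from the original post), here are the three header and link checks walked through above, turned into something runnable: parse the quoted Received line, test whether the connecting IP sits in an expected netblock, and check whether the unsubscribe and report-abuse links are plain HTTP requests back to the sending server’s own domain. The netblock and the two link URLs are constructed assumptions; the Received line is the one quoted in the post.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample header in the shape the post quotes. The netblock is an
# ASSUMED value standing in for whatever whois says the school really holds.
SAMPLE_RECEIVED = "Received: from mta3.mail-qe.org ([185.7.151.53])"
ASSUMED_SCHOOL_NETBLOCK = "185.7.151.0/24"
# Constructed stand-ins for the two links the post describes: both plain HTTP,
# both pointing straight back at the sending server.
SAMPLE_LINKS = [
    "http://mta3.mail-qe.org/unsubscribe?id=EXAMPLE",
    "http://mta3.mail-qe.org/report-abuse?id=EXAMPLE",
]

# Postfix-style "from <helo> (<rdns> [<ip>])". The rdns name may be missing,
# which is exactly the shape of the header quoted above.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*\("
    r"(?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)


def parse_received(line):
    """Return the HELO name, reverse-DNS name (may be '') and IP, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return {"helo": m["helo"].lower(), "rdns": (m["rdns"] or "").lower(), "ip": m["ip"]}


def registrable_domain(hostname):
    """Naive last-two-labels cut; production code should use the Public Suffix List."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def assess(received_line, links, expected_netblock):
    """The three cheap checks the post walks through: does the connecting IP sit
    in the expected netblock, are the links plain HTTP, and do they point back at
    the sending server's own domain (i.e. self-hosted rather than a third party)."""
    rec = parse_received(received_line)
    if rec is None:
        return {"parsed": False}
    ip = ipaddress.ip_address(rec["ip"])
    sender_domain = registrable_domain(rec["helo"])
    parsed_links = [urlparse(u) for u in links]
    return {
        "parsed": True,
        "ip": str(ip),
        "in_expected_netblock": ip in ipaddress.ip_network(expected_netblock),
        "sender_domain": sender_domain,
        "links_plain_http": all(p.scheme == "http" for p in parsed_links),
        "links_on_sending_domain": all(
            registrable_domain(p.hostname or "") == sender_domain for p in parsed_links
        ),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RECEIVED, SAMPLE_LINKS, ASSUMED_SCHOOL_NETBLOCK))
```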

The school looks to be a well-funded, expensive organisation, just a pity they see fit to tarnish their reputation by buying email addresses. There are ways to market yourself without upsetting the nerds.

At this point, many of you might be thinking that there’s a quick fix: delete the damn email and forget it. I nearly did that, but here’s a thing: I spend my day job working with mail systems. Many of these would be simpler, and more reliable, were it not for all the kludges that we have to implement to stop this rubbish. DNSBLs, sender ID, authenticated SMTP, restricted relays, spam filters, and all the other bits that make mail harder and more complicated are all because of this.

The next time you go onto a wifi hotspot and can’t send SMTP mail, or you get an email bounce with a 550 error, or a message disappears with no non-delivery report, that’ll be why. Spam is delivered partly at cost to you: using your bandwidth, your disk space, and your time.

If you have a company email server, you pay someone to guard you against this shit. Your ISP and mobile phone provider pay people to do the same. Commercial spam filters cost thousands of pounds to run.

Question is, do I inform the ICO?

Compare the Meraki

Thursday, March 6th, 2014

(The title thanks to my colleagues who misread the SSID (Meraki-test1) I sent them by email)

I’ve been playing with wireless networks a good bit at work: I’ve finally got PEAP going to do 802.1x authentication- the practical result being WPA2 Enterprise wireless networking with the Cisco 1600i access points. As I’ve commented before, Cisco gear is great, but it can be a game to get going when you come across something new, and this was the case here: there were guides for doing this with wireless LAN controller systems, but not for autonomous APs, and the interface was just different enough to confuse. Getting the right amount of debug info was tricky too.

Enter Meraki. Like earlier with Aironet, they’re now a division of Cisco, which makes me wonder if we’ll see a merging of product…

Meraki’s product is a [*cough*] cloud-based solution. It pains me to say that. Cloud is today’s IT bullshit phrase that is just a new way of saying things. “In the cloud” means “on a server or servers somewhere on the Internet”: the cloud everything bollocks wears thin after a while, but here’s a clever application.

You unpack the AP, power it up, and connect it to any Internet connection. The AP establishes a connection to “the cloud” [cough]bollocks[/cough], and establishes a tunnel. You log into a web page, enter the serial number, place a marker on a Google map, and then manage the device from the web:

The clever dashboard


From there you can implement multiple SSIDs, captive portals, the aforementioned 802.1x, you can monitor devices and applications, time access, and create mesh networks that will track clients (handy for marketing tossers) and all manner of stuff, with embarrassingly few mouse clicks compared to the pain of a conventional Cisco AP. It’s quick too.

Sounds too good to be true?

Maybe. There is a downside. While the dashboard is impressive, it costs. The APs themselves are a similar price to an enterprise-level conventional AP (a good 300-400 quid or so list), but on top of that, you need a licence for the dashboard (£150 for 1 device for one year list, reducing for quantity), and without the licence, your AP is an expensive ornament.

There are applications that are a perfect fit: if you have remote sites with no IT staff, the Meraki devices can be shipped with no config, then set up remotely. Potentially big savings there. The tools on the dash are very clever too, but you’re tying yourself to the cloud dash for a few years, effectively leasing the kit.

Next on the list? Aerohive, who seem to do the clever online management but still allow local config, so no tie-in.

Close Call

Monday, February 24th, 2014

Today, a colleague had this email:

A Spear Phishing attack


from “customercare@parcel-tracking.net”. It fooled two people: The original recipient forwarded it to a colleague to deal with, who clicked on the link, and got this:

Nice mock-up....


With graphics nicely nicked from the genuine Royal Mail site. The URL calling the site had an ID embedded, presumably to mark the recipient out as a sucker if they click, so I changed it for my investigation. The Captcha image remains the same, even if you vary the ID.

If you enter the code, you get prompted to download a .zip file with a random filename, and inside the zip file is a Windows executable, disguised with an icon for Adobe Acrobat Reader.

Should you be convinced enough to run the attachment, you’ll get a pop-up demanding money to decrypt your files, and this is no idle threat: running this inside an isolated Windows XP virtual machine really does damage files in My Documents- this is known as ransomware. Fortunately, the security measures on the computer used by this user stopped it.

Time for a reminder: think before opening. Questions the user *should* have asked:

1. Why would Royal Mail know my email address?

2. Why would they not just post a card through the letterbox?

3. Why “nobody was at home” for a business address?

4. Why would I need to download and run something just for a receipt?

To be fair, item 4 is picking flies a bit: some websites demand plug-ins or other crap, so differentiating the genuine from the scam gets harder.

Also, the site and email are quite a nice mock-up, using elements from the real site. Fairly convincing, and it also had the correct business name, which is a clever touch.

[edit]
It’s also worth noting that our (up-to-date) anti-virus didn’t catch this, either the original email or the downloaded file. It seems to be a zero-day attack.

Halt: Who Goes There?

Sunday, October 27th, 2013

One for the IT bods here.

A few weeks ago on Twatter, I posted this tweet:

Screenshot from 2013-10-01 20:21:30

Here’s the screenshot in better detail:

Cool message from VMWare's vMA appliance.


It genuinely made me laugh and call colleagues round, but despite the witty use of a Spiderman quote, there is of course, a serious message there: the superuser has great power:

sudo make me a sandwich

so you probably want to make the password secure, huh?

They did. They added cracklib (a password-checking library) checking, resulting in this situation, where it’s actually quite hard to come up with a password complex enough, and people suggest a way to bypass it.

Now that’s all well and good, but do you know what I did with my complex password (one special character, a capital letter, a number, 8 letters and another special character)?

Well, specifically, I whinged like fuck, then I wrote it down. On a post-it note. Exactly what you shouldn’t do.

Irritatingly, the vMA appliance also didn’t like “correcthorsebatterystaple” either (this appliance was being used for a test- seriously, you shouldn’t use that password now):

Correct Horse

Putting aside the serious message at the bottom of the cartoon- that complex passwords are not that effective against cracking- it’s highly significant that the complexity rules made me break the rules- and I have to remember many passwords, so I’m probably not that bad at it.

Of course, I’m not suggesting that we all make passwords easy to guess- that leads to all sorts of fun- but clearly this is counter-productive. If someone’s determined enough, has access, and a system doesn’t detect the attack, then chances are they’ll crack it, so it’s wise not to re-use passwords across sites or systems; though of course, if complexity rules make passwords hard to remember, chances are the user will choose one complex password and re-use it. This probably means we’ll see more two-factor authentication, which also gives a defence against keyloggers, meaning the attacker will have to revert to social engineering…
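As an added illustration (not the post’s own figures or code), here is the entropy arithmetic behind the cartoon’s argument, with the post’s 12-character pattern and a four-word passphrase both modelled as randomly chosen, alongside a length-aware policy that would have accepted a long passphrase rather than forcing a post-it note. The word-list size, guess rate and blocklist are assumptions; in the uniformly-random model the two come out close, and the point the cartoon makes is that people do not choose the complex one at random, while a famous passphrase belongs on the blocklist.

```python
import math
import re
import string

SPECIALS = len(string.punctuation)       # 32 ASCII specials
ASSUMED_WORDLIST = 7776                  # diceware-sized list; assumed, not from the post
ASSUMED_GUESSES_PER_SEC = 1e10           # fast offline hash rate; assumed for illustration

# Constructed blocklist: once a passphrase is famous it belongs here, which is
# the post's point about "correcthorsebatterystaple".
KNOWN_BAD = {"correcthorsebatterystaple", "password1", "tr0ub4dor&3"}


def mask_bits(mask):
    """Entropy if every position is chosen uniformly from its class and the
    attacker already knows the mask: s=special, u=upper, d=digit, l=lower."""
    sizes = {"s": SPECIALS, "u": 26, "d": 10, "l": 26}
    return sum(math.log2(sizes[c]) for c in mask)


def passphrase_bits(words, wordlist=ASSUMED_WORDLIST):
    """Entropy of N words picked uniformly at random from a word list."""
    return words * math.log2(wordlist)


def years_to_exhaust(bits, rate=ASSUMED_GUESSES_PER_SEC):
    """Worst case for the attacker: try the whole space at a fixed guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def acceptable(password):
    """Length-aware policy as an alternative to class-only rules: long
    passphrases pass without class requirements, shorter passwords need three
    of four classes, and known-bad strings fail whatever their shape."""
    if password.lower() in KNOWN_BAD:
        return False
    if len(password) >= 20:
        return True
    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    return len(password) >= 12 and classes >= 3


if __name__ == "__main__":
    # The post's password: special, capital, digit, 8 letters, special.
    for label, bits in (("post's 12-char mask", mask_bits("sudlllllllls")),
                        ("4 diceware words", passphrase_bits(4))):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.2f} years to exhaust")
    for pw in ("correcthorsebatterystaple", "Password1", "four unrelated words here"):
        print(pw, acceptable(pw))
```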

Drowning in Superfast 4G Hype

Wednesday, October 31st, 2012

Less than 24 hours have elapsed since yesterday’s rant about the 4G hype, and already there’s some bullshit piece in tonight’s Express and Star, showing the cutting-edge, well researched, informative and technically accurate reporting that publication has an unenviable reputation for, saying that the lack of 4G will cost the UK economy £120 million, according to “a study” (and then it fails to mention who commissioned the study [edit: reading the article again, Ebay commissioned it], or any data whatsoever). It then quotes Ebay as saying that “slow connection speeds, payments timing out, and network reliability” were barriers that would be “effectively eliminated by 4G”.

E&S Article

From the Express and Star, 31-10-2012. Unmitigated bollocks.

This is starting to look like a Daily Mash Story with bold assertions, quotes from imaginary experts, and meaningless, unqualified stats.

I’m now drowning in bullshit. As my dear friend Andy points out there’s so much marketing crap here, and as a tech who is asked to provide solutions to people who read this shit, it’s wearing very thin.

Does the lack of mobile internet really cost sales? Maybe a few. A smartphone is a crappy way to browse Amazon or Ebay, with small screens and no proper keyboard. I’m sure a smartphone app will improve this, as would using a tablet, which may well have mobile data capability, but £120 million? Really? Will people not just wait until they’re at home/work/Starbucks?

If 3G was actually available everywhere, it would do just fine for present-day Internet shopping, being about as fast as many people’s fixed-line ADSL. Of course given time, bandwidth requirements will rise: the Internet of the 90s coped on 33.6-56Kbit/sec, whereas now even 10 times that seems sluggish, so we will need 4G one day, and yes, installation should start now, but it’s not a requirement right now, and a good job too, because it will take a good while.

4G will not magically fix poor coverage, and will, trust me, cost a lot of money to implement.

I do find the tech industry very frustrating: the false promises, the use of tech terms as (inaccurate) buzzwords, the assumption that a “new” technology will magically make everything rosy. The shiny adverts, and the shiny-suited salesmen that perpetuate the myths. It must be very confusing for those of us that don’t have a deeply cynical view…

