Thursday, 31 March 2011

What 21CN really means?

"Putting all your eggs in one basket" is a phrase that comes to mind, or so it seems.

The way networks used to be run is that different services used different infrastructure and worked in different ways. Indeed, many services would inherently allow re-routing around problems either automatically or manually. If one service failed another continued as it did not use the same infrastructure.

Apparently, 21st Century Networks are different. It seems that with 21CN you can have lots of single points of failure, like a router in Slough perhaps, that can simultaneously take out lots of services and somehow not allow them to be re-routed! You can have Ethernet links and broadband services go down at the same time even though they are not actually in that area, just because they are routed via Slough.

Of course, in the good old days, a failure would mean using spare equipment or mending a fibre, and it would be done within a 4 hour window at most. But no, with 21CN you can have huge routers that don't apparently have hot, or even vaguely warm, spares, and so the idea of things fixed in 4 hours is out of the window.

Yes, this is a lot of guess work about the network of a major UK telco, but it is guess work based on the fact that 10% of our broadband and Ethernet lines have been down for NINE HOURS so far, and all that has happened during that time is some more lines going off in another area...

I guess we now know what 21CN means though. Thanks for showing us the way.

Wednesday, 30 March 2011

Ban phones, encourage bullies?

My daughter's school ban the kids from taking mobile phones into the school, it seems.

This may seem sensible to some. It seems a tad harsh to me. I am not even sure of the legality of it (or more importantly the legality of any enforcement actions such as confiscating phones), but that is a separate matter.

The problem is that all the kids take phones in to school - teenagers will. They keep them off/silent in class, etc, and occasionally they are confiscated and later returned. The school clearly know this happens so it seems silly having a ban.

The problem is that bullies can steal phones, break phones (see picture) and do what they like to phones and the owner feels they are unable to report it for fear of getting detention for breaking the school rules.

Seems a somewhat unintended side effect!

The problem has parallels in more normal life. Making something illegal does not stop it, but makes it impossible to police properly or for people who are mistreated to come forward.

[P.S. yes this will mean Sonim number 5 for her]

Monday, 28 March 2011

Damn, have to fill in census on paper now...

The employment question cannot be completed for someone that has more than 4 GCSE's but not grades A*-C, and "no qualifications" does not apply either, but the on-line form does not allow it to be blank.

Only option is paper completion where it can be correctly left blank.

Who the hell designs this stuff.

Little Bobby Tables (census)

Well James has gone one better...

Sunday, 27 March 2011

Job title: Orc polisher (census)

Looks like I have been an Orc polisher all week as Q.34 relates to job in Q.26 which is my job last week. Interestingly, last week I did get the Orc a lanyard for his ID badge (from Leeds) and and take pictures for the engraving, etc.

But "job title" is simply what is agreed between me and my employer, and that can be anything.

Census: First unclear questions?

OK, first one I am stuck on.

"People staying overnight on 27th March 2011"

Well, which night is that. There are 5 hours and 50 minutes of night at the start of the 27th and 5 hours and 55 minutes of night at the end of the 27th.

Do they mean both ends of the 27th or just one?

I am sure loads of people will have opinion on this, but what is the legally correct definition and how do I find out?

Grr

Saturday, 26 March 2011

iWaited (pic)

Says it all doesn't it...

Yes, in the queue, we updated the s/w on the iPad1 replacements we had received, and that is the screen we had to watch...

iOrc (pic)

iLike (pic)

Thrall's fingers are too fat to use it!

And what do you mean? £659.00 and my first born child, where is that in the small print. Oh, right, next to handing over my soul, gotcha.

Actually, people asked me why two of us queued and only got two iPads when we could have got two per person. Well, it was James I took, and he is my first born child, but somehow they let me off that bit.

Friday, 25 March 2011

iQueued iPurchased iHaveOne

Yes, as expected I am now the iProud owner of an iPad2.
I would post a picture, but you can't upload pictures to web sites, arg!

P.S. Picture (added from a real computer now I am home) shows a small part of the primary queue. The secondary queue we joined ended up going round the back of Covent garden. It took us 7 hours to get the iPads.

iMpressed

Well, seems they are happy to replace/repair an iPad even with accidental damage (sat on) free of charge, first time... Neat!

Now for 2nd one... This one replaced too, but replacement is DoA. Good job they check first!

The 3rd one is still at home, but now we know the process we can come in and get that sorted. Cool.

iPride 2

Do I go and queue up at Covent Garden for 5pm?
Decisions, decisions...

http://theoatmeal.com/comics/apple

Thursday, 24 March 2011

Price of legacy IP

http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html

Basically, Nortel (in bankrupcy) sold 666,624 IPv4 addresses to microsoft for $7.5 million, i.e. $11.25 per IP address.

That is mad!

Now, it could be iffy reporting of course. RIPE, for example, allow transfer of IPs if you can justify them. Right now, if you can justify them, you can have new IPs as the registries have not quite run out. So why would anyone pay for IPs just yet?

Of course, they probably buy the company and the company has the IPs, and so do not need to transfer them at the registry as such. That way they get to buy IP space that they could not in fact justify (on the short period registries require) but will last them a while. No idea if that is the case here.

Even so, if this sets the bench mark, before IPs have run out at the registries, surely the price can only go up once they do? What will be fun is how quickly those IPs lose value when IPv6 starts to properly take a grip.

Oh, and we have over 100,000 legacy IP addresses... Hmmm.

Wednesday, 23 March 2011

Kindle waste of money? (pic)

Apparently, it downloaded over 300MB via my mifi for no apparent reason and the decided to die. Arrrrg!

BringonIPv6

Well, good event, thanks Tref.

Over 300 people attended the Bring on IPv6 event at the London Transport Museum last night. We hope that we managed to get the message across to the press reasonably well. It is a challenge to ensure it is a story but also to try and give a positive message for the future.

Man walks in to a bar

... with "the internet"

Barmaid says "that's the internet!"

A barmaid that has seen the IT Crowd.... OMG!

Tuesday, 22 March 2011

When is an IPv6 address not an IPv6 address?

Thanks to Dave for sending me this excellent screen shot from CSI New York.

Clearly they do not know of documentation addresses (2001:db8::/32)

Monday, 21 March 2011

Lunch time doubly so!

Well, interesting start to the day.

My watch decides it must be lunch time (see pic). I think I have not been giving it enough sunshine.

My phone decides it is my wife's birthday, my daughter's birthday, and my friend's birthday, some of which are not for over 9 months.

My kindle decides to reboot several times in a row for no apparent reason.

The disk server for my home directory decides to kernel panic.

But at least the coffee machine is working :-)

Sounds like they did an update to the matrix and got it wrong.

[oooh marmite cereal bars, thanks Victoria]

Sunday, 20 March 2011

Busy week

Well, looks like LONAP on Monday, the BringonIPv6.com event on Tuesday, UKUUG on Wednesday and Thursday. Seems I may be in demand again :-)

Saturday, 19 March 2011

Arrrg, ebooks - kindle is no better!

The technology is good, but that the hell is the point if you can't get the books?

I decided I would re-read some of the Douglas Adams books that I have not read for a couple decades!

Holistic Detective Agency was on TV recently, and the story was very cut down to fit. Having re-read that, I thought I'll read the other Dirk Gently book again, on my kindle. I recall it being a tad confusing the first time and maybe would make more sense this time...

What is the point of a book shop which has so few books in it, and when it has books it has only some of a series of books and not the whole set. This is not a new book, so where is it? I also looked for Terry Pratchet and only a few of the discworld series are available.

If I walk in to a real book shop I find a whole shelf of Terry Pratchet, the whole discworld series plus several related books. No problem.

So, to continue reading this I have to go and get a paper copy. Yes, it is probably no different in price, and if I get a second hand copy it is way cheaper than an ebook. So what the hell is the point of ebooks?

Your search "Long, Dark Tea-time of the Soul" did not match any products in: Kindle Store

Friday, 18 March 2011

Not so secureID

Well, interesting article on the SecureID keyfobs from BBC.

I don't know if the RSA SecureID key fobs use the same algorithm as OATH based keys (as per the picture) but they certainly use the same principle. There is a secret of some sort that exists in the key fob, and also exists somewhere else such as in the server to which you wish to log in. This secret has to exist in plain text because it is the input to a function which uses the secret and the time of day to make a number (typically 6 to 8 digits, typically every minute).

This has security implications in itself. You see, with a normal password it is possible for it not to exist on the server - instead you can (usually) hold a hash on the server. You make a one-way hash of what the user entered and see if the hash matches, but you have no way to work out from the hash what password would match. It essentially means that (in principle) the server does not have to hide the hashes - it could publish them. That would, of course, allow off-line dictionary attacks and the like, so normally they are kept secret, but in principle they are less of a security risk.

With the one time codes like secureID the secret used is the input to a function, so cannot be a one way function hash like this. It could be encrypted but the software on the server that checks the code must have the encryption keys as well. Obviously, at one end, in the key fob itself, it is typically physically secure in that the device has no way for the secret to be extracted. Some devices may even have hardware fail-safes that wipe the memory if someone tries tampering with it. But at the server end the key is not inherently secure.

Now, one approach is to use a separate validation server. When you log in, the server you are logging in to asks a separate server to check the code. This has the advantage that the validation server can itself have some physical security rather than just a normal server with a hard disk. It can simply confirm or deny a code, and even count how many wrong attempts are made to stop brute force attacks. I suspect this is the sort of expensive box RSA would sell to the banks for their end. Obviously that communications has to be secured and authenticated somehow.

The trick then is how the new key fobs get read in to the server. I dare say there are ways that can be done with suitable encryption, but it is a security issue. You don't want anyone to ever see the secret, and you want it to end up only in the two ends with no risk of being leaked, or written down.

Of course, one of the nice things that this whole system does allow is the fact you can have one key fob for multiple systems. The down side is every system must have the same secret in order to work. So using these on linux boxes and the like with a simple config file gives all of these same security risks if someone finds the file of keys. Using on multiple servers means one server compromised could lead to others. Using a central authentication server creates additional points of failure and communications redundancy issues.

I have to say this sort of lends itself to a product opportunity - the server itself, perhaps using RADIUS, and having a way to exchange keys securely with whoever makes the key fobs, but having some inbuilt physical security against attack and loss of secrets. Sounds like a fun project :-)

As for the news article, I wondered if the secrets have been leaked. Someone would not know which accounts they are associated with. It would allow someone to deduce which key is in use if they see someone's code. Maybe they would have a few to choose from if there are millions of keys, but see two codes and you'll have it. It would mean that the previous ephemeral code from the key fob becomes a security risk. It is not clear exactly what happened in this case from the news article, but clearly a problem. It also sounds horribly like the keys are not just in the two places then need to be - the key fob and the authentication server... You have to wonder.

Sorry, you can't have fibre to the cabinet, your email address is too long!

Arrrrg,

We have been chasing why our favourite telco keep just cancelling orders for an FTTC line. Eventually found the cause - the email address provided to them as part of the end user contact details has a limit of 40 characters.

To be fair, it is a documented limit, but we did not apply it, and they did not either, accepting the order and then, every time, canceling the order a bit later with no explanation as to why...

How mad is that? Oh well, at least we know now. Well done to Shaun for spotting it.

Of course the end user may want his personal details correctly recorded as per the Data Protection Act, but we'll see how that discussion goes later :-)

Thursday, 17 March 2011

Magic smoke and well trained staff!

Well, from 10:07:32 to 10:39:58 today we had no power in Blue Square, Maidenhead.

It looks like a few bits of kit fried too - so looking surge and power cut.

Best I have heard so far is a major UPS went bang, and the smoke tripped an alarm and power safety shut-off and evacuation.

I would just like to say that I am very pleased with how my staff have handled this today - tackling the issues in a sensible priority and updating status pages. As it happened I was running training today, and was able to continue while staff did all the necessary work to resolve matters. It is nice to have a good team.

Broadband was not directly affected and this time the backup systems for DNS and RADIUS worked exactly as expected. Traffic levels showed no glitches at all. The most urgent impact was on VoIP services - sadly our grand designs for more diverse systems fell foul of the practical implementation of many SIP systems, though there may we ways to address this in future. Sadly our Ethernet customers were also affected which is never good for a premium service like this.

Needless to say I'll be chasing for a proper explanation for the data centre. The choice of one that is 10 minutes drive away proved it self today though - we know issues can happen wherever you are, but having staff jump in a car and get it sorted quickly is invaluable.

Well done all.

Wednesday, 16 March 2011

eBooks

I used to have a Sony ebook reader - which was not bad. The lack of a complete set of Terry Pratchet books led to its dis-use and it is somewhere on a shelf now.

So now I have a Kindle, and I have to say they have done a good job.

But what is mental is that I now have a device which allows access to web pages anywhere in the world at no cost, and runs javascript, and has a keypad.

Heck, you can even edit FireBrick configs on it!

I can see me making javascript & web pages specially for kindles now :-)

Oh, and maybe I'll read some books, but once again they only have some of the Terry Pratchet books available which is totally crazy. Paper books do not suffer this stupidity - you can buy them all and read them in order (which I have done now).

aa.co.uk

Well, odd. The auction for aa.org.uk and aa.co.uk were ping pong of £1 bids. We got aa.org.uk for £5! Very strange. Then today they suddenly went to £99, so we went just over the £100 (I had decided on £100 budget), so they went for £1000 (about £900 more than we would have paid)...

Seems odd they messed about with the £1 bids initially, well, for a day and a half.

Well done to either american airlines or the automobile association. Hopefully the latter as I think it makes a lot of sense for them to have it.

Tuesday, 15 March 2011

aa.org.uk

Well, we got aa.org.uk (as well as aa.net.uk). All good fun.

Somin guarantee working

Well, I expected G would break it (again)... This time not charging.

Got a return number sent off - and a few days later replacement (as they could not fix it).

Cool.

Sunday, 13 March 2011

Sunday off

Feeling very guilty - I have spent all day watching TV and not doing any work at all. Seems very strange somehow...

Normally a weekend is when I can get some real work done with no distractions, and at least I work in the morning.

Saturday, 12 March 2011

Nice employer - pick a job title for 27th March

A&A, as a company has decided to allow staff to have any job title and responsibilities they like for the whole of the 27th March 2011

The staff have to say what they would like and the company will officially state that they have that job title for the day. Being a Sunday not much work will be done for that job for that day we expect.

The director (me) has already bagged "Orc Polisher" so don't try that. You also cannot be director or company secretary, sorry.

Of course the official job title you have for that day is what you legally have to state on the census form.

P.S. It is job title for the week ending 27th March 2011

FB2700 s/w upgrade

On the basis that the A&A status pages are a "maze of twister turny passages all alike" at the best of times (yes, I know, we'll sort it), I am posting here as well.

This is all about Marmaduke:-


Customers with FB2700 FireBricks should be well aware that they can update the software at any time. The newer software makes this very easy via the web interface.

There are alpha builds which are for testing changes, and we issue these on a regular basis, sometimes several a day. These are not necessarily stable, but in general if there are any problems your FireBrick will automatically revert to older software. This are not recommended for production environments.

There are beta releases which are this we have a high level of confidence in it being stable and without major flaws. If you are concerned about risk of any problems it may be worth waiting a few days before trying a beta release as we will withdraw it in the event of any major problems being found.

Finally beta releases get promoted to be a factory release after several days use by a number of customers.

By default the FB2700 will check for new s/w automatically every day, and if it sees a new factory release it will automatically update and restart.

You can turn this off in the system settings in the config, setting sw-update="false". You can also set a sw-update-profile to restrict the upgrade to specific times or days but still allow it.

FireBrick expect to release a new factory release this week. It is expected to be V0.06.001 (Marmaduke) which is currently in beta. When this happens your brick will probably update at some point in the following 24 hours.

There are no major configuration file changes, so the upgrade should cause no problems. The FB2700 will reboot with typically under 1 second down time, and if used for things like PPPoE will re-establish PPP as fast as the network will allow (typically a couple of seconds). If not using NAT then sessions in progress should re-establish.

The longer term plan is to have discussions with customers on what they would like in terms of s/w update features. This could include simply emailing when there is new software available; a clearer notice on the control web pages; perhaps flashing LEDs to indicate there is a message saying new s/w available; anything else that customers would like. Obviously, having the product up to date in the field is better for customers and support staff, but we appreciate customers have concerns over such things and want to ensure this does what people want.

Note FB6000's do not auto update by default, so our core network sysrems will not be randomly restarting smiley

End of an era

The neighbouring office to ours have always had some rather quaint computer systems. I think they are something like windows stoneage. Well, to be fair maybe windows 2000, not sure. Something old - and did not even have IPv6. Still uses IE6.

Well, today, they are upgrading to modern machines, windows still (!), flat monitors not CRTs, and better coffee. OK, the better coffee is because I'll bring some cups round from our "bean to cup" machine to keep them on their toes. No, not java :-)

We used to go round to test things worked on IE6, and on a machine that not so much ran javascript but walked it using a frame with wheels on.

The IT support company they use still struggle with anything not starting 192.168, and seem to have reluctantly conceded that there will be addresses with colons in them floating around, which they will probably sort of pretend don't exist. I'll have to set up some port mappings for them (why can't they just do it properly!). Maybe I'll see if they want to come on one of my IP courses... Having said that, they are setting up their windows server, which I would not even try, so they know what they are doing in areas that really matter to our neighbours.

Anyway, all good fun. Hopefully should be a stress free day for them. I'm off to the office so I can lend a hand if/when needed.

How will we test our systems on legacy machines now I wonder?

Good luck guys.

Friday, 11 March 2011

Soul of a new release!

Fun day as ever, and been working, yet again, on trying to get a stable new factory release of the code...

The problem is that I want what ships with the product to be the "best you can get", obviously.

That is, of course, the latest code I am working on right now....

Sadly the latest code I am working on now also has the latest bugs I just added to the code. Sadly I don't know of these bugs, as, well, I would fix them if I did, obviously.

Writing new code is not really coding it is enbugging... Where else do bugs comes from?

So what happens is we make checkpoints - code freezes - and so on - and make a factory release candidate. I have done a few in the last two weeks! naturally this needs testing in the field as well as on the bench as much as possible, for many days at least...

During this time you find things. Now, if it really is totally cosmetic, a typo, then no need to re-issue a factory release candidate and start again. But what if it is something missing - something minor for which there is a simple work around? What if something not technically correct? Something just a few customers will notice? And what if this factory release is better than the last anyway as these are not new bugs? Arrrrg!

Where do you draw the line. Oh! the life of a perfectionist!

Well now, I have worked though about 5 release candidates and damn well this one will be a factory release. Unless there is a total show stopper it is happening. I don't mind doing a replacement next month, but it cannot go on any longer...

And its name is Marmaduke.

Plan of action (OFCOM)

OK, trying again. I have now sent a new application simply re-iterating the fact that we obviously comply with the rules for 07 mobile numbers as we are indeed required to by law. I have also sent a letter formally asking for clarification of how they interpret the rules.

But the other part of my plan is that I have sent an application on the basis that we own and operate a mobile network. It is only a pilot now, with three base stations in Bracknell, but easily extended.

The technology is 802.11 WiFi base stations using SIP/WiFi connected mobile phones.

I am not sure the size of the network is relevant for numbering requests.

We'll see what they say this time.

Thursday, 10 March 2011

OFCOM outlaw mobile call diverts?

OFCOM have made it very clear to us that because a call to a mobile number could be picked up on a fixed SIP handset, we cannot have a block of 07 numbers.

They have pointed out that the 07 mobile numbers have to be used for a mobile service which is defined as :-

‘Mobile Service’ means a service consisting in the conveyance of Signals, by
means of an Electronic Communications Network, where every Signal that is
conveyed thereby has been, or is to be, conveyed through the agency of Wireless
Telegraphy to or from Apparatus designed or adapted to be capable of being used
while in motion;

The fact that a call can be answered on a non mobile device is enough to block our application.

But this definition effectively blocks all use of any sort of divert on mobiles to a non mobile handset. It means that the calls to your 07 mobile number might not use wireless telegraphy to/from a mobile device, and the rules are clear that every signal that is conveyed has to.

I can only assume we'll get the announcement from OFCOM soon that they are banning the use of call diversion services on all UK mobiles (other than diverting to another mobile) so as to ensure they treat all operators equally. Anything less would be unfairly treating one operator differently to another, which I am sure OFCOM would not wish to do.

Comtrend a dead duck

We'll get something on the company status pages, but it looks like router manufacturers really do have no clue.

Comtrend had managed to get a router to us that did IPv6 and did not cost the earth. It sort of worked, and had minor niggles. We got ten and shipped them, and people are using them.

But turns out that not only will it be months before they fix these more minor niggles, but they cannot even fix more serious issues we have found.

The show stopped right now is that if the PPP link drops for any reason then the router reconnects with no IPv6!

We'll be taking them off the price list.

Thanks to those that are using them and thanks for the feedback. We'll get new s/w when it comes out anyway. They may be useful in the future.

What is a shame is they could be in there before the rest of the manufacturers. Not a big name in the UK, and could have got some real kudos from this.

What can I say?!

Toothless

Well, fun with OFCOM.

We are trying to get 07 numbers as we have mobiles. Customers want 07 numbers! They would rather not confuse the hell out of people giving them an 01/02/03 number, but more importantly so they do not have to pay for incoming calls to the mobile. An 07 number would allow incoming calls to be received for free like other mobile operators.

OFCOM should give us 07 numbers as we are are operating a mobile network (albeit the vast majority subcontracted to 3). We route calls to and from mobile handsets. Simples.

Guess why they won't give us 07s?

They say that we would put 07 numbers on a SIP fixed handset. I have no idea where they get that idea. We have no plans to allow 07's to be assigned to anything other than SIM cards. Yes, we will allow various call diverts as you would expect, and like other operators so, but not assigning an 07 to a fixed SIP handset alone.

What is interesting is that they are saying that if any call could fail to go via wireless telegraphy to/from a mobile device then that is not a mobile service and so we cannot have 07 numbers. Reading the numbering plan, it does indeed say that every call has to be from or to a mobile.

That is interesting. I can't see orange's 07973100150 customer service number going to a mobile - it clearly goes to a call centre (not picking on you orange, all the networks have such numbers). And I think every mobile operator allows a divert on out of coverage option which means calls do not go to/from a handset in those case. Sounds to me like they either need to correct their rules or revoke all 07 numbers in the UK!

I'm waiting for their reply...

Linking in img tags from other sites

I did this once and it caused huge debate at the time. Generally I don't do this, and it is a risk doing it, but the interesting point was on the legality of it and whether judges understood how things work.

The scenario is that a copyright holder has an image on their site, maybe a cartoon or a picture or some such. It is included in their web pages, and maybe they have other text and perhaps advertising which makes the copyright holder money. All well and good.

Then a rogue site links to the image using an img tag in the html, showing the image within their web site.

There seem to be two ideas why this may not be legal.

1. Secondary infringement. There have been cases of web sites that index and link to usenet postings of illegal copies of files. The web site does not copy the files, but was found to be guilty of secondary infringement because they facilitated the access to the illegal copies.

2. Unauthorised publication of the image on the rogue web site, even though the web site does not actually do any copying.

Firstly, for the technically challenged, the way it works is the rogue web site includes a link to the image on the copyright holders web site. When someone visits the rogue web site they get the web page, and their browser automatically gets all the linked in images including one from the copyright holder's web site, and presents the page as a whole on the screen. The rogue web site does not ever actually copy the image, but can expect that the end users browser will do its stuff as normal.

So point 1: When the browser gets the rogue web page and then gets the image it asks the copyright holder's server for a copy of the image. The server sends one. One can assume that as the server belongs to teh copyright holder then it sending a copy of the image when requested makes that an authorised copy of the image. You go to a musician and say "can I have a free copy of your latest CD" and he hands it to you - that makes it an authorised, legal, copy. That means there is no primary infringement happening, it is not an illegal copy, so facilitating that copy being made by linking to it from the rogue site cannot be secondary infringement.

Point 2 is harder. The meaning of publication is clear in the print world. I am not sure what it means in the web. Even so, assuming for a moment that somehow the rogue site is considered to be a publication and even though all it has is a link it is somehow considered to be publishing the image that is linked, you have the question of whether it is an authorised publication.

Now it is worth considering how the browser gets the image. It asks the copyright holder's server for a copy of the image. But that is not all it says. It says "I would like a copy of that image please to include in rogue web page". It sends details of the page in which it is to be included with the request as a "referrer". Many web servers are in fact configured such that they do little more than just log the referrer, but it is actually there in the request. The choice of the copyright holder to ignore that information when handling the request is, well, their choice. If they choose to hand out a legal authorised copy even when told "to be included in rogue web site" surely that can be taken as making the "publication" of the image in that context authorised?

Contentious I know. Copying other people's stuff is not on. Telling someone where they can see it (legally) is allowed. This is bang in the middle where you are telling them where to see it in a way that is all automated. Why does the automation make it wrong? :-)

What is really silly is why any cases like this ever get to court. The copyright holder has total control on the image being served in this scenario. They only lose control if someone makes an illegal copy which is much more clear cut. They can deploy many techniques, some of which are stupidly simple, to ensure the image is not included in a rogue web site, including having their web server check the referrer. They can even serve a totally separate image which could be offensive (questionable if that is legal) or just has text with a suitably rude message or maybe an adverts they make money from. They have control. The rogue web site takes a huge risk if they link to someone else's image without their agreement, so it does not happen that often.

With such simple technical solutions to this, why on earth do questionable legal cases need to ever be considered by the courts?

It is much better to have nice clear cut law on this than grey areas, IMHO.

Wednesday, 9 March 2011

More bad law (cookies)

The legislation on cookies on web pages is crazy.

The only real problem I am aware of seems to be advertisers profiling web page accesses to target adverts at people. I don't like it myself but can't pin down why more appropriate adverts on sites I visit is in fact bad. Even so many people really don't like it. I respect that. Making it a law is crazy though as it does not help.

The law at present is silly, but says if users can opt out it is fine. The change happening shortly is to say people have to opt in, unless strictly necessary for a service the user has request (e.g. shopping baskets and on-line banking, etc).

Sadly it applies to anyone using a communications system to store information in end users terminal equipment.

For a start a web server does not store anything- it sends a response to a request. The browser is what stores the information. It does not have to store cookies. The end users can set it not to in the settings. This is in itself proof that the server is not storing information. If the server was storing the information then the server would have to be the thing with the option to stop the information being stored. The fact the option is in the browser proves the browser does the storing and it is the end user that controls that. Sadly the ICO think differently and may convince a judge of that too. They seem to thing anyone operating a site is responsible for anything stored as a result, even if that is cookies served from third party sites and sites not in the EU. It means linking in any external resources (images, javascript, css, etc) becomes a legal risk and could mean just linking to other sites becomes a legal risk if the ICO follow on that logic.

Even so, if you consider sending data in response to a request is somehow causing information to be stored, then it must apply to all the information which is stored. That means the cache of the page or image and all the meta data such as last-modified date/time, expiry date/time, and so on. It includes the links in the page served. It includes the fact the browser history is updated. All of it. And most of that is definitely not strictly necessary to provide a service the end user has requested. Caches are not strictly necessary and so cache control meta data and last-modification date/times will need expicit consent to be stored. That means consent before the home page asking for consent is served. That is probably impossible.

This may seem overkill - surely we all know that it means cookies? Or at least means stuff that can be retried by the sending server later? Well that would cover Last-Modified as it is sent back in an If-Modified-Since header later and easily has a few billion combinations that could be used to hold a session identifier. Indeed, RFCs recommend browsers send back the exact string from Last-Modified in later If-Modified-Since requests thereby making it exactly like a cookie in operation. The problem is that this is part of normal cache operation and used on virtually every static web resource, so outlawing it would cause real problems, and in some cases costs (bandwidth costs).

But even if we only meant cookies, the law is stupid as cookies are used for a lot of not strictly necessary things which are also quite harmless. Simply tracking visits to a web site rather than number of page hits (very common). They are also used to hold preferences, even those that are there for disability access reasons. And nobody wants horrid pop-ups on every web site. They are often used to make a session track before a user goes to a shopping basket, and this would have to be changed to meet the rules.

If the law was actually enforced, we would see every web site that stayed in the EU having an landing pages "Yes I agree to terms of access to this site" like you get on adult web sites already. Even then, that may not meet the law as the page would go in the browser history before you agree. In fact the adult web sites (the very ones people do not want tracked) already have this sort of thing, and so you end up with their terms saying you agree to cookies and hence tracking!

If the law is not enforced properly you also have a bad situation. Almost anyone in the UK would be breaking this law. I bet having a facebook page makes you responsible for it in the eyes of the ICO and so probably makes you a criminal if you did not ask for explicit consent to store cookies (and last-modified time, and so on). So you have horrid uncertaintly. The powers that be can find yet another law that anyone they don't like is already breaking. It is not good for society to make everyone a criminal under a number of widely un-enforced laws. It allows a police state. The fact that this law cannot possibly actually tackle the problem it aims to also makes it a bad law.

How can we stop these bad laws?

Tuesday, 8 March 2011

Could bt.com or x.com be deleted?

Well, you would hope not. There has been a general principle that if a policy change makes a domain name no longer valid, the domain can stay in existence as long as it is renewed.

There are .uk domains that pre-date nominet and exist in spite of current policies not allowing them and the same is true for many domain heirachies.

As far as I am aware it is current policy that one and two letter .com domains are not allowed, but there is x.com and bt.com still in use and many others.

However, to my surprise, we have been advised that one of our domains is to be deleted. The reason being that a policy now in place, after they were registered, says they are no longer valid. One of them is aa®.com.

So, I am trying to find out. Is this some change in policy or rules, or law, that means when domain names no longer meet current rules then they will be deleted?

Do people like BT need to be worried that bt.com will be deleted?

Or have we been singled out for special treatment by verisign & ICANN I wonder?

I'll try and get to the bottom of it. Needless to say the wording of the contract we have with teh rgeistrar does not seem to allow them to delete the domain by my reading. So it will be interesting to see what happens if that gets to court.

P.S. the two letter thing is what I have read on forums after much googling. Would be nice to know for sure if that is policy or not to allow two letter and one letter domains in .com. Maybe it is, and hence this is a non issue for x.com and bt.com. Even so, it is an issue if policy changes can cause existing domains to be deleted as seems to be happening to us.

Fine

There has been a lively debate on private parking charges on a mailing list I am on. I won't go in to the debate in detail (phew!), but it is clear people have different views at a moral level on some things.

I am keen to learn how things should work, and do work, and have actually purchased and started reading a book on tort law. Interesting stuff. It does however surprise me how much things can be down to policy rather than a clear long standing idea of right and wrong. It is also interesting how much things have changed over the last few decades even. What is right clearly changes over time. That does make some sense, but gives rise to disputes where both sides are absolutely sure they are right.

The one policy thing which makes a lot of sense to be is that fines belong to criminal law, not civil. A fine is a financial charge that is there to punish and deter. It is not there to compensate for damages or losses.

You can be fined for something criminal even when there is no damage caused by your action and no risk of damage (e.g. speeding on a clear motorway on a dry sunny morning in a new car). The fine is not there to compensate for damages it is to punish and deter.

What seems odd to me is that people think there is any place for fines in civil disputes. The idea of me fining you for something you have done wrong to me. That really does not work. It creates all sorts of incentives that are not good for society. I mean, if it is a fine, what is to stop me fining you £250 for walking on my driveway? You may think that is silly and unreasonable but it is the same as some parking fines which are the same basic civil wrong (trespass). Basically, any fine is unreasonable. A charge for damages, yes, but not a fine.

Fines are for the courts...

I'll read more of the book though :-)

P.S. I can debate commercial late payment penalty charges another day. Truth is they raise less money than the cost of pursuing late payments and people going bust owning money that they would not have, and so are not a fine or penalty but a pre-estimate of damages for a breach of contract helpfully set in law to minimise the work for everyone. They are probably too low.

Monday, 7 March 2011

Quiet week?

I am sure this won't last long, but I seem to have no reminders or diary entries or even oustanding emails... A odd way to start a Monday morning.

Sadly I do have a big list of stuff to get designed and coded.

But for now, time for a coffee.

Saturday, 5 March 2011

Works for me?

Well, my sister-in-law said "that loops of zen works fine for me"...

The fact I set up their LAN to have IPv6 years ago had gone un-noticed (as it should), so an IPv6 only web site was not problem at all.

Little did they realise they were my guinea pigs for IPv6 deployment to residential users :-)

Thanks Pauline.

Tweaking how we handle IPv6CP

Looks like we have to tweak the normal PPP negotiation we do on the LNS. I plan to install the new code this weekend.

The reason is not flaky implementation of IPv6 on routers (and that is pretty flaky), it is flaky PPP on older routers.

PPP is pretty good in that there is a message to report back to the other end to say when you don't understand something. This allows backwards compatibility.

If we ask a router to do IPv6 (using IPv6CP conf request) the router should either understand it and reply, or generate an error. Normally one would expect a protocol reject message saying it does not understand IPv6CP.

This makes PPP pretty safe and easy to handle fallback. If we get such a response we conclude the device cannot handle IPv6 and continue accordingly, allowing an IPv4 only connection to work.

However, if we don't get a reply, we retry the request. Eventually we just give up because we are getting no reply to our PPP and close the link with a negotiation failed.

Sadly we have found routers with a couple of problems. One (I forget the make) sends an incorrect protocol reject message. So it is not rejecting IPv6CP but something completely different. Naturally we don't take any notice of this, and keep trying the IPv6CP. Another (an older juniper model) simply ignores the IPv6CP and does not reject it or reply. The result is the same.


The change we are making is that we'll now give up on the IPv6CP after a number of tries and conclude that the far end does not handle IPv6, but we will continue as if we had received a protocol reject, allowing IPv4 operation.

This makes the policy of giving all customers an IPv6 allocation as standard somewhat safer!

Thursday, 3 March 2011

Fun with javascript

Well, after much reading of the huge O'Reilly book on the matter, I am now somewhat better versed in javascript.

I have, like many people, tinkered with it before. It is the sort of language you can tinker with, much to the detriment of the users of web sites eveywhere...

I would however recommend reading up on the language properly. It is not quite as bad as it looks. I have used a lot of languages in the past and they all have quirks

As a C programmer you find the way the data types are handled a surprise. There are a few distinct types, and they are interchanged automatically. Numbers are all floating point (which is fun). There are objects which allow mapping of names to data, and also arrays which work in a similar way. The fact you can create literal functions which have a lexical scope are also rather run but typical of object oriented programming which fits well with an event drive UI model used by browsers.

What has been fun is writing code that works with a range of browsers. It does not seem to be that hard - there are a few well known areas of differences and a good book highlights them. The core javascript is pretty consistent. I found a couple of quirks the hard way, but I am quite chuffed that I have the web config for the FireBrick working on IE6 even!

Does this mean a lot more javascript on the A&A pages? Maybe... Maybe better javascript too. But to be honest, it is time consuming, and if it aint (too) broke, don't fix it. I am not a huge fan of the jquery type animations that get used a lot (and have been on some of our control pages). Done in subtle ways they are not too bad, but they get in the way and can be more of a nusiance than a help.

I suppose I better fix my photo site though as that never worked on chrome. Far too much else to do.

Wednesday, 2 March 2011

iGotWet

Damn, my iPad got slightly damp in the rain, and stopped working. Annoying. Not even a lot of rain. (My sonim was fine)

If only there was an iPad2 to replace it with. Oh, err...

Stolen car and recovery fees

Well, I have ranted about how there are too many nanny-state regulations to protect consumers. To be honest that is a bit over the top - I understand that without a lot of this there would be so many dodgy companies it would be unbearable.

What gets me though is when the laws penalise the citizen for no good reason, as happened to a friend of mine last week.

He had the mis-fortune to have both his cars stolen! Yes, someone broke in through the patio doors during the night while they were asleep, took the car keys and stole both cars!

No idea what they were used for but they were abandoned a few days later. They were not substantially damaged in any way, upright, and on the road, and not illegally parked or anything.

Now, when this happens you have all sorts of silly and annoying costs - new keys (expensive these days), valeting the car, that sort of thing. Sadly this can add up to less than the insurance excess, as is the case here.

What you don't need is extra costs you did not ask for. In this case the police obviously wanted to do proper scene of crime stuff on the cars, and so they wanted them "recovered" to a secure depot for them to do that. They would not allow the owner to go and get them himself.

Now they have finished he is expected to pay £250 for each car to cover the cost of recovery. Recovery he did not ask for and did not need or want. Something the police wanted to do, not him.

This is outrageous, obviously, and surely cannot be right. The yard where they are held are holding them to ransom, so he has no choice but to pay. Surely this extortion and/or theft? You would think so!

Apparently the Road Traffic Act allows the police to recover vehicles, even if not illegally parked, even if not causing any obstruction. Cars in a circumstance where they could be validly parked with no problem. However, as they were stolen and left they have been "abandoned", and so the police can recover them. The law goes on to say that the owner then has to pay for the recover, and storage, and any parking charges that may apply and the car can be held until paid!

This is clearly just wrong in these circumstances. There are many where this is sensible I am sure. If the owner abandons a car, then fine, make them pay, but this is a case where the owner has clearly done nothing wrong. The owner has not asked for the car to be recovered or stored. The owner is the victim of a crime and being punished. How is this valid or fair?

To add insult to injury the recovery company operate a set of rules, which they have clearly made up, where "if the car has to be lifted off the road then we charge £250, but if it can simply be towed then we charge £150". The law on the other hand says if the car is on the road, upright and not substantially damaged then the prescribed fee is £150. Only if it is substantially damaged is the charge £250. Not having keys present is hardly "substantially damaged" by any stretch of the imagination. But they have the car and will not let him have it unless he pays the inflated sum of £250 each.

So, I feel sorry for my friend who now has the hassle of dealing with all of this as well as dealing with the insurance company (who are also making his life hell) when it will not reach the excess anyway so he has to pay it all out of his own pocket.

But seriously, how do we have laws allowing you to be effectively fined for something you did not do when you are the victim of a crime? That is madness.

HD and SD TV

Well, I am pleased that Sky have swapped HD and SD channels round. Well, many of them. Odd that a few are not swapped like BBC1/BBC1 HD...

Anyway, this afternoon I actually got to see what it was like not being able to tell the difference. Eye drops for an eye test making everything bright and blurry for a few hours.

OFCOM's speed report

Speed of broadband lines is an interesting issue, and OFCOM have once again released a report that focuses on the larger ISPs.

Statements like "The average broadband access download speed UK users experienced rose 5% to 6.2Mbps, but this is less than half the average headline speed they pay for, communications regulator Ofcom says." just show some serious misunderstandings.

If you are paying for an "up to 8Mb/s" line then you are getting what you are paying for if it is 500K. In fact, you are only not getting what you pay for if it is over 8Mb/s (when you are getting more than you are paying for).

Oddly, I don't recall this being an issue when people purchased 56K modems. Unlike ADSL1 where a significant proportion of people get the full 8128K sync rate, 56K modems rarely, if ever, got 56K.

There are a lot of issues that affect the apparent speed of a connection. It is not simply a matter of "how fast can I download a big file", though that is obviously an important point. As speeds get higher factors which previously did not matter, such as the software in the TCP stacks at each end, the load on the sending server, the latency on the link, and the impact of low levels of packet loss, can have more and more noticable effects. In many cases what an end user sees as "slow" can be a latency issue or a DNS problem and not a line speed issue at all.

So, in light of that, it seems odd that there is so much focus on line sync rate.

For some time the A&A site has not headlined speeds, but listed technologies (ADSL1, ADSL2+, FTTC, FTTP). We then explain in the more detailed pages that, for example, ADSL2+ as a protocol will allow sync rates of not more than 24Mb/s.

It is a shame we can't use common phrases like "up to" and people understand. Perhaps by saying "not more than" people will. Who knows?

To be honest, for the vast majority of people, the difference between 10Mb/s and 40Mb/s is not relevant. Indeed, the 6Mb/s OFCOM quoted is really good as it allows iPlayer and the like (assuming there are not latency and packet loss issues). Yes, faster is generally better, but it gets to a point where the line speed is not the bottleneck.

The problem is people compare headline speeds. We have the crazy situation that one telco can do 100Mb/s fibre links, so another is looking at changing the settings, using gigabit ports, and being able to quote it as 101Mb/s. It makes no odds but people will buy the faster speed. This is why lines are often quoted as line sync rate, e.g. 8.128M for ADSL1 rather than IP throughput (e.g. 7.15M for 8.128M sync). If you have one ISP saying "up to 7.15M" and another saying "up to 8M" then which do you buy? In that case the line is exactly the same, it is just where you measure it.

Anyway, we decided OFCOMs voluntary code of practice was, this time, actually impossible to adhere to. We have not signed up to it. We have our own set of commitments which we think are better.

A&A Speed commitments
OFCOM code of practice

Note for example OFCOM define "the minimum guaranteed access line speed" as "the 10th percentile of the ISP's similar customers". Indeed, lines "at or below" this are considered to have a fault. This is, of course, totally crazy, as 10th percentile is a moving target (if you fix lines below it, or they leave then the target moves up). Also, by talking of "similar customers" you make the range narrow. e.g. if we were to say "ADSL1 lines very close to the exchange" we can expect the 10th percentile to be 8128K sync (as more than 90% of ADSL1 lines very close to the exchange get that top speed). This means that *all* of those customers are at or below the the minimum guaranteed access line speed of 8128K. The fact there is the hard limit on top speed of ADSL1 actually makes the best and fastest lines considered "at fault". Even looking at all customers on one line type, like ADSL1, there is huge incentive to not fix dodgy lines as that keeps the 10th percentile rate lower. An ISP that actually tries to fix slow lines makes their stats look worse and worse as the 10th percentile rises. Someone made these rules with no thought at all.

There is a point about "the spirit" of the code and not "the letter", which is carte blanche to ignore almost all of these annoying details and so make the code a waste of time. The writers of the code clearly want at least 10% of all lines or all ISPs to be considered to be faulty on an ongoing basis. That is clearly the "spirit" of the code.

Our code says we will actually monitor all lines all the time, making that available to customers, and use it to assess the problem, considering the causes of slow speed (like loss and latency) as well, and taking slow speed reports seriously. It even says we will monitor how well carriers are working in their core network and tackle issues we find.

I think our code is much better. It is also a lot easier to follow the "spirit" rather than the "letter" as it is worded in terms of objectives not specific percentiles and rules.

Tuesday, 1 March 2011

When is save 20% not save 20%? (pic)

More on a theme, thanks to a vigilant reader this advert starts top left with a big yellow "SAVE 20%", but that is not what they mean... (click to see full size).

Why I have no intention of ever using ADR

We are forced to provide ADR to customers. That is an "alternative" dispute resolution, using an arbitrator as an alternative to the courts.

To be honest I never saw the point, country courts are cheap and simple and easy to handle. They are fair (loser pays) and have controlled costs so low risk.

I am all for sorting out disputes if they arise - don't get me wrong. We are even quite happy to err on the side of the customer if things are not clear in a dispute. We do try to avoid ambiguity by having things like call recording and ticketed email systems, and so on, but lets be fair with customers!

It is the nanny state that insists on ADRs for all telcos and ISPs.

Thankfully we work hard to avoid disputes in the first place and to ensure they are resolved if ever they happen. We are keen to be fair in our terms and dealing with customers, and for that reason we have never had a matter actually go to ADR. Phew! FYI, we pay for ADR, win or lose!

I was already pretty resolved to avoid matters going to ADR as I have heard horror stories from other ISPs where decisions are made against the ISP/telco on what are apparently quite clearly wrong grounds. The ADR decision is binding on the telco (but not the customer!).

After a discussion today I am even more resolved to not go to ADR. Thankfully this is not yet a dispute, but has involved discussion with the ADR (to decide if to take on a dispute). The exact details are probably considered confidential, but the nature of the potential dispute is simple and generic.

In a possibly unrelated matter, I think there is no reason not to discuss what would happen if a customer asked for a directory entry for their VoIP number from us.

We make it clear when ordering that we have no facilities to provide directory entries. Also that access to directories are via Internet access to web sites, etc. The important point is that we have no way to get people listed, as yet. Nobody has asked, and that is why we have never investigated further.

I would stress that this is something we are working on anyway, as it seems like it may be useful, even though customers have not asked until recently. It is also something we would have to do if BT directories asked us. So we may as well preempt it and try and get it sorted. It will take time.

Common practice is indeed that telcos have a contract with BT directories, and pass all new and changed directory entries to BT regularly. BT then provide access to the database to companies providing directory services.

The problem would be if someone insists that we are "required" to provide directory information to BT, and to state that to our customer. We would not like that.

There are two relevant parts to the regulations, GC8 and GC19.

GC19 is pretty simple even if it does not fit with common practice. It is a regulation making it clear that if BT (or anyone else doing directory services) comes to us, we have to accept requests from them to enter in to an agreement to provide directory information.

That does not mean we have to approach BT or anyone else. Whilst that is indeed common practice, it is not required by that regulation. So, no quibble that we comply with GC19.

There is one other regulation, GC8, which requires us (and every other telco) to offer directory information, e.g. a phone book, which includes all numbers from all telcos (that want to be listed). We normally do this via Internet access, but we can send a real phone book if needed (and can charge for it too).

This is a possible sticking point. If we do not provide the directory information to BT directories, then no telco can comply with GC8 as they are not providing our customers number in the directory and hence not providing all numbers of all telcos.

However, in my opinion, we are in fact the only ones that can comply with GC8, as we can get the local phone book, staple our customers details in it, and send it out. Thereby ensuring it does have all numbers including our customer's number. This assume no other telco is in the same spot as us, in which case nobody complies with GC8. If the phone book we send has all directory numbers in it then we comply, simple as that, in my opinion.

The potential argument is that unless we provide the details to BT then nobody else can comply with GC8. Well, to be frank, so what? That is their problem. I am not responsible for ensuring other telcos comply with GC8! I can comply with GC8. Yes, it is silly and pointless, but it is compliant, and that is what matters.

Basically GC8 means that directory compilation companies have to come to us else they are not complying with GC8. And, of course, if they do that we have to sort a suitable contract with them and provide the data (as per GC19). So the system works and hang together.

The issue is what happens when it does not work - when BT directories have not asked use for directory information. Who exactly is in the wrong there?

Well, the way it is all worded, to me, it is clear. We comply with GC8 and GC19. Other telcos are not complying with GC8. So it is everyone else that is in the wrong and not us!

Why argue this though?

Because I try my hardest to "do the right thing", and if someone says to our customer that we are not doing what is required, that is something I object to. We do what is required, in my opinion. We do what is agreed with the customer, which is also very important.  The fact we do not follow common practice is not the point, and to be honest if someone said we are not following common practice I would not be upset. I do not try to be conformist :-)

So where now?

Well, given that one person, after many years and many thousands of numbers, wants a number in the directory, we have approached BT... again... and again... and eventually got someone that may have some clue and be able to progress matters. We have to get another reference number from OFCOM and then sort the standard contract and the technical means to send the data, but why not? I expect it will take months.

Also, it seems, after a lot of badgering, that a customer has managed to get BT directories to list his entry directly. Well done.

But what of ADR?

If it is true that the arbitrator cannot understand that being "technically correct" is still being "correct", then we will have problems if any dispute does get to ADR. Yes, this would, in my opinion be a close one, in that to comply with GC8 we would have to staple someone's details in to a BT phone book and send (on request and payment) to any of our customers that asks for it, but close to the line on the "correct" side of it is still "correct"!

Anyway, I can't do anything about a non dispute that will go away, even if someone has made statements about the company that are not strictly true. I'll just have to put up with it, and ensure we take every step to avoid ADR in future.

There are, in theory, ways to avoid ADR, including a rather nasty one... If the matter is going to court then it cannot go to ADR. This means that any dispute where we are asking our customers for money will go to court and not ADR, sorry. I am all in favour of the courts. My experience of them has been good mostly.

As usual, I'll keep trying to do the right thing...

Blizzard's Real-ID system starts to work (pic)

That, or a polymorph spell went badly wrong!