Friday, 29 April 2016

$5 wrench #IPBill

Encryption is all about keeping your information (e.g. stored data or communications) secure from attack, i.e. so that nobody else apart from those you intend can get access to it.

Technical attack

The first, and most obvious, line of defence against an attack is against the technical aspect of the encryption itself - an attack on the maths. You need systems where it is not possible for a computer to try every password in a few seconds, or where there are not mathematical tricks to extract the data.

It is fair to say that modern encryption systems are pretty good at this and getting better all of the time. This is the main thing people think of when considering the defence against attack.

However, as xkcd make very clear, tackling the mathematics is not how you attack good encryption. The "$5 wrench" is much more effective, sadly. So we need a defence against that.

Detection

One of the first things to consider is whether someone can detect you have something encrypted in the first place! If they cannot tell you have something encrypted, then they will not try and force the keys out of you with a $5 wrench!

There are several techniques for this. They generally rely on the fact that modern storage devices and things we store have spare space. So on a hard drive, you may have terabytes of space and actual content that is only a hundred megabytes. What is in the rest of the space? Well, it can be random data and nobody will think it is anything else. Except, if you know the right key you can turn random data in to an alternate file system with stuff on it. Drives have random data padding, or can, so you have some degree of plausible deniability.

Another, perhaps safer, system is using the random elements in some types of data. Audio, video, images, all have low levels of random noise. By replacing this with encrypted data, which looks like random noise, the images all look pretty much the same, but can be decoded. The nice thing is, as long as they are original recordings (so no reference to which they can be compared) there is typically no way to prove the "noise" is encrypted data and not "random" without the key. Again, plausible deniability.

Duress

Another simple approach, which may mean the $5 wrench gets re-applied, is that you can have a system were there is a duress code which, when used, wipes the data. You may think that it is hard to quickly wipe a hard disk, or that the hard disk can be copied first so you can always try again, but there are simple ways around that. The idea is you have a security device that holds the (long, and random) key used on the hard disk. It needs the code to extract the key to decode the disk. But, if given the wrong code, it wipes the key (which is quick and easy). It cannot be copied and has tamper detection as well, so trying to open it causes the key to be lost anyway. Apparently iPhones have this sort of technology now, but I don't think they have a duress code (yet) just the "wipe after a number of wrong attempts".

Deflection

Another cunning plan in that the encrypted data is arranged such that with one key you get the actual stored data, but with another, you get some benign data - though ideally the benign data wants to be something embarrassing that you might have wanted to encrypt. This is harder to do, as the data has to be somewhere, but with things like alternative file systems in hidden partitions, as above, it means that application of the $5 wrench can get access to encrypted data that "they" were sure was there, but not get the data you want to keep secret.

When it is not a $5 wrench

All of this is trying to address the adversary that is wanting to get to your data, on the assumption that they are "the bad guy". But what if the data is something you want to hide because you are a criminal?

Well, the problem is that every one of these techniques, designed to protect us against "the bad guy with the $5 wrench" work just as well to protect us from the FBI or the police. They will use threats of law enforcement, imprisonment, and so on, rather than a $5 wrench, but the answers are the same. If you can make it so they have no way to know there is something hidden at all, you win. If you can make it so after threats, you give a key that provides non-criminal data, you win. Even the duress code to wipe the data may work, if it does not flash up saying "wiping key" and just says "invalid code" and you can claim you really have forgotten the key.

The protections are the same, and so, if we are to continue to mostly win against the "bad guys" we will have systems that win against the police as well. That is just a fact of life, without which we open doors to criminals (and $5 wrenches). Sadly, maths does not understand law, and law should realise this and jus get over it and stop being an arse.

Wednesday, 27 April 2016

So, I'll try contacting Lord West #IPBill

Dear Sir,

I have heard some of your comments in the Lords, on parliament TV, and I would like to try and impart some technical knowledge to assist you in your work, if I may.

One of the key points you make, quite strongly, is that there should be no way that terrorists, pedophiles, criminals, should be able to communicate such that proper authority cannot by some means monitor what they say. No "safe places" for them.

I fully understand that the monitoring of communications is carefully controlled with safeguards and oversight to ensure such an intrusive power is used where necessary against such serious crimes.

However, I feel you may lack some understanding of basic mathematics of encryption.

It is a simple matter of fact that it is possible for two people to communicate in a way that is totally secret. Whilst computers make this easier, it can be done with no more then pen and paper and dice. It would allow secret messages that can only be read by the intended recipient, and not by GCHQ or NSA no matter how much resource they throw at it.

This is a fact - it is a fact of life and mathematics. It is not changed by speeches in the Lords or legislation.

Indeed, with the help of computers, it is possible for such communications to be embedded in random data in images and videos in such a way that it is mathematically impossible to prove there is a message being conveyed. So even outlawing such communications cannot be detected or enforced.

I will be more than happy to visit you and explain these basic principles, and even demonstrate pen and paper encryption to you. I also have some videos on the matter if you are interested.

Given that this is a fact of life, a reality, can you perhaps concentrate your efforts on the negative side effects of Draconian laws to stop people communicating. Criminals can communicate, end of story. All such laws do is impact those of us that choose to abide by laws, and in doing so we open ourselves to criminals attacking us.

Please do take this email seriously. I am a technology expert. I have given oral and written evidence to the committee on the IP Bill. I run training courses on this. I write code for a living and I run an ISP. I can help you understand the issues, and perhaps the serious negative side effects, of your views.

Respectfully,

--
Adrian Kennard
Director, Andrews & Arnold Ltd.

Good question from @LordStras on #IPBill today - shame about the answer!

Lord Strasburger asked at 15:20 today:

My Lords, paragraph 217 of the Investigatory Powers Bill gives the government almost unlimited powers to force, in secret, companies to, I quote: "remove electronic protection" from their products. Could the minister tell the house how the government intends to use this power in the increasingly frequent case where a company has designed the security of its products so that even the company itself is incapable of unlocking the equipment or decrypting the data. Will Apple, and others, be require to redesign their products so that they can break in to them, or will they be required to stop selling them in the UK?

Lord Keen seems to totally miss the point, and ends up, after several questions, stating: There is no question of encryption keys being weakened. There is no question of encryption keys being made available in response to a warrant. The encryption key would remain wholly in the possession of the provider of the service. The warrant will ask that they apply the encryption key in order to provide the decrypt. So there is no weakening of any encryption in these circumstances.

I am sorry, but (a) why can they not answer a straight question, and (b) do they really not understand?

A company can make their communications system, like Apple with iMessage, so that Apple do not have the keys to decrypt the communications. So that the key does not "remain wholly in the possession of the provider of the service" and so that it is not reasonably practicable for them to decrypt the messages.

The question is whether paragraph 217 could be used to force a company to redesign such a system so that they do have access to keys. The problem is that if they do this they are weakening the encryption system. They are not following best practice. They are making the communications more vulnerable to attack.

Think about it for a second - any step that changes from "government cannot see message" to "government can see message" (even under strict rules) has to be a step to weaken the encryption in some way. One more person being able to see the message means it has weaker encryption.

Lord West goes on to repeat the stupidity of saying that there can be no place for terrorists and pedophiles to communicate - as if he wants to outlaw multiplications. As I have pointed out so many times, anyone, with no more than pen and paper and dice, can send secret communications without a "service provider" providing the encryption, and without a way for GCHQ or NSA to crack the encryption. That is a fact of life and mathematics and no amount of legislation or speeches in the Lords can change that. Get a clue Lord West, please.

Tuesday, 26 April 2016

More on SciFi: Stargate communications stones

I am watching Stargate universe (SGU) again, why not, and they make extensive use of the "communication stones".

These allow two people to swap bodies over any distance. There is a device that handles the stones, and they can be disconnected. Interestingly the link is disrupted when one end going in to, our out of, FTL (Faster Than Light) travel. The connection breaks totally if one side goes through an intergalactic gate...

One of the odd things on this plot device is the issue of what happens if someone dies?

The plot is that normally there is no physical effect on one side yay effects the other, so lack of sleep, caffeine, food, etc, does not impact the other person, but death and near death does! If one end dies, both die.

I was thinking, why would this be? The mind swap seems pretty absolute, so one end dying should leave the other end stuck in a transferred state, surely?

Well, I forgot the Terry Pratchett narrative imperative...

If the communications stones allowed any way for the swap to be permanent, even with one party dying to make it so, it would create a massive plot device. Any person can extend their life by simply swapping with a younger person and then getting killed. It would break the normal flow of most fiction - you cannot easily have immortals in a story line (Dr Who excepted).

So that is why both ends have to die, no matter how illogical that may seem.

Shame.

Number porting update

Just a quick update - thanks to all those that have emailed in - we'll be in touch as soon as we can start trials.

So far it seems BT may possibly have a bug in their order processing that means these orders just don't work. We are trying to get that fixed now. It does kind of suggest this will be a pretty unique offering though. So I'll update when we know more.

Update: BT a/c manager has confirmed: "I do have access to a Openreach specialists who can help us with the questions that are raised. He has informed me that the renumber for exporting is a current process then in theory should work." so we are not going mad, this should indeed work. Working with BT to get it fixed now.

Monday, 25 April 2016

European Convention on Human Rights

I was shocked when Cameron was saying we need a new Bill of Rights to replace this, and then this week was more shocked when I hear Theresa May wants us out of the ECHR.

If Government, or MPs, want to reduce or remove human rights to get around what they want to do, it says a heck of a lot about what they want to do!

But I have to say that when someone like Patrick Stewart steps in and does something like this, it really shows the problem so well. This is gold. Life of Brian classic, but a serious point. Very serious.

CPP why do you hate me?

Compilers are quite smart, and as you get newer and newer compilers they get better and better are spotting when you have slightly questionable code. These warnings are sent to try us, we all know, but they are usually very good to heed rather than hide.

One of the warnings that caused a tad annoyance recently was my sloppy use of asprintf. This is a lovely function which does a printf but allocates memory as needed to do it. It avoids one of the big issues with sprintf over running space and why you must always use snprinft and not sprintf. Obviously it needs tidying (free).

My sloppiness was simple, I was not checking the return value. It is always important to check return values, though, to be fair, with memory limits so high these days the time a malloc fails is pretty unlikely.

So, the simple answer is wrap it in an assert. If it fails, that is fatal, end of story. Easy to track and debug if it happens and a lot easier than a random seg fault or uninitialised pointer being used.

But that makes the code messy, so bingo, lets make a safeasprintf that can assume it worked.

How to do it? Why not something simple like :-

#define safeasprintf(...) assert(asprintf(__VA_ARGS__)>=0)

That is simple. It takes whatever I put in the safeasprintf and does an asprintf with it checking there is no error (-ve) return value, and aborts if there is. A bit of a global edit s/asprintf/safeasprintf/g and Bob's some relative. No warnings and safer code.

Except... There is, it seems, a specific build of linux, gcc, cpp, whatever, that does not work. Works all over the place, but on a couple of machines it does not. It does not generate an error but treats the whole macro as nothing. The clue was warnings that variables defined and then used in a safeasprintf were "defined but not used". The bigger clue was the code just not working in all sorts of places. Every asprintf had not in fact printed a thing! I was almost impressed my code did not crash horribly as a result!

I have no idea what cpp did. If it did not understand __VA_ARGS__ then surely that would have left gcc with an error? How could it fail in such a special way? Even the asserts did not barf.

Well, what can I say, lesson learned.

int
safeasprintf (char **strp, const char *fmt, ...)
{                               // Do asprintf but abort if error
   va_list ap;
   va_start (ap, fmt);
   int ret = vasprintf (strp, fmt, ap);
   va_end (ap);
   if (ret < 0)
      errx (1, "Bad asprintf");
   return ret;
}

P.S. Looks a lot like it is the mis-use of assert that is the issue. It does nothing. I understood it did not check and abort but in spite of decades of C coding I did not know it actually did not do the expression within the assert either. You learn something new every day.

Friday, 22 April 2016

Who would want to work for an ISP? #IPBill

Working for an ISP you could find yourself between complying with IP Bill, or Data Protection Act, or your employer contract, and no way out. One way or another you are in the shit!?

Who would want to work for an ISP?

And those that do - will government compensate ISPs for the extra cost?

#IPBill madness

As reported, under the IP Bill/law "[Companies] subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the [company] to provide a technical capability on the new service,", and "The tech companies will have little say and the Government say explicitly they have the power to bring legal action against them if they do not comply,"

Seriously why would any company comply?

OK law will be law, so one simply makes a separate company which does not actually come under the IP Bill/law, and which is not subject to a technical capability notice which develops all new products. It has no obligation to notify. Then when launch arrives, it having prepared all the technical and marketing in advance, it tells the main company which is subject to a notice, and launches. Main company complies with law and tells government in advance of new product/service launch, 30 seconds in advance, but in advance, job done.

Many companies already develop new products and services with a degree of secrecy internally and externally, especially people like Apple, so this will simply add a legal layer of separation between R&D and product development and the main company. Simple step, easy, and makes the law on this totally fucking pointless.

Getting really really cross with UK Government wanting to spy one everyone now.

P.S. A&A are not subject to data retention or technical capability notices. Even so, we are agile enough that we will often launch a new service within days of coming up with the idea, so even complying with such laws will leave the government dragging their heels.

P.P.S Why would any foreign company comply with this bullshit anyway? They will have a UK subsidiary company which can be kept in the dark until actual launch.

Tuesday, 19 April 2016

Keeping your number

I posted on this over two weeks ago now, and I thought it worth explaining progress.

We are understanding BT better on this every day - yay! I have to thank the "EMP Knowhow" team at BT on this, they are helping a lot.

I am now confident that we can port a number to VoIP without breaking the broadband. Very confident. Sadly BT are enforcing an unnecessary, and incorrect, 14 day lead time on such orders which means, after a couple of false starts, I cannot confirm having done this until later this week.

However, we have managed a lot. We have several test lines which BT are incorrectly ceasing after cancelled number ports, and lots of threats of legal acton and escalations. But definitely progress.

I even managed to work out some of the renumber logic to get back my old house phone number, from 10 years ago, and now am porting out to VoIP! That is just a cool thing to do!!!

We have also had a lot of discussion with the telco we use to handle porting, and interestingly this is new to them. I am not sure people offering VoIP can offer to port a number without killing the broadband, but it looks like we can - yay!

So we are pretty much at the stage for volunteers to try this!

There are two types I am after.

1. People with PSTN with us (and broadband) wanting to resurrect their old PSTN number and have it on VoIP.

2. More likely, people with broadband with us, but PSTN via someone like BT, that are interested in us taking over the phone line part and porting the number to VoIP in the process.

Email trials@ our usual domain, and we can discuss. We'll not charge normal porting fees to do this, but VoIP is £1/month+VAT and call charges as normal. There is a danger of things going wrong, but we'll cover any reconnect costs and try to ensure the number is not lost. I'll throw in a free dragon :-)

More and more I feel dealing with BT is like learning magic (XML) spells.

P.S. We have several volunteers waiting now, thank you - the first test port done like this had a completion date of 2016-04-22T23:59:59 and as of 23:33:00 last night it is Warning 572 KCI-3 (Order Completed) Delayed In Processing. We'll see how that goes before we put anyone's real order in.

P.P.S BT have cancelled the orders we have submitted - and to be frank I an getting fed up with threatening to sue telcos already today. We're trying to get to the bottom of it, but could mean another 2 week wait.

Monday, 18 April 2016

Protection from Harassment Act 1997

Verso Group (UK) Ltd has taken up some of my time of late, starting with a "junk call" clearly claiming to be from Verso Group (UK) Ltd, but apparently not (according to a man calling and claiming to be from Verso Group (UK) Ltd).

Personally, and this is totally my own honest opinion, I cannot see how the original call (here) was not in fact from them - I see no motivation for someone to impersonate them. The call seemed to be trying to use "tricks" to be a survey rather than even a lead generation call and even had the caller stating he would give my details to other companies. None of that shit works (well it does not really work anyway) if you are not actually calling from the company you say you are in the first place. However, in the interests of fairness, and understanding how things like this can be frustrating for those impacted, I have to re-iterate that the call was apparently not in fact from Verso Group (UK) Ltd, according to the man calling and claiming to be from Verso Group (UK) Ltd. I may yet get the call traced though if this goes any further. I hope this post is the end of it.

Now this is where the fun starts.

My employer started getting hassled (no other word for it) with a couple of emails and several calls, all claiming to be from Verso Group (UK) Ltd, and one particular director (that I won't name here today). They start (in email) asserting the call recording must be removed as it is confidential. Then (in calls) they insist it was not them calling. We try to call back several times and are told this gentleman* is in meetings or on a call. I tied up quite a lot of our company solicitor's time on this as legal threats were made against my employer in emails and calls, and even a "threat" to come to the office, which we welcomed and waited all day for.

To be clear, my employer are not involved. They do not host my blog and I do not post here or on social media in an official capacity. The call was to my home number. Oddly, to my wife's number (more on that later).

I have posted links to these blog posts on twitter automatically, and even a comment that we tried to call back mentioning the person that called the office. Several others have commented on twitter too.

Then, on the 10th, I get a call from Bedfordshire Police Crime Bureau advising that this person, who is a director of Verso Group (UK) Ltd (as I understand it), has called them alleging that I am harassing him on twitter!

Note this call was also to my wife's number, one I never publish as associated with me, so where did the police get it? I am asking them. The same number as the junk call definitely not made from Verso Group (UK) Ltd.

First off - no actual official complaint has been made to the police (phew!) - we are a week later and the police have confirmed that. They also confirmed the call I got was genuine, and I am working on getting permission to publish the recording...

But it got me thinking - I have not looked at the Protection from Harassment Act 1997 in any details before. Could I have been harassing someone without realising it?

For a start I am not 100% sure what "harassment" means. I may post on twitter to make a point, or further a discussion. I have no intention to "harass" anyone. The definition in the Act does include causing "alarm" and "distress". The problem is that I am reading this legislation like an engineer and not a lawyer. We do not always come to the same conclusions :-)

I cannot find a requirement for "intent" in there, which is a shame, just that I should know it ought to be harassment of another, and the test is that a reasonable person would know that if they knew all the facts. Given the level of religion and mental ill health in society, finding a "reasonable" person may be hard. But oddly, "intent" is not in there. So I could be harassing someone unintentionally.

However, there is some light at the end of this, my "conduct" would also have to be "unreasonable". Naturally I don't think I am ever unreasonable. There is also allowance for preventing or detecting crime. The junk calls, are they a crime? Certainly unlawful, so maybe.

It is also good that you can only harass an individual, and not a company. The Act makes that clear. All posts about Verso Group (UK) Ltd, even if they are harassment, would be of a company and not an individual.

The other caveat is that one has to do it twice. To make it an offence you need a "course of conduct" which, for one person, is twice at least.

This raises some interesting points for social media, like twitter or even my blog. I state on my blog, and expect in other social media, that if I do harass or otherwise offend people, I expect them to "block me". Social media allows that. So if I "upset" you once, you block me, so the second time cannot be upsetting you. Would a "reasonable person" think the same? That would make all but the most convoluted social media "harassment" non existent, surely? I can see some blocking on twitter for this particular gentleman*.

Anyway, someone has not had the nerve to follow through and actually make an official report against me. I almost want him to - as that would be wasting police time, and would also give me a good excuse to get the original call traced.

Even so, is this really the way a reputable company handles complaints? Accuse people of harassment and report them to the police. I think not.

The offer is open for a meeting at our offices resolve this - that makes this blog post more than "reasonable" and not harassment.

What I do take from this is that one cannot harass a company!

* I say gentleman but he is listed as "Ms" not "Mr" on some company check sites, as several people have pointed out on twitter.

Sunday, 17 April 2016

Stepping back

I have posted a lot on what A&A have been doing, and we are now getting to quite a good place with capacity to grow. We still have to do work in the data centres in London moving some links, setting up LACP/LAG links on some routers and LNSs, and moving around some the transit/peering between routers. We have more routers to deploy (such as "H" shown on that diagram), but even at a busy time we are seeing sensible levels of usage around the network and everything coping.

Whilst we have had some challenges I am very pleased with the outcome and my team handling this, as well as the sales and support people handling customers during all of this work.

Of course, there is always more to do - we have to upgrade and extend links to carriers and transit and peering over the coming months and years as we grow, but I am a lot more confident we can provide the quality of service we have always strived to offer.

I thought some of our more technical customers would like to see this "weather map" overview of a peak usage point even without numbers on it. It is perhaps a rare glimpse at some of our network - the part that provides "broadband" to you all.

It is all about us not being the bottleneck and not dropping packets.

Friday, 15 April 2016

Is this why we need to spy on every citizen on everything they do in their home all the time? #IPBill

This is one of the examples from the National Crime Agency as to why we need the IPBill and automated filters to search a huge distributed database of everything everyone does on-line in the UK.

This really does show how invasive this will be if allowed to continue in to law. It is quite shocking. This is police state gone mad.

There are so many things one could say about this terrible example, I don't know where to begin. But here are just a few of the issues.

  1. Firstly I am surprised it is reported to the police as it would very quickly become apparent the the emails in questions are not from who they claim to be, and the recipients just put them in their spam folders and never see them again. Even so, this is some kid being naughty. It is not on, I agree, but does it really justify an expensive police investigation?
  2. If it was reported to the police, would they actually do anything to investigate? I would suggest not - we simple do not have the resources in the police to handle such trivial cases. It is a sad state of affairs I know, but the police are under enough pressure as it is. I seriously doubt the case would get any attention. Problems like this go away if ignored (look like they stopped after two weeks anyway), so even more likely to get no urgent attention.
  3. But seriously, if the sender is smart enough to use a Russian anonymising service, they probably are not going to get traced by this - for a start the service would probably be using https on a generic cloud based platform, or several of them, where the IP is shared with loads of other generic services and is changing all the time.
  4. Also, the service would almost certainly suggest ways to be less traceable, using wifi in a coffee shop, using tor, and maybe even offering delayed sending of emails so you can be in the room when the email arrives removing any suspicion from you and screwing with the above detection method.
  5. The whole thing relies on today's method of communication using a simple TCP connection, but that is changing, there are many other protocols and an increasing need (because of NAT) to communicate by a long standing persistent connection. As technology moves to that, any time stamp correlation goes out of the window.
  6. In practice, all of this will only identify a household. It is possible the household has more than one suspect (sisters perhaps), and the suspect does not confess. Even with one child in the house, what if they do not confess? So what then? A raid on the house, seize all computers, phones, and tablets for investigation, demand PIN and passwords to unlock them? Breadwinner of house has work laptop taken, ends up losing job over stigma? The kid in question used privacy mode on the browser so police find no trace, and even if they did, they cannot tell which of the sisters used the machine, so no conviction or further action happens.
  7. Worse, actual sender is a different kid, that uses the house wifi from outside, knowing that in this police state the house will get raided, which was their intention all along.
  8. Or finally, what if the the kid sends these abusing communications by post,. Does the NCA call for a national database of everyone's handwriting and DNA to be collected and stored. Or do we just go for cameras in every room in every house to keep us safe?
I am just shocked that they do not see this as an example of how invasive and police state this example shows the IP Bill to be... Shocked!

P.S. Look how easy such a system is for tracking the confidential source for a journalist, or such like. All without a warrant even!

P.P.S. Technical point...

The police would have the name of the service used. The CSPs would have the IP addresses of the TCP connections made - they would not have the name. (Yes, https can expose the certificate name using DPI at present, but that will change soon).

So, the query needs to state IP addresses to be checked, not a service name or domain name.

I see nothing in the IP Bill providing for a system to track the IP addresses used by every domain name in the world in real time as they change. Indeed, I am not sure such a system is technically possible. It would also have to track the "view" from each ISP at the very least as DNS servers can (and do) give different answers depending on who is asking. Such a system would be a really huge project, but without it, the police would have no way to know what IPs to ask the CSPs for in their search as they would have no way to know what IP was in DNS two weeks ago!

Thursday, 14 April 2016

Mondo

I have myself a Mondo card! Having used it for a week, I thought it worth reporting a bit about it, and what they seem to be trying to do.

Firstly, where it is now is basically a pre-pay MasterCard with a good API and App. This is actually a useful thing for certain people that seem unable to manage their money, want the convenience of a card rather than cash, but need to have a hard limit on spending, no overdraft, and a really clear idea of where the money is going. I can see it really being a heck of a cash alternative for a lot of people right now.

Where they want to get to is being a full bank, and the attitude seems right so far. The App is based on a published API, so you can program your own interface to it. Once it has BACS and fast payment stuff in and out, it will be actually quite useful even for business use. I'd love to be able to pick up incoming fast payment instantly at the company.

The other good news is that, as they are testing, they are taking feedback and suggestions and making changes, so there is a good chance we can make this a bank I would want to use. It is still early days, but interesting.

Anyway, looking at it now, it is worth explaining a few things that I have found so far.

I have the app on an iPhone and it is very nice.
  • Transactions show instantly, and I mean instantly - we did tests at the office charging me £1, and my phone was going "ka-ching" and showing the transaction as we hit the button to charge the card!
  • It works on-line, in shops, and for cash (with no fee on Mondo's side)
  • You can freeze and unfreeze the card from the app! Great if you misplace it.
  • You can tag the transaction with notes that show on the main "feed"/statement screen.
  • You can take a photo of a receipt and tag to a transaction
  • You can place transactions in to categories, including "expenses" which will make expense claims at work easy
  • You can advise the correct company name, twitter, Facebook, website for the company on a transaction, and they pick up the logo from twitter once the check it out - so even A&A have a logo on Mondo, yay!
  • There is text chat to query things and suggest ideas - can take a while, like 20 mins, but works well
  • They show declined transactions, and why declined (like expiry date wrong), which is brilliant!
  • You top up very simply from a saved debit card at the moment
  • You can send money, even 1p, with UTF8 (emoji capable) notes to any other Mondo card, instantly, on a fingerprint (yes, we are living in Back To The Future now where you can "thumb a quid" to someone)
Getting a card - you sign up and are advised of place in the queue, and you can refer other people to get bumped up queue. No checking on referral emails, so owning a wildcard domain is fun. What is slightly odd is that you cannot do anything referring a friend once you have a card - it is not putting them top of queue for example, only referring before you are top of queue yourself, or so it seems to me. You do need £100 to start.

Oh, and the cards are a horrid, very fluorescent, pink/orange colour. Victoria loves it!

Anyway, the kids are all getting them. Failing to manage money seems to run in the family, and this will help, I am sure.

I did note a card refund is slow - but I think that is the way cards work - auth is quick, credit is like two working days.

The other fun thing was my mobile number. As you may know I have an 01344 number on my mobile which breaks lots of systems, including Barclays, but Mondo accepted it. Then they could not text it. So I had to borrow a number to get the set up and PIN texts. The good news is that I then got them to correct it with no hassle (impossible on Barclays, I tried many times). Now people can send me money from a Mondo card using my (01344) mobile as the reference and it arrives (instantly). So well done on that!

Minor caveat - they are using some other bank and do not have a proper licence themselves just yet - read their terms carefully as to protection of money deposited. It seems legit, but maybe don't put all your eggs in that basket just yet,  just in case. Very much one to watch...

P.S. I like how they do not use the usual red=-ve, black=+ve, but green=+ve and black=-ve colour scheme.

P.P.S. As commented on twitter, thank you: "Pre-paid card with an app — looks good. Not credit card so no s75 CCA 1974 protection for, say, big whisky purchases"

P.P.P.S. The Whisky will be here tomorrow (Friday)!

Tax avoider?

With all the hassle Cameron is getting I am starting to worry that I will get branded a "tax avoider".

I drink a lot of fruit juice. I am pretty sure it is off-shore juice as well, after all we don't grow many oranges or mangos in the UK do we. It has all the sugar of energy drinks but will have none of the "sugar tax". So by drinking juice, and not red bull, I'll be avoiding my fair share of tax.

What worries me more is that I don't drive or smoke - that is loads of tax I avoid.

Is that ethical?

Saturday, 9 April 2016

My solicitor

This is not something I have done before as such, i.e. officially a solicitor on a retainer of some sort - "my solicitor". Obviously one does not go through 52 years of life without encountering the legal profession in many areas, but this is the first time I have had "my solicitor".

It has sort of come about as a result of A&A getting one. A&A have now engaged a solicitor on a more permanent basis, having used several for various reasons in the past. It is mainly down to finding someone we like.

It is one of those resources you hope not to have to use, but even little things like reviewing the wording of our terms and conditions at A&A, and so on, it is useful to pay someone to do that.

In fact the main reason for A&A getting one is to sort some letters to BT and TT over SFI issues, but more on that when the dust settles. If nothing else, it is massively helpful to have a second opinion on such matters.

I won't say the firm's name unless they are happy for me to do so. I believe it is correct to say they are a specialist telecoms solicitors.

But I thought "what the hell?" and have signed up myself to have a solicitor. I hope I never have to use you, sorry...

Dear Blogspot - just in case Verso Group (UK) Ltd contact you...

I get the impression Verso Group (UK) Ltd have given up actually talking to us - we have tried calling back many times, and offered to meet with them in our offices as he said "I'm going to come down to your office" after his 10:30 meeting last week - we were there and waiting, me and a solicitor (after all, he made several legal threats)... But I get the impression he may be trying to contact blogspot now.


Of course, that may be unrelated. It may be that there are more people than just myself causing him some concern. I could not possibly comment.

I posted on 17th March (here), but please note, whilst I mention Verso Group (UK) Ltd, I explain that it is only "apparently" a call from them - listen to the recording (which you don't host) and you will hear why, and the clear statement that the call is recorded to be posted in the public domain (Facebook). There is a clear statement from the caller that it is Verso Group and he confirms Verso Group (UK) Ltd calling as well as the call being from 02081507530 which is one of their numbers.

I posted on 6th April (here) which is a post to clarify matters as someone claiming to be from Verso Group (UK) Ltd (Dene Walsh himself, I assume) asserts that the call in question is not from them. I make that crystal clear in that post. This call recording is apparently not a call made by them. Given that it is not a call by them I am not sure they have any legal reason to suppress it.

I posted on 8th April (here) with a purely factual link to an OFCOM news item investigating Verso Group (UK) Ltd.

The call recording is not hosted on blogspot!

I own copyright in the call recording, and if you listen to it (here) you will hear that the caller is giving permission for it to be published on Facebook, where it is. I do not see that this is any concern of Verso Group (UK) Ltd if they did not make the call.

Given that I have made it clear that the recording is apparently not made by Verso Group (UK) Ltd, it is clear that no matter how stupid, idiotic, ironic, moronic, or ill informed, the caller sounds, or how unlawful such a call is to a TPS registered number, that is not in any way defamatory of Verso Group (UK) Ltd, as they were (apparently) not the one making the call. I can't see it is defamatory at all, but if it was, then it is defamatory of the unknown caller and not of Verso Group (UK) Ltd, as they are apparently not the caller.

I have offered to help - I am happy for the call recording to be used as evidence in pursuing someone impersonating Verso Group (UK) Ltd.

Indeed, I am happy to contact the call provider, Andrews & Arnold Ltd, to try and get the call traced to the real source and identify the spoof caller to assist in enquiries. Indeed, I may do that anyway - wouldn't it be funny if it really was a call from Verso Group (UK) Ltd after all - but that is purely amusing myself with speculation and not to be taken seriously in any way.

Anyway, Blogspot, if someone makes a complaint, feel free to contact me, and my solicitor will be happy to discuss the matter with you right away.

P.S. was I bang on?


Friday, 8 April 2016

Verso Group (UK) Ltd

I see Verso Group (UK) Ltd are being investigated by OFCOM

"Ofcom has issued a notification to Verso Group (UK) Limited (“Verso Group”), under section 128 of the Communications Act 2003 (the “Act”) as part of Ofcom’s ongoing own-initiative investigation."

More details here...

Remember this is the bunch that definitely did not call, me honest guv... Listen here.

Wednesday, 6 April 2016

Posting about A&A

This is my personal blog. The text on the right makes that clear. But I post about A&A stuff from time to time. So what's the deal?

Well, yes, this is my personal blog, and it is not in any way ever any sort of official statement by Andrews & Arnold Ltd. This is the very reason I made the blog, so I could make frank personal and even emotional posts (rants even) that would perhaps be unprofessional if made as posts by the company.

When I post about A&A I am posting because I work there and am a director. I am posting about my personal experience and about my day. I live and breath A&A - it is hard not to when you own and run a small company. But I am posting about my day and not officially as the company. I post because the company allows me to post details of things that have happened and are happening in the company from my personal perspective. Not all employees of all companies enjoy that freedom, and it is good being the boss to allow myself that freedom.

I do have to be a bit careful and draw lines - the company cannot give any employers carte blanc to reveal personal information. I try to ensure I am playing by the rules, but also that I can tell people what is really happening without feeling too constrained.

So yes, some times, details of what is happening in A&A get posted here. I like to think I can post more about the experiences and the challenges and the issues in a more frank and personal way than could be done "officially".

I also post on the A&A status pages as "official" comment and news items on the A&A web site, but they are more politically correct as an official company statement.

It means I can really explain some of the frustrations. It was due to serious rants against BT back in the day when we only had the A&A status page that caused me to make this blog, and why it is called RevK's Rants in the first place. It was, back then, getting to the stage that BT were causing me a lot of very unprofessional stress and frustration. It was not right for the company to make such statements, so I make them personally in my blog. These days BT are generally much better.

I find it massively therapeutic to put my concerns down in writing. I can lose sleep over an issue for days, but make a blog post on the matter an I can "put it to bed" and sleep better. Some things need to be said and this is a forum on which to say them.

I hope that makes sense, but I thought it worth just making clear - there are people that massively confuse the personal blog that this is, and the company, and think they are the same. They are far from it. Andrews & Arnold Ltd have no editorial control or responsibility for this blog in any way. It is all me.

Verso Group (UK) Ltd

I want to set the record straight here.

When I made a blog post on the 17th March (here) I honestly thought the unlawful junk call I had received had been made by Verso Group (UK) Ltd. I am TPS registered and this was a marketing call, so unlawful.

You can see how I might have jumped to that conclusion:
  • The call was from 02081507530, a number from which they apparently call
  • The caller claimed to be calling from British Savers Club, a name they apparently use
  • This was apparently a "lead generation" type call, the very business they are in
  • The caller claimed to be calling from Verso Group, even spelling it for me, and confirming when I said Verso Group (UK) Ltd.
It was an easy, and honest, mistake to make, as you can see.

It seems that I was wrong!

Someone has called today apparently from Verso Group (UK) Ltd, and stated in no uncertain terms that "We've actually never dialled him", and "the recording he's posted has nothing to do with our business", and "it wasn't a call that was made by our company".

So clearly, on the word of a man claiming to be calling from Verso Group (UK) Ltd today, I have to assume that the call from a man claiming to be calling from Verso Group (UK) Ltd on 17th March was actually lying, and was not in fact calling from Verso Group (UK) Ltd and was, in fact, an imposter.

I do sincerely apologise for making this assumption.

The blog post makes it clear that the call was only apparently from Verso Group (UK) Ltd, and I hope that my apology here meets with the approval of Verso Group (UK) Ltd and clears up this misunderstanding.

I appreciate that it can be frustrating when this sort of thing happens - we have had A&A customers get pop-ups claiming to be a survey by A&A and then being a scam, and they too are nothing to do with us.

I am really struggling why someone would impersonate Verso Group (UK) Ltd, and to what end, but that is what they are suggesting has happened. You have my sympathies, Verso Group (UK) Ltd. Clearly you are not the sort of company that would flout rules on calling people on the TPS, or laws on company names on web sites and emails, or any of those things, oh, wait... No, really, it was not you calling, obviously.

The good news is that, now that we know the call was definitely not made by Verso Group (UK) Ltd, it is clear that there can be no issue with my posting the recording - here it is again for you to listen to. Remember, it is apparently not actually Verso Group (UK) Ltd making the call, so no matter how daft they sound, you should not form any bad opinion about Verso Group (UK) Ltd when listening to it. Even so, it does not even appear to be defamatory of Verso Group (UK) Ltd in its content from what I can hear - it is the exact business they are in - lead generation, and exactly the sort of call people report as having received from them on various forums. I made it clear in the call that it was being recorded to post on Facebook (which that link is) and he said "yes" and continued with the call. Verso Group (UK) Ltd have no say over the call recording as it was not them making it, not that they had much anyway, but they can't claim the employee was not authorised to agree to publication as it was not their employee.  They cannot claim it is private or confidential as it was not them making the call. It may be useful evidence for them if they have an issue with people passing off as them and I am happy for them to use the recording for that purpose if they want to pursue legal action against the actual caller.


Anyway, now that is out of the way, it is interesting to report on some aspects of my day...

Last night A&A got an email, claiming to be from Verso Group (UK) Ltd,  threatening legal action, claiming that the recording is private and confidential and Verso Group UK Ltd do not give any permissions for the recording to be posted on a public domain. Well, permission was obtained in the call, listen. But this seems at odds with the claims today, apparently from Verso Group (UK) Ltd, that they never made the call. If they never made the call they cannot claim it is private or confidential to them! Maybe this email was also from an imposter! Or was it the calls today that were from an imposter. How could I know?

Today we got calls from someone claiming to be from Verso Group (UK) Ltd. Again, threatening legal action against A&A, saying "I'm going to come down to your office", suggesting that I am "hiding behind a social media page" and that he would "rather the guy had a bit of balls and contacted me". Oddly, calling back his office twice this afternoon he was in meetings or on a call and did not call back - maybe it is not his turn for the balls today? (I assume these are like executive stress balls or something).

With both written and verbal legal threats against A&A, we had our solicitor on site all day as he said "I'm going to come down to your office" after his 10:30 meeting. We waited, and waited. Solicitors are not cheap, so I hope he does not mind the the bill if this does go any further against A&A. Hopefully he'll consider the matter settled with the above apology. I wonder how many of the complaints on the various forums and even the Verso Group (UK) Ltd Facebook page are actually by imposters! What a terrible situation to be in.

As I own copyright in the recording I am saying now that people can copy and repost it as much as they like and laugh at the irony of a company (even if it was not in fact Verso Group (UK) Ltd) trying to sell me better broadband!!!

Monday, 4 April 2016

Number porting, Broadband, and VoIP

Hopefully I am not jumping the gun here, but we'll know for sure in two weeks.

Normal landline phone services have phone numbers, and some times there are numbers people have had a long time and do not want to lose.

People want to move numbers to VoIP. This allows the numbers to be handled in a much more flexible way than a landline - easy to route to different places, diverts, and well, almost anything. You can set up your own VoIP platform and do almost anything. It is also really good if moving house as it means you can keep your number. VoIP usually has lower running costs and call costs too.

Broadband is usually provided on a normal landline phone number, and requires that phone line to stay working or else the broadband gets ceased - making it expensive and time consuming to re-instate it.

Maybe you can see where I am going with this. People with a landline, and broadband, sometimes want to move their number to VoIP and not kill their broadband.

We have known for some time that this is, in theory, possible, but only now have we managed to find the exact incantation that should allow this to be possible. Yes, my wife is sat in the front room knitting and watching Happy Potter. Working with BT does make me feel that I need to spend a few years in Hogwarts before I try the correct XML spells on BT.

Normally, a number port is "Gaining Provider Led" and means that the new operator asks to take the number. 14 days later, if no objections, the number moved over. But this is the rub - the porting system is done on "service" not number. Having ported a service, like a normal landline, the service is inherently ceased as a result of the number port. That ceases the broadband.

However, we now know there is a modify order called a Renumber with Number Export which should renumber the landline, and make the old number available as part of a number port out to another operator. The Renumber part should not in itself break the broadband. Well, that is the theory.

We have this in progress on two of our lines and will know in just over 2 weeks if all works.

This means we'll be able to take over the phone line for someone with broadband, allow incoming calls on the line and outgoing on VoIP, and then move the number over to VoIP totally 2 weeks later. If we are really lucky, it may be possible to do the take over and renumber and port all in one go.

The line is then broadband only and somewhat cheaper (we charge £10/mon) and the number and telephone service is VoIP (we charge £1/month plus call charges). I don't know yet what this will cost but I don't think a renumber is that expensive. We'll have to price it up.

So, fingers crossed!

Update: First attempt went badly with renumber cancelled by number ports, and then ceases due to port not properly cancelled on BT systems, and a mess we are trying to get sorted. However, the good news is we now know how the process works, and it appears it really is possible to so what we want, so we are testing again.

Sunday, 3 April 2016

Growing pains - pain relief

I am pleased to say that this mornings work seems to have been a total success. It did take a lot longer than expected with several "quirks" in the cisco switch as well as one in the FireBrick.

Several people have asked what we are doing, so I thought I would explain.

We used to have a simple set up of one LNS (L2TP Network Server) to one BT back-haul fibre. This worked well. As we expanded we increased the number of BT links and LNSs.

However, when we added BE and later Talk Talk back-haul we use the same LNSs. This is so we can do bonding between BT and TT lines. This worked pretty well.

The snag has come where we need to expand the number of LNSs we have, but we don't need more BT links (yet). Indeed, we may need more TT links soon. The link of one LNS to one BT link no longer works.

So this morning we undertook the biggest restructure of our broadband handling network for around 8 years.

The change is that each BT and TT link now has a separate BGP connection that is not the LNS. This then links over to a pool of LNSs to spread the load, and allow more LNSs. We have deployed three more FireBrick FB6202 LNSs this morning.

This does, however, present some issues. The big one being how we balance the load to and from BT.

For traffic to BT/TT, we are using ECMP (Equal Cost Multiple Path). This balances traffic, but does so using a hash of IPs and ports. The snag is that there may not be many IPs and ports involved in L2TP. The ports are 1701, and in some cases there are very few IPs. BT actually expose all of their hundreds of LACs to us, but TT expose four!

The traffic from BT/TT is not so easy - we can't expect BT or TT to use ECMP, so we have to balance some other way - and we do this by using specific LNS endpoints. The snag is that you want to share N LNS endpoints over M links somehow? It is not simple when they do not divide up nicely. So the answer is a set of IPs NxM, allowing steering of sessions to hit one of these with reasonably even distribution, and allowing both an even spread over the LNSs and at the same time and even spread over the links to the carrier.

This has the side effect of giving the hash used by ECMP more to play with.

The end result is a much cooler looking "weather map" of our network with a lot more LNSs in use. It also means we can go back to rolling over night updates of LNSs, which we expect to do over the next few weeks.

It allows more LNSs to be added without breaking things, and allows more links to either BT or TT as needed.

The next step is some fine tuning of our external links to transit and peering, but for now, we have the capacity we need to grow for some time.

This is hard work, and expensive kit, but it is well worth it.

Thank you for your patience.