Wednesday, 18 October 2017

Social care / low income mobile tariffs

For a very long time, since before it was BT, there have been special BT tariffs for low income customers. It used to be a "light user scheme", which fell foul of competition from the likes of Mercury for a bit, but has changed over the years.

The principle is that the majority land line provider, BT, has to offer a social care special tariff for people on low income to ensure they can afford a means of communications. It is now called "BT Basic" and "Basic aims to keep phones ringing in the most vulnerable households by charging as little as possible: £5.10 a month." which is not bad.

Indeed, that should perhaps be good enough, but so often these days an actual landline is not what people want, need, or use. Indeed, even £5 a month is a lot more than you need to spend if you go for some really simple "pay as you go" SIM card on a cheap mobile - and remember, non-smart phones can be purchased SIM free for like £9!

So the real question is should mobile operators be required to provide a special low income tariff. I expect they would want to only have to offer to those on benefits.

What would such a package need to offer?

This is just my musings from what I know of how it works...

Many of these things are covered by PAYG packages. What would make sense is a consistent package, basically the same on all of the major networks, with the same costs, so people can make sure they get the right package if they are on benefits and just need to stay in touch.

Obviously it has to be SIM only - the packages that include the "latest phone every 6 months" can only do so by charging enough on an ongoing basis. Cheap SIM free phones are readily available, so this is not a problem for someone on low income that needs to stay in touch. No, it does not get them a nice "smart-phone", but they do cost money, sorry.

In general mobile phone companies can still make some profit on incoming calls, it is not ideal these days, but basically there is a good argument that keeping a SIM live on the network is almost no cost, and even the occasional incoming call can cover that cost. So it makes a lot of sense if such a package has no ongoing rental. That way someone can stay in touch if they have no income and people call them. Some PAYG packages work like that. The same applies to incoming SMS. If you have no money at all and cannot afford to make any calls apart from 080 numbers, people can still call you back.

Freephone calls from mobile are now set up to ensure the mobile operator gets some reverse payment for the call, and so such a service could offer freephone calls (080 at least, even if not 00800) for no charge. The recipient pays.

Mobile data is a tricky one - I imagine that is not "needed" for a social care package, but maybe that is changing and actually it is becoming more important. It makes a lot of sense if this is pre-pay and charged but at some sensible rate. The whole "data" and "access to the Internet" debate is somewhat separate.

I guess outgoing calls make sense to charge on a simple pre-pay, pay as you go basis, but something the operator can manage like 1p/minute to normal numbers and something sensible for actual SMS. I suspect that this is close to cost price for a lot of operators, but this is a social "low income" package here.

Special numbers - a good gesture would be to allow 030 numbers to be free, or a certain number of minutes per month free. This is tricky as they will cost the mobile operator, but they are unlikely to be abused as they are numbers only for government and registered charities. It would make sense for the universal credit helpline to move to an 0300 number for this. I am puzzled as to why they are on an 03 and not an 030 number now!

International calls - a fair price on a pre-pay basis may make sense.

I would be in favour of such a tariff not allowing any sort of premium rate calls or texts at all. They can be a trap for those on low income, especially gambling...

So what do you think?

Should the big mobile operators be obliged to offer such a tariff to people on benefits?

(Yes, as I say, some PAYG tariffs are damn close, but should there be a defined tariff and all operators offering it?)

55p a minute

As reported a lot in the news, the leader of the opposition raised questions of the Prime Minister over the 55p/minute universal credit helpline number.

There have been many stories on this, that 55p/minute is a rip off.

But what is going on? Is the helpline set up on some super expensive premium rate number?

No, it is not. It was on an 0345 number. This is a number charged at normal rates - the same as calling a normal landline. It is not premium rate, no money from calls goes to the recipient. It is no different in cost to the millions of normal landline numbers in the country.

You would be hard pushed to find which tariff has the 55p/minute charge, and apparently there is one, a mobile package that, when calls are out of bundle, does actually charge 55p/minute for calling normal landline numbers and so for calling the helpline.

The issue is a stupid issue blown out of all proportion. It is not an expensive number, it is an expensive mobile phone contract which is expensive for all numbers.

Pay as you go mobile SIMs are readily available charging a few pence per minute, and in fact most mobile and landline contracts have an "inclusive minutes" package which includes such calls at no extra cost at all. If someone chooses a mobile contract that charges 55p/minute to call normal numbers, that is their look out - there are a lot of alternatives.

What really annoys me about this is that I would love to get the Prime Minister discussing loads of things, real issues that cause problems, but instead we have parliamentary time wasted on a contrived news story like this.

Some poor telecoms manager will be over budget now after being forced to quickly change it to a freephone number, so will be paying a surcharge for incoming calls from mobiles, when previously they did not have to pay for incoming calls and 99% of callers were not paying either as it was in their call bundle.

Is the country now run purely on news stories, even made up ones?

P.S. I have had some interesting comments on this (here and irc). Basically, if the criticism was valid it would surely equally apply to say, my Doctor's surgery, who have a normal Bracknell landline number which would also be 55p/minute on that tariff. Should everyone that could possibly be called by someone on low income be forced to run 0800 numbers?

P.P.S. Holy crap, there are scammers with web sites quoting 0844 (very expensive) numbers that presumably simply call through to the actual number...

Monday, 16 October 2017


Audio recording of conversations is a tricky business, and call recording is one aspect. The rules and advice and laws have changed. Some aspects are simple telecommunications and "interception" laws, and some can fall in to data protection where the identity of a living individual is apparent from the recording. Even with data protection laws, caveats like "public interest" and "preventing or detecting crime" come in to play. So it is not simple.

We, as a communications provider, sell telephony services where call recording is a standard feature. If you have a number from us even if connected with a mobile SIM, or VoIP phone, we can record calls and email them to you as a standard feature at no extra cost. It is really very useful.

Personally, I record all calls. As a business (A&A) we record all calls. Indeed, for business it is so common it is to be expected and you don't even have to say that calls are recorded (we think).

There are issues with "why" the calls are recorded and "who" gets to access those recordings.

Now, as a service we offer, it is important that our customers understand the rules on the recordings of calls they make or receive.

So later in the year (or next year), in light of GDPR, we need to work it all out. The plan is to make some proper legal advice on call recordings, when and how. I'll be blogging on the matter, and A&A will have advice for customers as much as we can.

At the end of the day, the fact a call was recorded usually only comes up when someone wants to deny what they said, or agreed. Once you get to that the fact you recorded the call is not the issue, it is the fact someone lied, or broke a contract, that matters. They cannot get out of that by saying they did not know the call was recorded. That is saying "If I knew it was recorded I would have told the truth" which is not going to wash with any judge, I suspect.

So watch this space on that...

But there is something weird that happened today. A public body wants a meeting, but their "policy" is (a) you cannot bring a solicitor, and (b) you cannot record the meeting. The second point is odd, well both points are odd, but especially as they say they will be recording the meeting and will send a copy of the recording...


They say this is "policy"! Policy is a lovely term and we see it all the time. We have encountered BT policy as a company. We counter such things saying "A&A policy is X". When anyone spouts "policy" they are dictating something as an immutable rule when not considering that the other party may legitimately have their own conflicting "policy" on such matters.

It is my policy to record all meetings... This is one reason it is not me going tomorrow.

Let's record...

So we have pondered some legal points - if all participants of the meeting know it is recorded and know that we will get a copy of the recording, is there any legal impediment to us covertly recording the meeting? I think not... I am not a lawyer, but it is an interesting legal point. Comments?

You also have to wonder why, though? I can think of two reasons. The main one is for them to be able to edit the recording before providing a copy. That is not, in any way, a stated intention, and would be unethical I feel. The other is to hold copyright on the recording - but one could make your own transcript using the recording to ensure accuracy and hold your own copyright on the transcript - so not a useful right to retain. Either way, something wrong with not allowing both parties to make a recording. Neither party making a recording may be a valid thing in some cases, but hard to see why a public body would want such an "off the record" meeting, and they have not said they do. It just makes no sense to refuse us making a recording when they will and provide us with a copy!

So, what to do... We will have to see...

I find myself in one of those situations where I would love to say more - to say which public body, and what is at stake. As you may imagine, doing so at this stage could be a problem legally. But it is an interesting legal point, and I know several legal minds read my blog - so comment away...

What is the law on recording a meeting?

P.S. Thanks for all the interesting comments. Meeting went well enough and no sign of a coverup, which was a surprise. Not something we can say more on at this stage. Solicitors next. Sounds like the no-recording is just bullshit policy crap (incompetence rather than malice).


I'd thought I'd share one of the challenges of my day today - a very minor thing but it shows why some software can be such a nightmare. Maybe I can explain it in a way that is easy enough for non engineers to understand.

Sometimes a computer may be doing something wrong. That happens. One example which customers will have noticed is our "blip graph".

What is wrong is pretty obvious in that it is meant to have red (logouts) and green (login) bits, and until a few minutes ago it was only green. It is not a big deal, or highest priority, which is why I am looking today and not yesterday. We use it mostly to identify issues with the network, so it is useful and did need fixing.

What did you change?

One of the key steps in diagnosis of something like this is to look at what you changed. You then try and see if there is some link between what you changed and what is going wrong. In many cases you can just look at the changes and the error sticks out like a sore thumb.

A perfect example would be if I had, for some reason, been working on the code that creates the blip graph from the database, or if I had been working on the code that puts the blip counts in to the database.

I would be able to look at my change, and wonder why my own testing had not shown the problem as well. There are tools to show me exactly what I changed.

It is also really useful if a problem is reported quickly as you also remember why you changed something and what you were trying to actually do as well.

We changed everything and nothing!

The problem is that we changed everything because we have done a major upgrade on clueless. We have also changed nothing, in that none of the code has been changed, just built on the new machine.

The code that makes the blip graph has not changed, and the code that displays the blip graph has not changed. Clearly the database is working as we have some of the blip graph. Indeed, it really made no sense.

Error logs?

One of the key things that lots of systems have are error logs, and we check these. But there are no errors being reported by the system that generates or displays the blip graphs after the upgrade, and there were none in the past. So no clues there...

How did it ever work?

After a lot of digging I have found the cause, and it leads to one of those special things that can so often happen with software. HOW THE F*CK DID THIS EVER WORK?!

The "digging" took quite a few hours, because there simply was no logic to it. Nothing had been changed recently in the code, and no errors showing.

I quickly worked out that the displaying side was probably OK, but the database has zeros for the "logouts". The code to record the data looked the same for both login and logout, so how could it only be recording one side?

The eventual bug was a stupid mistake on my part in the code, written 8 years ago. I was comparing a date and time value with a time field in one case because of a simple typo. For the login side I did not have the same typo. It was subtle.

The problem is that the database server used to (silently) decide that I meant to just compare the time part, and get on with it, and it "just worked". Now, some change in the date/time logic in the database means that it considers the comparison not to match - though not an error, so it (silently) does nothing, instead.

The fix was therefore very simple, and now we have working blip graphs. Just one of dozens of small things to check today. So, if you do see things not quite right on clueless, do let us know.

I hope that gives some insight in to the perils of programming.

Sunday, 15 October 2017


I do feel it worth acknowledging the work of the A&A ops team, and especially Jimi and Brucey, for the upgrade today. They are not alone and we have all been involved in the planning for this. Even those not in the ops team have helped out and tested things, and thanks to customers for ongoing feedback.

We have a core server which has logically been the main database and control pages for everything we do for nearly 20 years. It has had many upgrades, but has got to the stage that we really need to do something new and a big upgrade.

A lot of functions are already moved to new servers, with extra redundancy. The database server moved to a cluster of SQL servers. Lots of internal VLANs and VPNs. Lots of backup servers. And much more we can now move and diversify.

But today was the big upgrade of "clueless".

It is interesting to think how "clueless" has changed over the years - at the start it was very much "the" key database server albeit only for our dialup services and even then accounts were very much separate. Now it covers many more services but is far less critical being mainly a front end for staff and customer use. Even so, it is an important server.

For those that do not know, the origin of "clueless" is a cartoon from June 2000.

It is that old in origin. Yes, we have a "pointy" as a test platform for clueless...

The changes are supposed to be simple, but the upgrade is operating system, and apache, and mysql, and, well everything. Apache config has changed enough that despite a lot of planning and testing it has taken hours of work today to get it right. Scary how many things run on clueless, at least for now.

But all tools and scripts, and there are a lot, needed rebuilding and testing and fixing.

There will be some things not fixed until tomorrow, but the basics are all working and the important things were sorted first. Well done all.

Friday, 13 October 2017

Another little gem in the OFCOM CoP

There is another little gem in the OFCOM Broadband Speed Code of Practice in 2.23

When network infrastructure providers or wholesalers make available the live access line speed that is actually received on the customer's specific line, ISPs must use this as the basis for speed estimates (rather than using an access line speed range for similar lines) in circumstances where they will be using the same infrastructure and access technology to provide service. This must incorporate the measures of contention derived from the testing outlined in paragraph 2.20, and should still take the form of a range, where possible.

So, let's make sense of this. Normally the requirement is to provide a range of estimated speed that are the 20th and the 80th percentile speed of "similar customers", and set a guaranteed minimum of 10th percentile speed. As I say this makes one in ten lines faulty by definition.

But consider one of those random one in ten that are faulty, getting service. They complain. The ISP "canna change the laws of physics captain" and it gets no better, so the customer gets a refund and leaves to another ISP.

So new ISP ideally gets to see the sync speed, or gets from a carrier new speed figures based on the carrier knowing the actual sync speed. This gives a few problems :-
  1. Knowing the new sync speed it is still necessary to report a "range" ("where possible"). Well, the only range allowed is 20th and 80th percentiles, but this is a sample size of one! The 20th and 80th percentiles are the actual sync speed of that one sample. How could a range be given? What are the rules for working out that range? I can only assume it is going to be not possible, or the range will have to use some other, perhaps saner, criteria than percentiles.
  2. Assuming the ISP just makes shit up and picks a range from below the actual sync to above the actual sync in some arbitrary and undefined way, and then, of course, picks an arbitrary minimum guaranteed speed that is even lower, what then? Well now the customer migrates to a new ISP, using the same modems and the same line, and getting the same speed. All that has changed is that now they no longer have cause to complain.
This helps the customer how, exactly, OFCOM?
This helps the ISPs or gives them any incentive to change things or invest, how, exactly, OFCOM?

Maybe the existing ISP, on complaint, can offer to "migrate you to us, at no charge, here are your revised speed estimate and guarantee"? Who knows...

Wednesday, 11 October 2017

Small world, it is...

So, my Daughter is in Paphos in Cyprus on holiday along with several others in the family, or as perhaps I should call them "minions" :-)

She just bought something and it came with a silly plastic toy, as things sometimes do...

Well, they looked at the bottom of the toy...

Yes, that is right, Bracknell - which is where we live...

Which is pretty amazing, being that she is over 2,500 miles away.

But you think that is fluke, look at the postcode.


RG12 1QS...

That looks familiar...

You may know an ISP whose office is in RG12 1QS. They must be one of the buildings next to us!

(Thanks to James for sending me the pics / story).

Concrete example of 10th percentile issue

Given OFCOM's idea that one in ten lines are faulty it may help to provide a concrete example of the problem here and explain quite how daft this really is. For example, it is not, as some may assume, the slowest 10% of lines in the country.

A friend of mine has a broadband line, it is close to the cabinet, so the forecast sync speeds on 20th to 80th percentile are 79Mb/s to 80Mb/s. He gets 79.912Mb/s. He has no complaints.

The 10th percentile is for "similar lines" and so BT will have banded lines that are that close together and sampled them and looked at the range of speeds that such lines can get so as to find 10th, 20th and 80th percentile. This means some aggregation. I don't know for sure but this could be a band of line lengths 0-500m from cabinet. BT will have done some level of aggregation - we may even be able to find what, but it does not matter for this explanation, so we'll assume 500m line length bands for now.

The 10th percentile is 74Mb/s. This means that lines in that "band", i.e. "similar" lines, sync at a range of speeds from below 74Mb/s up to 80Mb/s. Indeed, many would probably sync well above 80Mb/s if the sync was not capped.

One in ten of these lines will get below 74Mb/s - that is the very definition of "10th percentile". Whilst the occasional line will actually have a fault (less likely on such short lines) and still sync at a lower speed, the main reason for being below 74Mb/s will be the line length from the cabinet.

So, assuming this is, say, a 0-500m band it could simply be that everyone over 450m from the cabinet gets less than 74Mb/s, a simple fact that they are a certain line length away. Not something anyone can change.

So imagine such a person at say 490m away is getting 73Mb/s. The line may be perfect. The modem may be perfect. There may be nothing that can be done to make the line better or the sync faster whilst using this technology.

Yet, that person is one of the "one in ten" deemed faulty by OFCOM. They can insist the ISP tries to make the line better, engaging engineering time and effort. They can even insist on a refund. Simply because they are one of the "one in ten of lines" below the 10th percentile for "similar lines".

Now, let's look at their neighbour, who is, say 510m away. They may find they are in a 500m-1km band, and get lumped in with such lines for their forecasts. Being so close to the top end they may be in the top 10th percentile, even though they sync at a lower speed, say 70Mb/s. So their line is not deemed to be "faulty". Indeed, they could find themselves with a 50Mb/s guaranteed minimum, have an actual fault on their line dropping it to 51Mb/s and not be caught by the code of practice.

Please explain to me how this mad system where arbitrary bands of one in ten people at various line lengths (depending on arbitrary choices of "similar" line groupings BT do) are to be deemed to be faulty is meant to actually help consumers? It is not like these people are more or less likely to have a fault, or that they are good candidates for some changes in technology so as to improve speed, or even that they have "slow" lines, they are simply "one in ten".

A graph may help explain...

Tuesday, 10 October 2017

One in ten UK broadband lines are faulty, says OFCOM?

We have had this in the past and once again we seem to be facing another (voluntary, phew) broadband speed code of practice from OFCOM.

Our reply to the latest consultation is here (pdf).

But once again the big issue here is that OFCOM consider any lines where the speed is below the 10th percentile of speeds for similar lines to be "faulty".

This means :-
  1. The customer can expect the ISP to try and "fix" the line, taking up to 30 days to do so.
  2. The customer can expect to be allowed to exit with no penalty and to get a refund of upfront costs if not fixed within 30 days.
Now, if the line is actually faulty, as some will be, this is all very reasonable. But the threshold is not a "fault threshold" as determined by measuring the speed of similar lines that are not faulty. It is set to the 10th percentile of speeds of similar lines.

This means OFCOM are defining that one in ten lines are faulty, end of story... In fact, this is a moving target. If some part of those lines are faulty and fixed, all that does is push up that threshold.

In fact, assuming the ISP can get a refund from Openreach or the carrier then it is in their interests NOT TO TRY AND FIX such lines. If they do, they will end up with more and more lines that are NOT FAULTY but below the 10th percentile if they do start fixing the genuinely faulty ones. Those lines simply cannot be "fixed" and so just cause even more hassle for the ISP. An ISP will actually want a load of low speed faulty lines that are not complaining so as to reduce the 10th percentile level.

The problem is that if you are unfortunate enough to be in that bottom 10th percentile, and bear in mind that one in ten people will be, you may well have a service that is indeed doing the best it can and there is no fault whatsoever on the line that can be fixed by anyone.
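The moving-target argument above, and the 0-500m band from the "Concrete example" post, worked through as an added example (not OFCOM's or BT's method, and not from the original posts). The speed model, the five faulty lines and the 15Mb/s fault penalty are all constructed assumptions.

```python
# Added illustration; every number below is constructed, not BT or OFCOM data.
CAP_MBPS = 80.0            # sync cap used in the post
FAULT_PENALTY_MBPS = 15.0  # assumed speed loss on a genuinely faulty line


def healthy_sync(length_m):
    """Assumed model: capped at 80Mb/s, then falling 1Mb/s per 10m beyond 390m."""
    return min(CAP_MBPS, (1190.0 - length_m) / 10.0)


def build_band(faulty_indices=(7, 27, 47, 67, 87)):
    """100 'similar lines' spread evenly over a 0-500m band, five with real faults."""
    lines = []
    for i in range(100):
        length = 2.5 + 5 * i
        faulty = i in faulty_indices
        speed = healthy_sync(length) - (FAULT_PENALTY_MBPS if faulty else 0.0)
        lines.append({"length_m": length, "faulty": faulty, "sync": speed})
    return lines


def percentile(values, p):
    """Nearest-rank percentile: the value at rank ceil(p * n / 100)."""
    ordered = sorted(values)
    rank = max(1, (p * len(ordered) + 99) // 100)
    return ordered[rank - 1]


def assess(lines):
    """Apply the rule: any line below the band's 10th percentile is deemed faulty."""
    threshold = percentile([line["sync"] for line in lines], 10)
    flagged = [line for line in lines if line["sync"] < threshold]
    return {
        "threshold": threshold,
        "flagged": len(flagged),
        "flagged_with_fault": sum(1 for line in flagged if line["faulty"]),
        "flagged_healthy": sum(1 for line in flagged if not line["faulty"]),
        "shortest_flagged_m": min(line["length_m"] for line in flagged),
    }


def fix_all_faults(lines):
    """Repair every genuine fault; line lengths cannot be changed."""
    return [
        {"length_m": line["length_m"], "faulty": False,
         "sync": healthy_sync(line["length_m"])}
        for line in lines
    ]


if __name__ == "__main__":
    before = build_band()
    after = fix_all_faults(before)
    for label, band in (("before repairs", before), ("after repairs", after)):
        print(label, assess(band))
```

In this constructed band, repairing all five faults raises the threshold from 71.25Mb/s to 73.75Mb/s, and the lines still flagged are the nine longest ones (457.5m and beyond), none of which has a fault.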

It is as bad as trying to say that every school should be above average or some such. It makes no sense. Why on earth do OFCOM still insist on this nonsense in the code of practice? Why do so many large ISPs agree with OFCOM by signing up to their code of practice? Are BT plc really saying one in ten of their lines are faulty? I am glad A&A don't say that to be honest.

I wonder if any other countries in the EU or the world publish stats on broadband take up, and how many of those lines they consider faulty. The UK must be leading the way with 10% of all lines being faulty by definition of the regulator.

I have to wonder if there is any other industry in the UK, or in the world, where the regulator defines that one in ten of the things you sell are faulty, regardless of what you do, even to the extent that customers can get a refund on that basis? Imagine if OFWAT defined that the lowest 10th percentile of water pressure was a fault and water companies had 30 days to fix or else refund the customer. This is basically what OFCOM are saying about broadband.

We'd love to sign up to the CoP, as it has many good things, but until this fundamental issue is fixed I don't see how we can. We simply do not agree that one in ten UK broadband lines are faulty, sorry. When there are faults we fix them (whatever speed that means your line gets when faulty).

The fix?

Have the modem providers, e.g. Openreach for most FTTC/VDSL, and BT Wholesale or others for most ADSL, define a realistic "fault threshold" which is the lowest speed for non faulty similar lines. Use that as the reference, and have them guarantee that to the ISPs who can pass on that guarantee to the end users. Not complicated!

Monday, 9 October 2017

SolarSystem alarm and web sockets

It needs saying again, web sockets are awesome - so simple. I have them properly plugged in to my new alarm system - see the video.

So next step is probably to release the web socket library on GitHub as well. The alarm system is being worked on to integrate even more - the next step is an interactive floor plan showing PIRs, door and window sensors, doors opening, all sorts, in real time on a floor plan.

Saturday, 7 October 2017

Websockets are awesome

There are some things that modern browsers do that most people do not realise, and which are awesome. One is svg, which is a whole other blog post, but the other is websockets.

They are awesome as they allow a web page to connect to some resource and keep that connection alive and open whilst that page is open, and asynchronously send or receive data on that connection.

Yes, this seems like something that has been possible on an RS232 cable for a while, but actually from a user interface point of view it is pretty big. It allows messages (blocks of data) to be sent and received. I am using JSON objects, but it could be anything.

My main application, and why I put together my own websocket server library, is to allow my alarm system to do stuff using web sockets. It means we should be able to do a floor plan with images of PIRs and doors and all sorts, updating in real time, and clickable to do things. That will be magic for installing the alarm and walking around with an iPad, but also for remote monitoring. Imagine making a page with embedded security camera footage, and so on in with sensors and doors and so on.

Today I bolted on the web socket library to the core alarm system, and all I added were a few lines of code to mirror the keypad on the system. It just worked, and a couple of lines of javascript and it looks magic.
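What a websocket server has to do on the wire, following RFC 6455, as an added example. This is not the author's library or alarm code; the JSON message and its field names are constructed for illustration.

```python
import base64
import hashlib
import json
import struct

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID defined by RFC 6455


def accept_key(sec_websocket_key):
    """Value the server returns in Sec-WebSocket-Accept to complete the upgrade."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_json_frame(obj):
    """Server-to-browser text frame (FIN=1, opcode=1, unmasked) carrying JSON."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    n = len(payload)
    if n < 126:
        header = bytes([0x81, n])
    elif n < 65536:
        header = bytes([0x81, 126]) + struct.pack("!H", n)
    else:
        header = bytes([0x81, 127]) + struct.pack("!Q", n)
    return header + payload


def decode_client_frame(frame, max_payload=65536):
    """Parse one browser-to-server frame and return (opcode, payload bytes).

    Assumes a single, unfragmented frame held completely in `frame`.
    """
    if len(frame) < 2:
        raise ValueError("truncated header")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        if len(frame) < pos + 2:
            raise ValueError("truncated length")
        (n,) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2
    elif n == 127:
        if len(frame) < pos + 8:
            raise ValueError("truncated length")
        (n,) = struct.unpack("!Q", frame[pos:pos + 8])
        pos += 8
    # RFC 6455 requires every client frame to be masked; a server rejects others.
    if not masked:
        raise ValueError("client frame is not masked")
    # Bound the declared length before trusting it for any allocation.
    if n > max_payload:
        raise ValueError("payload larger than this server accepts")
    if len(frame) < pos + 4 + n:
        raise ValueError("truncated payload")
    mask = frame[pos:pos + 4]
    pos += 4
    payload = bytes(b ^ mask[i % 4] for i, b in enumerate(frame[pos:pos + n]))
    return opcode, payload


if __name__ == "__main__":
    # Handshake key and masked "Hello" frame are the sample values given in RFC 6455.
    print(accept_key("dGhlIHNhbXBsZSBub25jZQ=="))
    print(decode_client_frame(bytes.fromhex("818537fa213d7f9f4d5158")))
    # Constructed sensor update, as a server might push to the floor plan page.
    print(encode_json_frame({"pir": "hall", "active": True}))
```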

Thursday, 5 October 2017

Apple TV

I posted back in April...

And finally with the latest release, some 6 months later, my Apple TV is no longer asking my Apple password every time I try to watch anything.

I have to say that their support is pretty crap. Periodically, every month or two, I have called, and every time I get someone that is polite and nice and well trained in placating complaining customers. They will take on the case and be my point of contact. They will stay with it until it is resolved. They understand how frustrating it is. The customer interaction training is excellent, if not the technical support behind the scenes.

Every time they have something to delay matters, such as their support people wanting times/dates of the issue, and so on.

Often it was "they wanted to know X", but that was weeks or months before and nobody emailed me or called me to say they were now waiting for something. I had to brave using my Apple TV again, get pissed off with it, and after a few drinks, feel up to the conversation with them again. Hard work.

Irony now - friends of mine can no longer use their Apple TV at all, just not accepting their password at all. Ooops.

So, now, do I go for a 4K Apple TV as I have had a 4K TV for years now? Probably.

I feel like a sheep!

Next step with A&A tariffs

I am pleased with the work so far on our (A&A) tariffs, and I'd like to thank all those that have taken the time to thank us for the changes.

The Quota Bonus seems to be working well and has given people a big safety net for variable tariffs at all levels. Obviously the extra Quota at the lower levels, and the top up that does not expire is a huge improvement also.

So, what is next?

Terabyte on BT back-haul? This would be huge if we can pull it off. We launched our terabyte based tariffs some time ago now, but only on the Talk Talk back-haul. We managed to get a deal with TT that worked for us and allowed these higher tariffs. It was hard work for the team (mostly Alex), but can we do the same with BT? It is hard work as the way we are charged, and the amounts we are charged, vary between carriers, and over time. In some cases we can manage time limited deals, and in some cases these can pass through to tariff changes and offers.

The big issue is that what we buy and what we sell are not quite aligned, and never will be. We buy big aggregate circuits and back-haul bandwidth, but sell individual lines and usage and the Internet access to which that connects. With the normal way that usage is sold (95th percentile) you can have usage that does not matter at all until it hits the top 5% levels, and then it matters a lot. That is almost impossible to map to something we can sell. We have tried in the past with units tariffs changing usage levels during the day and even the middle of the night, but peak usage moves and changes. We have moved to simpler total-usage allowances now.

We think we have something with BT, and we hope that this month, or possibly next month, we can finally start doing the terabyte usage packages on BT back-haul. Yes, you may ask how we are unsure of the BT deal we have - sorry, but it is complicated, really. This will mean that Home and SoHo packages can be changed as needed from 200G up to 1TB and change from month to month as you wish. Indeed, it will allow us to allow balancing of usage between lines on different back-haul and tariffs.

It will be a bonus for people on BT backhaul (not 20CN, sorry) who will be able to simply regrade to higher terabyte usage if they need.

Something more for SoHo users? We have different Home and SoHo packages and there are some differences - some extras on SoHo. I'll be very frank and explain that SoHo is mostly more expensive because we know a business product is usually more expensive and we consider it more of a business package. The problem is that the Home package is so good, it is quite a subtle difference, so I want to make it more so. Offer more for the business customers that are paying more.

The concept is simple - allow sharing usage over multiple sites, not just the lines on one site. We may have to do something where people have lots of sites where the usage is a separate number of extra terabytes over a whole estate, but where it is simply two or three sites then simple usage sharing as we do between lines on one site - over all sites - may make a lot of sense.

Pretty much a prerequisite of this is the BT terabyte, else it gets very complicated with what can share with what. So, again, considering for this or next month.

FTTC being a lot more flexible? The minimum term on FTTC is an issue, 12 months normally - and we reduced to 6 months (at our cost) for Home::1. BT Wholesale are officially dropping this requirement (for new lines) in January and we hope to follow suit.

We don't know how it will work on Talk Talk lines, and we may be able to offer a choice of no install but 12 month term, or a fee to install and no 12 month term. The whole trade-off of min term and install charges may be something we can make more general, which would be a nice feature I think.

This will be January at the earliest, sorry.

So what do we do?

All a bit in the air, but reasonably confident, and I think it is unusual to share such speculative plans with customers - but A&A is not "usual". Feedback (comment here) welcome.

Tuesday, 3 October 2017


One of the nice things about the people that read my blog is that I get some expert opinions on all sorts of matters in the comments, and this may be one where legal, pharmaceutical or medical opinion may abound. So bring it on...

Sudafed is a brand of decongestant and one of them is Pseudoephedrine hydrochloride. It works well as a decongestant.

But buying this stuff can be an issue. They make a lesser decongestant which, to be frank, does not work (for me).

My understanding is that the big issue is that this stuff can be used as the basis for some nasty drugs. Yes, I have seen Breaking Bad. I once tried to buy some when in the US and you would not believe the hassle - passport needed, and even then I think they managed to break their own rules allowing a non US / non Canadian to buy the stuff.

It is over the counter, so a serious medication. But to be frank, when I have a nasty cold, this is what does the trick to clear my head and my chest and sort it out. The other stuff they do just gives me a headache. This works well. As I understand it, there is a possible side effect of increasing blood pressure, so one to watch out for if you are hypertensive. I am, but never have had an issue with this stuff, and I do check.

My problem here is that last year, over the end of the year, I had a really bad cold. It literally lasted for months and I managed to crack my ribs coughing so badly at one point. Yes, I went to the doctors, and they could do nothing and confirmed that lots of people had a really bad cold for months. It was not some silly "man flu", and a lot of the time I was in bed. This was really very unpleasant and lasted for months.

During this I was, at various points, taking maximum doses of paracetamol, ibuprofen and sudafed for several weeks at a time. I take the instructions seriously, and do not take more than allowed. Indeed, I tend to try and take less than maximum dose if I can. But I had a cold for MONTHS, and so did get through a few packs of decongestants.

Oddly, since then, I have had more sniffles and colds than usual. My doctor is not concerned. I get another full check up in a few months anyway. They are also not concerned if I occasionally do take sudafed for a cold. It works. They do ask that I check my blood pressure, that is all. I do that.

The problem is the pharmacist in Tesco in Warfield. She decided I was taking too much! Initially just a query, then an outright refusal to ever sell me it on the basis that I was on blood pressure meds. Well, reading the advice on this you should check with your doctor, which I have done, but no, she simply will not sell me any. Oddly, she will not sell my wife any either on the basis she is on blood pressure meds, when, in fact, she is not!!!

So is this for my health? If it is, I am sure the doctor would say. I do not buy this a lot. Well, I did not, until the day I was banned!!!

Now, what do I do - well what any sane person would do, I stockpile it!

So by banning me, I actually have loads on hand as every other pharmacy, even Boots on-line, is more than happy to sell it, so now I am tempted to take a tablet at the slightest sniffle or congestion. To be frank, I am not, as I would rather not take any medication unnecessarily. But banning me has had the opposite effect on availability for me. So why do it?

Why ban me from a medication that the doctor's surgery are happy I take occasionally if I need it? Why create a situation where I end up stockpiling it just in case and so am MORE tempted to take it than I would be otherwise? How stupid is that?

Oh well, this is the same for many systems of regulation and control - they can often create the opposite effect to what they intend...

Amber Rudd - you do not need to understand encryption

Amber Rudd has made it clear that she feels she does not need to understand encryption. See BBC article here.

Really this is not actually an issue on encryption at all. You do not need to understand it, no.

That said, the principles are not hard to understand, and Amber Rudd could take the time to understand those principles. I am sure there are many trusted advisers who will be happy to explain them. It would help understand the sneering and patronising responses if she understood why her suggestions and comments are so comically stupid.

But let us try to put this in terms a politician should be able to understand.

There is an activity which is common in modern society. We'll try and understand how any activity could be considered for legislation, whether encryption or not.

That activity is conducted by bad actors. In this instance the bad actors are terrorists and extremists, one of the statistically lowest threats we face in modern society, but an issue which is disproportionately important to politicians for some reason.

That activity is conducted by good actors. Indeed, it is used by a lot of people every day. It is hard to find anyone that does not absolutely rely on this activity every day, either directly or indirectly. Everyone with a bank account relies on this activity.

Now, because the activity is conducted by bad actors, it seems that something must be done. It is worth bearing in mind that this is not always the case, and indeed, given that the bad actors in this case, terrorists, represent less of a danger than slipping on a banana skin, the idea of not doing anything is not completely stupid.

So what can be done about this activity? Can it be banned? Can it be restricted? Can it be changed? Can it be controlled? Well, this is where understanding the activity may help, but let us assume it can be controlled in some way for a moment.

The next question, assuming some legislation can be made that will somehow restrict or control the activity, what are the consequences of doing so?

There are two main issues.
  1. Will the restrictions impact the bad actors at all?
  2. Will the restrictions impact the good actors at all?

In this case, we can look at the activity being encryption and we look at these points.

Will the restrictions impact the bad actors at all?

MATHS EXISTS! No matter what law you make it is possible for the bad actors to make use of encryption. It is impossible to un-invent mathematics and encryption.

So, we know the answer to point 1 - will this impact the bad actors? Well, not really - they can move on to other apps, other tools, their own apps. They do not even need to do anything difficult or complex. Even if what they do is illegal, they can still do it. There are even ways of hiding what they are doing so you cannot tell so cannot convict them of breaking those laws. See the video at the end of this post for how to encrypt with pen and paper and dice. Maths cannot be un-invented, sorry.

[update: some useful comments on this below] I agree that it is not quite so simple. I cannot say that terrorists will simply use other apps. I can say that open source communities and privacy activists make good quality apps and not some dodgy "home grown" broken crypto, and they are even working on ways to make those apps invisible to police states and oppressive governments, so the apps to use will exist. It seems odd that terrorists would not make use of them. The issue here is that catching one terrorist by such a measure is not worth it - indeed, if you could guarantee to catch every terrorist ever it still would not be worth it - they still are so few and harm so few - we need evidence based laws and policies and it amazes me terrorists are even on the radar ahead of bee stings.

Will the restrictions impact the good actors at all?


This has been seen over and over again, and the industry is in a constant battle against criminals. A lot of criminals that cost millions of pounds every day one way or another, and exploit companies, and normal people. Unlike terrorism, this is a big issue impacting a lot of people. The battle is now at the stage that the best defence against criminals is end to end encryption which means that even the intermediate companies cannot see the communication. This is because attacks on the data via those intermediate companies are a real threat where criminals can get in (technically or social engineering, etc). So people rely on this level of security, all the time, every day, for their banking, their medical records, everything.

So, now we know, any attempt to restrict encryption will impact the good actors. They will not be motivated to use other apps or do encryption themselves - why would they, as Amber Rudd says, normal people do not care if their WhatsApp chat is encrypted end to end or not (until they are victim of a crime, obviously). Only the bad actors will in fact be motivated to use alternatives.

So, you do not need to understand encryption really.

You just need to know that this activity is used for a minor threat (terrorism) and that any attempt to control it will not impact that threat but will impact all of the good uses of the activity.

Now you can make a choice of how to address the issue.

This is no different to seeing that terrorists use white vans, so banning them!
This is no different to seeing that terrorists use an underground map, so banning them!
This is no different to seeing that terrorists use ball point pens, so banning them!

It is a simple exercise to understand the options and consequences of those options and making the best decision for the country as a whole.

Monday, 2 October 2017

Amigo Loans being thick

As some of you have asked, why did I not lend money rather than guaranteeing it to Amigo?

Well, I was sort of bullied in to it - I have lent money before to others, and nearly a decade later do not see it repaid. I am out of pocket to well in to six figures now. I should learn, and not lend to friends or relatives, ever. It is always a mistake. (to be fair, one relative, where I applied a charge on her property, was good, thanks)

Am I a miserly old sod? I think not, as there are so many cases I give gifts and money, but when they push too far and I cannot really afford to "give", I have made the mistake of "lending". I would say to anyone considering it, just don't. If you cannot afford to give, then do not, simple as that. Really, if you cannot afford it now, say no!

The guaranteeing a loan thing was a half way house, not lending, not actually, but being there as guarantor, just in case. It does not work. It is amazing amounts of hassle, especially with Amigo Loans. They hassle like mad.

Tonight I got really cross, and sadly the call was not recorded or I would post it.

It was a simple matter - Amigo - give a settlement figure and bank details to make settlement. How hard is that as a request?

They KEPT on saying "it can take 3 to 5 days for the payment to arrive".

I had to shout a lot at them to explain that BACS allows FAST PAYMENTS that take a few seconds normally and at worst a couple of hours (though I have never seen more than a minute or two). They seemed not to understand this. They are, IMHO, fucking stupid.

The UK banking system has had fast payments for years now. Strangely enough when making a loan Amigo are happy to boast that you can have the money within 24 hours. Indeed "Borrow up to £10,000 within 24 hours" is big on

So they fully understand that money can be transferred quickly. When it suits them!

Yet offer to settle a loan and now it is suddenly 3 to 5 working days during which interest will accumulate at the massive rate they charge.

Let's be clear, for comparison, they are charging 49.9% APR. BoE base rate is 0.25% APR, so one 200th of the rate. Even my mortgage is 0.59% APR. To charge 49.9% APR interest is extortion.

I have explained that, having made payment, if they charge interest purely on the basis that their internal systems take time to realise that they have been paid, I will have to consider that fraudulent and worthy of reports to FCA and police. I should not have to resort to such threats. What ever happened to ethics (I ask when looking at 49.9% APR, D'Oh).

So I am charging 1% APR, is that fair? Will I get paid? Will it just live on for decades like others to which I have loaned money? Who knows? I hope not.

I really think this is the end now - no more loans to anyone - ever! Why does it take so long to learn these lessons. Why are people close to you so keen to stitch you up? Life is not fair.

P.S. Sorry I need to explain more, maybe

When a friend or family member asks for money, as a gift, and you can, then fine, give it. Ideally do so if you can before they ask.

When they ask for so much it causes you problems, then maybe say it is a problem. What if they then say "OK, lend it to me and I'll pay it back"? Well in that case it is a FUCKING LOAN, and needs to be PAID BACK.

It is not a hard concept, really, is it?

P.P.S if I borrow £10 as my round and no cash in the pub, I feel compelled to make sure I make a point of paying it back!

Thursday, 28 September 2017

Sloppy 3D print designs

I was just asked to print this :-

It is a simple box and lid. How hard can it be...

Well, this brings me to some issues I have with some 3D print designs. Of course, these are FREE and so I do not really have any justification for complaining - do I?

The problem is people will put designs on public forums like thingiverse which are clearly not designed to be printed. Some are just designed in a way that could not be printed at all, and some are just sloppy.

Sadly there are some really nice designs which you would struggle to print on most 3D printers, but can be printed by professional services, like this one. I'd love to print this, and it is a nice design (not sloppy, just the way it is).

However, getting back to the simple box and lid...

This particular design has one immediately obvious flaw - the box is upside down for printing. To print on most 3D printers this would have horrid overhangs or need supports. Simply having the box the other way up would work perfectly with no issues. The lid, however, is the right way up to print. Both are in one file, rather than two separate files, just to make things harder...

Basically, most 3D printers will print one layer on top of another. At a pinch you can create a "top" to something, spanning from one side to the other in mid air, but ideally you want designs that avoid printing in thin air, overhangs, and anything shallower than 30 degrees (and even that is not ideal, better is 45 degrees). One of the challenges of 3D design is making something that can be printed on a typical 3D printer. The box and lid in this case are both fine (mostly) for additive printing, if the box is flipped over.

Fortunately I can separate the two parts and print separately. I tried printing the lid. It took me three attempts to work out why it was not printing - it is about 0.42mm off the Z axis. WTF?

Yes, this meant that the printer was trying to print the whole thing in thin air, just above the print bed, and hence it simply did not work.

It is easy to fix, I can click one button and bring the lid down to the print bed, and if it had been way off in the air I would have spotted the issue and done so, but so close to the print bed, but not actually on it, is almost designed to be a nuisance. Why would anyone do that?!?!

OK, so the box... You would not believe this...

Yep, it is 1 degree off level. What kind of sick mind publishes a design that is 0.42mm off the bed and has one part upside down and 1 degree off level? I ask you!

Yes, I can correct, but this is almost designed to confuse and annoy.

Once again, I repeat, this is a FREE design, I have paid nothing for this. Can I really complain? I am not picking on this one design, there are a mixture on thingiverse, and other forums, with a lot of designs "just working" and a few that are "sloppy".

One of the other issues is something may be designed for one printer and material, and just work on that, but need some adjustment for other printers. That is not uncommon as the tolerances and capabilities of printers vary slightly. Obviously it helps when people specify the cases they have tested.

I have to wonder, in the case of this box and lid, if this is deliberate trolling, or just sloppy, though it is hard to see how one can accidentally rotate something by 1 degree.

I wonder if I'll print it and find the lid does not actually fit on the box :-)
P.S. it fits

Tuesday, 26 September 2017

Amigo loans

This is a slightly tricky blog as it relates to someone I know.

I made the mistake (and it was a mistake) of guaranteeing an Amigo loan for someone I know. If you are asked to do this my advice, in my opinion, is DON'T DO IT!

The interest is stupid anyway, but that is not the issue.

I don't say this simply because you may have to repay some or all of their loan, but because of the hassle you suffer.

It should be simple, IMHO, in that you guarantee the payments, so if they do not pay then maybe a letter or an email to say I have to pay, charge me, and done.

But no - it is weeks of calls (sometimes several a day), letters (sometimes several a day) and emails hassling you. Why is this not simple?

The calls and letters and emails are not just that I have to pay the missed payment but they talk of court action and recovery and all manner of nasty things.

What is worse, they are calling my office - seriously! Whilst they say very little they do say they are calling from "Amigo" and their number, so clearly Amigo *LOANS* calling me. That is embarrassing to say the least.


I wonder how this is not a simple breach of Administration of Justice Act 1970 section 40.

After all, they have means and the contract in place to charge me, why not do that and be done with it? Why all the harassment? Why call my office?

I have emailed them :-

You have a contract in place with me to guarantee payments for XXXXXXXXX.
You have the means to collect those payments. I have the funds to cover
those collections.

However, if you continue to harass me, or if you EVER call my office
again I will have to consider you in breach of section 40 of The
Administration of Justice Act 1970 and report you to the POLICE for
consideration of CRIMINAL charges against you.

Is that clear?

P.S. The option of paying Amigo off and lending the money myself may well happen, so I checked! As well as owing me several hundred for missed payments, in 19 months of the loan it has gone down by £9.11 in total. Wow...

Wednesday, 20 September 2017

Unicode SSIDs

I have tried many access points over the years, and some of them allow you to use unicode characters (outside the normal ASCII set) in SSIDs. i.e. the names of WiFi networks.

It seems many devices understand these and display them correctly, which is nice. However, annoyingly, a lot of access points seem to either disallow use of interesting characters, or at least make it difficult.

Why would you use these? Well, one rarely has to type an SSID, you pick from a list, so why not make them more fun - with emojis and the like?

So what have I found with the latest APs?

Aruba Instant IAP-305(RW)

I noted on the new Aruba APs that they have the useful option of SSID Encoding, either Default or UTF-8. This was encouraging. You have to select the advanced settings to see this though.

So I tried a pile of poo as an SSID... Sadly this does not work...

Somewhat annoying.

The config file...

The trick, of course, is to save the config, and take a look, and if possible tweak and upload. This works!

Yay, but in various tinkering I spotted that some parts of the config file saved back in a different way?!

Yes, the character in question had been percent/hex encoded. I found that I could type that in the ESSID box on the web based config. This is a lot less hassle than manually editing the config file!

What is strange is that some I cannot, seemingly those starting %F rather than %E, for example.

Seeing boxes

Some devices cannot show them, obviously... This is my camera. Note it sees one "box" so understands that the bytes are a single UTF-8 character which it cannot display (I also tested with two characters showing two boxes).

And finally, the magic changing SSID :-)

Using U+F8FF, which is a "private block" unicode character, on anything apple, you get the apple logo. For me I see that here: 

On other machines you don't. I was hoping for the Windows logo at least, or even a Klingon symbol, but my son's Windows laptop just showed a box! Shame.
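The percent/hex form described above can be worked out by hand, so here is an added example (not from the original post, and not Aruba's code) that converts an SSID to its UTF-8 octets and back and reports each character's lead byte. It assumes the escapes are plain %XX of the UTF-8 bytes, as seen in the saved config; the function names are made up for illustration.

```python
import string

MAX_SSID_OCTETS = 32  # an 802.11 SSID is a field of 0 to 32 octets, not characters


def escape_octets(raw: bytes) -> str:
    """Write '%' and every byte outside 0x21-0x7E as %XX, the rest as ASCII."""
    return "".join(
        chr(b) if 0x21 <= b <= 0x7E and b != 0x25 else f"%{b:02X}" for b in raw
    )


def percent_encode(ssid: str) -> str:
    """UTF-8 encode an SSID, enforce the octet limit, and escape it."""
    raw = ssid.encode("utf-8")
    if len(raw) > MAX_SSID_OCTETS:
        raise ValueError(f"SSID is {len(raw)} octets, limit is {MAX_SSID_OCTETS}")
    return escape_octets(raw)


def percent_decode(text: str) -> bytes:
    """Turn a %XX-escaped SSID back into the raw octets that go on the air."""
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or not all(c in string.hexdigits for c in pair):
                raise ValueError(f"bad %XX escape at offset {i}")
            raw.append(int(pair, 16))
            i += 3
        else:
            if not 0x20 <= ord(text[i]) <= 0x7E:
                raise ValueError(f"unescaped non-ASCII character at offset {i}")
            raw.append(ord(text[i]))
            i += 1
    if len(raw) > MAX_SSID_OCTETS:
        raise ValueError(f"SSID is {len(raw)} octets, limit is {MAX_SSID_OCTETS}")
    return bytes(raw)


def characters(raw: bytes):
    """List (code point, escaped lead byte, sequence length) for each character.

    Decoding is strict: an SSID can hold any octets, so malformed UTF-8 raises
    UnicodeDecodeError and the caller has to decide how to display it.
    """
    result = []
    for ch in raw.decode("utf-8"):
        encoded = ch.encode("utf-8")
        result.append((f"U+{ord(ch):04X}", f"%{encoded[0]:02X}", len(encoded)))
    return result


if __name__ == "__main__":
    # Constructed samples: the pile of poo (U+1F4A9) and the private-use U+F8FF.
    for sample in ("\U0001F4A9", "\uF8FF", "Cafe 100%"):
        escaped = percent_encode(sample)
        print(escaped, characters(percent_decode(escaped)))
```

Characters above U+FFFF, which includes most emoji, need a 4 byte UTF-8 sequence and so start %F0 or higher, while U+0800 to U+FFFF (including U+F8FF) take 3 bytes and start %E. The 32 octet limit means at most eight such emoji fit in one SSID.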

Tuesday, 19 September 2017

iPhone roaming with IPv6

As you know, this has been a challenge!

In summary - using iPhones and roaming between WiFi access points on a network with IPv6 enabled does not work well! It breaks sometimes - the phone ends up in a state where it thinks it is connected to an AP but there is no traffic working at all (IPv4 or IPv6). Turning WiFi "off" then "on" on the phone fixes it.

This has been reported by people using several different routers (which allocate IPv4 and IPv6 addresses) with ubiquiti APs. We did a lot of testing with ubiquiti to try and find the cause, but to no avail. There was suggestion it could be related to the FireBrick, but as the whole process of AP roaming does not involve the "router" device in any way, with no packets to or from it needed or seen, then it cannot be the "router" that is the cause of any problem. The fact it has been seen by others with other routers left it as either ubiquiti or iPhone.

The good news is that it is looking a lot like ubiquiti are off the hook on this one at last. It pretty much has to be an iPhone bug at this point. IPv6 is still not common enough for this to have been noticed a lot, and of course it is only noticed with routers that do IPv6, such as FireBrick.

Dumbing things down...

Having come to an impasse with ubiquiti I gave up, and got some other APs. I went for cheap(ish) xClaim ones. These are made by Ruckus which is a well known name in APs.

They do what they say on the tin, and are quite usable, and simple to set up (if prepared to use their cloud based config). But they do not do "roaming", you just have to trust the device to switch to a new AP when it wants to. This works 100% but means a gap in connectivity, it is far from seamless.

Stepping things up a bit...

Then I decided to try some higher end ones, the Aruba APs from Hewlett Packard, another good name. I have some IAP-305(RW) APs. The config is web based, very flexible, controller based logic but one of the APs takes on that role so no separate controller needed. You can have a separate controller for larger installations. 255 associations per AP is a lot, and even 15 SSIDs per radio for fun. Lots of bells and whistles (even 3G/4G dongle fall back, PPPoE, VPN, all sorts).

I set them up, and bam, I got my iPhone playing up yet again in exactly the same way.

The good news is I can tinker and fine tune, and turn on and off specific roaming protocols on a per SSID basis. Turning off 802.11r fixed the roaming issue, which confirms it is the 802.11r that is the issue. I left 802.11k and 802.11v on as they seem to cause no issues. The iPhone does support 802.11k and 802.11v so having these enabled helps roaming anyway.

So sounds like we'll have to wait for iPhone to fix 802.11r support. I am raising on the Aruba support forum as well though in case they can help.

Sunday, 17 September 2017

Insulin pens and temperature

How hard is it to mess up your insulin?

The instructions with my insulin pens are pretty clear - store in fridge 2°C to 8°C. The in use pen should not be stored in the fridge but kept below 30°C (for a maximum 4 weeks).

Advice for flying is that you take the insulin in hand luggage as it could freeze in the hold. I have been on holiday before. I know the drill, or so I thought.

So what happened in Rhodes?

I am finally back from a week in Rhodes, a nice holiday with my wife this time. The villa was nice, and had lots of effective air-conditioning. The short excursions in to the outside where it was hot were OK. I actually got a bit of exercise even. The villa even had IPv6!

As normal I took two new pens in my hand luggage, put one in the fridge on arrival and one on the side (in an air-conditioned room, so well below 30°C) to have my daily dose.

I am lucky that at present I only need one dose of a slow acting insulin as my body does manage to make some still, with the help of some tablets. Indeed, a change of routine (i.e. my evening meal being late) will usually leave me hypo, and somewhat cranky!

However, in spite of the change of routine, and 2 hour time shift, I was not getting at all hypo. Indeed, I was not eating much at all. At the start of the week I felt mostly OK, but as the days went on I felt increasingly tired and even thirsty. What really gave it away was that I started getting spots, which is a sure sign I have high blood sugar.

Blood tests showed my blood sugar was indeed unusually high, even hours after eating. I was now taking the maximum dose of gliclazide to try and help matters. What was going on? I do not normally have to bother testing - I have a routine that works, but this week was not working.

I tried the other pen, but no better. It is a slow acting insulin, so I could not tell immediately if it was helping or not, could I?

By the time I concluded that it was also not working, we are on the last day, having slept a lot and thrown any hope of reading a book out of the window.

Finally home, gone 3am in the morning, having had one small sausage roll at the airport some 8 hours before, with a gliclazide, and nothing for about 4 hours before that, my blood sugar was still high. So I got a new pen from the fridge and had today's dose a few hours early before going to bed.

Well, I know now, that if there is a problem, then taking working insulin does indeed have quite a quick impact. This is useful for future reference I think. By 6:30 this morning, blood sugar low and shaking slightly (hypo), so time for some breakfast.

Now to get back into my usual routine again.

What did I do wrong?

The issue is that I don't think I did anything wrong. The plane was not hot, the taxi may have been a bit hot but that was like 25 minutes from airport. The rooms were not hot. I have a feeling the fridge may have been on the cold side, maybe too cold (i.e. below 2°C) so will have to take a thermometer next time maybe, but that does not explain the first insulin pen being broken. Maybe it was that short taxi ride in the hot Rhodes heat? Could that really be it?

Overall it seems something is a bit sensitive and the effect is not instantly obvious (well, not so much in my case, as I say I still make some insulin myself). It can have quite a nasty impact on an otherwise fairly enjoyable holiday.

What next?

There are cool bags you can get, but being a techie I am more interested in a tiny portable medication fridge - no moving parts or liquids so ideal for travelling. Yes, someone sells them! I think I will have to invest. I really do not want this happening again.

So, keep cool, and keep your insulin cool, especially when travelling.

P.S. An "eating bugger all as you have no insulin" diet did not help as I am exactly the same weight as when I left. I think it must be the "sleeping all day" side effect that thwarted it.

Friday, 15 September 2017

Who could have predicted this and told the ASA?

As I previously blogged, there are proposals to make ISPs advertise broadband service speeds differently.

This is a complex topic - the speed of the line itself depends on technology and location, so in a general headline it is hard to explain. A headline explaining the best the technology can do is good for comparing ISPs, but changes to show 90th percentile muddied the waters and they are getting worse with latest changes. One suggestion was to advertise a minimum, for example...

Oddly enough I, and others, predicted it would not help... See this from Sky...

They are advertising a 55Mb/s minimum speed service.

Now, compare to normal FTTC which could be anything from 1Mb/s (maybe even lower, not sure) to 80Mb/s, if advertised as a guaranteed minimum side by side, you would go for Sky with the 55Mb/s minimum, obviously. Obviously a "guaranteed 1Mb/s minimum" is worse than a "guaranteed 55Mb/s minimum"... WRONG!

The speed you can get using a particular technology (presumably FTTC in this case) depends on your location and the line quality. You get what you get using that technology whether you go with Sky or BT or A&A.

The difference is that if you cannot get 55Mb/s then Sky will not sell you "that package", though I am sure they will then offer alternatives such as slower FTTC or ADSL package.

So all we have is misleading advertising making people think there is a better package when there is not.

Indeed, maybe we need an A&A headline: "79Mb MINIMUM SPEED GUARANTEE (available to X%). If you cannot get this we have an alternative 78Mb MINIMUM SPEED GUARANTEE (available to X%). If you cannot get that we have 77Mb MINIMUM SPEED GUARANTEE (available to X%)..." and so on.

The changes being proposed are absolutely not helping customers make informed choices.

Update: Someone has checked the Sky web site and put in various addresses and found that Sky are apparently guaranteeing the 55Mb/s based on the "minimum forecast speed (impacted)" not on the "handback threshold" and so are taking a small risk that some lines may sync between the two and they have to refund a customer without getting a refund from BT, so well done Sky - I stand corrected.

However, my point still stands, Sky will not make your line do 55Mb/s. If it can manage 55Mb/s, then it will for any ISP. If it cannot, then it will not for any ISP.

Thursday, 14 September 2017

Data Protection

So there is the new Data Protection Bill to put in place the rules under the General Data Protection Regulation, under EU law.

Well, there is a lot to this, so this is just a placeholder post really - to say there is a lot of shit going down, and with any luck I can post more about this in due course.

This, and the NIS directive, almost feel like exactly the sort of thing those Brexit voters were wanting to kill off!

OFCOM confirm BT lied to us

Recently, BT plc stated, several times :-

"Openreach is not a communications provider."

OFCOM have now confirmed (as if there was any doubt)...

"BT plc (of which Openreach is currently a division, and of which Openreach Limited will become a subsidiary when it is incorporated) is a communications provider subject to various regulatory obligations set by Ofcom."

Oh well, not surprising I suppose. Thanks to OFCOM for confirming.

Tuesday, 12 September 2017

Quota Bonus

I have had an idea of a tweak to the way we do quotas that should help address some of the concerns people have.

Quotas are always tricky things - having some sort of roll over is more complex, and usually needs some sort of caps. We did this on the old units based system and it resulted in quite complex statements of usage and quota and roll over.

What we have now for Home::1 and SoHo::1 is quite simple - it is a monthly quota. You start each month with that quota. Simples!

Even so, there are complications, such as pre-using some of next month's quota (slowly) if you use all of this month's, and the top-up, which I have now made carry on until used. Even so, the "unused quota" that is "lost" at the end of each month is clearly a concern for some.

Quota Bonus

The proposal is relatively simple. You will start your month with your monthly quota as now, but as a bonus you will also get half of the "unused" quota from the previous month.

So if you started on 300G monthly quota but only used 200G in your first month, you start the next month with a new 300G, plus 50G bonus (half of 100G unused), making 350G.

If you only use 200G that month you will start the following month with your 300G monthly quota plus 75G bonus (half of the 150G unused), making 375G.

And so on. Any top-up remains separate and is not halved.

The nice thing is the system is self limiting in time and amount by the nature of geometric progression. It does not need any caps or time limits. It also keeps things simple when you change your monthly quota, with no change in caps - the same simple rule applies.
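To see why no cap is needed, here is the rule as a short simulation. This is an added example, not A&A's billing code: the function names are made up for illustration, and it assumes that using more than the allowance leaves zero unused and that top-up is left out.

```python
def simulate(monthly_quotas, usage):
    """Apply the quota-bonus rule month by month (all figures in GB).

    Returns a list of (start_allowance, bonus) tuples, one per month.
    Assumptions: using more than the allowance leaves zero unused (no
    negative bonus), and top-up is left out because it is carried
    separately and never halved.
    """
    rows = []
    bonus = 0.0
    for quota, used in zip(monthly_quotas, usage):
        start = quota + bonus            # this month's quota plus carried bonus
        rows.append((start, bonus))
        unused = max(start - used, 0.0)
        bonus = unused / 2               # half of the unused amount carries over
    return rows


def steady_state_bonus(quota, used):
    """Bonus the rule settles at when quota and usage stay the same each month.

    Solving bonus = (quota + bonus - used) / 2 gives bonus = quota - used,
    so the bonus never exceeds a full month's quota.
    """
    return max(quota - used, 0.0)


if __name__ == "__main__":
    # The post's example: 300G quota, 200G used each month.
    for month, (start, bonus) in enumerate(simulate([300] * 6, [200] * 6), 1):
        print(f"month {month}: start {start:g}G (bonus {bonus:g}G)")
    # A line that uses nothing at all for two years still stays under 600G.
    print("idle line after 24 months:", simulate([300] * 24, [0] * 24)[-1][0])
    # Dropping the monthly quota from 300G to 100G needs no special handling.
    print("quota change:", simulate([300, 300, 100], [200, 200, 50]))
```

With steady usage the bonus creeps towards quota minus usage (100G in the example above), and even a completely idle line never starts a month with more than twice its monthly quota.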

This should reduce some of the perceived "loss" of unused quota, and allow some balancing out of high and low months.

Obviously we need to make it clear on the control pages how your monthly quota was created, i.e. your monthly quota, and any bonus you have (and if you have any top-up carrying on), each month.


I am interested in comments on this specific idea. Is it easy enough to understand? Does it help address some of the concerns?


Our costs depend on a lot of factors, like many services. We have some fixed costs, some costs directly related to number of lines and types of lines, some costs related to usage of the service and the overall scale of our operation. Whilst a simple usage metric of "Gigabytes downloaded" does not relate directly to our costs, it is not a bad analogy.

So we could charge simply a monthly fee and a usage fee for what you used. Several people suggested we do this. Indeed, we do this for our mobile services, and get many calls for us to offer "call packages". At the other extreme we could do one "package", even an "unlimited*" one. But we have chosen a middle road, so that light users pay less than heavy users, but people can pick a package which means predictable charges.

This means quotas in tiers, and obviously some people will have some "unused" quota. When we start getting to the terabyte usage levels this will normally be quite a lot as these are meant to reflect a near "unlimited" usage level for most users. People feel they are losing something in such cases, and may even try and "use up" their quota at the end of the month. Others feel their usage being very variable they have some months high and some low, and that we should somehow balance usage. For lower tariffs, we allow change of quota every month.

No system will be 100% fair to everyone, and no system can meet everyone's requirements exactly. But we hope this addresses some of the issues.

This is not launched yet, I am just asking for comments at this stage.

P.S. yes, applicable to the terabyte quotas, and I am increasingly inclined to launch this now.

Sunday, 10 September 2017

NIS Directive and Internet companies in the UK…

This blog is about some upcoming legislation which could have a lot more impact than you might expect on smaller companies that provide internet related services.


The Network and Information Systems Directive is an EU Directive which will be implemented in to UK law next May. At this stage the UK implementing law is not drafted and we have a chance to influence how it is drafted by responding to a DCMS consultation. If you offer any sort of web hosting, or you are an ISP, even a small one, you may find yourself in scope, and so should look in to this now. The penalties can be huge, much like GDPR penalties.

Key problems

Who should be in scope? It is not entirely clear on some aspects who should be in scope - who the directive is aiming at - we can guess some big players like LINX, Google, and Nominet, but when it comes to DNS and cloud services, it is very unclear.
Defining the scope. This is very important as defining the scope by describing the service and some measurable scale, can be very hard. I would struggle to define a DNS provider to include all of that they intend with no unintended consequences, even if I could understand the intended scope in the first place.

Both of these are areas where DCMS urgently need help so as to avoid some bad legislation — not only would it put an undue burden on smaller ISPs, it would actually be counterproductive and increase the risk.

What is the NIS directive?

If you have not heard of it before, the NIS directive is an attempt to increase the security and resiliency of network and information systems, primarily the Internet, to minimise disruption and downtime, and the ensuing impact on the economy. It builds on rules which are already in place covering electronic communications networks and services.

Essential Services

The main targets are those providing essential services. This covers Transport and Energy and so on but specifically covers internet related services provided by IXPs, DNS providers, and TLD registries. Whilst IXPs covered are likely to be LINX and perhaps a few others, and TLD providers are likely to be Nominet, the “DNS providers” is a concern as I will explain later.

Digital Service Providers

The directive also covers Digital Service Providers, which covers all sorts of people like on-line marketplaces, cloud computing, and search engines. Unlike “essential services”, there is a threshold test for digital service providers: a provider which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed €10 million is out of scope.

Do we really need legislation

Sadly the time to tackle this has gone as this is an EU directive which the UK is bound to implement, though it will be reviewed from time to time. However, this is an important question as the UK has some discretion as to the way in which the directive is implemented, and it may be possible to limit the scope to the few larger providers that already have in place the measures that the directive requires. Considering if the legislation is actually needed could be a factor in this.

The reason I am unconvinced is that the industry, at all levels from low level protocol design, to network operations of companies like google and ebay, already take these issues seriously and are constantly working on improvements.

Just looking at DNS, it was designed to be robust in the first place, and improvements to resolvers (randomised ports) and changes like DNSSEC are tackling some of the ways the system can be “attacked”. Even at higher levels, things like https (secure web pages) are making DNS attacks less useful. You then have the reputation of these larger companies, and their experience - when was the last time you could not get to Google or Facebook which was their fault (i.e. not just a broadband outage)?

So if industry is constantly working on this, do we need legislation? Will legislation simply add additional burden? Can we limit that burden when putting this in to UK law?

Search engines

They presumably mean google and bing, but how in scope do these companies become if they shut down EU offices? Maybe they should just list them as being in scope? However the definition actually talks of a service that searches all web sites, which no search engine does or ever could do, so google could easily argue it is out of scope. I am not that fussed as we are not a search engine, phew, but it would help to get DCMS to understand and refine these definitions — and, to their credit, they really do appear to be willing to listen.

Cloud computing and on-line marketplaces

This gets more complex as it could cover simple web hosting. There are the turnover figures, but if a medium sized company was to do some web hosting it could find itself in scope. At the very least the thresholds need to be tied to “relevant turnover”, and I think the definitions need to be pinned down somewhat. There is a danger we could be in scope one day, and many ISPs only slightly bigger than us are probably going to be in scope.

The scope of “cloud computing services” proposed to be in scope by DCMS seems to go way beyond what the UK is required to implement under the directive, and we are not sure why. The directive requires only providers of a “digital service that enables access to a scalable and elastic pool of shareable computing resources” to be in scope, but DCMS is seemingly proposing that anyone who provides online services to businesses must be in scope — email, IM, VoIP, web hosting, and so on. Since very few of these services are actually critical to the economy, their inclusion seems unnecessary.

DNS providers

This is a special can of worms, and hence the largest part of this blog post. The problem is that this comes under the onerous “essential services” category which includes some serious fines for non compliance, and does not have the same turnover / employee threshold as the "digital services" obligations.

The actual EU directive talks of DNS being a “hierarchical system” that “refers queries”. To me that is authoritative DNS servers only. Remember that TLD operators are covered as well. The proposed UK legislation seems to cover caching and recursive resolvers too. That is where it becomes a problem.

The two sides of DNS…

Authoritative servers: The DNS database is distributed and hierarchical. It is a target for attack. If you can change the DNS entries, or make them appear to be changed, for, say, a bank, or one of those digital service providers, you can disrupt services and defraud people as well. So DNS is important.

One problem here is that DNS can be, and is, in the hands of the companies with these important domains. It is unlikely they would rely on their local ISP to manage the DNS. The TLD provider like Nominet would refer (delegate) to the company’s own authoritative DNS servers. So it could be that the DNS servers in question are not covered by the legislation anyway in the cases where attacks would cause the most damage.

Where it could come in is where there are ISPs providing authoritative DNS as a service to others. We do that as a small ISP. But our customers can, and probably should, be using secondary servers from other providers.

The threats here are mainly that DNS records are changed, and this could be by some social engineering (phoning claiming to be the customer, emailing, trojanning to get control page login details, etc), or technical (straight hacking). Obviously there is a risk of something simple like a power outage, but that should be covered by the fact DNS has redundant servers. There is also a risk of DoS attacks on such servers. The issue here really is that small ISPs like us, that could well be in scope here, are not going to be used by big players like a bank, or someone important. As such we are a lower risk target anyway, and less of a disruption when attacked. Even so, we offer our customers two factor authentication to minimise risk of unauthorised changes being made.

There is one other threat, one of incompetence, and I worry we could be failing such legislation if it applies to us. What happens is a customer will go to some web developer. The web developer will say that they will need the DNS name servers for the domain changed over to them. Many web developers work like that, and have no clue about other uses of DNS, even email! We try very hard to warn customers if they ask for DNS to be changed to new name servers, but even so, it is not uncommon to have the customer on the phone an hour later asking why email is not working any more.
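The sort of check that catches this before the name servers are changed can be sketched as a comparison of what the zone serves today against what the new servers would answer. This is an added example, not A&A's tooling: the function names, the simplified "name type rdata" input format and the sample records are all constructed for illustration.

```python
MAIL_TYPES = {"MX", "TXT"}   # TXT carries SPF, DKIM and DMARC policy
SKIP_TYPES = {"NS", "SOA"}   # expected to differ after a change of name servers

def parse_zone(text):
    """Group simplified 'name type rdata' lines into {(name, type): {rdata}}."""
    rrsets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, rdata = line.split(None, 2)
        if rtype.upper() not in SKIP_TYPES:
            key = (name.lower().rstrip("."), rtype.upper())
            rrsets.setdefault(key, set()).add(rdata)
    return rrsets

def delegation_risks(current, proposed):
    """Record sets served today that the proposed servers lack or alter.

    Returns (name, type, 'missing' or 'changed', affects_mail) tuples.
    """
    # Hosts named by today's MX records: losing their addresses breaks mail too.
    mx_hosts = {rdata.split()[-1].lower().rstrip(".")
                for (_, rtype), rdatas in current.items() if rtype == "MX"
                for rdata in rdatas}
    findings = []
    for name, rtype in sorted(current):
        if (name, rtype) not in proposed:
            status = "missing"
        elif current[(name, rtype)] != proposed[(name, rtype)]:
            status = "changed"
        else:
            continue
        affects_mail = rtype in MAIL_TYPES or name in mx_hosts
        findings.append((name, rtype, status, affects_mail))
    return findings

# Constructed sample data: the zone as served today, and what the web
# developer's name servers would answer (web site records only).
CURRENT_ZONE = """
example.com.       A    192.0.2.10
www.example.com.   A    192.0.2.10
example.com.       MX   10 mail.example.com.
mail.example.com.  A    192.0.2.25
example.com.       TXT  "v=spf1 mx -all"
"""
PROPOSED_ZONE = """
example.com.       A    198.51.100.7
www.example.com.   A    198.51.100.7
"""

if __name__ == "__main__":
    for name, rtype, status, mail in delegation_risks(
            parse_zone(CURRENT_ZONE), parse_zone(PROPOSED_ZONE)):
        print(f"{status:8} {name} {rtype}" + ("  <-- mail will break" if mail else ""))
```

In practice the proposed side would come from asking the new name servers directly (for example `dig @<new-server> example.com MX`) before the delegation is changed.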

At the end of the day, I am not sure which “larger players” in the authoritative DNS market (below the TLD such as Nominet) would sensibly be a target for this legislation. Are there “Authoritative DNS providers to the stars” out there, offering authoritative DNS to large companies? Who are they?

Caching and recursive resolvers: This is where it does get scary. As worded now by DCMS we come in to scope as an essential service provider because of the caching recursive DNS resolvers we provide to customers. That is crazy! We are a small ISP, with under 10,000 customers. DCMS has proposed that only providers who get more than 60 million queries in 24 hours would be in scope but, having measured these, we exceed this threshold by a factor of two on our customer facing resolvers right now, but it gets more complex.

Each of the customer routers typically has a DNS resolver or forwarder, some of these are owned by us, and for many ISPs the customer router is owned, or maintained, by the ISP. If they come in to scope (and I cannot see that they would not), then they will be getting an order of magnitude more queries. I think, in our case, most customer routers are not “ours”, thankfully, but even those that are, I am unsure how we would know how many queries they get. Of course one customer deliberately hitting their own router on its 100Mb/s LAN as fast as they can with queries would put that one router in scope, even if the requirement is billions of queries in 24 hours. That would put that customer, or us (if it is “ours”) in scope suddenly.

There are other issues with DNS resolvers. The industry has tackled threats as they have come along, and one was that older/simpler resolvers were vulnerable to being flooded with incorrect answers and then made to look something up - not that hard to do with code embedded in a web page. So what happens if a specific make of customer router has such a vulnerability - that could cause widespread impact on services, spoofed DNS and fake web sites and fraud. Who is, or should be responsible for that? The manufacturer? The reseller? The end users? The legislation seems to ignore this risk completely, but it is also easy to see it being impossible to police for “made in china” routers anyway, and you really cannot make code 100% bug free.

The other issue is that this could easily “put all eggs in one basket”. At present ISPs will operate a lot of customer facing caching recursive DNS resolvers. Lots of redundancy. This makes attacks such as DoS harder. As a small ISP I doubt we can afford to find ourselves in the “essential services” scope, so what would we do? What would lots of small ISPs do? We would almost certainly (with suitable announcement) change DNS servers to use google's service (and its IPv6). Alternatively we may subcontract some commercial DNS provider. That could get us below any thresholds and out of the essential services scope.

The problem with this is that you end up with a few large DNS resolver companies instead of every ISP operating lots of separate caching resolvers, giving end users choice and redundancy (they can always switch to use if they want or even run their own resolver). These few large providers, even though in scope of the regulation (if they are in the EU) will then be a juicy target for attack, either as DoS or DNS poisoning or simple bribery. They become the sole gatekeepers of the underlying hierarchical DNS system, undermining its integrity. This undermines the reliability of DNS and goes head to head with the technical community that DCMS should be embracing, and not fighting.

Of course, we have the issue of published resolvers that will be hard coded. We could port map these to an external DNS resolver. But then the port mapper boxes become as important as the DNS resolvers they replace - so do they become in scope as “DNS resolvers” themselves? What if part of CGNAT boxes? What if a feature of customer routers?

Personally I cannot see any logic in including caching and recursive resolvers in scope at all. Is there a threat? Maybe if they specifically called out google’s public service as in scope, perhaps that is all they intend?


There also seem to be a few key services missing from the directive!

Data centres: Whilst technically a data centre is not different to someone else selling office space (they sell space, power, air-con and physical security basically), they are key to the operation of all of these digital services that are covered by the directive. Why are they not in scope?

Content Delivery Networks: These too are key to many services, and could have major impact if attacked, but again, it looks like they are not in scope.

Don’t just comment here!

Please, consider the directive and DCMS proposals and reply. We need people mitigating the impact, making sure it covers what needs to be covered, and making sure the definitions work.

The consultation document is here, and you have until 30th September to respond.

This is the A&A response, here.

(Thanks to Neil Brown for help with this blog post)